osCommerce

OSC Security & a phishing page uploaded by hacker - help!


mtmike

Posted

A client of mine has an osCommerce store that's been working great for nearly 2 years. She was hosting with GoDaddy (and we know how great they are) :blink: Last month they shut the site down and said a security vulnerability had been discovered, but wouldn't give any indication as to which folder/file, etc., so we switched hosts.

Fast-forward to today: a hacker uploaded an IRS phishing page and spammed it out to a bunch of people. After a battle of repeatedly deleting the folder and changing permissions on the folder it kept getting uploaded to, the entire catalog directory was deleted. Luckily, I'm a good webmaster and just re-uploaded the site from backup.

The database was left untouched, and the attempts to re-upload the page have ceased, for now.

Does anybody have any idea where this security exploit is in OSC and whether there is a patch available for it?


Thanks

Posted

Might be the folder permissions, or a whole host of other reasons possibly not connected with osC.

There is a contribution called Site Monitor that alerts you to any changes made to your site; it's a very good early indication of anything happening to your files. There are also XSS scripts there, IP traps, and contact-us page security updates.

Regards

Nic

Sometimes you're the dog and sometimes the lamp post

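The Site Monitor suggestion above comes down to file-integrity monitoring: hash every file in the web root once while it is known-clean, then re-hash on a schedule and report anything added, removed or modified. The script below is an added example for this thread, not the Site Monitor contribution and not code from any poster. It also lists world-writable directories, since a 777 upload folder is the "folder permissions" problem that lets a dropped phishing kit keep reappearing. The `demo()` scenario (a toy `catalog/` tree, the `images/irs/refund.html` phishing path, the tampered `index.php`) is constructed for illustration; in real use you would point `baseline` and `check` at the actual web root.

```python
#!/usr/bin/env python3
"""Added example (not the osCommerce Site Monitor contribution): a minimal
file-integrity baseline for a web root. It records a SHA-256 per file, then
reports files that were added, removed or changed, which is exactly how a
dropped phishing directory or a tampered catalog file shows up. It also lists
world-writable directories, the "folder permissions" problem from the thread."""
import hashlib
import json
import os
import stat
import sys
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # never follow links out of the web root
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; every value is a sorted list of relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline if k in current and baseline[k] != current[k]
        ),
    }


def world_writable_dirs(root: Path) -> list:
    """Directories any local user (or a hijacked web process) can write into."""
    hits = []
    for dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            p = Path(dirpath) / d
            if not p.is_symlink() and p.stat().st_mode & stat.S_IWOTH:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: baseline a toy catalog, then simulate the intrusion
    described in the thread (a phishing kit dropped into a 777 images folder
    and a modified PHP file) and return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        images = root / "catalog" / "images"
        images.mkdir(parents=True)
        (root / "catalog" / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (images / "logo.gif").write_bytes(b"GIF89a")
        os.chmod(images, 0o777)  # the classic mistake: world-writable upload dir

        baseline = build_baseline(root)

        # "Attacker" activity: a new phishing directory plus a tampered script.
        (images / "irs").mkdir()
        (images / "irs" / "refund.html").write_text("<form>fake refund form</form>\n")
        (root / "catalog" / "index.php").write_text("<?php /* tampered */ ?>\n")

        report = compare(baseline, build_baseline(root))
        report["world_writable"] = world_writable_dirs(root)
        return report


if __name__ == "__main__":
    # Real use: `python integrity.py baseline /var/www/html > baseline.json`
    # on a clean install, then `python integrity.py check /var/www/html baseline.json`
    # from cron and mail yourself any report whose lists are non-empty.
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_baseline(Path(sys.argv[2])), sys.stdout, indent=2)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as fh:
            old = json.load(fh)
        root = Path(sys.argv[2])
        report = compare(old, build_baseline(root))
        report["world_writable"] = world_writable_dirs(root)
        json.dump(report, sys.stdout, indent=2)
    else:
        json.dump(demo(), sys.stdout, indent=2)
```

Keep the baseline file outside the web root (and ideally off the host), otherwise an attacker who can write to the site can also rewrite the baseline. A symlink in the tree is deliberately skipped rather than followed, so a link pointing at `/etc` does not pull system files into the report.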

Posted
Looks like GoDaddy was correct. The OSC security patches probably were not applied by your client.

Posted
Do you have a link to this/these patch(es)? I couldn't find anything in the contributions center, or maybe I'm not searching for the right term/keyword.

Thanks.

Posted
They are in the latest osC download, in the extra folder to start with.

3 months later...
Posted

FYI: my website was deactivated today by wsdomain.ws, the administrator for the .ws domains.

Actually, they deactivated all websites registered under my name because of a violation caused by one website.

They deactivated the account, with no chance of reactivation for that domain, because the IRS contacted them today to say the website was phishing. After reading the forum, I found the site did not have the admin area password protected, so I assume that was how they got in, based on comments in this forum. I've also found all the files that were uploaded yesterday, including the txt file containing information from people who actually provided their personal information and CC details for the tax refund!

Please be aware that whoever is phishing is still out there doing it, and if the IRS contacts the domain registrar they may deactivate your account with no recourse. I'm currently trying to get the non-involved websites back up, but at this point I'm being told all accounts will stay down until they complete their review. Even if I get the other sites back, I won't be able to get the offending site back (10-year registration down the tubes!).

Michael Gilliam

Archived

This topic is now archived and is closed to further replies.
