Hacked (or bug) - someone in database or backend


forumsviewer


So my friend's osCommerce website got hacked, or at least has an open bug. He said that he received an email from someone asking for money to fix problems on the site and attached a list of data from the customers table in the database. My friend said that the list of customers in the database was correct, so he definitely had access to either the osCommerce backend or the database itself.

 

What type of measures can he take? How can he find the IP address or any relevant information about this hacker? Could it possibly be a bug or just not a secure enough password or maybe not properly protecting configure.php in includes?

 

Any information would be greatly appreciated.

 

You can ask any questions and I'll get the answers from him if you need additional info. Thank you.


Check your site logs in cPanel; error logs will often show hacking attempts. Also look in stats for frequent visitors.

 

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

 

You can add htaccess protection http://addons.oscommerce.com/info/6066

 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400, whichever is correct for your server.

 

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

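As an added example (not code from the thread or from osCommerce), the three permission rules above turned into a PHP audit script that reports only the directories and files that break a rule; the catalog path passed on the command line is an assumption for your own host:

```php
<?php
// Added example, not from the thread or osCommerce: audit a store's files
// against the post's rules (files no looser than 644, directories no looser
// than 755, configure.php at 644, 444 or 400). Run on the host as
//   php audit_perms.php /path/to/catalog   (the path is an assumption)

function audit_permissions(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode = $info->getPerms() & 0777;
        if ($info->isDir()) {
            // Bits beyond rwxr-xr-x are group/other write (0022); 777 trips this.
            if ($mode & 0022) {
                $findings[] = sprintf('%04o %s (dir, expected at most 755)', $mode, $path);
            }
        } elseif ($info->getFilename() === 'configure.php') {
            // Host-dependent, but only these three values are acceptable.
            if (!in_array($mode, [0644, 0444, 0400], true)) {
                $findings[] = sprintf('%04o %s (configure.php, expected 644, 444 or 400)', $mode, $path);
            }
        } elseif ($mode & 0133) {
            // Bits beyond rw-r--r--: any execute bit or group/other write.
            $findings[] = sprintf('%04o %s (file, expected at most 644)', $mode, $path);
        }
    }
    return $findings;
}

$root = $argv[1] ?? getcwd();
$findings = audit_permissions($root);
if ($findings === []) {
    echo "No permission problems under $root\n";
} else {
    echo count($findings) . " problem(s) under $root:\n" . implode("\n", $findings) . "\n";
}
```

Both configure.php files (catalog and admin) are matched by filename, so each is checked against the 644/444/400 rule rather than the general 644 limit.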

How does one upgrade when you have a lot of custom development?

 

The host has said that the version that we are running of the shopping cart software is back a bit. There are exploits in it he said.

 

How would I get this fixed? Anyone here want a job? :)


The exploits have to do with using the URL to access certain tables in the database. I guess these are called "holes" or "exploits"?

 

How would I know how to fix them?

 

With a lot of custom development and changes in the coding, how would one upgrade successfully?


UPDATE

 

I have come to realize that what they used was a SQL injection, specifically with customer_testimonials.php. Does the osCommerce website have all of the SQL injection security threats listed anywhere?

 

customer_testimonials.php? That's not a standard osCommerce file, is it?


spooks - one of your contributions listed actually mentions the customer_testimonials.php exploit. However, I was curious if there are any others that I should be aware of or if we are good by just installing all of those security contributions


Most of your questions were dealt with in my initial answer.

 

Security Pro will stop injection attacks, including SQL.

 

The htaccess protection will stop most other attacks and block known bad bots/IPs.

 

Yes, testimonials is a well known hacking route; perhaps you should remove it.

 

With reasonable coding knowledge and familiarity with osC it would be quite feasible to upgrade; you must take care though.

 

The best way is to set up a duplicate, upgrade that, then when it is fully working transfer it; then there is no disruption or risk of downtime.

 

The law requires you to secure customer info, so you must take all steps to that end.

Sam


spooks - yes, we are going to upgrade. For now, we needed a temporary fix and found one so that the hack, as I have read it, does not work on customer_testimonials.php.

 

Does the hack or anything extremely similar work on other pages by default? I just want to close this hack quickly and then start the upgrading over the weekend on a dev server then go into production.


spooks (or anyone else) I just installed Security Pro. I have enabled it in the admin backend. How can I test to ensure that it is working? I tried browsing around the website and everything is functional. However, I want to make sure that it is actually working.


Go to your search form, put in the query [w](o)%3Cr%3Ek|i*n^g

 

You should then find the query searched is 'working'

 

And also try putting this url

 

http://www.mysite.co.uk/catalog/advanced_s...)%3Cr%3Ek|i*n^g

 

Should give the same result

Sam

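As an added example, not Security Pro's code or osCommerce's, the kind of whitelist filtering the test above relies on, written in PHP with the thread's test vector as a self-check, alongside the parameterised query that should back it up; the products_description table and its columns are assumptions here:

```php
<?php
// Added example, not Security Pro's or osCommerce's code: a whitelist
// sanitiser that behaves as the post describes on its test vector, plus the
// parameterised search query. Table and column names below are assumptions.

/**
 * Decode percent-encoding once (PHP already does this for $_GET, so the
 * %3C/%3E in the test vector arrive as '<' and '>'), then keep only
 * letters, digits and spaces. Brackets, quotes, pipes, semicolons and
 * comment sequences are dropped rather than escaped.
 */
function sanitize_search_keywords(string $raw): string
{
    $decoded = rawurldecode($raw);
    $clean = preg_replace('/[^\p{L}\p{N} ]/u', '', $decoded) ?? '';
    // Collapse the whitespace left behind by removed characters.
    return trim(preg_replace('/\s+/', ' ', $clean) ?? '');
}

/**
 * Defence in depth: bind the cleaned keywords as a parameter so the database
 * treats them as data even if the filter misses something. $db is an open
 * mysqli connection.
 */
function search_products(mysqli $db, string $raw_keywords): array
{
    $keywords = sanitize_search_keywords($raw_keywords);
    if ($keywords === '') {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT products_id, products_name FROM products_description
          WHERE products_name LIKE ? LIMIT 50'
    );
    $pattern = '%' . $keywords . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Self-check mirroring the thread's manual test: the vector must reduce to
 * 'working', and an injection probe must lose its quote, '=' and '--'.
 */
function sanitizer_self_check(): bool
{
    return sanitize_search_keywords('[w](o)%3Cr%3Ek|i*n^g') === 'working'
        && sanitize_search_keywords("' OR 1=1 -- ") === 'OR 11';
}
echo sanitizer_self_check() ? "sanitiser OK\n" : "sanitiser FAILED\n";
```

The self-check is the same observation the post asks for (the stripped input reads 'working'), but the prepared statement is what keeps a missed character from reaching the database as SQL.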

Archived

This topic is now archived and is closed to further replies.
