Whiskers Posted April 19, 2009

Hi all, I think there is a serious concern with the latest addition to this addon. There was an update on 9th April and also on 15th April by Pektsekye (http://addons.oscommerce.com/info/2823) which says about an autoinstaller of this program which I thought was a great idea. When installing the .php file and refresh my browser nothing happened. I deleted it and thought nothing more of it, but now my site has been hacked with a porn front page and my cpanel/ftp password has been changed. I checked his profile and he has never posted anything and only joined on 9th April, which leads me to believe this is a hacker. Can anybody help with taking this update off this site?

He has also done the same to the More Pics 6 addons too on the 17th April: http://addons.oscommerce.com/info/1611

I hope this helps! I don't know how to get my site back to normal either! :(
Guest Posted April 19, 2009

I reported this to the moderators to look into. As far as restoring your site, you do have a back up, right?
Whiskers (Author) Posted April 19, 2009

I have the database restore thing on admin, but it doesn't get rid of the problem. They have changed my cpanel password too so I can't upload the old files etc. I'm waiting for my host to get back to me. Anything else you can suggest?
Jan Zonjee Posted April 19, 2009

> I think there is a serious concern with the latest addition to this addon. There was an update on 9th April and also on 15th April by Pektsekye (addons.oscommerce.com/info/2823) which says about an autoinstaller of this program which I thought was a great idea. When installing the .php file and refresh my browser nothing happened. I deleted it and thought nothing more of it, but now my site has been hacked with a porn front page and my cpanel/ftp password has been changed. I checked his profile and he has never posted anything and only joined on 9th April, which leads me to believe this is a hacker. Can anybody help with taking this update off this site?

I just spent half an hour going over the files of #2823 and so far I haven't found the slightest thing that could indicate you are right with this accusation. Included classes (preventDuplicates.php, seo.class.php, and reset_seo_cache.php) are binary equal to the one in the latest upload of faaliyet. In the .htaccess instructions the only difference I could see was that RewriteBase / was changed to RewriteBase /directory/

So far so good. It is not unusual to see contributions uploaded by people who never posted, by the way.
Whiskers (Author) Posted April 19, 2009

> I just spent half an hour going over the files of #2823 and so far I haven't found the slightest thing that could indicate you are right with this accusation. Included classes (preventDuplicates.php, seo.class.php, and reset_seo_cache.php) are binary equal to the one in the latest upload of faaliyet. In the .htaccess instructions the only difference I could see was that RewriteBase / was changed to RewriteBase /directory/ So far so good. It is not unusual to see contributions uploaded by people who never posted, by the way.

I understand, but neither of his contributions work. They just show up a blank page. Then suddenly I have all my site hacked into. I have managed to get the cpanel up and running again now and I have found that they made a temp1 file which contained 2 .jpg files, a hack.php and a c100.php file. Also there was a picture of a girl on it (maybe a girl hacker?). They also changed my cpanel admin account email to this: [email protected]. I looked in the .php files and there is reference to emp3ror.com/kira which when Googled leads me to hacking websites, as do a few other emails that are in the files. I don't know why people bother!
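Added example (not part of either post above and not code from the contribution): the byte-for-byte comparison Jan describes, and a check for unexpected files like the ones Whiskers found, can both be done by hashing a known-good tree and the tree under review. The directory layout and the names `htaccess.txt` and `autoinstaller.php` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def compare_trees(baseline, candidate):
    """Return files added, removed and changed in candidate versus baseline."""
    old, new = hash_tree(baseline), hash_tree(candidate)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_sample(root):
    """Constructed sample: a trusted package and a newer upload to review."""
    root = Path(root)
    files = {
        "trusted/seo.class.php": "<?php // class body\n",
        "trusted/reset_seo_cache.php": "<?php // cache reset\n",
        "trusted/htaccess.txt": "RewriteBase /\n",
        "upload/seo.class.php": "<?php // class body\n",
        "upload/reset_seo_cache.php": "<?php // cache reset\n",
        "upload/htaccess.txt": "RewriteBase /directory/\n",
        "upload/autoinstaller.php": "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root / "trusted", root / "upload"


def demo():
    """Compare the constructed trusted package with the constructed upload."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, upload = build_sample(tmp)
        return compare_trees(trusted, upload)
```

Every path under `added` or `changed` is a file that still needs to be read before the package goes near a live server; the same comparison run between a clean backup and the deployed webroot lists files that were dropped in afterwards.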
Jan Zonjee Posted April 19, 2009

> I understand, but neither of his contributions work.

I can imagine that if you try it on a live server with regard to file permissions not being set to be able to write to files (as they should be - read-only for the webserver is high enough). There is no mention of chmod commands in the autoinstaller file so perhaps this is just a nasty coincidence.
Whiskers (Author) Posted April 19, 2009

> I can imagine that if you try it on a live server with regard to file permissions not being set to be able to write to files (as they should be - read-only for the webserver is high enough). There is no mention of chmod commands in the autoinstaller file so perhaps this is just a nasty coincidence.

Maybe. The More Pics was done on a different site than the URL one, so if the same happens to that then I know it must be more than just coincidence. :(
GemRock Posted April 19, 2009

a more cautious approach should be adopted for this kind of thing. unless different people do the same thing in different situations and all of them get the same result, then one could be sure to make a claim in a conclusive way.

anyway, "hack" or not, IMO, u seo urls does NOT need an extra installer be it auto or otherwise. do we need an autoinstaller for the autoinstaller...?? by the time you install/copy the autoinstaller (it won't run from the contribution site without downloading it or from the zip file will it?), i reckon i would have installed u seo url twice over. there is no manual run of query script in chemo's u seo url - it is "autoinstall" already.

a second thing is, imo, that contribution (2823) seems needing clear-up, removing most of addons that trying to solve self inflicted problems or fixes that only needed for their own sites. many noobies are confused or overwhelmed and do not know which one to use. if anyone think theirs are better than chemo's originals, then they should post it as another contribution of their own. people come to that contribution in search for the originator's name, so don't take advantage of that.

Ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile). over 20 years of computer programming experience.
Whiskers (Author) Posted April 19, 2009

The cheeky hackers have just emailed me on my personal email address?!:

> Hi
> Just a quick email to tell you about the hack on your site. None of the databases were compromised, the only things that were changed were the index.php to oldindex.php. Glad to see it's been resolved.
> -wan5
Whiskers (Author) Posted April 19, 2009

He's been emailing me telling me how it was done now! Apparently it was an SQL Injection technique. :blink:
Jan Zonjee Posted April 19, 2009

> He's been emailing me telling me how it was done now! Apparently it was an SQL Injection technique. :blink:

Do you use RC2a or an older version? For older versions apparently sql injection was still possible on some pages.
Superpet toys rus Posted May 23, 2009

Hiya, just reading through this post as it seems a little too late... I have used one of this guy's add ons and had the same result... I'm gutted, wish I hadn't been so lazy to use an autoinstaller grrrrrrrr
fetish Posted May 26, 2009

Please tell me.. this is true?? I just installed su_autoinstaller
Jan Zonjee Posted May 26, 2009

> Please tell me.. this is true?? I just installed su_autoinstaller

Do you mind reading the whole thread instead of just reading the last post?
fetish Posted May 26, 2009

> Do you mind reading the whole thread instead of just reading the last post?

yes jan, i read all post, included super toy rus post.. ask is better don't you? regards
This topic is now archived and is closed to further replies.