noxas Posted December 26, 2009

Hi, I was wondering if any of you can help me. I don't know if I have been hacked or if I have a PHP virus (if they exist), but my site suddenly had a 'google' link in the bottom which I did not put there, but I could delete it through the banner section in admin.

Aside from this I keep getting emails sent to myself and my customers which come from my site (because I keep getting kicked off for spamming) but I am not sending. The email address it comes from ends in my site name, but doesn't start with any filter I created. I have only created one filter, 'tizzy', but the emails come from names like 'administrator' or 'support' etc. Also, sometimes the email will end in @www.mysitename.co.uk, which is very unusual. At least 1 a day is sent out, which is a real pain because it is being sent to my customers, and sometimes the email has swearing in it, with links in it to pharmacies etc., and it also makes my host kick me off for sending too many emails at once.

I've tried changing all passwords for admin / cpanel etc. but that didn't work :S. Anyway, can anyone please help me with this, it's driving me mad! Thank you everyone.

Ben Nevis Posted December 26, 2009

Yes, you've been hacked. There are lots of threads from people who've been hacked, a little searching in the forums would give you all the information you need.

Just deleting one or two things you might notice isn't going to cure your site, and neither is changing passwords. There will be multiple ways into your site including backdoors that the hacker will have dropped, unless and until you remove every piece of malicious code and fix all the vulnerabilities.

The easiest way to fix your site will be to delete it and the database, restore everything from a known clean backup, and then apply all the fixes. Otherwise you are going to have to identify all affected and hacker added files, remove the malicious code, delete all the added files, and apply all the fixes.

Have a look at the 'How to secure your site' and 'Serious Hole in osCommerce' threads. You could also look at the thread called 'Has my store been hacked?' started by someone else who noticed a google link that had suddenly appeared at the bottom of the page.... Just removing that link isn't going to help.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

spooks Posted December 26, 2009

As Richard has stated already the procedure you should do, I'm just posting this out of curiosity.

Would you mind saying why you haven't looked at security b4, and further why, having been hacked, you haven't looked at the threads in security covering this instead of creating yet another topic.

I'm just interested to know why so many seem to ignore these matters til they get bitten and then fail to see the solutions to their problems are already here.

Sam

Remember, What you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.

♥mdtaylorlrim Posted December 27, 2009

> I'm just interested to know why so many seem to ignore these matters til they get bitten and then fail to see the solutions to their problems are already here.

Probably for the same reason I never did. One would think that software that is so widely used is updated regularly to include important security updates. It's a complacency thing. You usually only go on a search for assistance once you find that you cannot solve a problem on your own, *then* you discover that the program is crap right out of the box and needs updates before it is even safe to use.

Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?

Guest Posted December 27, 2009

> As Richard has stated already the procedure you should do, I'm just posting this out of curiosity. Would you mind saying why you haven't looked at security b4, and further why, having been hacked, you haven't looked at the threads in security covering this instead of creating yet another topic. I'm just interested to know why so many seem to ignore these matters til they get bitten and then fail to see the solutions to their problems are already here.

I would like to reply to this on my, and my two friends', behalf (I reported this problem in another thread):

Question 1: Why do we ignore the SME's advices (is that a word) until we get bitten? Because we are (pick 1, please do not pick all three) 1) mentally challenged 2) asleep at the wheel 3) live in some sort of fantasy land that would exclude us from any hacks.

Question 2: After bitten, why do we continue to ignore the advice given to us? First answer: Please refer to 1 and 2 in the previous question. 2nd answer: we get in a panic and our IQ drops to Forrest Gump level.

I am sure you already knew all of these answers, but I just wanted to acknowledge that some of us are aware of our behavior but can't seem to get with the program. :)

In my own personal weak defense, we did apply the security fixes to one of the 3 sites until we fell into the delirium that caused the current problem.

P.S. This was an effort to agree with you, so please don't hurl me into the hurt locker.

spooks Posted December 27, 2009

> Probably for the same reason I never did. One would think that software that is so widely used is updated regularly to include important security updates. It's a complacency thing. You usually only go on a search for assistance once you find that you cannot solve a problem on your own, *then* you discover that the program is crap right out of the box and needs updates before it is even safe to use.

I think the neg score given already speaks for itself, people don't want to admit it's their own fault, it's stated here plainly many times that the app is a basic core for you to create upon, not a finished solution. You need to check out all aspects b4 u use it.

If you were buying a store in the high st would you do that with no research 1st?? Yet people pay nothing for this & think they need do none!!

Sam

♥geoffreywalton Posted December 27, 2009

With open source software it is really a case of buyer beware, but it would really help if there was a pinned thread in the installation section that had a list of security patches that ought to be installed.

Another useful thing would be a link to the bug fixes. Anyone know where the rc2a fixes have gone, http://svn.oscommerce.com/jira/secure/Dashboard.jspa seems to be missing them?

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile. Virus Threat Scanner. My Contributions. Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link: Useful Threads. If this post was useful, click the Like This button over there ======>>>>>.

Ben Nevis Posted December 27, 2009

> With open source software it is really a case of buyer beware but it would really help if there was a pinned thread in the installation section that had a list of security patches that ought to be installed. Another useful thing would be a link to the bug fixes. Any one know where the rc2a fixes have gone http://svn.oscommerce.com/jira/secure/Dashboard.jspa seems to be missing them? G

What would be even more useful would be if the patches and fixes could be rolled up into the download/installation file. osc2.2 just isn't being maintained by the development team, and while I do understand that osc3 is the priority for development work, it doesn't seem like it would have been so difficult to roll out a minor version update with a fix each time a vulnerability or bug was discovered? The daily questions about hacking all result from things that have been known about for quite a long time.

So I can understand those who've set up store recently believing that it should be secure at least against anything but newly emerging vulnerabilities, and not prioritising checking for security updates.

What is less easy to understand is why people don't search for information before posting a question, but that is a general problem not confined to questions about hacking - it is easier to write a post with a question (that even then sometimes manages to avoid describing the problem in a way that would enable someone to answer it) than it is to type a few words into a search box, it seems???

Jan Zonjee Posted December 27, 2009

> osc2.2 just isn't being maintained by the development team

I beg to differ.

Ben Nevis Posted December 27, 2009

> I beg to differ.

Ah, well there are signs of life then :blush: Didn't know about that stuff, or where to look for it.

Pity that this work apparently hasn't found its way into the osc download file though, which doesn't seem to have been updated since 30/1/08...

Jan Zonjee Posted December 27, 2009

> Pity that this work apparently hasn't found its way into the osc download file though, which doesn't seem to have been updated since 30/1/08...

I'm not the spokesman for the project of course but I wouldn't be surprised to see an RC3 one of these days.

Guest Posted December 27, 2009

> One would think that software that is so widely used is updated regularly to include important security updates.....the program is crap right out of the box and needs updates before it is even safe to use.

That is a valid point, except to the extent that the problems arise due to a failure to follow the installation instructions that come with the program.

Someone who has just discovered osC shouldn't be expected to know about all of the "updates" that are posted throughout this forum nor should they be expected to know to look for them. After all, the description that osC has on its home page says that "it features a rich set of out-of-the-box online shopping cart functionality that allows store owners to setup, run, and maintain online stores with minimum effort and with no costs, fees, or limitations involved."

♥geoffreywalton Posted December 27, 2009

Thanks Jan.

Interesting thing is that the link I gave above is the only one I can find from http://www.oscommerce.com/ to a bugs page. How would a new person ever find the git hub page, let alone understand what is on it?

Are all the other rc2a patches lost?

G

Jan Zonjee Posted December 27, 2009

> Interesting thing is that the link I gave above is the only one I can find from http://www.oscommerce.com/ to a bugs page. How would a new person ever find the git hub page, let alone understand what is on it?

She/he wouldn't.

> Are all the other rc2a patches lost?

Aren't the ones you mean not here?

noxas (Author) Posted December 29, 2009

> I'm just interested to know why so many seem to ignore these matters til they get bitten and then fail to see the solutions to their problems are already here.

Well, I was naive but I did think that the security would already be on. But I've learnt my lesson now I suppose.

Anyway thanks for the help everyone, I have now backed up the site from a previous back-up (hoping that it is hack free) and have also:

- Changed name of admin directory
- added htaccess password
- added code to application_top.php for $PHP_SELF
- installed security pro
- Removed the file manager
- removed define_language
- added Anti XSS

I also have IP trap in place. Should that keep me safe now??

Thanks!

Ben Nevis Posted December 29, 2009

That seems to be pretty much everything except you didn't mention Site Monitor, http://addons.oscommerce.com/info/4441, which is worth doing, and Sam's code to also clean POST vars with arrays: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/page__view__findpost__p__1461711.

Site Monitor doesn't secure the site but could alert you to any changed or possibly hacked files, particularly worth doing if you have reinstalled from a back up which you're not 100% sure of.

noxas (Author) Posted December 29, 2009

> That seems to be pretty much everything except you didn't mention Site Monitor, http://addons.oscommerce.com/info/4441, which is worth doing, and Sam's code to also clean POST vars with arrays: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/page__view__findpost__p__1461711. Site Monitor doesn't secure the site but could alert you to any changed or possibly hacked files, particularly worth doing if you have reinstalled from a back up which you're not 100% sure of.

Thanks for the reply, I installed Site Monitor, but it wouldn't work (reported open_dir errors), I changed permissions etc. but had no such luck. So I just took it back off again.

crawlspeed Posted December 29, 2009

Same subject but off topic - I was also hacked over the Christmas holiday. Luckily the site is pretty new so not many users to send spam email to. But I am curious about 1 thing. The latest backup I have has the hacked files in it, so it's basically useless to restore.

My question is about exporting the products. Say I was to start fresh with a new install and a new database just to be sure I am starting clean before doing all the security updates. Is there a way to export just the product info I have so I don't have to add them all back in manually?

Thanks
-Dave

noxas (Author) Posted December 31, 2009

> Same subject but off topic - I was also hacked over the Christmas holiday. Luckily the site is pretty new so not many users to send spam email to. But I am curious about 1 thing. The latest backup I have has the hacked files in it, so it's basically useless to restore. My question is about exporting the products. Say I was to start fresh with a new install and a new database just to be sure I am starting clean before doing all the security updates. Is there a way to export just the product info I have so I don't have to add them all back in manually? Thanks -Dave

I think just copying your database should do it... Because I don't think that the hackers make any changes to your database, they just add code to some PHP files to access the database information. Don't quote me on that though.

Xpajun Posted December 31, 2009

> ... Should that keep me safe now?? Thanks!

Well, providing the now you refer to is the last ten minutes of the hour that you posted in, you should be safe :-" :lol:

What everyone needs to remember is that there is a game being played - the hackers make a hole, we fix - the hackers make another hole, we fix, etc., etc., etc.

Everyone needs to keep on top of security updates and constantly check their files for malicious content.

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 ). I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary.

noxas (Author) Posted January 7, 2010

Right, things were all well (for the past week). But yesterday I reinstalled the "bulk email engine" addon and sent a newsletter (ensuring I stayed below the allowed emails per hour). But today at about 2, the site got kicked off again. This happened well after I sent the newsletter, so it can't be that. But I didn't receive an email like before (I'm signed up to my own site, so if a hacked email was sent I would receive one).

Does anyone have any idea what is happening now?? Am I still getting hacked but in a different way? Or is it possible that it's the bulk mail engine that is hacking the site?

The site first started getting hacked the first time I installed the bulk mail engine. Then I installed a backup of the site and added all the security features I mentioned above. It was fine for a week, then I installed again, and a day later I get kicked off again....

Help :(

Ben Nevis Posted January 7, 2010

> Right, things were all well (for the past week). But yesterday I reinstalled the "bulk email engine" addon and sent a newsletter (ensuring I stayed below the allowed emails per hour). But today at about 2, the site got kicked off again. This happened well after I sent the newsletter, so it can't be that. But I didn't receive an email like before (I'm signed up to my own site, so if a hacked email was sent I would receive one). Does anyone have any idea what is happening now?? Am I still getting hacked but in a different way? Or is it possible that it's the bulk mail engine that is hacking the site? The site first started getting hacked the first time I installed the bulk mail engine. Then I installed a backup of the site and added all the security features I mentioned above. It was fine for a week, then I installed again, and a day later I get kicked off again.... Help :(

What do you mean you or the site got "kicked off"? Did your web host complain about your site sending too many emails and take it down or what? What sort of error message did you get or what exactly happened?

If your host took it down you'll need to ask them why they did it.

This topic is now archived and is closed to further replies.