osCommerce

Possible hacks?


ogwinilo


I have just installed Sitemonitor on a new oscommerce installation and Sitemonitor picks up the following files as possibly infected:

 

includes/classes/nusoap.php

includes/modules/payment/paypal_standard.php

mynewadmin/includes/classes/nusoap.php

 

I wonder if I can just do away with them, since it would be difficult to pick up exactly what the problem is. I know I can do away with PayPal Standard since I'll be using PayPal's Express Checkout. What I'm not sure about are the other two: what's their function in the greater scheme of things, and what would the implications be if I were to delete them?

 

Felix


The algorithm that searches for potential hacks is very simple: it just looks for the following strings in your files:

  • error_reporting(0)
  • base64_decode
  • <iframe

While these are cause for suspicion, some files actually use them and cause false positives.

 

So here is what I suggest:

 

1) Check the files you list above, to see if they're legitimate.

 

2) If so, modify this file: catalog/admin/includes/functions/sitemonitor_functions.php

 

OLD CODE:

 $excludeFileArray = array();
 $excludeFileArray[] = 'sitemonitor_functions.php';   

 

NEW CODE:

 $excludeFileArray = array();
 $excludeFileArray[] = 'sitemonitor_functions.php';   
 $excludeFileArray[] = 'nusoap.php';   
 $excludeFileArray[] = 'paypal_standard.php';   

Check out Chad's News.


Thanks, truly appreciated, will do

The PayPal file has this legitimate code, which would cause a "false positive":

 

// remove headers from the signature
$signed = file_get_contents(MODULE_PAYMENT_PAYPAL_STANDARD_EWP_WORKING_DIRECTORY . '/' . $random_string . 'signed.txt');
$signed = explode("\n\n", $signed);
$signed = base64_decode($signed[1]);

I don't have a copy of the nusoap file.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


Allowing a file solely by name is not reliable.

 

For instance, includes/classes/nusoap.php is probably a legitimate file, whereas images/nusoap.php would most likely be a hack file.

 

I don't know if Site Monitor allows at least part of the path in the exclusion. That's Jack's baby, not mine.

 

If it doesn't, it's not reliable in that respect.

 

It's a very old hack trick to put a file named something you'd expect to see, but place it in a folder where it doesn't belong.


The Site Monitor code uses the file's basename, so all files with that name (regardless of location) are excluded from the check.

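The string search Chad describes, together with the concern raised above that a basename-only exclusion would also silence a same-named file dropped into a folder where it does not belong, can be shown in a few lines of PHP. The following is an added example and is not Site Monitor's own code: it keeps the three suspect strings from the thread, but keys the exclusion list on the relative path rather than the basename. The function names, the sample file tree and the file contents are all constructed for the example.

```php
<?php
// Added example, not Site Monitor's own code. It reproduces the simple string search
// described in the thread, but matches the exclusion list on the relative path instead
// of the basename, so a stray images/nusoap.php is still reported while the known copy
// at includes/classes/nusoap.php is not. Sample paths and contents are constructed.

// The strings Site Monitor is said to look for.
const SUSPECT_STRINGS = ['error_reporting(0)', 'base64_decode', '<iframe'];

// Known-legitimate files, keyed by where they are expected to live.
const EXCLUDED_PATHS = [
    'admin/includes/functions/sitemonitor_functions.php',
    'includes/classes/nusoap.php',
    'includes/modules/payment/paypal_standard.php',
];

// Turn "./includes//classes\nusoap.php" into "includes/classes/nusoap.php" so that
// the same file always produces the same key.
function normalisePath(string $path): string
{
    $path = str_replace('\\', '/', $path);
    $path = preg_replace('#/+#', '/', $path);
    return preg_replace('#^(\./)+#', '', $path);
}

// Return the suspect strings present in $content (case-insensitive), or [].
function findSuspectStrings(string $content): array
{
    $hits = [];
    foreach (SUSPECT_STRINGS as $needle) {
        if (stripos($content, $needle) !== false) {
            $hits[] = $needle;
        }
    }
    return $hits;
}

// Scan path => contents and return path => matched strings for every file that is not
// on the exclusion list and contains at least one suspect string.
function scanFiles(array $files, array $excluded = EXCLUDED_PATHS): array
{
    $skip = array_flip(array_map('normalisePath', $excluded));
    $flagged = [];
    foreach ($files as $path => $content) {
        $key = normalisePath($path);
        if (isset($skip[$key])) {
            continue;
        }
        $hits = findSuspectStrings($content);
        if ($hits !== []) {
            $flagged[$key] = $hits;
        }
    }
    return $flagged;
}

// Load every *.php file under $root into the path => contents form scanFiles() takes,
// with paths made relative to $root.
function readPhpFiles(string $root): array
{
    $root = rtrim($root, '/');
    $files = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $relative = substr($info->getPathname(), strlen($root) + 1);
            $files[$relative] = file_get_contents($info->getPathname());
        }
    }
    return $files;
}

// Constructed catalog: the same basename in its proper place and in a folder where it
// does not belong, plus the PayPal snippet quoted in the thread.
$sample = [
    'includes/classes/nusoap.php' =>
        "<?php\n// SOAP client: decodes attachment data\n\$data = base64_decode(\$part);\n",
    './images/nusoap.php' =>
        "<?php\nerror_reporting(0);\necho base64_decode(\$payload);\n",
    'includes/modules/payment/paypal_standard.php' =>
        "<?php\n\$signed = base64_decode(\$signed[1]);\n",
    'includes/application_top.php' =>
        "<?php\nrequire('includes/configure.php');\n",
];

foreach (scanFiles($sample) as $path => $hits) {
    echo $path, ': ', implode(', ', $hits), "\n";
}
// To scan a real install instead: scanFiles(readPhpFiles('/path/to/catalog'));
```

Run against the constructed tree, only images/nusoap.php is reported; the two excluded copies are skipped even though both contain base64_decode. Because the exclusion key is the full relative path, an attacker's copy under images/ does not inherit the exemption, which is exactly what a basename-only array in sitemonitor_functions.php cannot guarantee.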

Hence, it is not reliable in that aspect of the program.


Don't know if I missed something but if you exclude a file from the site monitor check, if the file does get hacked, you wouldn't know about it via sitemonitor. Doesn't that kind of defeat the purpose of site monitor?

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire


I believe it works on several levels, such as file size, last mod, etc.

 

If exclusion by name also excludes it from the other checks then the purpose is defeated.


This particular exclusion list is only for the "Check for Hacked Files" operation. The primary purpose of Site Monitor is to check for modified files, which is not affected by this exclusion list.

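Chad's point that the modified-files check is separate from the hacked-files exclusion list can be shown with a baseline-and-compare check: hash every file once after installation, store the result, and on later runs report what was added, removed or changed. This is an added example, not Site Monitor's code; the file names and contents are constructed, and the baseline location under sys_get_temp_dir() is only a stand-in for wherever such a file would really be kept.

```php
<?php
// Added example, not Site Monitor's own code: a baseline-and-compare check for modified
// files. A file excluded from the string scan by name is still caught here, because the
// comparison does not consult that exclusion list. All paths and contents are constructed.

// Build path => sha256 of contents, sorted so the baseline is stable across runs.
function hashFiles(array $files): array
{
    $hashes = [];
    foreach ($files as $path => $content) {
        $hashes[$path] = hash('sha256', $content);
    }
    ksort($hashes);
    return $hashes;
}

// Compare a stored baseline with a fresh hash set and report the differences.
function compareBaseline(array $baseline, array $current): array
{
    $report = ['added' => [], 'removed' => [], 'changed' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif (!hash_equals($baseline[$path], $hash)) {
            $report['changed'][] = $path;
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// Baseline taken right after installation (constructed contents).
$installed = [
    'includes/classes/nusoap.php' => "<?php // nusoap client\n",
    'includes/modules/payment/paypal_standard.php' => "<?php // paypal standard\n",
    'includes/application_top.php' => "<?php // bootstrap\n",
];
$baselineFile = sys_get_temp_dir() . '/sitemonitor_baseline.json';  // stand-in location
file_put_contents($baselineFile, json_encode(hashFiles($installed)));

// A later run: nusoap.php has been altered (it is excluded from the string scan by name,
// but that exclusion does not apply here) and a file has appeared under images/.
$later = $installed;
$later['includes/classes/nusoap.php'] .= "error_reporting(0);\n";
$later['images/nusoap.php'] = "<?php // should not exist\n";

$stored = json_decode(file_get_contents($baselineFile), true);
foreach (compareBaseline($stored, hashFiles($later)) as $kind => $paths) {
    echo $kind, ': ', $paths ? implode(', ', $paths) : '(none)', "\n";
}
```

On the constructed input the changed list contains includes/classes/nusoap.php and the added list contains images/nusoap.php, which is the behaviour Chad describes: excluding a name from the "Check for Hacked Files" scan does not hide a modification of that file from the modified-files check.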

I see, so yes you'd still be aware of it through the other checks site monitor does. Thanks for explaining.


Archived

This topic is now archived and is closed to further replies.
