Guest Posted May 27, 2010
Hi, just got an email from my host saying my site is causing a server overload and they have disabled my site until I sort it out, basically. I have no idea why and was wondering if anyone here could shed some light on the issue. Here is some code that the host sent in the email. I have replaced my domain name with "mydomain".

/hsphere/local/home/mydomain123/mydomain.co.uk/ folder has been chmoded to 0 due to excessive CPU usage. Examples:

889 25182 40.0 0.3 37372 16404 ? D 06:57 0:00 /hsphere/shared/apache/cgi-bin/php5-cgi PATH=/usr/local/bin:/usr/bin:/bin DOCUMENT_ROOT=/hsphere/local/home/mydomain123/mydomain.co.uk HTTP_ACCEPT=*/* HTTP_ACCEPT_LANGUAGE=en-gb HTTP_CONNECTION=Keep-Alive HTTP_COOKIE=cookie_test=please_accept_for_session; oscsid=6oskfmhhospj598s8dhfaoak31; __utma=119288539.1731606547.1274957801.1274957801.1274957801.1; __utmb=119288539; __utmc=119288539; __utmz=119288539.1274957801.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none) HTTP_HOST=www.mydomain.co.uk HTTP_REFERER=http://www.mydomain.co.uk/bt-2795/bt-ink-cartridges-34/bt-paperjet-55-1819/bt-m2176-black-ink-cartridge-561.html HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2) HTTP_VIA=1.1 ISA-PROXY01 REDIRECT_QUERY_STRING=cPath=2795_34_1002 REDIRECT_STATUS=200 REDIRECT_URL=/index.php REMOTE_ADDR=212.219.230.61 REMOTE_PORT=17834 SCRIPT_FILENAME=/hsphere/local/home/mydomain123/mydomain.co.uk/cgi-bin/php5-cgi SERVER_ADDR=98.130.5.244 SERVER_ADMIN=webmaster@mydomain.co.uk SERVER_NAME=mydomain.co.uk SERVER_PORT=80 SERVER_SOFTWARE=Apache GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REQUEST_METHOD=GET QUERY_STRING=cPath=2795_34_1002 REQUEST_URI=/bt-2795/bt-ink-cartridges-34/bt-paperjet-60-1002/ SCRIPT_NAME=/cgi-bin/php5-cgi PATH_INFO=/index.php PATH_TRANSLATED=/hsphere/local/home/mydomain123/mydomain.co.uk/index.php

889 24698 13.4 0.5 47828 23784 ? D 06:57 0:01 /hsphere/shared/apache/cgi-bin/php5-cgi PATH=/usr/local/bin:/usr/bin:/bin DOCUMENT_ROOT=/hsphere/local/home/mydomain123/mydomain.co.uk HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=de-at HTTP_CONNECTION=TE HTTP_COOKIE=oscsid=qmjj0sqj869flkb2cdijropi92; cookie_test=please_accept_for_session HTTP_COOKIE2=$Version="1" HTTP_HOST=www.mydomain.co.uk HTTP_TE=deflate,gzip;q=0.3 HTTP_USER_AGENT=Murkszilla/6.0 REDIRECT_QUERY_STRING=keywords=%25%25%25&sort=2a&page=42 REDIRECT_STATUS=200 REDIRECT_URL=/advanced_search_result.php REMOTE_ADDR=93.189.29.26 REMOTE_PORT=48000 SCRIPT_FILENAME=/hsphere/local/home/mydomain123/mydomain.co.uk/cgi-bin/php5-cgi SERVER_ADDR=98.130.5.244 SERVER_ADMIN=webmaster@mydomain.co.uk SERVER_NAME=mydomain.co.uk SERVER_PORT=80 SERVER_SOFTWARE=Apache GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REQUEST_METHOD=GET QUERY_STRING=keywords=%25%25%25&sort=2a&page=42 REQUEST_URI=/search/results.html?keywords=%25%25%25&sort=2a&page=42 SCRIPT_NAME=/cgi-bin/php5-cgi PATH_INFO=/advanced_search_result.php PATH_TRANSLATED=/hsphere/local/home/mydomain123/mydomain.co.uk/advanced_search_result.php

889 25150 4.5 0.3 36456 15060 ? D 06:57 0:00 /hsphere/shared/apache/cgi-bin/php5-cgi PATH=/usr/local/bin:/usr/bin:/bin DOCUMENT_ROOT=/hsphere/local/home/mydomain123/mydomain.co.uk HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 HTTP_ACCEPT_ENCODING=gzip HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5 HTTP_HOST=www.mydomain.co.uk HTTP_USER_AGENT=Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) REDIRECT_QUERY_STRING=products_id=1445 REDIRECT_STATUS=200 REDIRECT_URL=/product_info.php REMOTE_ADDR=67.195.114.50 REMOTE_PORT=54285 SCRIPT_FILENAME=/hsphere/local/home/mydomain123/mydomain.co.uk/cgi-bin/php5-cgi SERVER_ADDR=98.130.5.244 SERVER_ADMIN=webmaster@mydomain.co.uk SERVER_NAME=mydomain.co.uk SERVER_PORT=80 SERVER_SOFTWARE=Apache GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.0 REQUEST_METHOD=GET QUERY_STRING=products_id=1445 REQUEST_URI=/oki-2799/oki-ribbons-2808/oki-microline-3320-3952/oki-09002303-cassette-ribbon-cartridge-1445.html SCRIPT_NAME=/cgi-bin/php5-cgi PATH_INFO=/product_info.php PATH_TRANSLATED=/hsphere/local/home/mydomain123/mydomain.co.uk/product_info.php

Any help/suggestions welcome. Thanks.
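The host's listing is easier to reason about once each process line is reduced to the few fields that matter for a CPU complaint: %CPU, PID, client address, the PHP script actually executed (PATH_INFO) and the request URI. The shell function below is an added example, not code from the thread or from the host; it reads ps-style lines of exactly that shape (user, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME, command, then CGI environment tokens) and prints those columns sorted by CPU. The three sample lines are constructed, shortened copies of the listing above with documentation IP addresses and a placeholder hostname, so the script runs offline.

```shell
#!/bin/sh
# Added example: summarize ps-style CGI process lines like the ones a host
# sends in an "excessive CPU" notice. Not part of the forum thread.

# Constructed sample in the same shape as the host's listing (shortened;
# RFC 5737 documentation addresses and an example hostname, not real clients).
SAMPLE_PS='889 25182 40.0 0.3 37372 16404 ? D 06:57 0:00 /hsphere/shared/apache/cgi-bin/php5-cgi HTTP_HOST=www.example.test REMOTE_ADDR=203.0.113.10 QUERY_STRING=cPath=2795_34_1002 REQUEST_URI=/bt-2795/bt-paperjet-60-1002/ PATH_INFO=/index.php
889 24698 13.4 0.5 47828 23784 ? D 06:57 0:01 /hsphere/shared/apache/cgi-bin/php5-cgi HTTP_HOST=www.example.test REMOTE_ADDR=198.51.100.7 QUERY_STRING=keywords=%25%25%25&sort=2a&page=42 REQUEST_URI=/search/results.html?keywords=%25%25%25&sort=2a&page=42 PATH_INFO=/advanced_search_result.php
889 25150 4.5 0.3 36456 15060 ? D 06:57 0:00 /hsphere/shared/apache/cgi-bin/php5-cgi HTTP_HOST=www.example.test REMOTE_ADDR=192.0.2.55 QUERY_STRING=products_id=1445 REQUEST_URI=/oki-1445.html PATH_INFO=/product_info.php'

# summarize_ps: read ps lines on stdin, print "%CPU PID client script uri"
# sorted with the hungriest process first. Fields 1-10 are the fixed ps
# columns; everything from field 11 on is the command plus CGI environment.
summarize_ps() {
    awk '{
        cpu = $3; pid = $2; addr = "-"; uri = "-"; script = "-"
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^REMOTE_ADDR=/)      addr   = substr($i, 13)
            else if ($i ~ /^REQUEST_URI=/) uri    = substr($i, 13)
            else if ($i ~ /^PATH_INFO=/)   script = substr($i, 11)
        }
        printf "%s %s %s %s %s\n", cpu, pid, addr, script, uri
    }' | sort -rn
}

# summarize_sample: run the summary over the constructed lines above.
summarize_sample() {
    printf '%s\n' "$SAMPLE_PS" | summarize_ps
}

# Usage: sh summarize.sh host-listing.txt   (or no argument for the sample)
if [ "$#" -ge 1 ]; then
    summarize_ps < "$1"
else
    summarize_sample
fi
```

With the sample input the first line is the 40% CPU request to /index.php; the second is a search for the wildcard keyword `%%%` on page 42 from a non-browser user agent, which is the kind of request worth counting in the access log before blaming the code.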
Guest Posted May 27, 2010
David, Check your files for encrypted code. index.php, application_top.php and login.php are some of the more common files hackers will place code. Chris
Guest Posted May 27, 2010
David, Check your files for encrypted code. index.php, application_top.php and login.php are some of the more common files hackers will place code. Chris

Thanks for the reply Chris, unfortunately at the moment I can't get into the folder where all the files are because my host has chmoded it to 0. So until they get back to me I'm stuffed. What sort of stuff should I be looking for? You say encrypted code; will it be obvious? Are there any clues in the code in the email from my host as to what is causing the problem? It mentions advanced search somewhere.
Guest Posted May 27, 2010
David, Use your FTP access to download the files, check them for eval base64 code. Read this: http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/page__st__70__p__1495892__hl__eval%2064__fromsearch__1entry1495892 Chris
Guest Posted May 27, 2010
David, Use your FTP access to download the files, check them for eval base64 code. Read this: http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/page__st__70__p__1495892__hl__eval%2064__fromsearch__1entry1495892 Chris

Can't download the files because I no longer have permission.

Response: 550 No such file or directory
Error: Could not retrieve directory listing

is the response I get from the FTP program. Thanks for the link, I will read through it now.
NodsDorf Posted May 27, 2010
I'd tell my host, I can't fix the issue if I can't access my files. If they resist, tell them to make a .htaccess file that denies from all except your IP, or your ISP if you have a dynamic IP, then stick it in the root directory and allow you access to public_html. This would give you access to the files you need to fix while preventing anybody but you from accessing the site. Thus no more damage can be done. Just a thought.
Guest Posted May 30, 2010
Thanks for everyone's replies so far. I've finally been sent a backup of the site from the host so I can check the files. I have checked and I can find no encrypted code in any of them. I have not installed anything lately in terms of contributions. The last thing I did was to set up a cron job to run every day to execute a Google product feed file, but I only have about 1500 products and that has been running every day for at least two months without any complaints from my host about server overloading. Anyone got any more ideas? The most annoying thing is my host say they can pinpoint my site as the one causing the problem, but they can't tell me what is causing it or even when the problem started.
MrPhil Posted May 30, 2010
Is the backup your host sent you the actual site code that was shut down, or is it an earlier normal server backup? If it's a normal backup, from before your site was compromised, it won't do you any good. Anyway, I'd ask them to be sure that it's the actual code that was running when the site was taken down.

How did you examine it? Did you compare it against a fresh copy on your PC, unzipped from the installation package? Did you confirm that no files have been added without your knowledge? Did you scan for 'base64' (there are a few legit base64_encode and base64_decode function calls), 'display: none' (there are some legitimate uses), 'iframe' (not used in vanilla osC), and 'urldecode' (again, some legitimate uses)? Add-ons and such may also add such uses.

What permissions do you have? Is any directory or file "world writable" (e.g., 777 or 666 permissions)? If so, why? Some badly configured servers may need such permissions for selected directories or files, in order for osC to upload or update files, but if you need to do that, remove such permissions when done (change back to 755 or 644). You should never be routinely running 777/666 permissions (your data feed cron job may pose a problem here -- maybe it needs to chmod at the beginning and end of a job?).

Have you scanned all PCs you use to access your server for spyware, such as keystroke loggers and password sniffers? You may want to change all access passwords (server, FTP, admin user, etc.) just to be sure, even if the spyware scan shows nothing.

If your site was running along fine with no problems, and then suddenly is spiking CPU usage, it's very likely that it's been compromised somewhere. It may not be anything to do with osC, but other files added by a hacker to "borrow" your account and spam or participate in DDoS attacks, etc.

Have you read the threads on securing your site, such as getting rid of the osC File Manager and Define Language, renaming the admin directory, and password protecting it?

Finally, take a look at your routine processes. You mentioned adding a product feed -- any chance that it has gone "out of control" without your noticing it? Is it running every minute now? Has the amount of product data slowly increased and put you over the CPU limit? You may need to run less often, or split it up into smaller updates.
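MrPhil's checklist (compare the backup against a fresh unzip of the same osCommerce release, look for added files, grep for base64/iframe/display:none/urldecode, hunt for 777/666 permissions) and Chris's earlier advice to check for eval/base64 code can all be run offline on the PC where the backup was downloaded. The script below is an added example, not code from the thread or from osCommerce; the pattern list, the directory layout and the policy that every hit is a triage item to be read by hand (vanilla osC and add-ons legitimately use some of these functions) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage of a downloaded
# osCommerce backup against a fresh unzip of the same osC release.
# Usage: sh audit.sh /path/to/fresh-oscommerce /path/to/downloaded-backup

# Things worth a manual look (ERE, matched case-insensitively). A hit is a
# triage item, not proof of compromise; legitimate code uses some of these.
SUSPECT_PATTERNS='eval *\(|base64_decode|gzinflate|gzuncompress|str_rot13|display: *none|<iframe|urldecode'

# scan_suspicious DIR: print file:line:text for every suspicious line in
# PHP, HTML, JS and .htaccess files under DIR (find -name also matches
# dotfiles such as images/.cache.php, a favourite hiding place).
scan_suspicious() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' -o -name '.htaccess' \) \
        -exec grep -nEi "$SUSPECT_PATTERNS" /dev/null {} +
    return 0   # grep exits 1 when nothing matches; that is not an error here
}

# find_world_writable DIR: files and directories anyone on the server can
# write to (other-write bit set, i.e. 777/666-style permissions).
find_world_writable() {
    find "$1" -perm -002
    return 0
}

# list_added_files CLEAN BACKUP: entries present in the backup but absent
# from the fresh install (dropped-in files, or add-ons you installed yourself).
list_added_files() {
    diff -rq "$1" "$2" | grep -F "Only in $2"
    return 0
}

# list_changed_files CLEAN BACKUP: files present in both whose content differs.
list_changed_files() {
    diff -rq "$1" "$2" | grep ' differ$'
    return 0
}

# audit CLEAN BACKUP: run all four checks and print a report.
audit() {
    echo "== Suspicious code patterns in $2"
    scan_suspicious "$2"
    echo "== World-writable files/directories in $2"
    find_world_writable "$2"
    echo "== Added files (not in the fresh copy)"
    list_added_files "$1" "$2"
    echo "== Modified files"
    list_changed_files "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Read the "Modified files" list first: a changed index.php, includes/application_top.php or login.php that you did not edit yourself is the strongest signal, and the grep hits inside those files tell you where to look. Anything world-writable should be set back to 755/644 once the cause is found, including whatever the product-feed cron job touches.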