
Hacker tools to look for


VAZ2121

Posted

Hi

 

I have also been hacked for about 6 months now (on and off).

The following were the hardest to find:

1) In the Root: send_orders.php

2) In /includes/languages/english/cookie_usage.php

All others had crazy names.

 

Ad.1) "send_orders.php"

This one is not a part of the standard OSC installation.

This was also the worst. It's a complete hacker-console specially designed for OSC. It includes a lot of functions to manipulate everything on your site, and your MySQL server. EVERYTHING.

Made by professionals, complete with OSC-logo and all - plug and play, easy to use.

The size is a whopping 36 kb.

Ad.2) "cookie_usage.php"

Is a part of the standard OSC installation.

Was changed to contain PHP-commands to delete/upload/download/update any file and a few more features.

 

The funniest thing is, it's placed in your OSC installation and left for a while. So, when you roll back the installation to a previous backup, it's also there!

 

I have a copy of the hacker-console for those of you, who are developing anti-hacking-SW, OSC-team etc.

 

Take care out there

Posted

I have not found how this got into my OSC.

 

However, it all started with a virus on a web page (I visit a lot of Russian web sites).

The virus was very new (my anti-virus tool found it 1 month later).

Research about this specific virus told me it was stealing usernames + passwords from FileZilla (the FTP upload program I used).

 

So the hackers had 1 month until I knew something was wrong.

At that time, the hackers could have placed a small PHP file that will execute any command (via the EVAL() function) into my OSC.

I guess this is what happened. I kept changing the password, but it did not help, since the small PHP file is able to do anything.

A lot of small PHP files with the EVAL() function appeared.

Later the bigger hacker-console was uploaded (via the small PHP files or via the hidden EVAL's in my modified cookie_usage.php).

 

Yesterday new hacker-consoles were uploaded again. I have no idea how. All my OSC files were valid, and there were no other files present.

The new files are from other hackers; they all have some personal tag.

The new hacker-consoles are just left ready to use, until someone decides to activate them.
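Two defender-side checks for the symptoms described in this post, written as an added example (not osCommerce code and not from the poster): list the PHP files that call eval(), and diff the live document root against a fresh-install copy of the same release to surface extra files such as send_orders.php and modified stock files such as cookie_usage.php. The fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of osCommerce. The fixture below is constructed.

# Print every *.php file under DOCROOT ($1) that contains an eval( call.
# A zero-hit scan makes grep/find return 1, which is not an error here.
scan_for_eval() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(^|[^A-Za-z0-9_])eval[[:space:]]*\(' {} + || [ $? -eq 1 ]
}

# Report files present only in DOCROOT ($2) and stock files whose content
# differs from FRESH ($1), an unpacked copy of the same osCommerce release.
# diff exits 1 when differences exist; only exit 2 (an error) is a failure.
compare_with_fresh() {
    diff -rq "$1" "$2" || [ $? -eq 1 ]
}

# Build a constructed fixture under a temp dir and print its path.
make_fixture() {
    base=$(mktemp -d)
    fresh="$base/fresh"
    live="$base/docroot"
    mkdir -p "$fresh/includes/languages/english" "$live/includes/languages/english"
    printf '<?php echo "shop"; ?>\n' > "$fresh/index.php"
    printf '<?php define("TEXT_INFORMATION", "Cookies"); ?>\n' \
        > "$fresh/includes/languages/english/cookie_usage.php"
    cp "$fresh/index.php" "$live/index.php"
    # Stock file carrying an injected eval() marker, as the post describes.
    printf '<?php define("TEXT_INFORMATION", "Cookies"); $code = ""; eval($code); ?>\n' \
        > "$live/includes/languages/english/cookie_usage.php"
    # Extra file that is not part of the release (marker only, no payload).
    printf '<?php $code = ""; eval($code); ?>\n' > "$live/send_orders.php"
    echo "$base"
}

# Stand-alone demo: build the fixture, run both checks, clean up.
base=$(make_fixture)
echo "== PHP files calling eval() =="
scan_for_eval "$base/docroot"
echo "== differences from fresh install =="
compare_with_fresh "$base/fresh" "$base/docroot"
rm -rf "$base"
```

Run it against a real store as `scan_for_eval /path/to/docroot` and `compare_with_fresh /path/to/fresh-unpack /path/to/docroot`; every hit is a file to inspect or replace from the release archive, as the later reply in this thread advises.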

Posted

What is your anti-virus? I use NOD32 but I can't find any virus or trojan ...

 

I don't think the user and pass were stolen from FileZilla.

 

I logged in to some of my web sites 4-5 months ago and I don't save passwords in FileZilla.

 

I think this is 99% a security bug in OSC.

 

If anyone wants the modified files, tell me to upload these files.

 

 

(excuse me for my bad english)

Posted

The virus I got just started the whole thing. The virus is long gone, and my user + password is safe again.

The hackers put out my user + password + web address on their hacker forums.

NOW, my web site attracts a lot of OSC hackers.

 

I have cleaned my OSC several times, BUT the new attacks MUST be so-called "Injections".

The "Injection" method is a security bug, not only in OSC, but in all web sites based on the PHP script language.

I'm not an expert in Injections, but it happens like this:

You put some parameters (containing the evil code) like this: http://yoursite.com/index.php?="evilcodeandscripts

The evil code is often just something that will inject/upload a small PHP file.

This small PHP file will then help the hacker to upload a larger, more powerful tool.

 

I have installed the contribution "Security Pro". This one checks all parameters and removes suspicious characters.

So far, it works. My OSC has not been attacked.

 

(your english is perfectly understandable :-)

1 month later...
Posted

Should I delete these two files if they exist in my OSC store?

 

1) In the Root: send_orders.php

2) In /includes/languages/english/cookie_usage.php

Best regards,

Koh Kho King

Posted

Should I delete these two files if they exist in my OSC store?

 

1) In the Root: send_orders.php

2) In /includes/languages/english/cookie_usage.php

 
Item #1: Definitely. It is not part of OSC.

 

Item #2: Get a fresh-install copy of that file, delete the existing one, and upload that fresh one.

 

I would then set out to fix any security threats listed in the security threads.
