mstabrey, posted October 26, 2010

Hello all

I have read through some of the threads on this forum, but none quite seem to match what's happening with a site we manage. A few days ago we were hacked into, as there were literally thousands of files, e.g. a34sgs89fs874jksdnas3kjfdjhr with no extension, inside the root catalog folder. Also, there was a file called bak.htm inside the /images folder which redirected users to RAK Bank, along with a few others that clearly should not have been in the images folder.

We went through all the usual things of changing passwords en masse and removing all files we suspected of being malicious. But clearly we haven't got to the bottom of this.

Today, we have found one file called news.txt inside the images folder which has this inside it:

2010-10-25 17:28:41|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=zetas
2010-10-25 18:19:18|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.97|/catalog/images/view.php?page=condom+with+teeth
2010-10-25 18:19:19|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.97|/catalog/images/view.php?page=so+you+think+you+can+dance+winner
2010-10-25 18:48:33|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.97|/catalog/images/news.php?page=fa+community+shield&check=df55dfb866625beada48ff5c5327584e
2010-10-25 18:52:41|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=far+from+the+madding+crowd
2010-10-26 01:39:29|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=billy+madison
2010-10-26 01:40:10|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=ufc+117+start+time
2010-10-26 01:43:47|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=what+channel+is+fox
2010-10-26 01:52:12|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=motocrossed
2010-10-26 02:49:47|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=washington+county+fair+ri
2010-10-26 02:49:54|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=sturgis+2010
2010-10-26 02:50:02|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=crackdown+2+demo
2010-10-26 02:50:09|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=kyle+lowry
2010-10-26 02:50:15|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=haskell+invitational
2010-10-26 02:50:31|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=ipilimumab
2010-10-26 02:50:35|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=cris+cyborg
2010-10-26 02:50:38|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=kendra+wilkinson+sextape+video
2010-10-26 03:14:13|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=get+him+to+the+greek
2010-10-26 04:19:41|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=brennan+eden
2010-10-26 06:17:18|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.119|/catalog/images/news.php?page=ufc+114+rampage+vs.+evans&check=becfc4e65b6e2eafbc82040cf0b70952
2010-10-26 08:17:51|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.119|/catalog/images/page.php?page=lisa+gherardini&check=81fb1aab7cff569b3122d42cfedba06f
2010-10-26 08:48:47|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.119|/catalog/images/news.php?page=dan+haren&check=ed88d74f597a02225a91242133966a31
2010-10-26 08:48:53|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.119|/catalog/images/news.php?page=gallbladder&check=d98e97709a14e69061be4d1ca4796ac0

Also, the root is again filled with all sorts of files looking like a454ja7d65g9ds7f5d8gh98sd6hg8s, along with one file called r.gif.php which has inside it

<?php eval(base64_decode("43tw345gtw45iutgw5tekrfrferkg43 ; ?>

This is not all of the code inside the page - there is so much, it goes on for many pages. And that is the sum total of it.

A starting point I've seen mentioned is that the admin folder name should be changed. Will that not break links inside OSC? Any other ideas anyone?

Many thanks, Martin
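The news.txt above is the attacker's own hit log for the scripts dropped under /images: every entry is a search-engine crawler (Googlebot, Yahoo! Slurp) fetching view.php, news.php or page.php with an unrelated keyword, which is the footprint of spam pages being served to crawlers from the compromised store. The following Python script is an added example, not code from the post or from osCommerce; it parses that pipe-delimited format (timestamp|user-agent|IP|request), skips malformed lines, and aggregates the facts an owner needs for the clean-up: which dropped scripts were hit, by which crawlers, from which addresses, and with which keywords. The sample lines are constructed from the post's own log.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the same pipe-delimited shape as the news.txt quoted in the post:
# timestamp|user-agent|client IP|requested path. The last line is deliberately malformed.
SAMPLE_LOG = """\
2010-10-25 17:28:41|Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)|67.195.113.236|/catalog/images/view.php?page=zetas
2010-10-25 18:48:33|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.97|/catalog/images/news.php?page=fa+community+shield&check=df55dfb866625beada48ff5c5327584e
2010-10-26 02:50:09|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.105|/catalog/images/view.php?page=kyle+lowry
2010-10-26 08:48:53|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|66.249.65.119|/catalog/images/news.php?page=gallbladder&check=d98e97709a14e69061be4d1ca4796ac0
this line is deliberately malformed and must be skipped
"""

# Search-engine crawlers named in the post's log, plus one more common one.
CRAWLERS = {
    "Googlebot": re.compile(r"Googlebot"),
    "Yahoo! Slurp": re.compile(r"Yahoo! Slurp"),
    "Bingbot": re.compile(r"bingbot", re.I),
}

TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d$")


def crawler_name(agent):
    """Map a User-Agent string to a crawler name, or 'other' for ordinary visitors."""
    for name, pattern in CRAWLERS.items():
        if pattern.search(agent):
            return name
    return "other"


def parse_line(line):
    """Split one record into its fields; return None for lines that do not fit the format."""
    parts = line.rstrip("\r\n").split("|", 3)
    if len(parts) != 4 or not TIMESTAMP.match(parts[0]):
        return None
    timestamp, agent, ip, request = parts
    url = urlsplit(request)
    query = parse_qs(url.query)  # parse_qs also turns '+' back into spaces
    return {
        "time": timestamp,
        "agent": agent,
        "crawler": crawler_name(agent),
        "ip": ip,
        "script": url.path.rsplit("/", 1)[-1],   # e.g. view.php, news.php, page.php
        "keyword": query.get("page", [""])[0],
        "check": query.get("check", [None])[0],
    }


def summarize(log_text):
    """Aggregate the records: which dropped scripts were hit, by whom, from where,
    with which keywords, and what share of the traffic came from crawlers."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    crawler_hits = sum(1 for r in records if r["crawler"] != "other")
    return {
        "records": len(records),
        "scripts": Counter(r["script"] for r in records),
        "crawlers": Counter(r["crawler"] for r in records),
        "ips": Counter(r["ip"] for r in records),
        "keywords": sorted({r["keyword"] for r in records}),
        "crawler_share": crawler_hits / len(records) if records else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['records']} records, {summary['crawler_share']:.0%} from search-engine crawlers")
    for key in ("scripts", "crawlers", "ips"):
        print(f"{key}: {dict(summary[key])}")
    print("keywords:", ", ".join(summary["keywords"]))
```

The script names in the "scripts" counter are the ones to search for in the real web-server access log, which (unlike news.txt) also records the non-crawler requests, including the ones that originally placed the files.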
burt, posted October 26, 2010

You need to get to the root of the problem, and the only way to do that is to inspect every file manually. Any non-oscommerce code in any oscommerce file will need to be removed. Obviously you also need to know which files are oscommerce and which are not, and delete any that are not. Once you have done that, lockdown the site so hacks cannot happen again.

> Will that not break links inside OSC?

It will not break links if done correctly.
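Inspecting every file by hand is what the advice above amounts to, and the practical way to do it is to compare the live tree against a clean copy of the same osCommerce release. The Python script below is an added example (not from the post or the osCommerce project): it reads a manifest of "sha256  relative/path" lines such as `sha256sum` produces on a clean install (an assumed input format), then flags every file that is missing from the manifest, differs from it, carries a random extension-less name in the store root, is a PHP script inside the images folder, or contains an `eval()` of an obfuscated payload. The demo tree it builds is constructed, modelled on the file names described in the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# What the post describes: eval() of obfuscated payloads (r.gif.php) and thousands
# of extension-less random names dropped in the store root.
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")
MAX_SCAN_BYTES = 2_000_000  # do not grep huge binaries for eval()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text):
    """Parse 'digest  relative/path' lines (sha256sum format) taken from a clean install."""
    manifest = {}
    for line in text.splitlines():
        digest, sep, rel = line.strip().partition("  ")
        if sep:
            manifest[rel] = digest
    return manifest


def triage(root, manifest):
    """Return [(relative_path, [reasons])] for every file that needs a human look."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        expected = manifest.get(rel)
        if expected is None:
            reasons.append("not in clean manifest")
        elif expected != sha256_of(path):
            reasons.append("differs from clean manifest")
        if path.parent == root and RANDOM_NAME.match(path.name):
            reasons.append("random extension-less name in store root")
        if path.suffix.lower() == ".php" and "images" in path.relative_to(root).parts:
            reasons.append("PHP script inside images folder")
        if path.stat().st_size <= MAX_SCAN_BYTES and OBFUSCATED_EVAL.search(path.read_bytes()):
            reasons.append("eval() of obfuscated payload")
        if reasons:
            findings.append((rel, reasons))
    return findings


def build_demo():
    """Constructed store tree: two clean files with a manifest, then the kinds of
    tampering and drops the thread describes (all contents are placeholders)."""
    root = Path(tempfile.mkdtemp(prefix="osc-triage-"))
    (root / "images").mkdir()
    clean = {
        "index.php": b"<?php require('includes/application_top.php'); ?>\n",
        "images/logo.gif": b"GIF89a constructed placeholder\n",
    }
    for rel, body in clean.items():
        (root / rel).write_bytes(body)
    manifest_text = "".join(f"{sha256_of(root / rel)}  {rel}\n" for rel in clean)
    with open(root / "index.php", "ab") as fh:  # injection into a legitimate file
        fh.write(b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n')
    (root / "a34sgs89fs874jksdnas3kjfdjhr").write_bytes(b"constructed doorway content\n")
    (root / "images" / "r.gif.php").write_bytes(
        b'<?php eval(gzinflate(base64_decode("constructed"))); ?>\n')
    (root / "images" / "view.php").write_bytes(b"<?php /* constructed page generator */ ?>\n")
    return root, manifest_text


def demo_findings():
    root, manifest_text = build_demo()
    return dict(triage(root, load_manifest(manifest_text)))


if __name__ == "__main__":
    for rel, reasons in demo_findings().items():
        print(f"{rel}: {'; '.join(reasons)}")
```

Everything the script flags still needs a human decision (a customised template legitimately differs from the manifest), but the list is short and it catches the two cases hand inspection misses most: a small `eval()` appended to an otherwise genuine file, and a dropped script that looks like an image because of its double extension.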
mstabrey (topic author), posted October 26, 2010

> You need to get to the root of the problem, and the only way to do that is to inspect every file manually. Any non-oscommerce code in any oscommerce file will need to be removed. Obviously you also need to know which files are oscommerce and which are not, and delete any that are not. Once you have done that, lockdown the site so hacks cannot happen again. It will not break links if done correctly.

Thanks for the response, but going through every file doesn't really sound like a practical solution. Easier to remove the shop and re-install, surely. And how would I correctly not break links to the admin folder?

Mart
germ, posted October 26, 2010

Looks like a variation of this hack

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
mstabrey (topic author), posted October 27, 2010

> Looks like a variation of this hack

Not a variation at all - the precise thing! In your link you mention "This would seem to be another affirmation to rename your admin and shelter it with a .htaccess file." Please explain to me, in layman's terms, what I need to do. Renaming the admin folder seems easy enough (although I'm worried about breaking links from files to that folder). It's the .htaccess file I'm clueless about.

Thanks for your helpful response!

Mart
mdtaylorlrim, posted October 27, 2010

> Not a variation at all - the precise thing! In your link you mention "This would seem to be another affirmation to rename your admin and shelter it with a .htaccess file." Please explain to me, in layman's terms, what I need to do. Renaming the admin folder seems easy enough (although I'm worried about breaking links from files to that folder). It's the .htaccess file I'm clueless about. Thanks for your helpful response! Mart

The .htaccess file is very versatile. It can do many things. Most of the things you can simply put code in the file. However, to use it to create a password on a directory requires command line access. So, the makers of cPanel have made it an item on the cPanel simply called Password Protect Directory, or Directory Security. When you follow the instructions there to password protect a directory it is simply creating an .htaccess file for you.

Community Bootstrap Edition, Edge Avoid the most asked question. See How to Secure My Site and How do I...?
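What cPanel's "Password Protect Directory" writes for you is two files: a `.htaccess` in the protected folder with Apache's Basic-authentication directives, and a `.htpasswd` credential file kept outside the document root. The Python script below is an added example (not from the post, cPanel or osCommerce) that produces the same pair so the mechanism is visible. It writes the credential in Apache's `{SHA}` format, which is what `htpasswd -s` produces; the directory names are constructed, and the check that the password file lies outside the web root is the one mistake worth guarding against, because a credential file inside the web root can be downloaded like any other file.

```python
import base64
import hashlib
import tempfile
from pathlib import Path


def htpasswd_line(user, password):
    """One .htpasswd entry in Apache's {SHA} format (base64 of the raw SHA-1 digest)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htaccess_text(passwd_file, realm="Store administration"):
    """Apache directives that put HTTP Basic authentication in front of a directory."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {passwd_file}",   # must be an absolute path
        "Require valid-user",
        "",
    ])


def protect_directory(web_root, admin_dir, passwd_file, user, password):
    """Write .htaccess into admin_dir and the credential into passwd_file.
    Refuses to place the credential file anywhere under the document root."""
    web_root, admin_dir, passwd_file = (Path(p).resolve() for p in (web_root, admin_dir, passwd_file))
    if web_root in passwd_file.parents:
        raise ValueError("keep the password file outside the document root so it can never be served")
    passwd_file.write_text(htpasswd_line(user, password) + "\n")
    passwd_file.chmod(0o600)  # readable by the web server's user only
    htaccess = admin_dir / ".htaccess"
    htaccess.write_text(htaccess_text(passwd_file))
    return htaccess


def demo():
    """Constructed layout: public_html is the web root, the renamed admin folder sits
    under catalog/, and .htpasswd lives one level above public_html."""
    base = Path(tempfile.mkdtemp(prefix="osc-htaccess-"))
    web_root = base / "public_html"
    admin = web_root / "catalog" / "adminmaps"
    admin.mkdir(parents=True)
    htaccess = protect_directory(web_root, admin, base / ".htpasswd", "admin", "password")
    return htaccess.read_text()


def rejects_passwd_inside_webroot():
    """True if protect_directory refuses a credential file placed under the web root."""
    base = Path(tempfile.mkdtemp(prefix="osc-htaccess-"))
    admin = base / "public_html" / "catalog" / "adminmaps"
    admin.mkdir(parents=True)
    try:
        protect_directory(base / "public_html", admin, admin / ".htpasswd", "admin", "password")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

On an Apache that supports it (2.4.4 and later), `htpasswd -B` writes bcrypt entries instead of unsalted `{SHA}` ones and is the better choice; the `.htaccess` side is identical. Renaming the admin folder and putting this in front of it does not remove whatever let the attacker in, which is why the file clean-up comes first.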
germ, posted October 27, 2010

Tips on renaming the admin folder without breaking your site here
mstabrey (topic author), posted October 28, 2010

> Tips on renaming the admin folder without breaking your site here

Thanks for the link, but it doesn't work for me.

Changed my admin folder to adminmaps

Then changed these two lines inside configure.php in the adminmaps folder -

define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/usr/www/users/themap/catalog/admin/');

to

define('DIR_WS_ADMIN', '/catalog/adminmaps/');
define('DIR_FS_ADMIN', '/usr/www/users/themap/catalog/adminmaps/');

When I try to access the shop admin it keeps saying an error has occurred. I then renamed them back to admin and everything worked fine.

What am I doing wrong?

Mart
geoffreywalton, posted October 28, 2010

If you post the entire error message it might help the less psychic amongst us work out what is wrong :-)

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile Virus Threat Scanner My Contributions Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads.
mstabrey (topic author), posted October 28, 2010

> If you post the entire error message it might help the less psychic amongst us work out what is wrong :-) G

This is the full message that appears on screen - "An error has occurred". I think that's just about what I said in my previous message :-)

Mart
geoffreywalton, posted October 28, 2010

Can't see anything wrong there. If it is not that, could it be an htaccess thing?

G
This topic is now archived and is closed to further replies.