Oscommerce Security - Osc_Sec.php

[mountainski]

As this has gone on so long now we are forced to lay off the staff now. as just too much down time while developers try to fix the os commerce site there has now been 5 developers in total !!

[Taipo]

osC_Sec is an addon that will protect the site from attacks directed at the osCommerce code. However it will not protect your site against attacks levelled from files still resident in your site from before the site was protected with osC_Sec or before you updated to 2.3.1.

 

It appears to me then as I have said a few times already, that you still have attack files in your websites file repositories that are being used to internally add malicious code to your site. I say this assuming a number of things, but from information you have given, that is what I am able to determine.

 

Yours is not a unique situation, it has been the nightmare of millions of osCommerce users who did not update their sites in time. See: http://www.oscommerce.com/forums/topic/378148-38-million-infected-pages-willysy-targets-oscommerce-22-sites/ at the time that stat was put out, 3.8 million sites were infected with a similar type of attack that yours received. Since then it seems from those stats that only about 600,000 have bothered to patch their sites correctly because Google search still shows 3.2 million infected by that iFrame attack.

 

That iFrame attack is carried out in exactly the same manner as the one plaguing your site. Attackers able to exploit files already resident in websites that allow them full access to be able to insert iFrame code. Most have probably upgraded their sites, added security such as osC_Sec, IP Trap and more, but failed to remove the original offending files, which then has allowed those sites to be infected over and over again by automated attack servers that troll through google search results daily and reinfect sites who have not been properly cleaned up.

 

I cannot help you any further other than to give you that advice, and while I feel for your situation, there is nothing I can do to help you any more than what I have done so far.

 

As I said, if you have hired developers from these forums or anywhere else that are crap at their job, and, have refused to fix their mess up, then go start a discussion thread somewhere in these forums and bring that issue up. This discussion thread is about the addon called osC_Sec, not about bad developers or how bad you think version 2.3.1 of osCommerce is.

 

However if these 5 developers you hired are willing to fix their mess up then get them to read through this part of the discussion and read the bits I have highlighted in bold text.

 

Many security focussed people think that cleanup begins with adding security addons, it doesnt. As many of the regulars here have repeated over and over again, if you are upgrading, start again completely. Clean your site right out. Only import images back in to the new site, download new copies of addons and templates as there is a high chance that the old ones may contain worm code. etc etc etc.

 

There is no addon around, including osC_Sec, that can protect your site from shellcode files that are still resident in the publicly accessible side of your websites file directories.

[mountainski]

For those with similar problems.Here is just some of the info supplied from hosting company from a site made live last night and malware attack immediate:

 

 

You site is being compromised through an exploit in your OS Commerce installation. Below you will find the logs from the server showing this.

 

Please be aware that we only provide the hosting for the site. The content that you put on it is your responsibility and you should make sure that it is secure and up to date.

 

If you are not prepared to secure your site then we will have not option but to suspend your hosting permanently and you will have to look for hosting elsewhere. The security of our servers must always come first.

 

31.133.43.125 - - [24/Oct/2011:13:48:33 +0100] "GET /admin/login.php?osCAdminID=6eb638437c4898769ac80d101198e50e HTTP/1.1" 200 3843 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=119&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:34 +0100] "GET /admin/configuration.php?gID=10&cID=120&osCAdminID=bb3e39d522380d20996992cdb69d78c3 HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=120&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:33 +0100] "GET /admin/configuration.php?gID=10&cID=119&osCAdminID=6eb638437c4898769ac80d101198e50e HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=119&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:37 +0100] "GET /admin/login.php?osCAdminID=f50031ce6fbb1e14b365961c9194fe20 HTTP/1.1" 200 3843 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=118&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:39 +0100] "GET /admin/login.php?osCAdminID=2799ec0abf1b0b7df13510daeaf02518 HTTP/1.1" 200 3892 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=121&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:35 +0100] "GET /admin/login.php?osCAdminID=bb3e39d522380d20996992cdb69d78c3 HTTP/1.1" 200 4000 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=120&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:37 +0100] "GET /admin/configuration.php?gID=10&cID=118&osCAdminID=f50031ce6fbb1e14b365961c9194fe20 HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=118&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:42 +0100] "GET /admin/configuration.php?gID=10&cID=122&osCAdminID=06fc09a7c69e744c2c7fe1fcd1051070 HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=122&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:44 +0100] "GET /admin/login.php?osCAdminID=06fc09a7c69e744c2c7fe1fcd1051070 HTTP/1.1" 200 4055 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=122&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:38 +0100] "GET /admin/configuration.php?gID=10&cID=121&osCAdminID=2799ec0abf1b0b7df13510daeaf02518 HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=121&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:51 +0100] "GET /admin/configuration.php?gID=10&cID=120&osCAdminID=2115b3dd5237a959e296817ae5228ddf HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=120&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:50 +0100] "GET /admin/login.php?osCAdminID=0771d1ae70c205d280ab155d94e7aece HTTP/1.1" 200 4055 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=119&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:50 +0100] "GET /admin/configuration.php?gID=10&cID=119&osCAdminID=0771d1ae70c205d280ab155d94e7aece HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=119&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:50 +0100] "GET /admin/login.php?osCAdminID=2115b3dd5237a959e296817ae5228ddf HTTP/1.1" 200 4055 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=120&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:53 +0100] "GET /admin/configuration.php?gID=10&cID=118&osCAdminID=b02c4c8917089cb7db31df69dab8e37c HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=118&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:54 +0100] "GET /admin/configuration.php?gID=10&cID=121&osCAdminID=436e9abc6dbf5a0b7f6c7f62c63fe39d HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=121&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:53 +0100] "GET /admin/login.php?osCAdminID=b02c4c8917089cb7db31df69dab8e37c HTTP/1.1" 200 4000 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=118&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:57 +0100] "GET /admin/configuration.php?gID=10&cID=122&osCAdminID=d53db9a2fa044b7c0baa3c5149884900 HTTP/1.1" 302 376 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=122&act

ion=save" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:55 +0100] "GET /admin/login.php?osCAdminID=436e9abc6dbf5a0b7f6c7f62c63fe39d HTTP/1.1" 200 3843 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=121&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

31.133.43.125 - - [24/Oct/2011:13:48:57 +0100] "GET /admin/login.php?osCAdminID=d53db9a2fa044b7c0baa3c5149884900 HTTP/1.1" 200 3976 "http://yoshkar-ola-gifts.com/admin/configuration.php/login.php?gID=10&cID=122&action=save" "Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

[Taipo]

All that above might look impressive to you but it is nothing more than what I have been telling you right from the start of your repeated spamming this thread.

 

There is a file in your sites somewhere that is allowing attackers to add iFrame code to your osCommerce files. Find it and remove it FFS.

[mountainski]

Taipo

 

if i am spamming this thread THEN REMOVE ALL MAILS AND CONTACT DETAILS WITH IMMEDIATE EFFECT !!!!!!!!!!!!!!

[Taipo]

How would I be able to do that Kevin. You must assume I am a moderator of these forums which I am not. You also assume that this particular thread is a general discussion about sites being hacked which if you even for a minute bothered to check you would find out that it is not. It is a discussion about a specific addon to osCommerce called osC_Sec, not a bitch session about how you cannot find someone to fix your site for you.

 

You really need start your own discussion thread about your particular website issues. Click here to start your own discussion. Do it please and stop spamming this thread. I won't ask you again.

[Taipo]

Having just had a quick look at your site I can see the following inconsistencies to your claims.

 

- Firstly you are not using version 2.3.1, you are still using 2.2RC2

- Secondly there are almost no attempts at all to protect your site using any of the suggestions others have repeated posted into these forums over and over again

- Thirdly you do not have osC_Sec installed or it is at least not installed correctly

 

Therefore that is why your site is wide open to attackers to install whatever hack code they wish and not because of any of the claims you have spammed above.

[Taipo]

Your own discussion thread Kevin

http://www.oscommerce.com/forums/topic/380836-y-ola-site-hacked/

[mountainski]

so whats this then in the admin file:

 

<?php

/*

$Id$

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2010 osCommerce

 

Released under the GNU General Public License

*/

[Taipo]

Kevin

 

Discuss your website woes at the new discussion I made for you

http://www.oscommerce.com/forums/topic/380836-y-ola-site-hacked/

 

You need to stop spamming this thread NOW.

[Guest]

Hi Taipo,

My site was recently hacked and trying to implement the updates. This seems a bit silly, but I don't have a login.php in the admin folder. I'm using CRE loaded, so perhaps it handles this differently? Any advice on how to implement the fix if I'm using a version without a admin/login.php?

Thanks.

[Taipo]

What is the name of the page that you use to log in on the admin side of the site?

[Guest]

Well, I think I have very old version of oscommerce..<?php

/*

$Id: configuration.php,v 1.43 2003/06/29 22:50:51 hpdl Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

I only use .htaccess file for logging in.

[Taipo]

Well the best advice I could give you would be to upgrade your site to the latest Creloaded.

 

You can still install osC_Sec in the application_top.php files as per the instructions but I suppose the optional additional code in the readme is not applicable since it is aimed at the login process.

 

Many of those prepackaged versions of osCommerce also did things like have FCKEditor installed on the catalog side of the site and not behind the admin directory. FCKEditor left unprotected by htaccess has a flaw in at least earlier versions that allows attackers to upload files which are later used to exploit your site.

 

Using htaccess <LIMIT> directive to ban all IPs other than your own to the admin directory is vulnerable on some webservers to be bypassed.

 

If possible it is best used without the <LIMIT></LIMIT> directives at all by just using the deny from all and allow from your IP lines without being wrapped in the LIMIT directive.

 

If that does not work or throws an error then leave the <LIMIT> directive wrapped around the deny code and just make sure that $nonGETPOSTReqs is enabled in osc.php

 

There are many flaws in the earlier versions of osCommerce prior to when someone started thinking about having a login page. osC_Sec is not specifically geared to deal with those particular issues nor has it been thoroughly tested on packaged versions of osCommerce other than osCommerce 2.2RC..., 2.3.1 and Digistore 4.1, but it has been lightly tested on the other prepackaged versions like Tomatocart and Creloaded and even Zencart from memory.

 

In general though it is a good general security addon that can make life rather difficult for attackers that have not already preseeded your site with shellcode.

[Guest]

Good to know...thanks for the detailed information, Taipo.

[Taipo]

osC_Sec 4.1[r1]

Whats New?

- Updated the file injection section

- Removed blacklist items that clash with the way some addons use GET instead of POST as a method of processing input data in forms.

- Added the Quickpay 3rd party payment addon to the IPBypass code

- The ban bad spiders feature is now optional for new installs

- Fixed a bug in the IP address detection code

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

[Taipo]

Apologies for the second update in one day. It seems there is a raft of database injections beginning to be targetted at osCommerce sites so some of these changes below reflect the types of attacks coming in.

 

osC_Sec 4.1[r2]

Whats New?

- Fixed an issue where code had become wrapped

- Removed a getShield blacklist item that could cause a false positive

- More hardening of the SQL Injection protection

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

[ecommforum]

Thanks for the contribution it seems really good...and nice support...I have oscommerce 2.3.1 and I will try to use it...but I have a doubt...could you please tell what should I do with the style.css file in the osc_sec, I didnt see anything about it in the installation manual of this addon...sorry I'm kind of new in oscommerce.

 

Thanks a lot in advance

[ecommforum]

Ohh sorry just one more question...in case I have any problem with any add-on...which option should I disable to keep the things I have so far...Thanks again

[Taipo]

Just upload the files in the /includes/ directory into your websites /includes/ directory. The style.css file is just for the readme.htm file.

 

Depending on which addons you have, these are the two that will have issues if there are any.

 

 $GETcleanup = 0;			    # 1 = Clean up $_GET variables, 0 = don't cleanup. If you use FWR_SECURITY_PRO then you can set this to not 0.
 $osCSpamTrap = 0;			   # 1 = Demand visitor browsers understand javascript on selected input pages, 0 = disable the check ( see readme.htm for more info )

 

If you are not sure, just leave those two set to 0 in osc.php.

 

The other settings will not clash with other addons.

[ecommforum]

Just upload the files in the /includes/ directory into your websites /includes/ directory. The style.css file is just for the readme.htm file.

 

Depending on which addons you have, these are the two that will have issues if there are any.

 

 $GETcleanup = 0;				# 1 = Clean up $_GET variables, 0 = don't cleanup. If you use FWR_SECURITY_PRO then you can set this to not 0.
 $osCSpamTrap = 0;			   # 1 = Demand visitor browsers understand javascript on selected input pages, 0 = disable the check ( see readme.htm for more info )

 

If you are not sure, just leave those two set to 0 in osc.php.

 

The other settings will not clash with other addons.

 

Thank you...I will try

[Taipo]

osC_Sec 4.1[r3]

Whats New?

- Code cleanup

- Tweaked the flood protection settings in $osCSpamTrap

- More additions to the database Shield

- dbShield() now checks all server requests for sql injection attempts

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

[Taipo]

osC_Sec 4.1[r5]

Whats New?

- More work on the dbShield() to prevent false positives and catch more injection attempts

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

[albe]

Hi,

 

have question. We use a oscommercial internet shop. From the beginning I had help from a guy to make all the installation work. Now he moved far away and can not assist me anymore. My problem is the shop is infected with maleware. To stop the development the shop is "parked" now. I would need some professional help, cleaning the shop and get back safely on the air, Do you have any suggestion? Thanks in advance.

 

Ralf

[Taipo]

No doubt there are a number of people that frequent these forums that would be able to offer their services to you to clean out your site files. Obviously I also suggest than when your site is cleaned out that you install osC_Sec .There are a number of other security layers you can add in as well including protecting the admin directory from unauthorized access.