djp-at
Posted April 28, 2011

Version OSC 2.2-MS2

We have had several sites using this version lately come to us hacked. We have taken all of the usual steps to prevent the hacks, including osc_sec install, admin folder rename, etc., but we keep finding these same sites hacked over and over again. They are adding a php append into the htaccess file, and then adding a thumbs.db file, which includes encrypted code which forwards a user to download a trojan.

Any help please...

Professionally Done Module Installs Custom Modules Support USA Coders. And Get The Job Done Right!

Xpajun
Posted April 28, 2011

An extensive clean up of the sites, removing all non-osC files, applying all the security patches to each store or upgrading each to 2.3.1, then apply the extra security.

It is no good trying to prevent hacks after you've been hacked because you can be sure the hacker has left loads of back doors to get back in again, circumventing the security you have added.

Think stable door and horses bolting!

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary.

djp-at (Author)
Posted April 28, 2011

The sites were totally cleaned, I have gone through each and every file, and I applied all the security patches, and it happened again. I deal with hacks on oscommerce stores every day for the last 3 years, and these are the first of this kind that I have seen. I assume it's a new hack.

Guest
Posted April 28, 2011

Darryl,

MS2.2 was coded for use with PHP 4 and therefore did not have a strong infrastructure compared to more recent releases. As Julian stated, the hacker has more than likely uploaded or embedded back doors into your site. Because your site is out of date, the best solution would be to create a new site using v2.3.1 and then add the appropriate security contributions.

Chris

Taipo
Posted April 29, 2011

Yes, the issue with some of the types of attacks, especially when targeted at webservers where PHP has owner permissions, is that the upload file code can be hidden just about anywhere. Even worse if you are running several websites under one virtualhost login.

The particular attack you refer to is an old one that has been around on the net forever. Whenever a script is found to be vulnerable to file uploads (which oscommerce version 2.2.1 is unless it was first patched), attackers will reset that particular attack to target the vulnerable file upload function to get their code onboard, then use it over and over and over again to append more virus code into your site, overwrite the htaccess files and a lot lot more.

Osc_Sec.php cannot prevent attackers using files or code resident in your site files to add malicious code into files like htaccess; they (htaccess for example) are not called from application_top.php.

The only real solution is to go through every file with a fine tooth comb and remove any of the upload code that has been appended in there that is allowing them to do this type of attack. But again you only need to miss one code set and it won't take long before the code installing type attacks add it all back in again.

I would take stock of the amount of time if I were you, that you have put in trying to shore up your site and then consider the option that DunWeb is suggesting, as that will most certainly be a painful exercise being that you have multiple sites, but once it's done, then that will be the end of the attacks.

Either that or hire someone to go through your site and root out the offending upload code, which if it is a heavily modded site, or in this case, multiple sites, that would be quite a task.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
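
The two traces reported at the top of this thread (a PHP append line in .htaccess and PHP code stored in a thumbs.db file) can be searched for across a web root before the file-by-file review begins. The script below is an added example, not part of the original thread and not code from osC_Sec; it assumes the "php append" is a php_value auto_append_file (or auto_prepend_file) directive, and its function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the "php append" is php_value auto_append_file/auto_prepend_file.
# Handler directives that map other file types to PHP are flagged as well.
HTACCESS_RE = re.compile(
    rb"^\s*(?:php_value\s+auto_(?:append|prepend)_file\b.*"
    rb"|(?:AddType|AddHandler|SetHandler)\b.*php.*)$",
    re.IGNORECASE | re.MULTILINE)
PHP_TAG_RE = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
PHP_EXTS = {".php", ".inc", ".phtml"}  # extensions expected to hold PHP

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(2_000_000)  # cap the read on very large files
            if name == ".htaccess":
                for m in HTACCESS_RE.finditer(data):
                    line = m.group(0).strip().decode("latin-1")
                    findings.append((rel, "htaccess directive: " + line))
            elif os.path.splitext(name)[1].lower() not in PHP_EXTS:
                if PHP_TAG_RE.search(data):
                    findings.append((rel, "PHP code in non-PHP file"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a tampered .htaccess and a fake thumbs.db."""
    os.makedirs(os.path.join(root, "images"))
    files = {
        ".htaccess": b"Options -Indexes\nphp_value auto_append_file images/thumbs.db\n",
        "images/thumbs.db": b"<?php /* constructed placeholder, no payload */ ?>",
        "index.php": b"<?php echo 'store'; ?>",
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_webroot(tmp):
            print(rel, "->", reason)
```

The scan only flags these two traces. Upload code appended inside legitimate .php files, which the posts above warn about, still has to be found by comparing each file against a clean copy of the same osCommerce release.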
Archived
This topic is now archived and is closed to further replies.