samstones Posted May 11, 2011

Hello, I hope someone can help. I presume this must have happened before, but I can't find anything using the search...

I've just discovered that one of our web sites was hacked last weekend, and the "payment modules" were altered. Basically, they turned them all off, bar PayPal. They then changed the PayPal "payments to" email address from our one to their own. The objective being that we get an order, but they get the payment.

Luckily PayPal's systems picked up on this and no money has been lost, but I need to find out how they got in, and what else they changed (if anything!).

All ideas welcome... TIA
Guest Posted May 11, 2011

Sam,

Read these two security threads: Admin Security and Website Security.

Chris
samstones (author) Posted May 11, 2011

Hello, thanks for the reply. I'd done most of these some time ago; I've just added the htaccess to the admin folder as another level of security and am going through changing passwords.

Is there any way I can tell how they got in? I can't find anything else edited other than this.
Guest Posted May 11, 2011

Sam,

Perhaps this exploit: http://www.oscommerce.com/forums/topic/372970-malware-cookie-usagephp-explained/

Chris
Taipo Posted May 12, 2011

"but I need to find out how they got in, and what else they changed (if anything!)"

Assuming the hack was the admin bypass, the attackers probably uploaded some files into one of the directories on your site, which allowed them to use those attack files to append code to site files. This means you will need to clean your site right up. If you are familiar with site code you will need to go through your site pages and look for:

1/ added files,
2/ code that has been added to site files, and
3/ you should patch the $PHP_SELF exploit, commonly known as the admin bypass exploit, which allowed them in in the first place.

I wrote a little addon called osC_Sec, link in my signature, which contains the patch as well as a number of other security fixes for osCommerce 2.2.x versions. That will also help.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
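Taipo's steps 1/ and 2/ (find added files and code appended to existing files) come down to comparing the current web root against a known-good copy. The script below is an added example, not code from this thread, from osC_Sec or from osCommerce: it records a sha256 manifest of every file under a directory and later reports each file as ADDED, MODIFIED or REMOVED. It assumes a POSIX sh with coreutils (find, sha256sum, sort, comm, cut); the directory tree in demo() is constructed here as a stand-in for a shop's document root, and the file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from osCommerce): a minimal
# file-integrity baseline for a web root, to spot files that were added,
# changed or removed after an incident. Assumes POSIX sh + coreutils.
export LC_ALL=C   # fixed collation so sort and comm agree on ordering

# hash_tree DIR: "<sha256>  <relative path>" for every regular file, sorted.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort
}

# make_baseline DIR MANIFEST: record the known-good state. Run this on a
# clean install or restore, and keep MANIFEST outside the web root.
make_baseline() {
    hash_tree "$1" > "$2"
}

# compare_baseline DIR MANIFEST: print one line per difference:
#   ADDED <path>     file not in the baseline (e.g. an uploaded attack file)
#   MODIFIED <path>  same path, different content (e.g. appended code)
#   REMOVED <path>   baseline file that no longer exists
compare_baseline() {
    dir=$1; base=$2
    tmp=$(mktemp -d)
    hash_tree "$dir" > "$tmp/now"
    # sha256sum lines are 64 hex chars, two spaces, then the path.
    cut -c67- "$base" | sort > "$tmp/base_paths"
    cut -c67- "$tmp/now" | sort > "$tmp/now_paths"
    # Lines present now but absent from the baseline: new path or new content.
    comm -13 "$base" "$tmp/now" | cut -c67- | while IFS= read -r p; do
        if grep -qxF -- "$p" "$tmp/base_paths"; then
            echo "MODIFIED $p"
        else
            echo "ADDED $p"
        fi
    done
    # Baseline paths that no longer exist at all.
    comm -23 "$tmp/base_paths" "$tmp/now_paths" | while IFS= read -r p; do
        echo "REMOVED $p"
    done
    rm -rf "$tmp"
}

# demo: constructed tree standing in for a shop's document root (placeholder
# names), baselined, then tampered with the way the thread describes.
demo() {
    root=$(mktemp -d)
    manifest=$(mktemp)
    mkdir -p "$root/includes/modules/payment" "$root/images"
    echo '<?php $paypal_id = "shop@example.com"; ?>' > "$root/includes/modules/payment/paypal.php"
    echo '<?php // checkout ?>' > "$root/checkout_process.php"
    echo 'gif' > "$root/images/logo.gif"
    make_baseline "$root" "$manifest"
    # Simulated tampering: payment module edited, a file dropped in images/, one file deleted.
    echo '<?php $paypal_id = "attacker@example.net"; ?>' > "$root/includes/modules/payment/paypal.php"
    echo '<?php // unexpected file ?>' > "$root/images/upload.php"
    rm "$root/images/logo.gif"
    compare_baseline "$root" "$manifest"
    rm -rf "$root" "$manifest"
}
```

Usage on a real site is `make_baseline /path/to/htdocs /safe/place/baseline.txt` when the site is known clean, then `compare_baseline /path/to/htdocs /safe/place/baseline.txt` after anything suspicious. If no baseline was taken before the incident, hashing a pristine copy of the same osCommerce release plus your own customisations serves the same purpose. Note that this covers only files; the PayPal "payments to" address in the first post lives in the database, so the configuration table needs its own check.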
Geotex Posted May 13, 2011

One other thing you need to specifically check is the PayPal payment module you are using. If you have one called paypal.php, which came standard at least up through 2.2ms2 060817, you must replace it with a paypal_ipn.php module. I found on several sites that even without any other known intrusions, that module could have the PayPal payment address changed. Look in the contributions; one should be there. When installed, it works the same as the older PayPal modules.

George
GEOTEX from Houston, TX (George)