mongoled
Posted May 12, 2011

Hi,

we have an OSCommerce website using version 2.3.1.

I noticed when logging into the admin control panel that a request was being made to the domain kusto11.com.

After googling I came across this:

http://www.kahusecurity.com/2011/javascript-obfuscation-using-colors

Lo and behold, most of the files in the admin directory had been modified and the javascript code shown in the link above had been inserted into many files.

Before this had happened, the admin directory had been renamed and the directory is password protected; standard security measures were put into place (those posted on here in the forums) when the site was first set up.

We also have Security Pro 2.0 installed.

Does anybody have any idea how this hack is being applied? I am suspecting it's via an addon.

Can anyone suggest a methodology they use to pinpoint such an attack?

Thanks

Guest
Posted May 12, 2011

Andrew,

As there are NO known security issues with v2.3.1, I am going to suggest you check your hosting provider for possible server vulnerabilities.

Chris
mongoled Posted May 12, 2011 Author Share Posted May 12, 2011 Andrew, As there are NO known security issues with v2.3.1, I am going to suggest you check your hosting provider for possible server vulnerabilities. Chris Hi Chris thanks for your response! it could be from an addon, ive ran some security checks on our server and nothing came up. The server is fully patched and we have not has any unforseen problem with it recently (touch wood!) I am presently going through our log files to see if I can spot anything as we know the date the files were modified. Even the 'sitemonitor' files were effected Link to comment Share on other sites More sharing options...

Taipo
Posted May 13, 2011

The few thoughts that come to mind are:

- did you have an earlier version of the website using osCommerce 2.2.x prior to 2.3.1.
- are there any other scripts like wordpress or forums or some other blog script also running on the server.
- can you give us a list of addons that you are using.
- have any of the sites you run before ever been hacked, or have you ever browsed to an osCommerce site that was infected with the javascript infection.
- do you keep your antivirus up to date.

The reason I ask is that in the past I have worked with some site owners who experienced the same thing and it was one or more of those issues above that was the cause.

I would also suggest that after you have cleaned up that you install osC_Sec as well (link in my signature); that may help you nab any further attempts to exploit your site.

Just for your own information I would also suggest you read through this discussion and try out the file permissions test. This will help determine whether the attack could possibly have been launched from another virtual host on the server, or narrow it down to having come from within your own web directories.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
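
An added example, not part of any post in this thread: one way to do the triage mongoled describes, starting from the known modification date. It lists web files whose mtime falls inside a time window, then pulls the POST requests logged just before the first change. The Apache combined log format, the function names, the date and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" access log line (assumed format): ip, timestamp, method, URL, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def changed_files(root, start, end, exts=(".php", ".js", ".html")):
    """Return (path, mtime) for web files under root whose mtime lies in [start, end]."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                hits.append((path, mtime))
    return sorted(hits, key=lambda h: h[1])  # earliest change first

def requests_before(log_lines, when, window=timedelta(minutes=10)):
    """Return POST requests logged in the `window` leading up to `when`."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, stamp, method, url, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and when - window <= ts <= when:
            out.append((ts, ip, url, int(status)))
    return out

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2011:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2011:03:15:40 +0000] "POST /some_addon/upload.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/May/2011:09:00:00 +0000] "POST /checkout.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    day = datetime(2011, 5, 10, tzinfo=timezone.utc)  # constructed date
    files = changed_files(".", day, day + timedelta(days=1))
    for path, mtime in files:
        print(mtime.isoformat(), path)
    if files:
        for hit in requests_before(SAMPLE_LOG, files[0][1]):
            print(hit)
```

Whoever changed a file can also reset its mtime, so compare the listing against a clean copy of the osCommerce release as well.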
Archived
This topic is now archived and is closed to further replies.