Guest Posted May 31, 2011

I can suddenly no longer login as a customer or even into admin. It does process the password, as I get an error if I enter a wrong password. Entering the correct one just takes me back to the login screen. Not sure where to go from here.

Keith

Guest Posted May 31, 2011

Keith,

If you can post your URL we will better be able to help you. If you don't want to post the url here, you can PM it to me.

Chris

Guest Posted May 31, 2011

> Keith,
> If you can post your URL we will better be able to help you. If you don't want to post the url here, you can PM it to me.
> Chris

http://www.k-wbookworm.com/catalog/

Guest Posted May 31, 2011

Keith,

Your website has been hacked! Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.
2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64', 'eval', 'decode'.
3) Delete the files on your hosting account before uploading the clean files.
4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.
5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE.
6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444.
7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'.
8) Remove the .htaccess password protection so your customers can resume making purchases from your website.
9) Monitor your website using the newly installed contributions to prevent future hacker attacks.
10) If you feel you cannot perform any of the above steps, you should seek professional help to ensure all malware is removed.

Chris

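The checks in steps 2 and 6 of the list above, as an added shell example that is not part of the original thread. It assumes GNU grep and GNU find and a local copy of the store; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 2 and 6 of the cleanup list, run on a local copy.
# Assumes GNU grep and GNU find. Function names are hypothetical.

# Step 2: list PHP files containing any keyword named in the post.
# A hit is a lead for manual review, not proof: stock code uses these too.
scan_keywords() {
    grep -rlEi --include='*.php' 'base64|eval|decode' "$1" | sort
}

# Step 6: list entries whose rwx bits exceed the stated limits
# (directories 755, files 644, configure.php 444).
check_perms() {
    {
        find "$1" -type d -perm /022
        find "$1" -type f ! -name configure.php -perm /133
        find "$1" -type f -name configure.php -perm /333
    } | sort
}

# Constructed sample tree so both checks can be tried offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/catalog/images" "$t/catalog/includes"
    printf '%s\n' '<?php echo "hello"; ?>' > "$t/catalog/index.php"
    printf '%s\n' '<?php eval(base64_decode($x)); ?>' > "$t/catalog/images/logo.php"
    printf '%s\n' '<?php // settings ?>' > "$t/catalog/includes/configure.php"
    chmod 755 "$t" "$t/catalog" "$t/catalog/includes"
    chmod 777 "$t/catalog/images"            # too open: above 755
    chmod 644 "$t/catalog/index.php" "$t/catalog/images/logo.php"
    chmod 644 "$t/catalog/includes/configure.php"   # too open: above 444
    echo "$t"
}

# Usage: sh check_store.sh /path/to/local/copy
if [ -n "${1:-}" ]; then
    echo "Files to review by hand:";   scan_keywords "$1"
    echo "Permissions above limits:";  check_perms "$1"
fi
```

Files reported by the keyword scan still need to be compared against a fresh download of the same osCommerce version, since the keywords also occur in legitimate code.
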
Guest Posted May 31, 2011

> Your website has been hacked! Follow these steps to clean and secure your website:
> 1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.
> 8) Remove the .htaccess password protection so your customers can resume making purchases from your website.
> Chris

Can you provide me with any docs on the above two steps?

Keith

Guest Posted May 31, 2011

Keith,

There are no docs on those two steps. Log into your hosting account control panel, use file manager to locate the root directory of your osCommerce installation. Click password protect and create a username and password to lock it down. Once you are done cleaning it, reverse those steps.

Chris

Guest Posted May 31, 2011

> Keith,
> There are no docs on those two steps. Log into your hosting account control panel, use file manager to locate the root directory of your osCommerce installation. Click password protect and create a username and password to lock it down. Once you are done cleaning it, reverse those steps.
> Chris

Got it. How did you know that it was hacked? How to check if it is cleaned out?

Keith

Guest Posted May 31, 2011

Keith,

The error message on your site with eval() was the first indication. The second was your http://www.k-wbookworm.com/catalog/images/ directory. The hacker has a file in there that displays his logo when you go to the directory. And finally, your /admin folder still has the filemanager.php in it and the directory is still called /admin. So, none of the basic security patches have been applied.

Chris

Guest Posted May 31, 2011

> Keith,
> The error message on your site with eval() was the first indication. The second was your http://www.k-wbookworm.com/catalog/images/ directory. The hacker has a file in there that displays his logo when you go to the directory. And finally, your /admin folder still has the filemanager.php in it and the directory is still called /admin. So, none of the basic security patches have been applied.
> Chris

Actually, /admin was renamed. I just named it back to have access to the admin program. I was sure I deleted filemanager.php.

Guest Posted May 31, 2011

Keith,

Read step 4 I posted above about the security support forum and look for all of the listed vulnerabilities. The site is definitely hacked and needs to be cleaned and then secured.

Chris

Guest Posted May 31, 2011

> Keith,
> Read step 4 I posted above about the security support forum and look for all of the listed vulnerabilities. The site is definitely hacked and needs to be cleaned and then secured.
> Chris

Thanks Chris,

I've spent the day searching and cleaning. I think I have it all fixed up. All passwords changed. Now, I still cannot login. As either a customer or an admin.

Keith

Guest Posted June 1, 2011

Ah, my host upgraded to php 5.3. I believe that might be the error now?

Guest Posted June 1, 2011

Keith,

If your host upgraded to PHP 5.3, you will receive Deprecated Ereg errors. If you want to update your files to be PHP 5.3 compatible, use this

Chris

Guest Posted June 1, 2011

Nope, still not working. Just keep coming back as a Guest to the login screen.

Guest Posted June 1, 2011

Keith,

Confirm your settings in admin>>configuration>>sessions

They should appear like this:

Session Directory: /tmp
Force Cookie Use: False
Check SSL Session ID: False
Check User Agent: False
Check IP Address: False
Prevent Spider Sessions: True
Recreate Session: True

Chris

Guest Posted June 1, 2011

> Keith,
> Confirm your settings in admin>>configuration>>sessions
> They should appear like this:
> Session Directory: /tmp
> Force Cookie Use: False
> Check SSL Session ID: False
> Check User Agent: False
> Check IP Address: False
> Prevent Spider Sessions: True
> Recreate Session: True
> Chris

admin>configuration>sessions? I have no such path/file

Guest Posted June 1, 2011

Oh, you mean in the administration program? I have no access to that. Won't let me login there either.

Guest Posted June 1, 2011

Keith,

Are you positive you have identified and removed ALL hacker files and malicious content from your website? I just created an account on your site, and lost the osCID when I clicked Continue and also when I tried to add an item to the shopping cart.

Since your site is mostly unmodified, have you considered re-installing the files?

Just some thoughts.

Chris

Guest Posted June 1, 2011

> Keith,
> Are you positive you have identified and removed ALL hacker files and malicious content from your website? I just created an account on your site, and lost the osCID when I clicked Continue and also when I tried to add an item to the shopping cart.
> Since your site is mostly unmodified, have you considered re-installing the files?
> Just some thoughts.
> Chris

I'm as sure as I can be. The only way I guess is to install each individual .php file from scratch until I find the issue. I assume if I d/l and extract, the full directory structure will be there for me on my local machine? I can then work on one file at a time.

Guest Posted June 1, 2011

Also, how do I confirm what version I'm running? My head is spinning here. I've been at this for two days and cannot find the issue.

Guest Posted June 1, 2011

> Also, how do I confirm what version I'm running? My head is spinning here. I've been at this for two days and cannot find the issue.

V2.2 RC2a

Guest Posted June 1, 2011

I have now overwritten all files that come with a fresh download of the same version. Still I cannot log in as a customer. I am pretty sure it is not a hacker issue anymore.

Taipo Posted June 1, 2011

> Actually, /admin was renamed. I just named it back to have access to the admin program. I was sure I deleted filemanager.php.

When it is 'named back' are you able to log in at all?

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Guest Posted June 1, 2011

> When it is 'named back' are you able to log in at all?

Nope, just keeps taking me back to the login screen.

Guest Posted June 1, 2011

Keith,

I once cleaned a site where the hacker corrupted the password_func.php, validation.php and the database tables. I ended up re-creating the site and database, importing the information after the database was re-created.

I know it is not what you want to hear, but with all of the time you have already invested, you could have a new site installed.

Chris

This topic is now archived and is closed to further replies.