
osCommerce

The e-commerce.

site hacked b


zaq2011


Hi all,

I noticed my site has been hacked.

When I go to the site I see on top of the page,

I noticed many files have been uploaded to my file manager, and in the configuration next to the site name the hackers added: <Iframe src='http://willysy.com/images/banner/'style=position:absolute;visibili

I did a Google search with the above URL and came up with many results; all the sites are osCommerce websites.

Check your site.

Any idea how to protect from such an attack, which files to modify?

zaq


Zaq,

 

Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64', 'eval', 'decode'.

3) Delete the files on your hosting account before uploading the clean files.

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE.

6) Make sure file and directory permissions are set correctly: directories no higher than 755, files no higher than 644 and the TWO configure.php files no higher than 444.

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'.

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

10) If you feel you cannot perform any of the above steps, you should seek professional help to ensure all malware is removed.


Chris

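Steps 2 and 6 of the reply above as shell functions: an added example, not code from the thread or from osCommerce. It assumes POSIX sh with GNU grep/find, takes the store root as `$1`, and builds a constructed demo tree so it can be run offline. The keyword scan is triage only, since stock osCommerce files also use eval() and base64_decode(); every hit has to be read before anything is deleted.

```shell
# Added example, not code from the thread or from osCommerce: steps 2 and 6 as
# shell functions. Assumes POSIX sh with GNU grep/find and a store root passed as $1.

# Step 2: list PHP files containing the usual obfuscation markers. This is triage, not
# proof: stock osCommerce files also call eval() and base64_decode(), so read every
# hit before deleting anything.
scan_suspicious() {
    grep -rlE 'base64_decode|eval\(|gzinflate|str_rot13|preg_replace\(.*/e' \
        --include='*.php' --include='*.inc' "$1" | sort
}

# World-writable files (666) and directories (777): the perms step 6 forbids, and the
# places an uploaded dropper can land.
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | sort
}

# Step 6: directories 755, files 644, then the two configure.php files 444.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f -name configure.php -exec chmod 444 {} +
}

# Constructed demo tree (the "infected" file is a harmless marker, not real malware).
make_demo_store() {
    root=$(mktemp -d)
    mkdir -p "$root/includes" "$root/admin/includes" "$root/images"
    printf '<?php define("DB_SERVER", "localhost");\n' > "$root/includes/configure.php"
    printf '<?php define("DB_SERVER", "localhost");\n' > "$root/admin/includes/configure.php"
    printf '<?php echo "catalog";\n' > "$root/index.php"
    printf '<?php eval(base64_decode("Zm9v"));\n' > "$root/images/banner.php"
    chmod 777 "$root/images"
    chmod 666 "$root/images/banner.php"
    printf '%s\n' "$root"
}

# Usage: store=$(make_demo_store); scan_suspicious "$store"; fix_permissions "$store"
```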

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64', 'eval', 'decode'.

This returns lots of false positives.

I don't think this is how this attack works. If you don't have experience with this particular exploit please refrain from comment.

------------------------------------------------------------------------

The first panacea for a mismanaged nation is inflation

of the currency; the second is war. Both bring a
temporary prosperity; both bring permanent ruin.
Ernest Hemingway
------------------------------------------------------------------------


How to protect:

1. First you need to clean the existing code so that no backdoor is left.

2. Change the user and password of your admin and FTP.

3. Htaccess protect your admin.

4. Delete file_manager.php from the admin folder.

5. Now you need to apply code so that SQL injections will be ineffective.

6. To further strengthen, add an .htaccess to the images folder and other folders where you have permissions set to 777.

Satish

Ask/Skype for free osCommerce value addon/SEO suggestion tips for your site.

Check my About Us for who I am and what my company does.

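Steps 3, 4 and 6 of the reply above as shell functions: an added example, not code from the thread or from osCommerce. It assumes Apache with AllowOverride enabled for the store directory and an .htpasswd file already created with the htpasswd tool (its path is passed in, not created here); the demo tree is constructed so the functions can be run offline.

```shell
# Added example, not code from the thread or from osCommerce: steps 3, 4 and 6 of the
# reply above as shell functions. Assumes Apache with AllowOverride enabled for the
# store directory, and an .htpasswd already created with the htpasswd tool.

# Step 4: remove the admin file manager (the upload path the thread says was abused).
remove_file_manager() {
    rm -f "$1/file_manager.php"
    [ ! -e "$1/file_manager.php" ]
}

# Step 3: require a Basic-auth login before Apache serves anything under admin/.
password_protect_admin() {
    admin="$1"; htpasswd_file="$2"
    cat > "$admin/.htaccess" <<EOF
AuthType Basic
AuthName "Store administration"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Step 6: in a directory that must stay writable by the web server, stop Apache from
# executing or even serving PHP, so an uploaded script is just a dead file.
# (Apache 2.2 syntax; 2.4 needs mod_access_compat or "Require all denied" instead.)
write_no_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
RemoveHandler .php .phtml .php3 .php4 .php5
<FilesMatch "\.(php|phtml|php[3-7]|phps)$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
}

# Apply the above to every world-writable (777) directory under the store root.
protect_writable_dirs() {
    find "$1" -type d -perm -0002 | while IFS= read -r dir; do
        write_no_php_htaccess "$dir"
    done
}

# Constructed demo tree so the functions can be exercised offline.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/admin" "$root/images"
    printf '<?php // placeholder standing in for the stock file manager\n' > "$root/admin/file_manager.php"
    chmod 777 "$root/images"
    printf '%s\n' "$root"
}
```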

This returns lots of false positives.

Depending on the breadth of the attack on your site, the method of cleaning up should be measured on the scale of the attack. If your server uses the regular file permissions configuration, where 644 is read-only for files and 755 is view-only for directories, then you may find that only files that are set to perms 666 have been affected and shell code added to directories set to 777. In that scenario a cleanup would not take that much time to complete, and of course patching your site against further exploits.

However, webservers using configurations where PHP has owner privileges may find a great many files, if not all files, infected with parts of the code that allow for the eventual iframe injection. So if there is an application out there that allows a user to scan their files for virus code and the results show that the majority of files are infected, while amongst those there may be legitimate files that have eval() and base64_decode() in them, the results would still tell me that it would be less time consuming to just upgrade your site to version 2.3.1 even if that meant starting again.

See more about file permission types here.

I don't think this is how this attack works. If you don't have experience with this particular exploit please refrain from comment.

How does this iframe injection attack differ from previous iframe injections that have taken place over the past 8-10 months on vulnerable osCommerce systems, xtronics?

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


This topic is now archived and is closed to further replies.
