
3.8 million infected pages--willysy targets osCommerce 2.2 sites


waynehuang


Number of infections: As of July 31st, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, not sites or domains.

 

We wrote up a blog post: http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html, hope it's useful!

 

Wayne

[email protected]

[Attachment: willysy_drive_by_download_mass_injection_google_3_million.png]


The version of osCommerce that is being targeted here is about 8 years out of date, back in the day when there was no login for the admin area and admin/configuration.php was accessible to anyone that had a web browser.

 

The most disturbing part of all this is that there are that many websites out there still using those old carts.

 

PS: the exploit at http://www.exploit-db.com/exploits/17285/ mentioned in your blog is a bogus exploit report. The banner manager in 2.3.1 is not vulnerable to the admin bypass exploit. Try it for yourself if you need to.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


The majority of these that we've cleaned are V2.2 RC2, but there have been RC1, CRE loaded and others. We've been able to secure them by the usual methods:

 

1. Change the name of admin folder

2. Add password protection to the admin folder

3. Be certain that $PHP_SELF is defined properly in application_top.php

4. Disable file_manager.php and define_language.php

5. Check the list of admins in the database. The majority of the time, with this infection, we see new admins listed - delete them

6. Reset the admin and database passwords

 

Most of the sites infected have none of these changes. Especially renaming the admin folder.

 

That's my two cents

We Watch Your Website - so you don't have to!

no outside links allowed in signature!

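The six-point list above, turned into something you can run: an added example, not code from the thread or from osCommerce. It is a small CLI audit that checks a 2.2-style install for the default admin directory name, missing htpasswd protection, the faulty $PHP_SELF line in application_top.php, and the file_manager.php / define_language.php scripts. Points 5 and 6 need the database, so the query to review the administrators table is only printed. The admin-directory heuristic, file layout, table name (2.2 RC1/RC2) and the throwaway fixture it builds in a temp directory are assumptions made for this example.

```php
<?php
// Added example, not code from the thread or from osCommerce: CLI audit of a
// 2.2-style install against the hardening list. Pass a catalog root as argv[1],
// or run without arguments to audit a constructed, unhardened fixture.

function audit_install(string $root): array
{
    $findings = [];

    // 1. Default admin directory name still in use.
    if (is_dir($root . '/admin')) {
        $findings[] = 'admin directory still named "admin"';
    }

    // Heuristic (assumption): any directory holding login.php and includes/
    // is an admin directory, whatever it was renamed to.
    foreach (glob($root . '/*', GLOB_ONLYDIR) as $dir) {
        if (!is_file($dir . '/login.php') || !is_dir($dir . '/includes')) {
            continue;
        }
        $name = basename($dir);

        // 2. No web-server password protection (htpasswd via .htaccess).
        $htaccess = $dir . '/.htaccess';
        if (!is_file($htaccess) || stripos(file_get_contents($htaccess), 'AuthType') === false) {
            $findings[] = "$name: no AuthType directive in .htaccess (no htpasswd protection)";
        }

        // 3. $PHP_SELF taken from PHP_SELF or PATH_INFO, both of which carry
        //    the attacker-controlled trailing path info.
        $top = $dir . '/includes/application_top.php';
        if (is_file($top)
            && preg_match('/\$PHP_SELF\s*=[^;]*(PHP_SELF|PATH_INFO)/', file_get_contents($top))) {
            $findings[] = "$name/includes/application_top.php: \$PHP_SELF derived from PHP_SELF/PATH_INFO";
        }

        // 4. Scripts that should be removed or disabled are still present.
        foreach (['file_manager.php', 'define_language.php'] as $script) {
            if (is_file($dir . '/' . $script)) {
                $findings[] = "$name/$script still present";
            }
        }
    }
    return $findings;
}

// 5. and 6. need the database; print the statements to run against it.
function admin_review_sql(): string
{
    return "SELECT id, user_name FROM administrators;\n"
         . "-- delete any row you did not create, then reset the remaining passwords\n";
}

// Constructed fixture: an unhardened 2.2-style install in a temp directory.
function build_fixture(): string
{
    $root = sys_get_temp_dir() . '/osc_audit_' . uniqid();
    mkdir($root . '/admin/includes', 0700, true);
    file_put_contents($root . '/admin/login.php', "<?php\n");
    file_put_contents($root . '/admin/file_manager.php', "<?php\n");
    file_put_contents($root . '/admin/includes/application_top.php',
        "<?php\n\$PHP_SELF = \$HTTP_SERVER_VARS['PHP_SELF'];\n");
    return $root;
}

$root = $argv[1] ?? build_fixture();
foreach (audit_install($root) as $finding) {
    echo "FINDING: $finding\n";
}
echo admin_review_sql();
```

Run it as `php audit.php /path/to/catalog`. Against the fixture it reports all four filesystem findings; on a real install each finding maps back to one numbered step in the list, so the output doubles as a to-do list for the clean-up.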

Applying those changes to V2.2x will certainly prevent the majority of attacks exploiting the admin bypass exploit.

 

It pays to patch this part of the login script as well: Link (in actual fact, oddly enough, it's listed as high importance, yet the $PHP_SELF patch is ironically set to low importance - go figure).

 

If you also have a look through the updates from v2.2x to v2.3.1 you will see that there are a number of bug fixes that sanitize parameters, which will prevent the Cross-Site Request Forgeries that are also affecting v2.2x. The quick fix for those is to install an addon that deals with whitelisting GET request user inputs. Two addons come to mind that do this, FWR MEDIA SECURITY PRO 2.0 and osC_Sec (which has a version of FWR's whitelisting function in it).

 

For professionals that patch v2.2x sites I recommend that instead of the regular htpasswd addition to the admin directory, this update is the better option as it allows for a one stop login for administrators.

 

For sites that are receiving gigabytes of garbage attack requests you can also use something like the piece of code below (from osC_Sec) in both application_top.php files; it will drop the bandwidth considerably.

 

 // Drop requests whose URI contains a known admin-bypass pattern before the
 // rest of application_top.php runs. The URI is URL-decoded first so that
 // percent-encoded variants of the same pattern are caught as well.
 $oscsec_reqVar_blacklist = array( ".php/admin", ".php/login", "login.php?action=backupnow" );
 foreach ( $oscsec_reqVar_blacklist as $blacklisted ) {
     if ( strpos( urldecode( $_SERVER["REQUEST_URI"] ), $blacklisted ) !== FALSE ) {
         // Send an empty 403 and stop; nothing else in the script is processed.
         $header = array( "HTTP/1.1 403 Access Denied", "Status: 403 Access Denied", "Content-Length: 0" );
         foreach ( $header as $sent ) {
             header( $sent );
         }
         die();
     }
 }

 

Hope that helps.


With 2.3.1 in place, these hackings are no more.

 

Satish

Ask/Skype for free osCommerce value addon/SEO suggestion tips for your site.

 

Check my About Us for who I am and what my company does.


Well, on that note, with osC_Sec in place these hackings are no more either, irrespective of which version of 2.2x or other.


Taipo,

 

You speak wisely.

 

I like your knowledge and insight into osCommerce.

 

I'm going to dig deeper into the issues you've presented here.

 

Thank you for sharing.

 

Remember what the world was like before sharing of ideas on forums like this?

 

I do.

 

It wasn't much fun.


Just another note about the perceptions of this iframe attack.

 

On very early versions of osCommerce there is no login to the admin section, so unless users have their admin directories protected with htpasswd authentication or changed the name of that directory then this latest distributed attack will take their sites apart.

 

On versions of osCommerce that even bother to have an admin login.php script, the 'iframe injection' and 'admin vulnerability hack' are actually one and the same thing. iFrames cannot simply be injected into osCommerce files at will, unless the application_top.php files still contain the faulty $PHP_SELF code of earlier versions of osCommerce or a vulnerable version of FCKEditor is installed in an unprotected directory.

 

The majority of the iFrame appending, though, is done either via files that have been uploaded due to the misreporting $PHP_SELF code on sites where the admin directory is not protected, or via older versions of osCommerce which just do not have any user authentication at all on the admin directory.

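The faulty $PHP_SELF behaviour this post describes, and the request blacklist posted earlier in the thread, shown side by side in an added example that is not code from the thread, from osCommerce or from osC_Sec. It is a simplified model of the 2.2-era admin gate: when $PHP_SELF carries the trailing PATH_INFO, a request such as /admin/file_manager.php/login.php makes basename($PHP_SELF) report "login.php" and the gate lets it through unauthenticated; deriving the script name from SCRIPT_NAME instead (my version of the fix, not the project's patch verbatim) closes that, and the blacklist rejects the request before the gate is even reached. The $_SERVER layout fake_server() builds, the function names and the list of cases are assumptions made for this example.

```php
<?php
// Added example, not code from the thread, osCommerce or osC_Sec: a simplified
// model of the osCommerce 2.2 admin login gate, the faulty and hardened ways of
// deriving $PHP_SELF, and the osC_Sec-style request blacklist in front of it.

const FILENAME_LOGIN = 'login.php';

// Faulty derivation: PHP_SELF is SCRIPT_NAME plus PATH_INFO, so the requester
// controls the last path segment and basename() reports whatever they append.
function php_self_faulty(array $server): string
{
    return $server['PHP_SELF'];
}

// Hardened derivation: SCRIPT_NAME is the script the web server actually
// executes; any PATH_INFO suffix is ignored.
function php_self_hardened(array $server): string
{
    $req = parse_url($server['SCRIPT_NAME']);
    return $req['path'];
}

// The gate as it behaves in 2.2: only the login page is reachable without an
// admin session. Returns 'allow' or 'login' (redirect to the login page).
function admin_gate(string $php_self, bool $has_admin_session): string
{
    if ($has_admin_session) {
        return 'allow';
    }
    return basename($php_self) === FILENAME_LOGIN ? 'allow' : 'login';
}

// The blacklist from the earlier post, as a function returning true on a hit.
function request_is_blacklisted(string $request_uri): bool
{
    $blacklist = ['.php/admin', '.php/login', 'login.php?action=backupnow'];
    $decoded = urldecode($request_uri);
    foreach ($blacklist as $needle) {
        if (strpos($decoded, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed $_SERVER subset (assumption: Apache-style variables). SCRIPT_NAME
// is the executing script, PATH_INFO the already-decoded trailing path,
// PHP_SELF their concatenation, and REQUEST_URI the raw undecoded request.
function fake_server(string $script, string $raw_path_info = ''): array
{
    return [
        'SCRIPT_NAME' => $script,
        'PATH_INFO'   => urldecode($raw_path_info),
        'PHP_SELF'    => $script . urldecode($raw_path_info),
        'REQUEST_URI' => $script . $raw_path_info,
    ];
}

// One unauthenticated request under the three configurations.
function evaluate(array $server): array
{
    $faulty   = admin_gate(php_self_faulty($server), false);
    $hardened = admin_gate(php_self_hardened($server), false);
    $filtered = request_is_blacklisted($server['REQUEST_URI']) ? 'block' : $hardened;
    return ['faulty' => $faulty, 'hardened' => $hardened, 'hardened+blacklist' => $filtered];
}

$cases = [
    'login page itself'   => fake_server('/admin/login.php'),
    'direct file manager' => fake_server('/admin/file_manager.php'),
    'bypass'              => fake_server('/admin/file_manager.php', '/login.php'),
    'URL-encoded bypass'  => fake_server('/admin/file_manager.php', '/%6Cogin.php'),
];

foreach ($cases as $label => $server) {
    printf("%-20s %s\n", $label, json_encode(evaluate($server)));
}
```

The "bypass" and "URL-encoded bypass" rows are the ones to look at: the faulty derivation answers "allow" for both, the hardened one sends both to the login page, and the blacklist blocks both outright because it matches after urldecode(). The blacklist is a bandwidth saver and a stopgap; as the earlier post says, the login script itself still wants patching, since the hardened derivation never looks at the path info at all and so does not depend on guessing every encoding an attacker might use.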
