grumpydasmurf Posted August 2, 2011 I guess I am one of the lucky ones. This is an email I got from a hacker... I guess it's one for the security thread, but thought I would share it... "Hi, I am an Ethical Hacker and penetration tester. We discovered more than 80 vulnerabilities in web apps and we have private vulnerabilities also in Joomla, osCommerce etc... I found your site, I checked the security in your site http://chicagogunsmith.com and I found vulnerabilities that allow the hacker to hack your site. To be sure that I am true, your database info: define('DB_SERVER', 'localhost'); define('DB_SERVER_USERNAME', 'the actual info'); define('DB_SERVER_PASSWORD', 'the actual info'); define('DB_DATABASE', 'the actual info'); If you are interested I can check your site, patch the vulnerabilities and make your site more secure than now. The cost will be $100. If you are interested, reply to me. Thanks" Grumpy
burt Posted August 2, 2011 $100 is cheap, but you should either do it yourself or pay more for a known "name" here at the osCommerce forum to do it for you. I know you know this, but for future readers of this post who might not realise: an "ethical" hacker might not be so ethical after all - he could easily make hidden backdoors and so on...
Taipo Posted August 2, 2011 Thomas, try this addon http://addons.oscommerce.com/info/7834. It is fairly straightforward to install from the instructions in the readme.htm. Then go into your images directory and remove all of those files in there that end in .php (basically, if it isn't an image then remove it). Also in the images directory, place a file called .htaccess with the following code in it:

Options All -Indexes
<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
grumpydasmurf (Author) Posted August 2, 2011 $100 is cheap, but I am not going to pay this guy. I am working on it right now to secure it myself. If I feel in over my head I will pay a professional to assist. Here is the problem I have: with so many add-ons, and I like everyone have numerous, when I upgrade it's going to be a loooong drawn-out process, which is why I haven't yet upgraded. I'll check out that add-on though. The order of the day is to secure, secure, secure until my brain turns to mush or I make my site stop working. .htaccess file done, thanks! BTW, your signature appears to have some good info in it, Taipo. Grumpy
Taipo Posted August 2, 2011 It's not so much an addon as it is a patch for the security holes that are in osCommerce 2.2x versions that have allowed attackers to exploit your site; in your case they have installed around 90 or so PHP files in the images directory that will be allowing them almost full access, backdooring into your site. Once you have removed the offending files from the images directory you need to patch the faulty code, which is what osC_Sec does... and it's free ;)
burt Posted August 2, 2011 Just follow the steps here: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/page__view__findpost__p__1584648 Do step 5 first. Then start cleaning the site of bad files.
germ Posted August 2, 2011 I posted about a week ago here that you had serious security problems. If I suggest you edit any file(s), make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
grumpydasmurf (Author) Posted August 2, 2011 Sorry germ, I didn't see your reply that day. I appreciate it very much. Taipo, are you sure there are PHP files? There were weeks ago, see the thread germ referenced, but I thought I removed all of them. In a check today with FileZilla, I am unable to see any files other than .gif and .jpg (except the .htaccess file I just uploaded). I'll give you guys' suggestions a try tonight, but can someone verify the PHP files in the images folder, because I am not seeing them. Grumpy
germ Posted August 2, 2011 I can count around 90 right now.
grumpydasmurf (Author) Posted August 2, 2011 "I can count around 90 right now." WTF?! I see none with FTP, and how do you see them anyway? http://www.chicagogunsmith.com/catalog/images ?! You should see error 403. Grumpy
germ Posted August 2, 2011 I saw them before you added the tidbit that now denies access. They're there. Not sure why you can't see them with FTP.
grumpydasmurf (Author) Posted August 2, 2011 "I saw them before you added the tidbit that now denies access. They're there. Not sure why you can't see them with FTP." I will remove .htaccess right now temporarily. OK, I see some PHP files now in the list.... but CAN'T see them in FTP. This is so frustrating. FileZilla and Dreamweaver are both useless, showing the same files, but none of the PHP files. Gonna have to break out the Linux book and PuTTY. WTF, now shell access denied by host? Awesome. Grumpy
germ Posted August 2, 2011 I PM'd you a list. Not all are PHP files.
Taipo Posted August 2, 2011 Here is a visual of how to test for them.
grumpydasmurf (Author) Posted August 2, 2011 Thanks for the list germ. Yes sir Taipo, that's what I did after temporarily removing the .htaccess. I see them now over HTTP, but can't see them in FTP for some reason. I don't know why and gave up trying, so am trying to find a way to SSH/telnet into the server. Shell is disabled for some reason and telnet has always been disabled for "security reasons". Working diligently on it now via the cPanel file manager, but with so many files it lags the file manager. The cPanel file manager seems to have the same problem as Dreamweaver and FileZilla. I'm only seeing jpg and gif. Grumpy
Taipo Posted August 2, 2011 Email your web provider for the proper login details for FTP and use FileZilla to FTP into the site. Some FTP servers are now using secure FTP, that sort of thing. That's the info you need from your provider to correctly be able to log in. Once that's done, then first things first: you need to empty out that images directory of those PHP files, then add the .htaccess that I gave above, then patch the site's security.
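An added example for the clean-up step Taipo describes here and in his first post ("if it isn't an image then remove it"); it is not code from the thread or from osC_Sec. It goes a step beyond the thread by judging each file under the images directory by its first bytes rather than its extension, so a PHP file renamed to .gif is reported too, and it only lists candidates for review instead of deleting anything. The accepted image formats (GIF, PNG, JPEG), the exemption for .htaccess and the directory path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list files under an osCommerce images/
# directory that are NOT real images, judged by their first bytes rather than
# by extension, so a webshell saved as "logo.gif" is still reported.
# Usage: find_non_images /path/to/catalog/images

# Print the first 4 bytes of a file as uppercase hex (portable: od + tr).
magic_hex() {
    od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 if the file starts with a GIF, PNG or JPEG signature.
# An empty or unreadable file yields no hex and is therefore reported.
is_image() {
    m=$(magic_hex "$1")
    case "$m" in
        47494638*) return 0 ;;   # "GIF8" (GIF87a / GIF89a)
        89504E47*) return 0 ;;   # \x89 "PNG"
        FFD8FF*)   return 0 ;;   # JPEG start-of-image marker
        *)         return 1 ;;
    esac
}

# Walk the directory recursively, skip .htaccess (the deny rule from the
# thread lives there), and print one line per non-image file:
# "<path><TAB><first 4 bytes as hex>"
find_non_images() {
    dir="$1"
    find "$dir" -type f ! -name .htaccess | while IFS= read -r f; do
        if ! is_image "$f"; then
            printf '%s\t%s\n' "$f" "$(magic_hex "$f")"
        fi
    done
}

# Run on the directory given as the first argument, if any.
if [ "$#" -ge 1 ]; then
    find_non_images "$1"
fi
```

Review the listed paths before deleting: a legitimate non-image such as a readme would also appear, and each reported file's leading bytes are printed to make that call easier.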
grumpydasmurf (Author) Posted August 3, 2011 OK, got the SSH worked out with my web host; a cPanel upgrade last week dropped my SSH access. Once I got that set up I cleaned up my images dir in seconds. Reinstalled the .htaccess. Renamed my admin and added a password. Earlier I removed define_language and file_manager from /admin. ... gonna re-read this thread and work on the rest in the morning. LOL, for all the time I put into the site, it's about time I get some sales! Thanks guys for all the help. I would have definitely missed those existing PHP files; I thought I got them all weeks ago and with the FTP problem never would have known. Grumpy
Taipo Posted August 3, 2011 The issue would have been that since the site was not patched against the admin bypass exploit, the PHP files would have just all come back again.
grumpydasmurf (Author) Posted April 2, 2012 I posted a reply today but obviously it was also removed at the same time as another thread I started. I am not sure what's going on here... I figured I'd just mention it since I got no Private Message or anything saying not to do whatever I did. Grumpy
vampirehunter Posted April 11, 2012 Hi, can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation? Which addons, things I should change? I tried osCommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem. I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again. Please advise on the 2.3.1 security procedures to make it strong and safe from hackers. Thanks
Taipo Posted April 15, 2012 2.3.1 is pretty much secure. It has been in play for a couple of years now and no bad security issues have appeared. There are a couple of things you can do to make sure you are using the most security; for example, make sure you are using the .htaccess basic authentication function that comes as a part of 2.3.1. The rest is optional, including the security addons that were principally developed for the earlier versions of osCommerce, which had a few serious security issues.