osCommerce forum

Hacked

One of my OsC carts was hacked into last night, all prices & admin password changed. I'm not thinking too clearly right now... I need to know if there's anything in OsC that logs an IP address so I can nail whoever did it. Also where I can change the Admin passwords if possible. I can access the files, but can't get into admin itself.

 

Should be easy enough to catch the idiot, they went and placed a few orders right after it was done.

 

thanks,

Violet


Look at your httpd logfiles.

They will show the ip addresses of whoever asked which url when.

 

HTH

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"

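To make Mattice's advice concrete, here is an added example (written for this page, not code from the thread or from osCommerce) that pulls every request to the admin directory out of an Apache access log in the common "combined" format and groups it by client IP. It shows who asked which admin URL and when, and whether HTTP auth let them in: a 401 is a rejected login, and a 200 with a user name after a run of 401s from the same address is a password that was eventually guessed. The admin path and the log lines are assumptions; the lines are constructed for the example and do not come from a real server.

```php
<?php
// Added example, not from the original thread or from osCommerce: triage an Apache
// access log (combined format) for requests to the admin directory, per client IP.
// ADMIN_PATH is an assumption; change it if your admin directory was renamed.
declare(strict_types=1);

const ADMIN_PATH = '/catalog/admin/';

// Constructed sample log lines (not real traffic). Two 401s, then a 200 as "admin",
// then a POST to the currencies page from the same address.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [02/Jul/2003:03:12:01 +0200] "GET /catalog/admin/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jul/2003:03:12:03 +0200] "GET /catalog/admin/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
203.0.113.7 - admin [02/Jul/2003:03:12:09 +0200] "GET /catalog/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - admin [02/Jul/2003:03:14:40 +0200] "POST /catalog/admin/currencies.php?action=update HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.20 - - [02/Jul/2003:08:01:15 +0200] "GET /catalog/default.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jul/2003:08:05:30 +0200] "POST /catalog/checkout_process.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; null if the line does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'user'   => $m[2] === '-' ? null : $m[2],   // name accepted by HTTP auth, if any
        'time'   => $m[3],
        'method' => $m[4],
        'path'   => $m[5],
        'status' => (int) $m[6],
    ];
}

// Every request whose path starts with ADMIN_PATH, summarised per client IP.
function admin_activity(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_log_line($line);
        if ($r === null || strpos($r['path'], ADMIN_PATH) !== 0) {
            continue;
        }
        $ip = $r['ip'];
        if (!isset($byIp[$ip])) {
            $byIp[$ip] = ['requests' => 0, 'auth_failures' => 0, 'users' => [],
                          'first' => $r['time'], 'last' => $r['time'], 'paths' => []];
        }
        $byIp[$ip]['requests']++;
        if ($r['status'] === 401) {
            $byIp[$ip]['auth_failures']++;
        }
        if ($r['user'] !== null) {
            $byIp[$ip]['users'][$r['user']] = true;
        }
        $byIp[$ip]['last'] = $r['time'];
        $byIp[$ip]['paths'][$r['method'] . ' ' . $r['path']] = true;
    }
    return $byIp;
}

// Pass a log file as the first argument, or run without one to see the sample.
$log = $argc > 1 ? (string) file_get_contents($argv[1]) : SAMPLE_LOG;
foreach (admin_activity($log) as $ip => $s) {
    printf("%-15s %d admin requests, %d auth failures, users: %s, %s .. %s\n",
        $ip, $s['requests'], $s['auth_failures'],
        $s['users'] ? implode(',', array_keys($s['users'])) : 'none',
        $s['first'], $s['last']);
    foreach (array_keys($s['paths']) as $p) {
        echo "    $p\n";
    }
}
```

Run it as `php admin_triage.php /path/to/access_log`. Line up the timestamps of the admin hits with the times the suspicious orders were placed; if the admin directory was renamed, or the log is in the plain "common" format (no referer and user agent at the end), the regex still matches because it stops at the response size.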

How were you password protecting your admin?

 

With .htaccess and .htpasswd?

 

Or were you using something like the administrators contribution?

The only thing necessary for evil to flourish is for good men to do nothing

- Edmund Burke


Did you use obvious names?

A lot of people use the actual login NAME as the REALM as well,

which makes it 50% less work to hack the account.

They might have just guessed it if it was too easy...?

 

A good tip is to use a sleep() of a couple of seconds

on the requested index page, that way brute force crackers will get

slowed down severely. Use like 10 seconds or so.

 

HTH

Mattice


If your IP doesn't change (like on cable modems etc.), then you can build in an extra check like this:

 

place in admin/includes/application_top.php

 

at the TOP, right after the opening tag:

    <?php
    // Refuse the admin area to every client address except your own.
    if ($_SERVER['REMOTE_ADDR'] != 'put your ip here') {
        echo 'Goto DisneyWorld if you want to have fun !';
        exit;
    }

 

I just built it in myself when I saw your post.

 

NOTE: USE WITH CAUTION !

If you are not sure if your IP stays the same then DON'T do this !

Robert

 

We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)

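The two suggestions above, Mattice's sleep() on the requested page and Robert's REMOTE_ADDR check in admin/includes/application_top.php, fit together in one gate. The following is an added example written for this page, not Robert's or Mattice's code and not part of osCommerce: an allowlist of one or more addresses (or a small range), and a delay before every rejection. The addresses in ADMIN_ALLOWLIST are placeholders for your own static IP.

```php
<?php
// Added example (not from the thread, not osCommerce code): allowlist gate plus reject
// delay for the top of admin/includes/application_top.php. Placeholder addresses below.

const ADMIN_ALLOWLIST = ['198.51.100.20', '203.0.113.0/28'];  // your static IP(s) or a small range
const REJECT_DELAY_SECONDS = 10;                                // Mattice's "10 seconds or so"

// True if $ip lies inside $entry, which is a dotted quad or a.b.c.d/prefix (IPv4 only).
function ip_in_cidr(string $ip, string $entry): bool
{
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : ((~0 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// True if the client address matches any allowlist entry.
function admin_client_allowed(string $remoteAddr, array $allowlist): bool
{
    foreach ($allowlist as $entry) {
        if (ip_in_cidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

// The gate itself. Only REMOTE_ADDR is consulted: X-Forwarded-For and similar headers
// are set by the client, so anyone could claim your address through them. Keep the
// .htaccess protection in place as well; this is an extra layer, not a replacement.
if (PHP_SAPI !== 'cli') {
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!admin_client_allowed($client, ADMIN_ALLOWLIST)) {
        sleep(REJECT_DELAY_SECONDS);          // each rejected request costs the caller 10 s
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
} else {
    // Stand-alone check from the command line with a few test addresses.
    foreach (['198.51.100.20', '203.0.113.7', '203.0.113.200', '192.0.2.1'] as $ip) {
        printf("%-14s %s\n", $ip, admin_client_allowed($ip, ADMIN_ALLOWLIST) ? 'allowed' : 'rejected');
    }
}
```

Two caveats a practitioner would want. First, as Robert says, if your address changes you lock yourself out and have to edit the file over FTP, so an allowlist of a provider range is safer than a single address. Second, sleep() holds an Apache worker for the whole delay; a single attacker who opens many connections at once can tie up every worker, so the delay slows a serial password guesser but is not a defence against a flood.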

To see if you have a static IP address in Windows you can do the following:

 

1) connect to the internet

2) START -> RUN

3) Type winipcfg in the text box

4) hit enter

 

Now you get a popup screen that shows you all devices that are connected on the network (modems, ethernet cards, isdn adapters) and their respective IP address. Check the IP of your device, disconnect and go through the steps again to see if the ip is the same. Note that you will have multiple devices in the box, it's NOT the PPP one.

 

Mattice


Thanks to all of you for the info. The usernames/passwords I used on the cart were definitely not easily guessed, and different from their site (hosting, email) usernames & passwords.

 

I did however, find out where the changed prices happened... the currency values were all changed. This cart's been running since last November with no currency issues.

 

All usernames/passwords have now been changed, and I'm double-checking on the chmod for everything (although I did check, check, and double check when I built the cart). I have a feeling that as the client saves the username and password on his computer, and he is on high-speed with no firewall (and has had problems before with worms & such), that this is how it happened. Needless to say, I've told him not to save those passwords, and to get a firewall.

 

Now... my mind is fried, and for the life of me I can't remember how to change the username/password in the MySQL database... can any of you tell me?

 

Thanks again for all your help,

Violet


LOL

 

Then nobody hacked your shopping cart, that is an error with the currency update!!!

 

Since yesterday the currency update (by cron or by manually pressing the update currencies button) is not working right!!!

 

There is another post about this bug...

 

I think xe.com or the other one have changed their values (strings) to read

Robert

 


You've got to be kidding!!! Well, I know you're not, but I feel like an idiot. Still confused as to how the username/password got changed, but maybe it was a server glitch, and darn bad timing. That and 3 false orders in a row overnight (which happens pretty rarely)... it all seemed to add up to a hack.

 

OK, I am going to take the cron job off for now... and go crawl under a rock. I honestly did do a quick search for currency before I posted, but didn't see anything current and didn't dig any deeper as I was in a panic.

 

Sorry :(

 

Violet


Well Violet,

You don't have to say sorry, maybe someone DID get into your ADMIN area (check your logfiles) at the same time, I hope not for you.

 

But one thing is for sure, you did wake up a whole bunch of people :shock:

 

Take care

Robert

 


Woke me up I tell ya... nothing like being woken at 6:30 am with a call about this, and having to actually think fast! :shock:

 

I am still checking those logfiles, just too many coincidences for one night... and it sure won't hurt.

 

Thanks again,

Violet


I have a few Italians on dial-up trying to get into my admin area, but no luck for them... lol

 

You can always change the ADMIN directory name every week or so, but that is not what we want... lol

But when you do such a thing, do not forget to protect the directory again.

Robert

 


Agreed, it is always a good idea to change names occasionally to keep people off guard and stop them from trying to probe around.

Apart from the code & ideas posted you can also temporarily BAN a specific IP address / range that tries to (unsuccessfully) access the admin folder.

I've seen a few code fragments on Hotscripts.com that do this, shouldn't be too hard to implement: if an IP fails, insert it into the DB; match those 'banned' IPs before showing a page; delete the record if it is older than nn hours.

 

Mattice

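The three-step scheme Mattice sketches (record a failure, check for bans before showing a page, expire old records) as an added example written for this page, not code from the thread, from Hotscripts or from osCommerce. It keeps the failure table in an in-memory SQLite database so it runs stand-alone; in a real store the table would live in the osCommerce MySQL database and the two functions would be called from the admin login code. The table name, thresholds and the sample attempts are assumptions for the example.

```php
<?php
// Added example (not from the thread or osCommerce): temporary IP ban after repeated
// failed admin logins, with records expiring after BAN_HOURS. Requires pdo_sqlite.
declare(strict_types=1);

const BAN_HOURS    = 2;   // the "nn hours" from the post
const MAX_FAILURES = 5;   // failures inside the window that trigger a ban

function open_ban_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_failures (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX admin_failures_ip ON admin_failures (ip, failed_at)');
    return $db;
}

// "delete if record is older than nn hours"
function purge_expired(PDO $db, int $now): void
{
    $st = $db->prepare('DELETE FROM admin_failures WHERE failed_at < :cutoff');
    $st->execute([':cutoff' => $now - BAN_HOURS * 3600]);
}

// "if ip fails insert into db": call from the login handler when the password is wrong.
function record_failure(PDO $db, string $ip, int $now): void
{
    $st = $db->prepare('INSERT INTO admin_failures (ip, failed_at) VALUES (:ip, :t)');
    $st->execute([':ip' => $ip, ':t' => $now]);
}

// "match those banned ips before showing a page": call before rendering any admin page.
function is_banned(PDO $db, string $ip, int $now): bool
{
    purge_expired($db, $now);
    $st = $db->prepare('SELECT COUNT(*) FROM admin_failures WHERE ip = :ip');
    $st->execute([':ip' => $ip]);
    return (int) $st->fetchColumn() >= MAX_FAILURES;
}

// Constructed scenario: six wrong passwords from one address within a minute,
// then the same address looked up again three hours later.
$db = open_ban_store();
$t0 = strtotime('2003-07-02 03:12:00 UTC');
for ($i = 0; $i < 6; $i++) {
    record_failure($db, '203.0.113.7', $t0 + $i * 10);
}
var_dump(is_banned($db, '203.0.113.7', $t0 + 60));          // same address, inside the window
var_dump(is_banned($db, '198.51.100.20', $t0 + 60));        // a different address
var_dump(is_banned($db, '203.0.113.7', $t0 + 3 * 3600));    // same address after the window
```

Two things to keep in mind when wiring this in. If the admin directory is protected by .htaccess, Apache rejects bad passwords before PHP ever runs, so the failures never reach record_failure(); the scheme fits a PHP-side login such as the administrators contribution, or has to be fed from the access log instead. And the count is keyed on REMOTE_ADDR, so a dial-up attacker gets a fresh count by redialling while an honest user behind the same shared address inherits the ban, which is the reason for keeping the window short.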

Another way to check your IP address.

 

Open two web browser windows (press Ctrl-N with IE)

 

visit your osc store home page and log in as if you were a customer.

http://www.my-store.com/catalog

 

in the other browser window log into your OSC ADMIN .

http://www.my-store.com/catalog/admin

 

Go to Tools > Who's Online

 

WOW! Your IP ADDRESS is there next to your account name!

Write this down then disconnect from the net.

 

Re-connect and repeat the steps and find the IP address.

If it is the same as before then you have a static IP !

 

COOL !

:-)

Special Effects / 3d + Flash


> Apart from the code & ideas posted you can also temporarily BAN a specific IP address / range that tries to (unsuccessfully) access the admin folder.
>
> I've seen a few code fragments on Hotscripts.com that do this, shouldn't be too hard to implement: if an IP fails, insert it into the DB; match those 'banned' IPs before showing a page; delete the record if it is older than nn hours.
>
> Mattice

Check out the blacklist filters feature here:

http://www.xav.com/scripts/guardian/


> To see if you have a static IP address in Windows you can do the following:
>
> 1) connect to the internet
> 2) START -> RUN
> 3) Type winipcfg in the text box
> 4) hit enter
>
> Now you get a popup screen that shows you all devices that are connected on the network (modems, ethernet cards, isdn adapters) and their respective IP address. Check the IP of your device, disconnect and go through the steps again to see if the ip is the same. Note that you will have multiple devices in the box, it's NOT the PPP one.
>
> Mattice

 

On Windows NT, 2000 and XP, you need to go to a command prompt and use ipconfig...

 

so the procedure would be:

 

1) Connect to the Internet

2) Start -> Run

3) Enter "cmd" and click OK.

4) Type "ipconfig /all" and hit enter.

5) Repeat to see if it changes.


http://www.snert.com/Software/mod_require_...ost/index.shtml

 

This is a great mod that you can use if you have access to (and knowledge of) your Apache httpd.conf file.

 

It will deny persistent attacks, make logs, and allow you to easily (and automatically) block offending IPs.

 

Also, read this thread, it might be of interest:

 

http://www.oscommerce.com/forums/viewtopic.php?t=37140

 

--gabe


I noticed an easy way to hack into some Osc sites

 

If you are using the different level admins module it comes with a default username and password.

What people do is setup new users and passwords, leaving the default intact.

 

Anyone that knows osc will know the default username and password then they are in....

 

John


> I noticed an easy way to hack into some Osc sites
>
> ...

 

This is, like securing your Admin with .htaccess or something else, the sole responsibility of the site owner / hoster.

 

Like mentioned by Druide in this thread before:

My advice to ANYBODY is to ask your ISP for a static IP address if you do not have one already. Once you've obtained the static IP address, leave your .htaccess / Administrators mod / whatever in place and add a check to the application_top.php for that IP; match, or die();

 

This is not foolproof (IP spoofing) but it will filter 95% of the wannabe attempts out. Combine this with a delay on your .htaccess index page.

 

Mattice


The FIRST thing every OSC user should do is to change the name of the admin and catalog folders before running the install script, and then enter those new names into the install script (or manually into the configure.php files if doing a manual installation).


> the FIRST thing every OSC user should do is to change the name of the admin and catalog folders before running the install script

 

Why catalog?


sorry :oops:

 

You are correct Mattice, just rename the admin folder to something else.

 

that will teach me to respond to a question when i first wake up.... :lol:


Archived

This topic is now archived and is closed to further replies.
