roserve Posted November 24, 2014

Hi, I am hosting an OSC 2.3.3 site for a customer. It got injected with a shell script and I wanted to advise the customer to take some actions. Its version, as guessed from includes/version.php (is this the right way to assess the OSC version?), is 2.3.3. Is this version vulnerable? Were there security updates since 2.3.3? The log lines responsible for the hack are these:

178.170.108.47 - - [23/Nov/2014:00:39:36 +0200] "POST /magazin/popup_image.php?pID=584&sa=U&ei=2w9xVPOgGaXiywPg04CIBQ&ved=0CCYQFjAEOMgB&usg=AFQjCNHMEEYPp6pH1spkq_RUcD7SQYNQ-g/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 2402 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "GET /magazin/images/petx.pHp?lol HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

Any advice? Thanks!
burt Posted November 24, 2014

Top one is looking for an osCommerce signature (popup_image.php); those parameters are Google search parameters. He then tries to access admin via an old exploit that was patched years ago. The injection came from elsewhere, I'd suggest; check your whole server for signs of hack activity. FYI, at 2.3.3 this site is 5 releases behind the current master.
roserve Posted November 24, 2014 (Author)

Hi, thanks for your answer. I can't check the entire server as there are quite a few accounts (hundreds), but the timestamp of the injected file is 23/Nov/2014:00:39:37 (identical with the log lines above) and the injected file has the ownership of the account (PHP is with suexec). So this is why I concluded it must be something related to the above lines. I checked again and around that time (seconds +/-) there's nothing else:

178.170.108.47 - - [23/Nov/2014:00:39:36 +0200] "POST /magazin/popup_image.php?pID=584&sa=U&ei=2w9xVPOgGaXiywPg04CIBQ&ved=0CCYQFjAEOMgB&usg=AFQjCNHMEEYPp6pH1spkq_RUcD7SQYNQ-g/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 2402 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "GET /magazin/images/petx.pHp?lol HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

I know this version is 2 years old. But are there any security updates in the versions afterwards? Thanks, regards!
acidvertigo Posted November 24, 2014

You can see the full changelog here: https://raw.githubusercontent.com/osCommerce/oscommerce2/master/docs/CHANGOG

To stay secure, always update to the latest stable version.
roserve Posted November 25, 2014 (Author)

Hi, thanks. 2 things, if I may:

1. I can't see any security patch of any vulnerability in the changelog. Are they supposed to be listed in the changelog and there were none since 2.3.3, or are they not publicly listed in the changelog even if there were patched vulnerabilities? My question is this: can I prove to the customer that an update is essential based on some evidence? I would like to have more than the fact that it's common sense to keep your software up to date.

2. It occurred again and this time it looks different (I replaced the actual account with the word "account"). This is the stat of the injected file:

File: `/home/account/public_html/magazin/images/car.php'
Size: 172435 Blocks: 344 IO Block: 4096 regular file
Device: 802h/2050d Inode: 62670280 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 761/ account) Gid: ( 772/ account)
Access: 2014-11-25 04:49:33.255998549 +0200
Modify: 2014-11-24 22:01:10.606986711 +0200
Change: 2014-11-24 22:01:10.606986711 +0200

208.67.23.91 - - [24/Nov/2014:22:00:50 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:51 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/categories.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:52 +0200] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:52 +0200] "GET /magazin/admin/categories.php/login.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:53 +0200] "GET /admin/banner_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:53 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/file_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:55 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/banner_manager.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:55 +0200] "GET /admin/administrators.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:54 +0200] "GET /magazin/admin/file_manager.php/login.php HTTP/1.1" 200 153573 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:56 +0200] "GET /magazin/contact_us.php&sa=U&ei=kItzVIahIdS1oQS-p4DIAQ&ved=0CKUCEBYwMziWAQ&usg=AFQjCNFD4Bq9_RL-QUW5rHObVUl4U67vxw/admin/administrators.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:57 +0200] "GET /magazin/admin/banner_manager.php/login.php HTTP/1.1" 200 28125 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:59 +0200] "GET /magazin/admin/administrators.php/login.php HTTP/1.1" 200 13592 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:04 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:05 +0200] "POST /magazin//admin/administrators.php/login.php?action=insert HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:05 +0200] "GET /magazin/admin/administrators.php/login.php?action=new HTTP/1.1" 200 14075 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:07 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:07 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:15 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:16 +0200] "GET /magazin/images/car.php HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "GET /magazin/images/run.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "GET /magazin/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 1318 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:17 +0200] "POST /magazin//admin/administrators.php/login.php?action=insert HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:18 +0200] "GET /magazin/admin/administrators.php/login.php?action=new HTTP/1.1" 200 14075 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:18 +0200] "GET /magazin/admin/file_manager.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 406 1131 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:19 +0200] "POST /magazin/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 500 296 "-" "libwww-perl/5.833"

As can be seen from the log above, it triggered 5 mod_sec alerts within 13-14 seconds, hence it got banned at 22:01:23 (4 seconds after the last log line above). The 403 error above is due to the fact that it got injected with 777 permissions, and this type of permissions gets denied by suexec. From the log above I can't see when that shell script got injected, but...

a) This particular account has no other log associated with it and the inserted shell has the ownership of the account.
b) The FTP log is empty and also I have found nothing related to this particular account in /var/log/messages, so nothing got injected by FTP.
c) I have also checked /usr/local/cpanel/logs/access_log to see if maybe it got injected through cPanel (File Editor etc.). There have been no logins to cPanel in the last 2 weeks by anyone on this particular account.
d) Although there are quite a few hundred accounts on this server, I am not aware of any other hacks.

This website has been a permanent and recurrent problem for as long as I can remember, so if the customer is not doing anything I am trying to figure out what to do for him. But I don't know anything about osCommerce in particular, so... Any insight? Thanks and regards!
joli1811 Posted November 25, 2014

No security expert myself, but there is 1 fix here for 2.3.3.4. This does not seem to be your problem: it was fixed very quickly, within hours of being found, and does not appear in your logs above. PM sent.

He should also have renamed admin to something random and taken the opportunity of the extra .htaccess protection which is offered in the admin. I am wondering if he is using an addon which may have made him vulnerable.

The below should also have been in his images folder:

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images
# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>
Options -Indexes

This file, for example, from the above logs has not existed for many years: /admin/file_manager.php. So, as Burt said, it is looking for old exploits from the 2.2 series.

Another possibility that springs to mind is that it may not have been a true 2.3... install but an upgraded 2.rc site?? Maybe worthwhile asking someone here to take a look at the file structure; it would not be hard to tell if it is a true 2.3 version or an upgraded older version.

Not much help, but something to think on.

Regards, Joli

PS: full release upgrade notes here http://library.oscommerce.com/Online&en&oscom_2_3&release_notes
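The two investigative steps in this thread (roserve correlating the injected file's stat Modify time with the access log and tagging the /admin/<script>.php/login.php requests, and joli1811's stock images/.htaccess rule) can be scripted so the check is repeatable across the other accounts on the server. The following is an added example written for this page; it is not code from the forum, from the posters or from osCommerce. The sample log is a constructed subset of the lines quoted above plus one ordinary shop request from 10.0.0.5 as a control; FILE_MTIME is the Modify time from the quoted stat output; the indicator names are chosen here. One caveat it makes visible: on a case-sensitive filesystem Apache compiles the FilesMatch regex case-sensitively, while mod_mime maps handler extensions case-insensitively, so the quoted rule as written does not match the petx.pHp name from the first log. The (?i) prefix is a hardening suggested here, not part of the stock file.

```python
"""Triage Apache combined-log lines for the osCommerce admin path-info pattern
seen in this thread, correlate hits with a dropped file's mtime, and audit the
stock images/.htaccess FilesMatch rule against the script names requested."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the lines quoted in the thread plus a control
# request (10.0.0.5) that should not be flagged.
SAMPLE_LOG = """\
178.170.108.47 - - [23/Nov/2014:00:39:37 +0200] "GET /magazin/images/petx.pHp?lol HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows NT 5.1) APPWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
208.67.23.91 - - [24/Nov/2014:22:00:50 +0200] "GET /admin/categories.php/login.php HTTP/1.1" 404 1148 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:00:52 +0200] "GET /magazin/admin/categories.php/login.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:04 +0200] "GET /magazin/admin/categories.php/login.php?action=download&filename=/includes/configure.php HTTP/1.1" 200 27356 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:07 +0200] "POST /magazin/admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 16688 "-" "libwww-perl/5.833"
208.67.23.91 - - [24/Nov/2014:22:01:16 +0200] "GET /magazin/images/car.php HTTP/1.1" 403 1139 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.67.23.91 - - [24/Nov/2014:22:01:19 +0200] "POST /magazin/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 500 296 "-" "libwww-perl/5.833"
10.0.0.5 - - [24/Nov/2014:22:01:30 +0200] "GET /magazin/product_info.php?products_id=584 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (constructed control)"
"""

# Modify time of the injected file, from the stat output quoted in the thread.
FILE_MTIME = datetime(2014, 11, 24, 22, 1, 10, tzinfo=timezone(timedelta(hours=2)))

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request-line indicators, each derived from requests quoted in the thread.
INDICATORS = {
    # /admin/<script>.php/login.php: PATH_INFO appended to an admin script
    "admin-pathinfo": re.compile(r'/admin/[^/?]+\.php/login\.php', re.I),
    # script-like file requested from the images folder (case-insensitive: petx.pHp)
    "script-in-images": re.compile(r'/images/[^/?]*\.(php[0-9s]?|s?p?html|cgi|pl|exe)(\?|$)', re.I),
    # download of includes/configure.php, which holds the database credentials
    "config-download": re.compile(r'filename=[^&]*configure\.php', re.I),
}


def parse_log(text):
    """Parse combined-log lines into dicts with a timezone-aware timestamp; skip junk."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def tag_entry(e):
    """Indicator names that apply to one parsed entry (empty list if none)."""
    tags = [name for name, rx in INDICATORS.items() if rx.search(e["target"])]
    # a scripted client (libwww-perl) POSTing to the admin area
    if e["method"] == "POST" and "/admin/" in e["target"] and e["ua"].startswith("libwww-perl"):
        tags.append("scripted-admin-post")
    return tags


def triage(text):
    """All entries that carry at least one indicator, in log order."""
    return [{**e, "tags": tag_entry(e)} for e in parse_log(text) if tag_entry(e)]


def around(entries, mtime, window_seconds=10):
    """Entries whose timestamp lies within +/- window_seconds of a file's mtime."""
    lo, hi = mtime - timedelta(seconds=window_seconds), mtime + timedelta(seconds=window_seconds)
    return [e for e in entries if lo <= e["ts"] <= hi]


# FilesMatch pattern from the stock images/.htaccess quoted above.  Apache on a
# case-sensitive filesystem compiles it without the ICASE flag.
IMAGES_RULE = r"\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"
# Hardened variant suggested here (not in the stock file): case-insensitive match.
IMAGES_RULE_CI = "(?i)" + IMAGES_RULE


def rule_blocks(pattern, filename):
    """True if a FilesMatch with this pattern would apply its Deny to the filename."""
    return re.search(pattern, filename) is not None


def images_rule_gaps(entries, pattern=IMAGES_RULE):
    """Script names requested under /images/ that the given rule would NOT deny."""
    gaps = []
    for e in entries:
        m = re.search(r'/images/([^/?]+)', e["target"])
        if m and rule_blocks(IMAGES_RULE_CI, m.group(1)) and not rule_blocks(pattern, m.group(1)):
            gaps.append(m.group(1))
    return gaps


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["ts"].isoformat(), f["status"], f["method"], f["target"], f["tags"])
    print("entries within 10s of file mtime:", len(around(ents, FILE_MTIME)))
    print("names the stock images rule misses:", images_rule_gaps(ents))
    print("names the (?i) rule misses:", images_rule_gaps(ents, IMAGES_RULE_CI))
```

Run against a real access_log, the around() window is the same correlation roserve did by hand (file mtime 22:01:10 against the 22:01:04 to 22:01:19 requests), and images_rule_gaps() tells you whether the images/.htaccess actually in place covers the names the logs show being requested.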