Website Hacked - Possible Security Breech

[robp]

Hi All,

Having used OSC ms2.2 and OSCMax for a number of years across a number of different websites, i had a bit of a shock this morning, when i received a phone call from a client claiming that one of their customers had complained about having to fill out their credit card details twice; once on the website and once through protx. Upon investigation it became apparent that one of my worst fears was happening and that this site had been seriously hacked, and a fake "Payment Form" has now been inserted into the checkout_confirmation.php screen.

I have posted this to the OSC forums, but such is my concern over security breeches that i'm posting it to this community too.

I've found a number of files have appeared on the server within the catalog/images folder:

cvv.html
yzx.txt
two image files for mastercard and amex

Additionally, the following files within catalog/ have all been modified with different upload dates according to my ftp client:

index.php
create_account.php
login.php
tell_a_friend.php

Each modified file contains the following:

// da edit xong

The login file contains this code at line 26:

$password123 = $password;
session_unregister("password123");
session_register("password123");
// da edit xong

Create account Contains around line 55:

$password123 = $password;
session_unregister("password123");
session_register("password123");
// da edit xong

The index file contains:

$td_query = tep_db_query("UPDATE `configuration` SET `configuration_value` = 'true' where `configuration_key` = 'ACCOUNT_DOB'");

at the bottom of the file.

Tell a Friend

The Tell a Friend file however is of most concern as this file has been modified to allow the hacker to upload other modified files.

My belief is that the tell a friend file was the first to be modified and then the hackers use this file to do their work, via uploading the other files.

Additionally i have subsequently established that the checkout_confirmation.php page has also been hacked, however the date has not been altered since the original upload when the site was moved to its new server earlier this year.

This file has been modifed to run an sql query to extract the customers (based on their customer_id) information, ie name, address, date of birth, telephone and email to be emailed to a gmail account, along with the credit card details that have been posted on the "Fake Payment" form.

--

As far as i can ascertain no other files have been modified / hacked.

We have in the past few hours been able to rule out a security breech from malware / spyware / keyword loggers etc, and the server company have also ruled out a security breech.

I am still investigating how the fake payment form has been added into the checkout page, however i have now deleted the entire shop from the server pending further investigation.

If anybody has experienced this before and knows if there is a security breech or "hole" within OSC ie a file or folder that could potentially be a security risk, then if they could let me know so i can close it all up - as this site is on a dedicated server all folders are set to 755 including the images folder and all config files are set to 444.

Regards,

Rob

[michael_s]

I have seen this happen before, but it was not a hole in osC that caused the problem at that time, it was a hole in another script (phpBB2) that allowed the attacker a method of opening a backdoor on the server to modify the osC files.

If you are on a shared server that runs any other web scripts like phpbb, joomla, smarty, etc, and the person running the site has not properly secured it, it is very easy for someone to upload a file to the server and execute it. There are automated bots that do nothing but search for these holes.

mod_security can go a long way to blocking access to the common vulnerabilities, and if your server is not running it, I highly suggest you get it installed and running with a good rule set.

Without looking through the server logs, there really is no way to tell how they got in really. So I suggest you get a hold of the logs or persist in getting your host to find the specific vector used to get in.

[robp]

Hi,

Thanks for the reply. This site is actually on my new dedicated server and is one of only 4 sites on there, all of which currently run OSC yet is the only one affected.

I was speaking with one of the OSC modorators yesterday via PM and he mentioned that it was probably the normal "hole" within the images folder due to that folder having 777 permissions.

The problem is this server doesn't permit 777 permissions on any folder, so all folders (inclding images) were running at 755 with files at 644 except for the config files at 444. The site was shifted to it current location 3 months ago, but there was no sign of this until september, so some how they've managed to hack into a site with no obvious holes in it.

I've spoken with the server tech people and they are saying the server is totally secure, so i'm really stummped as to how they managed to get in. If i knew that then at least it would make me feel a touch better!

I'm actually going through all of the OSC updates to double check that i'm running all of the latest patches, i'm part way through and so far have only found one i'm missing and that was a spelling mistake in a word.

If i do ever establish how this occured then i'll post back to the forum as if i can prevent it happening to somebody else then it needs to be done.

Regards,

Rob

[MindTwist]

I've spoken with the server tech people and they are saying the server is totally secure, so i'm really stummped as to how they managed to get in. If i knew that then at least it would make me feel a touch better!

Yeah, all servers are always totally secure (until proved otherwise).

I would surely would be very troubled until I was able to find out what happened and how they got in...

[robp]

thats exactly what i said to the server company ... who incidently blamed the software for security holes - its just a bit strange that this particular site has been running for nearly 3 years on a shared server without any sign of a problem, then it was shifted to the new server as they were outgrowing the shared space - 3 months later hacked to pieces!!

I've had all of the PC's and MAC's in the office scanned for malware etc, i've had the clients IT people scan their systems in case somebody was able to get usernames and passwords from our systems and then access via ftp, but they've all come back clean.

it really is so annoying!!!!!

[michael_s]

If you are on a dedicated box, make sure you have the following installed and configured:

1. Hardware of software firewall
2. mod_security with a good rule set - Really important to close the most widely known exploits.
3. Disable direct root login (force SU) or use a keypair instead of password
4. Disable telnet
5. Disable anonymous ftp
6. Make sure all your server software is up to date - OS, control panel, kernel, rpm's, etc.


Next, your host is probably correct. The 'hacker' most likely took advantage of a hole in one of many scripts on the server. This is always the easiest way in.

If you are using an older version of osCommerce, there are many, many of these holes. Update asap.

If your dedicated box is not running mod_security,that is most likely the reason you have not had issues until now. Most hosts run it on their apache based shared servers. When you move to a dedicated solution, security responsibility switched to you instead of a hosts security team.

Next, hackers rarely target really small sites. So as your site has grown, it has become a more appealing target. If your server is not properly stealthed, it is advertising itself to port scanners and telling hackers 'look at me, I am not properly firewalled!'

To a hacker, that means an easy target.

Since you are running your own server, you have access to all the logs, so start looking