got me too
Muslim Defacer
Hacked By oToFaReSi
I will be starting from the ground up with a new OS and all, even a new MB, faster and with more memory.
Question: how did they do this? All sites in home had the index replaced.
Yes, I have clients with osCommerce, WordPress and Zen Cart.
I read that these scripts were used to back door in.
I am upgrading to the latest stable versions of all services; will that stop most of it?
I am running older CentOS 4.4 and PHP etc.
Even when the system is all new, can these idiots still have access through the scripts people run?
Also using ConfigServer Security & Firewall (csf v5.13), and that has stopped so many attempts,
but these attempts were not seen as intrusive by the FW.
Tell all the clients with osCommerce to upgrade their version and to download all the fixes; there are many fixes.
Practically, the hacker is uploading the file through osCommerce (the FTP on osCommerce; if they are not going to use .htpasswd and .htaccess, setting up just one IP that can join in, all the admin folders are ****ed, free to access and do whatever they want), then, still using an exploit of osCommerce, they run the script that makes all the changes, and they got access not with SSH but I still didn't understand how; it looks like an interface similar to KVM, and in the end they delete all the logs.
I can just tell you that after all the fixes and major securing of osCommerce (obviously the customer must do it), everything is going to be OK. If you want, I can give you the contact of my customer, who I think can speak English and can explain what he did with his osCommerce.
After August I didn't have any more issues.
Last thing: when you put everything up again, check the syslog daily, at least; after the hacking, I had a continuous flood of DNS attacks.
More info: I did the report here and, as you can see, there are many others with the same problem from the same IP:
http://www.liveipmap.com/109.72.146.154.html
Obviously I started to populate iptables, adding every IP address and DROPPING their connections.
iptables -A INPUT -s 109.72.146.154 -j DROP
The log will be something like this:
XXX : 109.172.146.154#(random port) query (cache) ./INS/IN denied
And then everything got better.
I contacted my customer now; he's preparing a howto for osCommerce regarding what he did to secure his platform. I suggest everybody that has customers using the osCommerce platform give them this howto. There will be news ASAP.
EDIT: Below are the modifications to do for osCommerce customers ...
- deleted the file file_manager.php from the osCommerce admin folder
- deleted the file define_language.php from the osCommerce admin folder
- changed the admin folder name; use a non-standard name, different from "admin", "administration", "adm"...
- added an .htaccess rule in every folder where access from HTTP is not allowed (e.g. backups, cache, pub, tmp...)
--- Start htaccess rule ---
#Block all files from HTTP
Options -Indexes
<Files *>
Order Deny,Allow
Deny from all
</Files>
--- End htaccess rule ---
- added an .htaccess rule in every "include" folder (oscommerce/include, oscommerce/admin/include) to block *.php requests from HTTP
--- Start htaccess rule ---
#Block all php files from HTTP
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
--- End htaccess rule ---
PS: Don't worry, it doesn't block PHP include or require commands.
- normally you can access the Administration Panel from any computer with an internet connection, but in my case that is not necessary... for this reason I've added an additional rule in "oscommerce/admin"; with this rule it is possible to access the panel only from your office static IP (if you have one...).
--- Start htaccess rule ---
#Block all ip different from mine
RewriteEngine on
# dots escaped so only this exact address matches; replace 111.222.333.444 with your own static IP
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
RewriteRule .* - [R=403,L]
--- End htaccess rule ---
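As an added example (not from the thread and not osCommerce's own code), a Python audit that checks a web root against the checklist above and applies its deletions and .htaccess rules; the admin folder name it is given and the "include"/"includes" directory names it looks in are assumptions.

```python
import tempfile
from pathlib import Path

# The thread's checklist encoded as data; directory names beyond the thread are assumptions.
DANGEROUS_ADMIN_FILES = ("file_manager.php", "define_language.php")
DEFAULT_ADMIN_NAMES = {"admin", "administration", "adm"}
PRIVATE_DIRS = ("backups", "cache", "pub", "tmp")   # must refuse all HTTP access
INCLUDE_DIRS = ("include", "includes")              # must refuse direct *.php requests
DENY_ALL = "Options -Indexes\n<Files *>\nOrder Deny,Allow\nDeny from all\n</Files>\n"
DENY_PHP = "<Files *.php>\nOrder Deny,Allow\nDeny from all\n</Files>\n"

def htaccess_denies(directory: Path, pattern: str) -> bool:
    """True if directory/.htaccess has a <Files pattern> block and 'Deny from all'."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return f"<files {pattern}>" in text and "deny from all" in text

def rule_dirs(root: Path, admin: Path) -> list:
    """(directory, <Files> pattern) pairs the checklist says to protect."""
    return [(root / d, "*") for d in PRIVATE_DIRS] + \
           [(b / d, "*.php") for b in (root, admin) for d in INCLUDE_DIRS]

def audit(root: Path, admin_dir: str) -> list:
    """Return one finding string per checklist item the install fails."""
    admin = root / admin_dir
    findings = [f"admin folder uses a guessable name: {admin_dir}"] if admin_dir.lower() in DEFAULT_ADMIN_NAMES else []
    findings += [f"{n} still present in admin folder"
                 for n in DANGEROUS_ADMIN_FILES if (admin / n).exists()]
    for d, pattern in rule_dirs(root, admin):
        if d.is_dir() and not htaccess_denies(d, pattern):
            findings.append(f"{d.relative_to(root)}/ lacks <Files {pattern}> Deny from all")
    return findings

def harden(root: Path, admin_dir: str) -> None:
    """Apply the deletions and .htaccess rules; renaming the admin folder stays manual."""
    admin = root / admin_dir
    for n in DANGEROUS_ADMIN_FILES:
        (admin / n).unlink(missing_ok=True)
    for d, pattern in rule_dirs(root, admin):
        if d.is_dir():
            (d / ".htaccess").write_text(DENY_ALL if pattern == "*" else DENY_PHP)

def build_sample_install() -> Path:
    """Constructed, unhardened osCommerce-like tree used only for this demonstration."""
    root = Path(tempfile.mkdtemp())
    for d in ("admin/includes", "includes", "cache", "tmp"):
        (root / d).mkdir(parents=True)
    (root / "admin" / "file_manager.php").write_text("<?php // stub\n")
    return root
```

Run `audit()` before and after `harden()` on a real web root to see which checklist items remain; the .htaccess rules only take effect where Apache honours `AllowOverride` for that directory.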