Shopping Cart Hacked

Portal Home > Knowledgebase > Articles Database > Shopping Cart Hacked

Posted by crazylane, 05-16-2011, 01:38 PM
I'm trying to help someone out who has a hacked oscommerce site that has had the footer changed to: I've looked everywhere even grep'd for eval, _decode, etc.... But still can't find it! Anyone know a better way to find these type of hacks?
Posted by asciiDigital, 05-16-2011, 02:02 PM
Use LMD to clean your files: http://www.webhostingtalk.com/wiki/Linux_Malware_Detect
Posted by crazylane, 05-16-2011, 02:39 PM
LMD didn't find anything,scan} 8228/8228 files scanned: 0 hits 0 cleaned
Posted by asciiDigital, 05-16-2011, 02:42 PM
You should install ClamAV then run the scan. LMD will then use ClamAV to scan the files more thoroughly.
Posted by jackpx, 05-16-2011, 03:56 PM
oscommerce is very very very buggy ... forget oscommerce .... use prestashop
Posted by crazylane, 05-16-2011, 03:59 PM
I tried clam nothing found, stumped.
Posted by SPaReK, 05-16-2011, 04:31 PM
Are you trying to find out where the inserted code is being stored on the server? Have you looked through the database that osCommerce uses? It might be being stored somewhere in there. I'm not sure where osCommerce stores all of its data. But as others have said, osCommerce isn't the greatest product. They are very slow to fix any security related issues in their product.
Posted by gpl24, 05-16-2011, 10:41 PM
A shopping cart is only good as the person that's maintaining it. If you don't know how to apply the available security patches, then yes, oscommerce should not be used (same goes for any open source software or script!). Prestashop is less "insecure" because it isn't as widely used. Oscommerce is one of the most popular carts - hence it will be more attractive to hackers & script kiddies.
Posted by stardust_x7, 05-17-2011, 02:28 AM
You get SQL injection, you need to use secure and updated version of the script. Also set proper CHMOD permissions for directories and configuration files...
Posted by WeWatch, 05-17-2011, 11:19 AM
Is there a bunch of .php files with: in them? We've been seeing this code used to redirect to cx.cc sites. Have you replaced $PHP_SELF in the two application_top.php files? Have you renamed the admin folder? Have you password protected the newly renamed admin folder? Have you removed the file_manager.php and define_language.php files? If not, you should immediately. Can you post the contents of the application_bottom.php files here? Be sure to use the code tags.