By | January 11, 2011

Last week I cleaned and locked down another 4 hacked osCommerce sites – which takes the total to 102 that I have personally cleaned. I suspect there are a few more developers who have cleaned as many if not more. osCommerce is a magnet for hackers.

Anyway, of the 102 that I have cleaned, only 1 has been subject to rehack – after much investigation it -appears- that the client’s computer is infected, possibly using a variant of Gumblar, as it seems that each time he FTPs using a certain piece of software, his site is hacked within a few hours. It’s a strange case.

I’m seeing more and more hacked osCommerce sites – with some shop owners completely unaware until Google tells them it’s a “malware” site – then it’s noticed pretty quickly.

If you are unsure about your osCommerce security, contact me on oscshops@gmail.com to book a quick scan of your site – I’ll let you know about any insecurities and give you a guideline on how it can be cleaned and/or secured.

15 thoughts on “102 and counting…”

  1. Xpajun

    Would it be me being totally pessimistic to think that someone would hack a store and then join osC to offer, even push, their services to remove the hack…

  2. Isabella

    Were you thinking of someone in particular? 🙂
    On the basis that hacking is the knowledge and application of programming in order to manipulate it, and that coders are potential hackers and vice versa, then it makes sense to wonder if some wise @$$s first hack you then help you at the forums, but I highly doubt that this is Gary’s case.

  3. Gary Post author

    Isabella – depends upon the complexity of the site, how much it differs from standard osC and so on.

    Juls – hmmm, I’d hope not. But nothing surprises me these days.

  4. multimixer

    @ Juls: Hard to believe this, I mean there are already so many stores getting hacked without any “experts” help …
    @ Isabella: coders are potential hackers? I mean they have the “tool”, their knowledge, sometimes the opportunity, but do they have the motive? Or would this be just the option to repair the store again?

  5. Isabella

    I said that coders are potential hackers, but only in terms of programming knowledge, not in terms of ethics or moral principles.
    “Or would this be just the option to repair the store again?”: why not after all? Call me paranoid, but I am sure that some top software manufacturers are the ones that make and spread viruses in order to get us to buy their virus removal tool.

  6. multimixer

    Like H1N1? I’m sorry, that’s not for software

    And no, I’ll not call you paranoid, I’ll have to think how to call you. 🙂

    But, seriously again, it may be true what you say, in such a case we are all affected by this, but still, there are some osCommerce stores being hacked more often/easier than others, and that’s not because of CIA, Mossad, Norton, or whoever. And I also don’t think they got hacked by their developer

  7. Gary Post author

    I’d hope that no developer would purposely “hack” just so that their client would go back to them and spend more money to get it cleaned.

  8. Isabella

    What’s swine flu got to do with this? or the CIA? or the Mossad? I never implied our modest stores are of any interest to these people. Please don’t name Ben Laden next! 😀
    I don’t know why some oscommerce stores are getting hacked more than others, I merely was pointing out that, in this wild wild world, there are some dishonest people that might be playing a double game, such things do exist unfortunately, and in all aspects of life.

    Thought how to call me yet? 😉

  9. Xpajun

    @ Isabella – “Were you thinking of someone in particular?” – Perhaps 😉

    @ Gary – I’d hope not as well

    @ George – yes there are many stores being hacked at the moment but they aren’t all being done for fun so the possibility of this scam being done for money could be quite high.

    @ Gary – I wouldn’t accuse the developers, I’d look at people that suddenly appear and post mainly on security aspects rather than on the other type of help

    @ Isabella – “What’s swine flu got to do with this?” – well these hack attempts are a pig to get rid of 😀

    think I’d better leave on that line – ahh, my coat – thank you

  10. Gary Post author

    Another 3 cleaned and secured this week, taking the total to 105.

    One of these was particularly interesting – the hack was at the server level, in php.ini using auto_append_file and a rather elegantly coded file injection.

  11. Gary Post author

    Almost all of the hacks I’ve been helping with are people who have never had any previous dealings with developers – they are mainly people trying to run a business on a shoe string. So, I’d say that 99.9% of known osC developers are good guys. The ones doing the hacks are from the usual “hacker countries”…

  12. Xpajun

    “One of these was particularly interesting – the hack was at the server level, in php.ini using auto_append_file and a rather elegantly coded file injection.”

    I found this one – or similar – on mine, my host knew nothing about it, thankfully FWR’s filesafe caught it, well worth the install time

  13. Gary Post author

    The php.ini was buried in /etc/ and the hack file was buried in /usr/share/pear/

    Filesafe checks /public_html/ and higher if I recall correctly?

  14. Xpajun

    Yes, I had an etc in my public_html – shouldn’t have been there, a leftover from XAMPP when I did an earlier upload – but the hack duly arrived and was dispatched along with the etc directory

    I don’t have a php.ini in my etc above public_html…
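
The php.ini compromise discussed in comments 10 and 13, turned into a check. This is an added example, not code from the post, the commenters or any tool they mention; it lists every active `auto_prepend_file` / `auto_append_file` setting in php.ini, .user.ini and .htaccess files under the directories you give it. The function names, the sample text and the `EXAMPLE.php` file name are constructed for illustration.

```python
import os
import re

# php.ini / .user.ini form:   auto_append_file = /path/to/file
INI_RE = re.compile(r'^\s*(auto_(?:prepend|append)_file)\s*=\s*(.*)$', re.I)
# Apache .htaccess form:      php_value auto_append_file /path/to/file
HTACCESS_RE = re.compile(
    r'^\s*php(?:_admin)?_value\s+(auto_(?:prepend|append)_file)\s+(.*)$', re.I)

# Constructed sample, not taken from a real incident.
SAMPLE_INI = """\
[PHP]
memory_limit = 128M
;auto_prepend_file = /tmp/old.php
auto_prepend_file =
auto_append_file = "/usr/share/pear/EXAMPLE.php"  ; placeholder file name
"""

def find_auto_includes(text):
    """Return (line_no, directive, value) for each active, non-empty setting."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith((";", "#")):      # commented-out line
            continue
        m = INI_RE.match(line) or HTACCESS_RE.match(line)
        if not m:
            continue
        # Drop a trailing ini comment and surrounding quotes.
        value = m.group(2).split(";", 1)[0].strip().strip("\"'")
        if value.lower() in ("", "none"):            # empty / "none" = disabled
            continue
        hits.append((no, m.group(1).lower(), value))
    return hits

def scan(roots, names=("php.ini", ".user.ini", ".htaccess")):
    """Walk each root and return (path, line_no, directive, value) findings."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in (n for n in files if n in names):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, errors="replace") as fh:
                        text = fh.read()
                except OSError:                      # unreadable file: skip
                    continue
                findings += [(path,) + h for h in find_auto_includes(text)]
    return findings

if __name__ == "__main__":
    print(find_auto_includes(SAMPLE_INI))
```

`php --ini` prints the configuration files PHP actually loads; include their directories in `roots` so that locations outside the web root, such as the `/etc/` case above, are covered, and review any file a finding points to.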

