  1. #1

    thumbs.db files generated, site hacked

    A client is running OS Commerce. There is suspected to be compromised code somewhere in the system. This morning, via FTP, we saw multiple folders with thumbs.db and .htaccess files uploaded (both datestamped with today's date).

    This means that someone was able to mount the files on a windows platform and browse the folders (as that is how the thumbs.db files are generated).

    The current host isn't too much of a help. Nothing shows up in the FTP logs, and I have no idea what we can do a full-text search for in the PHP files on the server to see where this compromised code is located.

    Any ideas?

    Thanks in advance.

  2. #2
    Have you checked your HTTP logs to see if OS Commerce might have been exploited? Do you have any other way of accessing the filesystem (e.g. WebDAV, SSH, etc.) that might have been used by the attacker rather than FTP?
    Adam McMaster


  3. #3
    Thanks for your reply. WebDav was just disabled so we're monitoring things. Even with webdav, a password is needed and that was changed a few weeks ago.

    I will also check the logs for any evidence of hacking, but will research that some more as I'm not sure what to look for.

  4. #4

    Seems that sounds like it's me with that problem.

    Have located a file in the oshop directory, hash2.asp. Seems it is responsible, or looks like it, for virus activity and part of that Windows recovery/restore virus.

    Renamed it to virus just in case I need it back. Clever bit of annoying but not destructive code. I might modify it later to reverse the virus itself on the net. Virus fighting virus...

    HTACCESS also seems all edited at the bottom of the page, right at the bottom, last line, to include thumbs.db, which might be the mad-scientist's screen that pops up at the front of the page when surfing it.

    Just editing that out everywhere now to see.


    Oh, and htaccess appears to have nothing in it to control access... that might help.

    Configuration.php file needs attention; keep getting a warning: I can edit, security risk.

    You did explain what I came across: lots of PHPs that shouldn't be there. Sample content... some had back door labelling:
    $login = "airmata";
    $pass = "";
    $md5_pass = "2a5f99a042b73f2c4580c4216755a1f6"; //Password already encrypted with md5. If empty, md5($pass).
    $host_allow = array("*"); //Example: array("192.168.0.*","")
    $login_txt = "Restricted Area"; //HTTP-Auth message
    $accessdeniedmess = "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied";
    $gzipencode = TRUE;
    $updatenow = FALSE; //If TRUE, update the shell now.
    $c99sh_updateurl = $sh_mainurl."memek.php";
    $c99sh_sourcesurl = $sh_mainurl."pastiu.txt";
    //$c99sh_updateurl = "";
    //$c99sh_sourcesurl = "";
    $filestealth = TRUE; //TRUE: does not change modification and access times.
    $curdir = "./";
    $tmpdir = "";
    $tmpdir_log = "./";
    $log_email = "[email protected]"; //email for sending logs.
    Last edited by anon-e-mouse; 05-13-2011 at 06:29 AM. Reason: merged posts
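Post #1 asks what to search the PHP files for, and post #4 shows what a planted c99 shell config looks like once found. The scanner below is an added example (not code from either poster or from osCommerce) that turns those two observations into checks: it greps PHP files for the variable names quoted in the config above, flags .htaccess lines that name thumbs.db, and tags files with recent modification times. The sample web root, its paths and file contents are constructed for the demo.

```python
import os, re, tempfile, time

# Added scanner: PHP files carrying the c99-shell config variables quoted in this
# thread, .htaccess lines naming thumbs.db, and recent mtimes. The last regex is a
# generic pattern for code that evaluates a decoded payload.
SHELL_MARKERS = [re.compile(p) for p in (
    rb"\$c99sh_(updateurl|sourcesurl)", rb"\$md5_pass\s*=", rb"\$host_allow\s*=",
    rb"\$filestealth\s*=", rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)")]
HTACCESS_MARKER = re.compile(rb"thumbs\.db", re.I)
# Constructed sample web root (not from the thread): clean index, shell-marked file, tampered .htaccess.
SAMPLES = {
    "index.php": b"<?php require('includes/application_top.php');",
    "oshop/x.php": b"<?php $md5_pass = \"\"; $c99sh_updateurl = $sh_mainurl.\"u.php\";",
    ".htaccess": b"RewriteEngine On\nErrorDocument 404 /thumbs.db\n",
}

def scan_file(path):
    """Return indicator descriptions found in one file (empty list if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    name = os.path.basename(path).lower()
    if name.endswith((".php", ".phtml", ".php5", ".inc")):
        return [m.pattern.decode() for m in SHELL_MARKERS if m.search(data)]
    if name == ".htaccess":
        return [f".htaccess line {n}: {ln.decode(errors='replace').strip()}"
                for n, ln in enumerate(data.splitlines(), 1) if HTACCESS_MARKER.search(ln)]
    return []

def scan_tree(root, changed_within_hours=24):
    """Map relative path -> findings for files with an indicator hit or a recent mtime."""
    cutoff = time.time() - changed_within_hours * 3600
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            # Weak alone: the quoted shell's $filestealth = TRUE preserves mtimes.
            recent = ["modified within window"] if os.path.getmtime(path) >= cutoff else []
            hits = scan_file(path) + recent
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Write SAMPLES to a temp dir, age the PHP files 30 days, return the scan."""
    root, old = tempfile.mkdtemp(), time.time() - 30 * 86400
    for rel, body in SAMPLES.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(body)
        if rel != ".htaccess":
            os.utime(p, (old, old))
    return scan_tree(root)
```

Run `scan_tree("/path/to/webroot")` over a copy of the site pulled down via FTP; the aged clean file in the demo shows that a marker hit, not a fresh timestamp, is what should drive the triage.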

  5. #5
    @trinivps Some versions of osCommerce are vulnerable to file uploads and arbitrary code execution. Look here and here.

  6. #6
    I think the OP needs to update the software they are running

  7. #7

    Hmm, upgrade...

    Only prob is the host doesn't support the hosted site, as they took over another company and don't support the software. Hmm, what to do.

  8. #8
    No host is going to update oscommerce for you, it's a 3rd party script.

  9. #9

    1. You got exploited by a moron. Think about how that makes you look.
    2. Your $9.95/mo provider is NEVER going to take responsibility for whatever you upload.

    They don't look and they don't care as long as it doesn't cause any problems. (Yeah, I get 5-10 of these tickets a day.)

    Upgrade the script. If you can't upgrade OSCommerce ... you should not be touching anything on a server - ever. Hire a consultant.

    Bonus points:
    Lock that **** down.
    Disable php functions you don't need.
    Use correct permissions. No, 777 everywhere are not correct.
    Upgrade **** regularly.
    Common sense is not so common.

  10. #10
    Quote Originally Posted by Xous:
        1. You got exploited by a moron. Think about how that makes you look.
    That was unnecessary and unhelpful. What do you hope to gain by insulting people who come here looking for help? Does it make you feel better about yourself?

  11. #11


    I think Net registry appreciates your answer.

    I wouldn't mind or complain at $9.99 a month, but the charge is somewhat dearer at $450 a year or some such figure. And as for that Aussieweb, also an oscommerce hosting mob, they charge $760 a year for the same.... Also the charge for the same is meant to be $900 a year if unlimited categories and products for ecommerce.

    As for the hacking etc., going through and removing all those uploaded files and some interesting advertising and products for other companies and links for their own advertising etc.....
    Methinks the morons are those doing the hacking and putting links to others to follow and do likewise.

    On a side note, it was the hosting company that installed oscommerce and set it up originally. It is with little wonder, viewing your response, why the hosting companies now wish to not support the sites, with attitudes like yours being typical among hackers.
    Last edited by LeeSMaz; 05-14-2011 at 04:05 AM. Reason: clarification

  12. #12

    If you're paying for managed OSCommerce hosting that is a bit different. Depending on what your agreement is with the hosting provider, they may be responsible for upgrades and securing the site. I'd still be willing to bet that they installed it for a one-time fee and never said anything about managing it.

    $33/mo still ain't really enough for me to see someone properly managing a site for you.
    If you had been doing your due diligence as a business owner you would have daily, if not hourly, backups of the content and database and this would be a non-issue.

    Bottom line is you still got owned by a moron and you've lost money because you didn't take the necessary precautions to ensure this didn't happen or have a disaster recovery plan in place in case it did.
    Common sense is not so common.
