Post by spikeachu » Sun Nov 17, 2013 4:37 pm

Hi,

I've had my demo site hacked and forwarded to another site. I've sorted it out, it was a case of removing an iframe from index.php.

I'm curious as to how it happened. Files were placed in the download folder, despite this function being disabled to the demo user.

There are other OC sites on this server, so I don't think it's the server that was compromised, just getting access to the admin area makes the demo install compromisable.

I've posted server logs below;

Code: Select all

115.135.122.150 - - [04/Jan/2013:13:18:08 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:09 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:18:14 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:16 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:19 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:20 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
180.76.5.163 - - [04/Jan/2013:13:35:35 +0000] "GET /index.php?route=product/category&path=33&sort=p.model&order=ASC HTTP/1.1" 200 28781 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:52 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:55 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:36:58 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:00 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:03 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:04 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:38:18 +0000] "GET /index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:19 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:20 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:29 +0000] "GET /download/readme.jpg.82d88ed2038c94b2c47c9a1a671c2822 HTTP/1.1" 404 341 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"

Wedding Invitations and Stationery by Love2print

Commercial Mods
Product Colours on Category Page
Cardsave Direct Gateway
Clear Cache
Promotional Watermarks on Images
Multiple Category / Product Templates ** Popular **
Log Failed Login Attempts
Display Eligible Coupons with Products
Twitter Feeds

Have I helped you out or saved you some time? Please donate


Active Member

Posts

Joined
Fri Mar 12, 2010 6:31 am

Post by Johnathan » Sun Nov 17, 2013 11:18 pm

1. Demo admin users can upload files via the "Downloads" area, or using the file manager. Make sure both things are disabled for a demo store.

2. Make sure your "download" folder's permissions are set to 644

3. Add this to your .htaccess file:

Code: Select all

RewriteRule ^download/(.*) /index.php?route=error/not_found [L]

Image
Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by MarketInSG » Mon Nov 18, 2013 12:40 am

if you look at the logs clearly, the person uploaded through the front end upload function....as usual. Then, I believe he manage to get your encryption key from the admin area. From there, he easily find the name of his uploaded file and there you go...he gotten himself to run any script he uploaded.


User avatar
Guru Member
Online

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by spikeachu » Mon Nov 18, 2013 4:11 am

Thanks guys. I'd completely forgotten about the front end upload option. I'm blaming a baby and too many nights of broken sleep ... haha

Still amazes me the lengths that people will go to to steal a $15 mod.

Wedding Invitations and Stationery by Love2print

Commercial Mods
Product Colours on Category Page
Cardsave Direct Gateway
Clear Cache
Promotional Watermarks on Images
Multiple Category / Product Templates ** Popular **
Log Failed Login Attempts
Display Eligible Coupons with Products
Twitter Feeds

Have I helped you out or saved you some time? Please donate


Active Member

Posts

Joined
Fri Mar 12, 2010 6:31 am
Who is online

Users browsing this forum: No registered users and 9 guests