osCommerce: Recovering from a Hack Attack

I was called upon yesterday to sort out a website running osCommerce. It had been installed a few years ago, had a few modifications added and that was it. No security updates. Ever!

The first sign something was amiss was that it became impossible to browse the shop. I quickly traced that to a missing key file. When the file was replaced all appeared to be OK again. It was then a matter of how that file came to be missing. Was it human error, a deliberate act of focussed sabotage or something destructive but less personal? Fortunately, as the incident unfolded, the first two possibilities were eliminated.

Emails arrived indicating that a page had been set up on the site phishing for people’s bank details. Then another page, then another. The hunt was on then to find and eliminate the phishing files and the files left by the hackers which enabled the phishing files to be deposited. Simply removing these is no use as the vulnerability that let the hackers in in the first place has to be addressed.

First, the default admin folder was renamed and the vulnerable files were removed (file_manager.php, define_languages.php). Then various security updates and modifications were applied. Finally, a site monitoring tool was installed and run to check for suspicious files and for files that should be there but contain suspicious content, and to alert to future changes. The site monitor found a dozen files that had been deposited over the past week, plus 5 bona fide files that had nasty stuff injected into them by the hackers.

The site is now thoroughly cleansed and all is well. But monitoring continues, both for intrusion attempts and any security updates.

If you have an osCommerce site that needs updating or you suspect/know has been hacked, contact Jewelion Web Design today – we can help!

  • webmasteratjeweliondotcom
  • T:01691 682428
  • M:07980444071
  • Visit our osCommerce Services Pages
