Tuesday, February 15, 2011

OSCommerce Hacked, Eval Base64 Decode attack

Recently one of my OSCommerce sites was flagged by Google as malicious and harmful to your computer, so I was forced to take a look at the code.  I had experience with Drupal and Joomla, but not much with OSCommerce; this was a site that a friend of mine had set up and it is now more or less in my hands.  It was also a site with a lot of customization, and it was set up on shared hosting, so there were a lot of unknowns for me.  I found that the part of the code that was trying to load malicious content was in fact an eval(base64_decode()) call, which can easily be found with either UltraEdit or PSPad.  Just search the whole directory for 'base64' and it will be quite obvious which occurrences are legitimate and which are not.

However, the problem came when similar code kept popping up in my header.php file day after day.  So I had to look at the site again.  I then found that in my catalog/image/ and /catalog/admin/image directories there were a few suspicious PHP files, and looking into them showed hacker signatures claiming "... was here".  So it was again quite obvious, since you don't expect anyone to put PHP files into an image directory.
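The two checks described above (grepping for the eval/base64_decode loader, and spotting PHP files that have no business sitting in an image directory) can be scripted so they run on a schedule instead of by hand. The scanner below is an added example and not code from the original post or from OSCommerce; the directory names it treats as image-only ("image" and "images") and the sample site tree it builds are assumptions.

```python
import os
import re
import tempfile

# The obfuscated loader the post describes is eval() wrapped around base64_decode(),
# sometimes with gzinflate() in between. Legitimate OSCommerce code also calls
# base64 functions, so only the eval + base64_decode combination is flagged.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(")

# Assumption: these directory names should hold only images (the post names
# catalog/image and catalog/admin/image; stock OSCommerce uses "images").
IMAGE_DIRS = {"image", "images"}
PHP_EXT = {".php", ".php3", ".php4", ".php5", ".phtml"}


def scan_tree(root):
    """Walk root and return (injected_files, php_in_image_dirs), each a sorted
    list of paths relative to root."""
    injected, misplaced = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        in_image_dir = bool(parts & IMAGE_DIRS)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() not in PHP_EXT:
                continue  # images and other non-PHP files are left alone
            if in_image_dir:
                misplaced.append(rel)
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    injected.append(rel)
    return sorted(injected), sorted(misplaced)


def build_sample_site():
    """Constructed sample tree (not a real site): a header with the injected
    loader, a file that uses base64 legitimately, and a PHP dropper in image/."""
    root = tempfile.mkdtemp(prefix="osc_scan_")
    files = {
        "catalog/includes/header.php":
            b"<?php echo 'shop header';\n"
            b"eval(base64_decode('ZWNobyAnaW5qZWN0ZWQnOw=='));\n",
        "catalog/includes/functions/general.php":
            b"<?php $token = base64_encode($data); // legitimate use\n",
        "catalog/image/logo.gif": b"GIF89a",
        "catalog/image/x.php": b"<?php /* somebody was here */ ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root
```

Run scan_tree() against the web root (catalog/ and its admin directory) from cron and alert on any non-empty result; a file that reappears in header.php after cleaning is the sign that the dropper in the image directory is still there.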

After this I implemented a few of the steps listed here .  The previously linked article about the base64 attack recommends that you should at least change the admin path and install a few security add-ons for the site.  I hope I never find those attacks on my site again.

Hope this helps anyone out there who is having the same problem.