Fix for a hacked osCommerce website

A client that runs an ecommerce website called a week ago to report his site was hacked. This was the worst kind because his visitors would get redirected to a different site that offers scareware and infects the computer when the scareware is clicked. This hack basically brought his business to a halt in terms of online orders.

I believe what happened was that the business owner uploaded a PHP script to help with SEO and that script was malicious. Another theory of mine is that the hackers were able to exploit a known osCommerce vulnerability that allowed them to upload the files:
http://blog.sotel.de/en/2010/11/25/os-commerce-sicherheitsluecke-adminlogin-php/

I found in the root and in subfolders the goog1exxx.php and goog1e_analist_xxx.php files that allowed the hackers to launch and upload any files they please. These PHP files were embedded in various subfolders, and they even set up an img_xxx.php file in the images folders as a secondary backdoor in case the goog1exxx.php files were discovered and deleted. I searched for files with the same timestamp as the goog1exxx.php files to determine which ones were affected.

I found that the infection had touched over 3000 of the files in that site. The infection was in PHP, HTML, and JS files, and there were at least 5 different variants. There was the fake Google Analytics code, and the deadly try_pick_colors() JavaScript function, just to name a few. In order to make bulk changes, I downloaded the entire site using an FTP client to my computer and used EditPlus to search/replace the entire site for occurrences of the malicious code. After making the manual changes to each file, I uploaded the cleaned files back to his site.

I secured the /admin folder with an .htaccess file and then changed the database password, because it is stored in clear text in the configure.php files. Finally, since shopping cart sessions were saved to the database instead of cookies, I truncated/cleared all the contents of the SESSIONS table to stop any redirection to the malicious websites that may have been preserved in saved sessions.
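An added example (not part of the original post or the client's site) of the triage described above as a script rather than a manual search: it walks a downloaded copy of the site, flags files by the backdoor naming pattern (goog1exxx.php, goog1e_analist_xxx.php, img_xxx.php), flags files by the try_pick_colors() content signature, and applies the same-timestamp heuristic against the backdoors it found. The sample tree, file names and timestamps are constructed; the fake Google Analytics variant is not modelled because the post does not reproduce it.

```python
import os
import re
import tempfile

# Indicators taken from the post: backdoor file names such as goog1exxx.php,
# goog1e_analist_xxx.php and img_xxx.php, and the injected try_pick_colors() JS.
BACKDOOR_NAME = re.compile(r"^(goog1e\w*|img_\w+)\.php$", re.IGNORECASE)
INJECTED_CODE = re.compile(rb"try_pick_colors\s*\(", re.IGNORECASE)
SCAN_EXT = {".php", ".html", ".htm", ".js"}

def scan_site(root, window=60):
    """Return three sorted lists of paths relative to root: backdoors (by file
    name), injected (by content signature) and same_time (files whose mtime is
    within `window` seconds of any backdoor's mtime, the post's heuristic)."""
    backdoors, injected, stamped = [], [], []
    for d, _, files in os.walk(root):
        for f in files:
            path = os.path.join(d, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            stamped.append((rel, os.path.getmtime(path)))
            if BACKDOOR_NAME.match(f):
                backdoors.append(rel)
            elif os.path.splitext(f)[1].lower() in SCAN_EXT:
                with open(path, "rb") as fh:
                    if INJECTED_CODE.search(fh.read()):
                        injected.append(rel)
    ref = [m for rel, m in stamped if rel in backdoors]
    same_time = [rel for rel, m in stamped
                 if rel not in backdoors and any(abs(m - r) <= window for r in ref)]
    return sorted(backdoors), sorted(injected), sorted(same_time)

def build_sample_site():
    """Constructed fixture, not the client's site: a tiny osCommerce-like tree."""
    root = tempfile.mkdtemp(prefix="oscsite_")
    base = 1_000_000_000  # constructed epoch time of the compromise
    files = {  # rel path: (content, mtime)
        "index.php": (b"<?php require('includes/application_top.php'); ?>", base - 86400),
        "product_info.php": (b"<script>function try_pick_colors(){}</script>", base),
        "images/img_9f3a.php": (b"<?php /* constructed backdoor placeholder */ ?>", base),
        "goog1e_analist_77.php": (b"<?php /* constructed backdoor placeholder */ ?>", base),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root
```

Run scan_site() against a local FTP download of the site rather than the live server, and review the same_time list by hand: a shared timestamp is a lead, not proof of infection.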

At this point, the hackers were unable to upload any more files (assuming they haven’t hidden any more backdoor scripts). I replaced the index.php temporarily with an “under construction” page in the interim while the fix was applied. After everything was cleaned, I would say the site was down for at least 5 days. The business owner is happier now.

If you want to see the 5 variants of malicious code that were removed from various files, please comment here.

Cannot run any EXE programs

Peter reported the other day that he received a popup on his screen regarding some virus. Not sure what web site he was on and what he downloaded. Whatever it was, he couldn’t run any programs as a result.

Thankfully he was able to launch a browser to access the web. We initially tried to use Zolved Remote control via http://www.zolved.com and quickly found the flaw in that: he couldn’t run the downloaded EXE so that I could remote control his computer.

Next we tried Adobe Acrobat’s Connectnow web conferencing tool via https://na2.connectnow.acrobat.com/chromilo. This worked and after downloading the plugins on his end, I was able to remote control his PC.

After asking my good friend Google, I came across this fix: http://support.microsoft.com/kb/555067. It talks about running command.com and renaming regedit.exe to regedit.com so that I could launch Registry Editor. There was an entry that associated all EXE files with an executable called “nap.exe”. I searched for this file on his computer and it appears to no longer exist. Maybe it has morphed into something else. Regardless, I deleted that entry and set it to defaults. I was able to launch EXE programs again after that.

Do you know what virus “nap.exe” is? Quick search on the web for it returns no relevant hits.

I downloaded MS Security Essentials for Peter and installed it for him. I disconnected and asked him to do a full scan of his PC. Curious to know if it detected a virus or not but I’ll find out next week.

Backing up virtual machine guests in VMware Server 2.0 for Windows

I recently asked the twitterverse on backup strategies used by others who use VMware Server 2.0 for Windows and had no comments or responses. This makes me wonder if this platform has any marketshare at all in the virtualization arena. It may also mean no one is reading my posts but I’m hoping it isn’t that.

We use the free edition of VMware Server 2.0 for Windows installed on a Vista Business 64-bit workstation. It works well, and our three methods for backing up hosted guests are:

1) The free edition of VMware Converter;
2) Built-in VMware snapshots;
3) Simple folder copy to a remote disk.

We have been using VMware Converter to clone existing guests and resize disk partitions. This generates compressed backups of guests for archival. VMware snapshots are used for temporary (1-2 days maximum) point-in-time copies of each guest. The problem with this is that snapshots are often not removed or committed to disk, which results in runaway images. The manual copy method for each guest folder to a remote location appears to work the best for us because it ensures a permanent offsite backup of the guest without the use of any additional utility like VMware Converter to do the restore. The only problem is that the copies are uncompressed and require an outage of the guest. Mitigation for this is that it is done during a scheduled systems maintenance window.
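An added check (not from the original post) for the runaway-snapshot problem above: it walks the guest folders and reports every snapshot delta disk older than the 1-2 day policy. It assumes the hosted-product naming convention of a delta disk called `<disk>-NNNNNN.vmdk` next to the base `<disk>.vmdk`; the guest folders, names and ages in the fixture are constructed.

```python
import os
import re
import tempfile
import time

# Assumption: VMware hosted products (Server 2.0 included) write each snapshot's
# changes to a delta disk named <disk>-NNNNNN.vmdk beside the base <disk>.vmdk.
DELTA_DISK = re.compile(r"^.+-\d{6}\.vmdk$", re.IGNORECASE)

def find_stale_snapshots(vm_root, max_age_days=2, now=None):
    """Return sorted (guest_folder, delta_file, age_days) tuples for every snapshot
    delta disk whose mtime is older than max_age_days (the post's 1-2 day policy)."""
    now = time.time() if now is None else now
    stale = []
    for d, _, files in os.walk(vm_root):
        for f in files:
            if not DELTA_DISK.match(f):
                continue
            age = (now - os.path.getmtime(os.path.join(d, f))) / 86400
            if age > max_age_days:
                stale.append((os.path.basename(d), f, round(age, 1)))
    return sorted(stale)

def build_sample_vms():
    """Constructed fixture, not our real host: two guests, one snapshot left 5 days."""
    root = tempfile.mkdtemp(prefix="vms_")
    now = 1_700_000_000  # constructed 'current' time so the ages are deterministic
    ages = {"web01/web01.vmdk": 30, "web01/web01-000001.vmdk": 5,
            "db01/db01.vmdk": 30, "db01/db01-000001.vmdk": 1, "db01/db01.vmx": 1}
    for rel, days in ages.items():  # rel path: age in days
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (now - days * 86400,) * 2)
    return root, now

if __name__ == "__main__":
    sample_root, sample_now = build_sample_vms()
    for guest, delta, age in find_stale_snapshots(sample_root, now=sample_now):
        print(f"{guest}: {delta} is {age} days old, consolidate or delete the snapshot")
```

Point it at the folder that holds the guest directories on the host; a delta disk that keeps growing past the maintenance window is the "runaway image" case.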

I would like to use Symantec’s BackupExec to make “hot” backups without shutting down the guests but have not looked at the various agents available to us yet. What do you use?