OsCommerce is a free, open-source e-commerce script. Because it is widely used, it is also widely targeted and susceptible to hacks and attacks. One recent major OsCommerce attack happened on September 4th 2009, when a large number of unpatched OsCommerce websites were compromised. This attack involved inserting chunks of code wrapped in base64_decode() into the users' OsCommerce files.
The safest way to solve this issue is to erase your entire site and restore it from a recent backup. However, some people might not have a backup, or not one recent enough for this to be feasible, so the next best way is to find every file that was modified in the attack by checking the files' last-modified date/time, and to remove the extra code.
First of all you need to locate the files affected by this attack, so you need to decode the base64-encoded chunk of code. This is the code you will find at the top of any of the infected PHP files. Find that code and decode it using the decoder on this site: http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
Note that you only need to copy whatever's between the quote marks, not the entire chunk of code, into the decoder. For example, with this block of PHP code:
/**/eval(base64_decode('WKlkOnUr3…993//5/8B'));
Just copy this part of the code to decode it:
WKlkOnUr3…993//5/8B
After you run that piece through the decoder, the first line of the decoded result should look something like this:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/username/htdocs/catalog/admin/includes/languages/english/images/buttons/style.css.php'))
The file path specified in the file_exists() call is the exact file that you need to remove:
/home/username/htdocs/catalog/admin/includes/languages/english/images/buttons/style.css.php
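The locate, decode and extract steps above, as an added Python example that is not part of the original post and is not Jerry Rose's script: it finds the injected eval(base64_decode(...)) line in each PHP file under a directory, decodes the blob, pulls the file_exists() path out of it (the dropped file to delete), and strips the injected line. The payload text, file names and directory layout are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Injected prologue as seen at the top of infected files: /**/eval(base64_decode('...'));
INJECT_RE = re.compile(
    r"(?:/\*\*/)?eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;[ \t]*\n?")
# The decoded payload tests for its dropped file; that path is the extra file to delete.
DROPPER_RE = re.compile(r"file_exists\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")

def analyse_php(source):
    """Return (cleaned_source, dropper_path); dropper_path is None for a clean file."""
    m = INJECT_RE.search(source)
    if not m:
        return source, None
    decoded = base64.b64decode(m.group(1)).decode("latin-1", errors="replace")
    d = DROPPER_RE.search(decoded)
    # Strip only the injected line; everything else is the store's own code.
    return source[:m.start()] + source[m.end():], (d.group(1) if d else None)

def scan_tree(root, dry_run=True):
    """Map each infected .php file under root to its dropper path.
    dry_run=False rewrites the cleaned file in place (back up the site first)."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        src = path.read_text(encoding="latin-1")
        cleaned, dropper = analyse_php(src)
        if cleaned != src:
            findings[path.relative_to(root).as_posix()] = dropper
            if not dry_run:
                path.write_text(cleaned, encoding="latin-1")
    return findings

# Constructed samples: a clean include, and the same file with the injected prologue.
CLEAN_SOURCE = "<?php\nrequire('includes/application_top.php');\n"
PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
           "if(file_exists('/home/username/htdocs/catalog/admin/includes/languages/"
           "english/images/buttons/style.css.php')){/* body omitted */}}")
BLOB = base64.b64encode(PAYLOAD.encode()).decode()
INFECTED_SOURCE = CLEAN_SOURCE.replace("<?php\n", "<?php\n/**/eval(base64_decode('%s'));\n" % BLOB, 1)

def demo():
    """Write both samples to a temp dir and run a dry-run scan over it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.php").write_text(CLEAN_SOURCE, encoding="latin-1")
        Path(root, "catalog").mkdir()
        Path(root, "catalog", "index.php").write_text(INFECTED_SOURCE, encoding="latin-1")
        return scan_tree(root)
```

Run demo() for a dry-run report; scan_tree(path, dry_run=False) rewrites the infected files, and the reported dropper paths still have to be deleted by hand.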
The good news is that if you're on a web hosting account that runs Unix or any of its variants, and you have shell access, then this script by Jerry Rose will help automate the removal of any base64_decode-infected PHP files: http://www.jerryrose.org/osc-cleanup.sh
Warning: Always back up your site files and your OsCommerce store database before using this (or any other) script!
To prevent such attacks on your OsCommerce website, additional securing and 'hardening' of your web hosting account and your OsCommerce installation is highly recommended.
In addition, these OsCommerce add-ons or mods will help improve your OsCommerce installation's security. Check them out, and if you haven't installed them, you should.
Prevent Cross Site Scripting (XSS) attacks: http://addons.oscommerce.com/info/6044
Prevent SQL injection attacks: http://addons.oscommerce.com/info/5752
Monitor for unauthorised file changes: http://addons.oscommerce.com/info/4441
Ban IPs that try to attack your OsCommerce: http://addons.oscommerce.com/info/5914
You're not wrong if you think this involves a lot of work, but making sure that your OsCommerce site is well secured and hardened will let you sleep easier and spare you the hassle and trauma of finding out that your OsCommerce site has been hacked. If it was done for fun, it wouldn't be that bad, but imagine if a competitor instigated the attack and all your customer details are now gone or stolen.