Htaccess attack from a Russian

Song · 3-16-12, 04:24 AM

Recently, some one from Russia has been injecting code into my .htaccess file. I have cleaned ip my computer and my oscommerce files to no avail. Its almost I wish I could somehow get a hold of this guy and shoot him with a gun. For over 10 months this person has been injecting new file/htaccess above my htdocs and knocking of my website. Anyone has a clue aon how to block this person from creating htaccess file above my htdocs?

Thank you in advance.

tpoynton · 3-16-12, 09:29 AM

did you change your FTP/OPS/all other passwords?

**snowmaker** · 3-16-12, 11:19 AM

And put passwords together to make passphrases, like what's done here - "That's a Battery Staple" - Passwords for Humans.

**Jim M** · 3-16-12, 04:03 PM

osCommerce is notoriously insecure - particularly the file manager, which can easily be exploited to upload malicious content, as you seem to be suffering. I'd read the suggestions at the link below with regard to "hardening" the application:
http://forums.oscommerce.com/topic/3...merce-22-site/
At the very least, disable the file manager.

shrupa · 3-20-12, 11:36 AM

Try adding a .htaccess password protection for admin folder. Then can use the tool at http://www.countryipblocks.net/count...elect-formats/ to block IPs from Russian federation

Song · 4-17-12, 08:23 AM

Since the last time I posted here my website has been down, banned by google becaus eof this senseless act of wickedness. So I devoted an entire time to understand what was going on and why this person has chose my site to perpetrate this bullish tyranny. I found our that this person turned website site into a spam machine and was using my oscommerce customer list to distribute spam mails. I received warning from powweb concerning the spamming or else be banned.

Anyway I have done what I could and the last visit of this rogue resulted in his IP address being banned. I used the OSC_sec.php addon to create this firewall. I also deleted one two files in oscommerce admin panel that this rogue was using to gain entrance. After All thesde and a loss of over $7k, I sat and watched this bastard roam into my site this morning hoping to attack me and low and behold my trap detected his russian rogue ***, banned him and sent him packing with a warning.

I have cleaned my computer, reformatted my drive with hopes that this individual will not have access to my computer.

Also I changed my Oscommerce Admin panel to some crap that I believe his Russian Smelling *** cannot decode.

Thank you all for coming to my aid. I have been unemployed for awhile, my oscommerce site is the last resource to keep buying gas and feeding my little children. I have also contacted the authorities and waiting for an escalation as a branch of the KGB is intolerant to this this and they work with the USA authorities to combat tjis type of crap.

So Long. Please If can be of help let me know because what I have done to my site seem pretty good for now and I can breathe a sigh of relief knowing that my loyal customers may return.

**Croc Hunter** · 4-17-12, 04:31 PM

Great to hear from you Song, hope your health is well. Inject access above htdocs is rare, what a pain. Both OSC and ZenCart seem a target, sadly any popular applications are, even these things called iMac. I would have advised you run anti-malware etc on your local system but a format is even better. Happy travels.

Song · 4-17-12, 04:58 PM

Yes indeed my health is well. I was very angry because I have never seen anything like this.

For anyone running Oscommerce, go to the contribution section of oscommerce.com, type osC_Sec, download this great addon and secure your store.

Also search filesafe.php and add this great addon. This will will tell you which files were manipulated by an attacker if they gained access without you knowing

Also, you can use SUCURI.net to check your site to be sure that you do not have malware. This is a free service and they can check anysite for you including your non oscommerce sites

Thank you.

Song · 4-20-12, 06:18 PM

After a 10 month relentless attack and loss of income I finally warded off an oscommerce hacker and attacker

http://forums.oscommerce.com/topic/3...ecurity-holes/

http://www.parorrey.com/blog/php-dev...-being-hacked/

http://forums.oscommerce.com/topic/3...curity-thread/ <======= I used this thread, Look for =>OSC SEC from Taipo

The truth is the filemanager.php in old version of oscommerce make them vulnerable to attacks. After I patched up I also deleted filemanager.php because it is useless, only exist as an hacker enabler.

3-16-12, 04:24 AM	#1
Song Join Date: Jul 2003 Location: Pittsburgh Posts: 66 Reputation: 10	Htaccess attack from a Russian Recently, some one from Russia has been injecting code into my .htaccess file. I have cleaned ip my computer and my oscommerce files to no avail. Its almost I wish I could somehow get a hold of this guy and shoot him with a gun. For over 10 months this person has been injecting new file/htaccess above my htdocs and knocking of my website. Anyone has a clue aon how to block this person from creating htaccess file above my htdocs? Thank you in advance.

3-16-12, 09:29 AM	#2
tpoynton Custom User Title Join Date: Sep 2004 Location: Mass Posts: 2,119 Reputation: 293	did you change your FTP/OPS/all other passwords? __________________ Edit your php.ini Enable CGI Update your stats Domain Pointing Tool Subdomain Pointing Tool CGI Error Log File a ticket

3-16-12, 11:19 AM	#3
snowmaker   Join Date: Nov 2002 Location: Solomons Island Posts: 3,120 Reputation: 318	And put passwords together to make passphrases, like what's done here - "That's a Battery Staple" - Passwords for Humans. __________________ -bruce /* somdcomputerguy / 'If you change the way you look at things, the things you look at change.'*

3-20-12, 11:36 AM	#5
shrupa Join Date: Feb 2009 Location: India Posts: 165 Reputation: 32	Try adding a .htaccess password protection for admin folder. Then can use the tool at http://www.countryipblocks.net/count...elect-formats/ to block IPs from Russian federation __________________

4-17-12, 08:23 AM	#6
Song Join Date: Jul 2003 Location: Pittsburgh Posts: 66 Reputation: 10	Thank you all Since the last time I posted here my website has been down, banned by google becaus eof this senseless act of wickedness. So I devoted an entire time to understand what was going on and why this person has chose my site to perpetrate this bullish tyranny. I found our that this person turned website site into a spam machine and was using my oscommerce customer list to distribute spam mails. I received warning from powweb concerning the spamming or else be banned. Anyway I have done what I could and the last visit of this rogue resulted in his IP address being banned. I used the OSC_sec.php addon to create this firewall. I also deleted one two files in oscommerce admin panel that this rogue was using to gain entrance. After All thesde and a loss of over $7k, I sat and watched this bastard roam into my site this morning hoping to attack me and low and behold my trap detected his russian rogue *, banned him and sent him packing with a warning. I have cleaned my computer, reformatted my drive with hopes that this individual will not have access to my computer. Also I changed my Oscommerce Admin panel to some crap that I believe his Russian Smelling * cannot decode. Thank you all for coming to my aid. I have been unemployed for awhile, my oscommerce site is the last resource to keep buying gas and feeding my little children. I have also contacted the authorities and waiting for an escalation as a branch of the KGB is intolerant to this this and they work with the USA authorities to combat tjis type of crap. So Long. Please If can be of help let me know because what I have done to my site seem pretty good for now and I can breathe a sigh of relief knowing that my loyal customers may return.

3-16-12, 04:03 PM	#4
Jim M PowWeb Staff Join Date: Sep 2011 Location: Phoenix, AZ Posts: 93 Reputation: 76	osCommerce is notoriously insecure - particularly the file manager, which can easily be exploited to upload malicious content, as you seem to be suffering. I'd read the suggestions at the link below with regard to "hardening" the application: http://forums.oscommerce.com/topic/3...merce-22-site/ At the very least, disable the file manager.

4-17-12, 04:31 PM	#7
Croc Hunter Mod.. with bite.. Join Date: Sep 2002 Location: Australia Posts: 7,295 Reputation: 442	Great to hear from you Song, hope your health is well. Inject access above htdocs is rare, what a pain. Both OSC and ZenCart seem a target, sadly any popular applications are, even these things called iMac. I would have advised you run anti-malware etc on your local system but a format is even better. Happy travels. __________________ Croc Hunter MSC :

4-17-12, 04:58 PM	#8
Song Join Date: Jul 2003 Location: Pittsburgh Posts: 66 Reputation: 10	Thank you Crochunter Yes indeed my health is well. I was very angry because I have never seen anything like this. For anyone running Oscommerce, go to the contribution section of oscommerce.com, type osC_Sec, download this great addon and secure your store. Also search filesafe.php and add this great addon. This will will tell you which files were manipulated by an attacker if they gained access without you knowing Also, you can use SUCURI.net to check your site to be sure that you do not have malware. This is a free service and they can check anysite for you including your non oscommerce sites Thank you.

4-20-12, 06:18 PM	#9
Song Join Date: Jul 2003 Location: Pittsburgh Posts: 66 Reputation: 10	Stop Oscommerce attacks - Cool links After a 10 month relentless attack and loss of income I finally warded off an oscommerce hacker and attacker http://forums.oscommerce.com/topic/3...ecurity-holes/ http://www.parorrey.com/blog/php-dev...-being-hacked/ http://forums.oscommerce.com/topic/3...curity-thread/ <======= I used this thread, Look for =>OSC SEC from Taipo The truth is the filemanager.php in old version of oscommerce make them vulnerable to attacks. After I patched up I also deleted filemanager.php because it is useless, only exist as an hacker enabler.