Hacked

Hi,

It's the 2nd time I have been hacked within a short time:
.htaccess:

ErrorDocument 400, 401, 403, 404 and 500 have http://greencoffee-fatburnsolution.com/?12/2.
I use FireFTP, where I used to store the login details, and I was told (makes sense now) that I should use a program like KeePass to protect my passwords. So I went and restored an old backup, changed the password and used KeePass, but after some days it has been hacked again.
I use OXID 4.7.4_57063 and I'm about to upgrade to the newest version. Any suggestions or questions, please?

Netsparker issues:

Can anyone please help? Pretty important.

So in your shop's root .htaccess they have redirected the error documents to their URL?

Yes, exactly.

Hi @gnomic,

this topic is not really OXID-relevant, as in my opinion it belongs to the security of your computer. What I have seen very often is that a Windows machine has been infected with malicious software that scans the usual paths of the ini files where FTP programs store their passwords unencrypted.
With this data, it is pretty simple to log in to somebody else’s FTP and make changes to the files.

What I would do in this case:

  • change all credentials relevant for your system (FTP, database etc.) immediately
  • store these credentials in Keepass
  • do not store these credentials in your FTP program
  • change the path of the file that contains the passwords
  • get a virus scanner and clean up your machine etc…

Regards

They can only get access to this file if they have the credentials for the FTP account.

Do you run an up-to-date antivirus program on your home PC?

Hi @Marco,

That's what I did the first time (cleaned the PC with Spybot, scanned with Microsoft Security Essentials, used KeePass and changed my password, didn't store anything in FireFTP). I'm not sure what you mean by “change the path of the file that contains the passwords”.
So my guess is that it's something else that's giving them access? An OXID module? Something old on my host, like PHP, Virtualmin etc.?

@Hebsacker
yes

Thanks for helping guys!

[QUOTE=gnomic;128670]
So my guess is that it's something else that's giving them access? An OXID module?
[/QUOTE]

Unlikely :frowning:

[QUOTE=gnomic;128670]
Something old on my host, like PHP, Virtualmin etc.?
[/QUOTE]
Well - who knows…
The main point is to change the credentials for your server immediately so once the old credentials are compromised they cannot be used any more.

Cheers

@Marco
And I did that (KeePass) and it didn't help. So what's next?

@gnomic, Keepass is just a tool for secure storage of your credentials on your local machine. It doesn’t change anything on your server.

At least the FTP password has to be changed in your server management tool. You can use Keepass so you don't forget it :wink:

@Marco
Now we can almost rule out that they got the password from my PC to access the FTP. What's the next step?

http://forum.oxid-esales.com/showthread.php?t=20058#post128667

And in addition to those hints: secure your local machine properly.

@websacker
That's what I did the last time: full scan with multiple programs, KeePass, and changed all my logins. Now it happened again = probably not the issue then. Maybe this is:

Netsparker issues added to the OP.
I spoke with my host about it the first time it happened and they said what you said (which I have now done), and that it wasn't an issue with old versions of PHP etc. Many did that… sounds weird to me, what do you guys think?

All those issues from Netsparker are no reason for your hack.

@websacker
Okay, that's good to know.
What would you then suggest I do? It's probably not OXID, modules or the things my host runs = it's probably still something at my end. If yes, what's the next move? Should I use another program? What programs do you guys use? Or is there something else than my PC that might cause this?

You should probably ask for some advice in a PC / software / security forum instead of an e-commerce forum.
We are developing online shops, not hacking them.

Some things you could do:

Try to find out the way of attack by checking the log files, Apache and FTP.
If you think passwords were stolen from your PC, double-check that your PC is trojan-free. You should do a full scan of your PC with several different AV programs. Get some good AV programs (most of them are free for testing). Uninstall your current AV program, install a different one and do a full scan. Then the same with another one. You can get an overview of AV programs at http://www.av-test.org/ or http://www.av-comparatives.org/.

@leofonic
Thanks, I will def. try that :slight_smile:

[QUOTE=Hebsacker;128685]http://forum.oxid-esales.com/showthread.php?t=20058#post128667

And in addition to those hints: secure your local machine properly.[/QUOTE]

I don't think I can do anything better than this:

  • Shut down my PC.
  • Used my iPhone (not on wifi) to change my Webmin passwords for everything.
  • Used an FTP app to change the password, so it could access the website.
  • Never used the password with anything other than my mobile (only the few times above).

And now I got hacked, so that means it has nothing to do with the security on my PC. It's my host or OXID/OXID modules. Now what?

Off-topic, I've got the following:

  • Keepass
  • Bitdefender antivirus
  • Comodo firewall
  • Spybot

gnomic, at least your hosting provider must be able to find out from the server logs which IP address was able to gain write access to your .htaccess. They should also be able to find out how this access was gained. Impossible to resolve that by fishing around in forums…
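The two checks suggested in this thread (look for ErrorDocument directives pointing off-site, and find in the FTP log which IP uploaded .htaccess), as an added example that is not code from the thread or from OXID; it assumes an xferlog-style FTP transfer log and uses constructed sample data with placeholder hostnames and documentation IP addresses.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess modelled on the symptom in the thread: the
# ErrorDocument directives have been repointed at an external URL.
# (malicious.example and shop.example are placeholder hostnames.)
HTACCESS_SAMPLE = """\
RewriteEngine On
ErrorDocument 404 /oxid/404.php
ErrorDocument 400 http://malicious.example/?12/2
ErrorDocument 500 http://malicious.example/?12/2
"""

# Constructed FTP transfer log in xferlog format (wu-ftpd/proftpd style): five
# date/time fields, transfer time, remote host, size, path, type, special-action
# flag, direction (i = upload, o = download), access mode, user, service, ...
XFERLOG_SAMPLE = """\
Mon Apr  8 02:14:11 2013 1 203.0.113.45 812 /var/www/shop/.htaccess a _ i r shopuser ftp 0 * c
Mon Apr  8 09:30:02 2013 1 198.51.100.7 5120 /var/www/shop/out/pictures/logo.png a _ i r shopuser ftp 0 * c
Tue Apr  9 03:41:55 2013 1 203.0.113.45 812 /var/www/shop/.htaccess a _ i r shopuser ftp 0 * c
Tue Apr  9 10:02:13 2013 1 198.51.100.7 812 /var/www/shop/.htaccess a _ o r shopuser ftp 0 * c
"""

def external_error_documents(htaccess_text, own_hosts=()):
    """Return (status, target) for ErrorDocument directives whose target is an
    absolute URL on a host outside own_hosts. Local paths and plain text
    messages have no host and are treated as legitimate."""
    findings = []
    for line in htaccess_text.splitlines():
        m = re.match(r"\s*ErrorDocument\s+(\d{3})\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        status, target = m.groups()
        host = urlparse(target).netloc.lower()
        if host and host not in own_hosts:
            findings.append((status, target))
    return findings

def htaccess_uploads(xferlog_text, filename=".htaccess"):
    """Return (timestamp, remote_ip, path) for every upload (direction 'i') of a
    file named `filename`: the writes the hosting provider should look for."""
    uploads = []
    for line in xferlog_text.splitlines():
        f = line.split()
        if len(f) < 18:  # malformed or truncated line, skip it
            continue
        timestamp, remote_ip, path, direction = " ".join(f[:5]), f[6], f[8], f[11]
        if direction == "i" and path.rsplit("/", 1)[-1] == filename:
            uploads.append((timestamp, remote_ip, path))
    return uploads
```

Run both over the real files and the set of IPs returned by `htaccess_uploads` is what to hand to the provider, together with the timestamps, so they can check the Apache and auth logs for the same source.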