Topic: ocCommerce Hacked ?¿

[ChemicalBliss]

Firstly, i know there are probably lots of posts regarding this type of hack, but:

My main question is: How did they know where the install directory was when i randomly named it (16-20 char random).
Some files were edited in there like all the others.

---
The back story:
osCommerce Version 2.2 RC2 (Yes i know silly).
When i installed osCommerce the only security related thing i did was set user/pass randomly, as well as the install folder name.

A few days ago i noticed that the website was only displaying a specific string of text i didnt recognize, it seems there was javascript dotted all over the webpages, using write directly to the page, and contacting some malicious site (urlnext.ru).

So as i was removing them from every index and every javascript file on the server, i noticed i couldnt log into admin anymore so i reset the admin and now all is clean but, and the major but:
How would a script of found this uniquely named install folder (like, asdkjahf8y8y325802308f), i thought brute forcing would of taken years, and the file-manager file, thoguht they could only save, not retrieve directory listings?

Any thoughts? or am i missing something?
-CB-

[jskywalker]

i think http://forums.oscommerce.com/ is a better place to ask....

And do you know for sure that they did use the install directory which was randomly named (16-20 char ??
Mybe they found another way, and thats why the forums of osCommerce is a better place to ask.

[neil.johnson]

They probably haven't used any install directory at all. In fact you should have completely removed the install directory from the server after installing the application. I'm guessing that you are on a shared hosting server. If you are, it is likely that one of the accounts on this server has been compromised and has resulted in all sites hosted on the server being defaced. I have seen this happen plenty of times.

[sKunKbad]

Another thing to consider is that you, or another computer on your network might have one of the password stealing viruses that are very common. Even if your computer is 100% clean, an infected computer on your network could be sniffing network traffic and sending your FTP login to a bot network.

1) Never store your passwords in your FTP program.
2) Always use an encrypted connection when using FTP.
3) Make sure all computers on your network are clean (this should probably be #1).

This might explain why files were changed, yet good passwords existed, and directories were named with security in mind.

[ChemicalBliss]

Thanks for the advice guys.

Just to clarify;
Files were modified in the randomly named install directory.
Techs didnt seem to know (or care tbh) about the hack so i think it was just me.
Only a specific javascript function was appended to index/javascript files, if FTP was compromised why not do more extensive/subtle damage?

I have read that there is a security flaw in file-manager.php, so thats probably what it was.

Thanks guys,
-CB-