Best methods to clean up a hacked site with no clean version available?

Question

I have been asked to fix a hacked site that was built using osCommerce on a production server.

The site has always existed on the remote host. There is no o

Answer 1

I know this is a little late in the day to be offering this solution but the official fix from osCommerce developement is here: http://library.oscommerce.com/confluence/display/OSCOM23/(A)+(SEC)+Administration+Tool+Log-In+Update

Once those code changes are applied then most of the actual work is in cleaning up the website. The admin login bypass exploit will be the cause that has allowed attackers to upload files via the file manager (usually) into directories that are writable, often the images directory.

There are other files that are often writable too which can have malicious code appended in them. cookie_usage.php and includes/languages/english/cookie_usage.php are the usual files that are affected, however on some server configurations, all site files can be susceptible.

Even though the official osCommerce fix is linked to above, I would also suggest to make this change as well: In the page above, scroll down till you see the link that says "Update PHP_SELF Value". Make those changes as well.

This will correct the way $PHP_SELF reports and prevent attackers from using malformed URLs in attempts to bypass the admin login.

I also suggest that you add htaccess basic authentication login to the admin directory.

Also check out an addon I authored called osC_Sec which is an all in one security fix, which while works on most php backed websystems, it is specifically designed to deal to the issues that exist in the older versions of osCommerce. http://addons.oscommerce.com/info/8283