HIDDEN HACKING CODE IN MY WEBSTORE PLEASE HELP

[agnes]

Hi

 

Can anyone help me please. Some rotten so and so has placed about 100 links for viagra in my webstore. I have spent many hours in cpanel file manager trying to find the html pages and have removed about 80 links.

 

I am now stuck as I simply cannot locate the rest.

 

Can you see the location by looking at the source?

 

www.memoriesforeveruk.co.uk/webstore

 

it is above my logo and appears on every page.

 

I have changed my password to hopefully prevent anymore attacks.

 

Do you know where I can get security updates from on this website?

 

Very many thanks for reading and hopfully helping me out!

 

Thank you and merry christmas

 

Agnes UK

[♥FWR Media]

This may help

 

http://www.oscommerce.com/forums/index.php?sho...=257996&hl=

[♥geoffreywalton]

Try looking in webstore/index.php

 

There might be an include statement that includes code that displays these lines.

 

Also you could download a copy of the entire site to your pc and use windows explorer to search for viaga in all the files you download.

[germ]

I may have found some of what you're looking for.

 

In this folder: /webstore/images/imagecache

 

Check these files:

 

17538.php

29858.php

 

If I find more, I'll post again.

[germ]

In this folder: /webstore/images

 

Check these:

 

216278.php

225289.php

[agnes]

I may have found some of what you're looking for.

 

In this folder: /webstore/images/imagecache

 

Check these files:

 

17538.php

29858.php

 

If I find more, I'll post again.

 

Many thanks Jim, I have removed them, but still have the viagra links on webstore!

 

Regards

 

Agnes UK

[agnes]

This may help

 

http://www.oscommerce.com/forums/index.php?sho...=257996&hl=

 

Many thnaks Robert. I will read up.

 

Regards

 

Agnes UK

[agnes]

In this folder: /webstore/images

 

Check these:

 

216278.php

225289.php

 

Many thanks Jim, I have removed them, but I still have the viagra links on webstore! Arrrrgghhhhh!!!!!

 

Regards

 

Agnes UK

[crash3903]

Many thanks Jim, I have removed them, but I still have the viagra links on webstore! Arrrrgghhhhh!!!!!

 

Regards

 

Agnes UK

 

have you checked your header file? The code may be sitting in there

[germ]

I'd agree with the last post.

 

They either hacked every single page, or a module that all the pages use.

 

All the pages use your /webstore/includes/header.php and /webstore/includes/application_top.php

 

If you're not sure, post the contents of both of those files.

 

There are many qualified eyes here that can spot rogue code in a heartbeat.

;)

[agnes]

have you checked your header file? The code may be sitting in there

 

TOP MAN!!!!!

 

Mark many thanks indeed, it's very nice to know that genuine people still exist!

 

It was in the review_php pages and goodness knows where else.

 

You are a real gent.

 

Thanks and remember to look me up when you are this way, I will take you for a run in the old car.

 

Cheers

 

Garry & Agnes

[agnes]

I'd agree with the last post.

 

They either hacked every single page, or a module that all the pages use.

 

All the pages use your /webstore/includes/header.php and /webstore/includes/application_top.php

 

If you're not sure, post the contents of both of those files.

 

There are many qualified eyes here that can spot rogue code in a heartbeat.

;)

 

Thanks Jim, Mark has now sorted it all out. I am downloading a clean site now in my dreamweaver CS3 and will be able to back up / restore from that if these low lifes do it again. What do they get out of this, I wonder what happens if you make contact with the link end? Best not go there I guess!

 

low lifes anyway....

 

I have broken the link where the reviews normally show but I am ok with that. I may even see if I can edit out the review button on ecah product anyway.

 

Cheers

 

Garry & Agnes

[crash3903]

I have broken the link where the reviews normally show but I am ok with that. I may even see if I can edit out the review button on ecah product anyway

 

Not any more ;)

[germ]

You may want to check permissions on your files/folders to try to stop this from happening again.

 

According to my "source", in osC folders should be 755 and files 644

[crash3903]

You may want to check permissions on your files/folders to try to stop this from happening again.

 

According to my "source", in osC folders should be 755 and files 644

 

Your right Jim - He has been advised and he should be doing it as we speak

 

Thanks

 

Mark

[germ]

Another form of defense is to keep "prying eyes" out of places they don't belong....

 

Like here:

 

Click me

 

In that folder, and other folders people can reach from their browser that they don't need access to, make a file called "index.php" with this code in it:

 

<?php
header ("Location: http://memoriesforeveruk.co.uk/webstore/index.php");
?>

Then, if they go there, it pops them right into the main page on the site.

 

Just be sure you NEVER overwrite an existing index.php file!!!

 

My theory is they can't hack what they can't see...

:thumbsup:

[crash3903]

Another form of defense is to keep "prying eyes" out of places they don't belong....

 

Like here:

 

Click me

 

In that folder, and other folders people can reach from their browser that they don't need access to, make a file called "index.php" with this code in it:

 

<?php
header ("Location: http://memoriesforeveruk.co.uk/webstore/index.php");
?>

Then, if they go there, it pops them right into the main page on the site.

 

Just be sure you NEVER overwrite an existing index.php file!!!

 

My theory is they can't hack what they can't see...

:thumbsup:

 

Great tip :thumbsup:

[digilee]

Better still, for OSC, use index.html instead of index.php with this code:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
<meta http-equiv="refresh" content="0;URL=http://MYDOMAIN.com" />
</head>
<body>
</body>
</html>

 

This way you'll never have the worry of overwriting index.php

[germ]

True, you'll never overwrite it.

 

But if you accidentally put it in the same folder with an index.php file, the index.html file becomes the "default" page (if someone types http://www.your_site.com/folder into their browser address bar).

 

Useful information for anyone with both an index.php and an index.html (or index.htm) in the same folder, who wonders why they can't get the PHP page to display.

[agnes]

You may want to check permissions on your files/folders to try to stop this from happening again.

 

According to my "source", in osC folders should be 755 and files 644

 

Hi Jim

 

755 and 644, working may way through all my files.

 

Have a good one.

 

Garry & Agnes