artstyle
Posted November 5, 2008

Hi,

As I was browsing my site I got a warning from Avast anti virus about VBS:Malware-gen virus-worm. I checked my test site and there was no problem browsing it or other sites on the internet. The warnings kept popping up only when browsing on my official site.

As I checked my index files, catalog and root, I noticed a script at the bottom of these files that I have not seen before. I deleted them and I do not get any warnings. I changed my password as well.

My question is how could this happen and if there is a way to avoid it? I have installed many contributions but always on my test site first and then on the official site. My test site was not affected. Is there anything else I should check for?

Any help is greatly appreciated.

Thank you,
Alexandra

germ
Posted November 5, 2008

The most common reason for web sites to become compromised is incorrect permissions.

FOLDER permissions should not be higher than 755
FILE permissions no higher than 644

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >

artstyle
Posted November 6, 2008

> The most common reason for web sites to become compromised is incorrect permissions.
> FOLDER permissions should not be higher than 755
> FILE permissions no higher than 644

Thank you for your reply.

I checked and file and folder permissions are correct. However, sometimes as I'm adding a contribution I have to change admin file permission. I try not to leave it high for too long.

I contacted my host and they say they see something strange in my footer.php file. I have this

    include(DIR_WS_MODULES . 'your_recent_history.php');
    echo $yrh;

This script is part of your recent history contribution v3.0
http://addons.oscommerce.com/info/3204

I am not sure if there is malicious code in that contribution as I really don't know about these things and what to look for. If anyone can have a look at that contribution and let me know I would really appreciate it. I like the way it looks on my site but if I have to take it out I will.

Thank you in advance,
Alexandra

germ
Posted November 6, 2008

I downloaded v3.0 and examined all the files and they have to malicious code in them.

artstyle
Posted November 7, 2008

> I downloaded v3.0 and examined all the files and they have to malicious code in them.

Hi,

Thanks again for your response. Sorry, I'm not sure if I understood. They have no malicious code or they have two malicious codes???

Regards,
Alexandra

germ
Posted November 7, 2008

They're as clean as an operating room table.

Clear now? :unsure:

artstyle
Posted November 7, 2008

> They're as clean as an operating room table.
> Clear now? :unsure:

Ok Thanks,

You had a typo in your first response. All clear now.

Cheers,
Alexandra

germ
Posted November 7, 2008

D*mn fingers anyway....

Sry. :blush:

Guest
Posted November 8, 2008

Using a file compare program, see if there are any differences between your live site and your test site.

Also check the forum for "hack", "hacked" and you will find lots of threads about how to protect your site.

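Added example, not part of any post in this thread: a shell script that runs the checks suggested above (the 755/644 permission limits and the file compare between test and live site) and also looks at the end of index files, where the posters found the injected script. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): three defensive checks for a web root.

# 1. Folders above 755 or files above 644: any group/other write bit,
#    or, for files, any execute bit.
loose_perms() {   # usage: loose_perms ROOT
    find "$1" \( -type d \( -perm -020 -o -perm -002 \) \) -o \
        \( -type f \( -perm -100 -o -perm -010 -o -perm -001 \
                      -o -perm -020 -o -perm -002 \) \) | sort
}

# 2. File compare: files in LIVE that are missing from, or differ from, REF.
#    Files holding site-specific settings will differ legitimately.
changed_files() {   # usage: changed_files REF LIVE
    ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then echo "added $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then echo "changed $f"
        fi
    done
}

# 3. Index files whose last five lines contain a <script tag, the place the
#    posters found the injected code. A hit is a prompt to review, not proof.
tail_markup() {   # usage: tail_markup ROOT
    find "$1" -type f -name 'index*' | sort | while IFS= read -r f; do
        if tail -n 5 "$f" | grep -qi '<script'; then echo "$f"; fi
    done
}

# Constructed sample: a clean "test" tree and a "live" tree with one
# world-writable folder and one index file that gained a trailing script tag.
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/test/images" "$1/live/images"
    printf '<?php echo "shop"; ?>\n' > "$1/test/index.php"
    printf '<?php echo "shop"; ?>\n<script>/* constructed */</script>\n' \
        > "$1/live/index.php"
    chmod 755 "$1/test" "$1/live" "$1/test/images"
    chmod 644 "$1/test/index.php" "$1/live/index.php"
    chmod 777 "$1/live/images"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
echo "Loose permissions:";  loose_perms "$SAMPLE/live"
echo "Differs from test:";  changed_files "$SAMPLE/test" "$SAMPLE/live"
echo "Script near end:";    tail_markup "$SAMPLE/live"
```

On a real site, pass the test copy as the first argument to `changed_files` and the live web root as the second.
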
artstyle
Posted November 9, 2008

Thanks very much. I will have a look!

coolwater
Posted June 5, 2009

> Thanks very much. I will have a look!

Hey - I'm a newbie who came across just the problem that you did. After many reinstallations of osc 2.2rc2a on my shared hosting server, and playing with permissions, it's suggested that the infection came from another user of the server.

I discovered (with the help of my hoster) that ownerships set to "domain.user" can allow for vulnerability. I've subsequently altered my site/public folder ownerships to "domain.domain", and it seems to have worked.

That html-injected worm is a real pain. Am pleased that both AVG and Avast! picked it up.

Just wanted to share this, and am thankful for the info regarding permissions and the viral threat.

Sincerely
Garth

coolwater
Posted June 8, 2009

Correction: although what I mentioned may help, the threat has nevertheless returned. Any assistance would be most welcome.

kuai
Posted June 17, 2009

Make sure your PC is sanitized of any FTP sniffer programs looking for usernames and passwords. Been there.

Most of the dirty code is placed at the bottom of the index files. I had some nasty code even put in the webalizer and webalizer ftp index files. Took a while to clean up.

Good Luck

♥geoffreywalton
Posted June 19, 2009

Follow the useful link below for a thread on how to secure your site.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.

Archived
This topic is now archived and is closed to further replies.