VBS:Malware-gen or other virus detected...

[frenchy128]

Hello Everyone

 

I've seen two posts in regards to virus on OSCommerce sites, one kinda of touching on what I'm about to discuss. I'm currently running a local flowershop shopping cart page with oscommerce, and I've had users email me about 2 months ago stating there was a virus on my site. I vaguely recall VBS:Malware-gen as being the identifier.. At the time, I noticed some extra code at the bottom of my index.php file, containing some cryptic javascript code.. I promptly removed it, set my permissions and went on my way.

 

I got a few emails over the last two days claiming I'm infected again. I took a look, and that cryptic javascript code is back. I've removed it, but I'm now a little concerned about ti re-occurring. Should I start a routine of checking my code daily to see if it been tampered with?

 

Permissions on the file 644, and folder permissions on 755

 

Added at the bottom of index.php

 

Any ideas on how to prevent this?

[FIMBLE]

First off you need to check and cleanse your entire site, i would imagine that there are a few files there also

Look for one in your CATALOG folder called orders.php.

There is one in your Admin folder that is supposed to be there mind!

Also any folders you do not recoginse, and your images folder also needs checking.

 

finally make sure all permissions are correct

[frenchy128]

First off you need to check and cleanse your entire site, i would imagine that there are a few files there also

Look for one in your CATALOG folder called orders.php.

There is one in your Admin folder that is supposed to be there mind!

Also any folders you do not recoginse, and your images folder also needs checking.

 

finally make sure all permissions are correct

 

I have taken a look at all the php files and didn't see any extra or unwanted code admin section and public. I have not found any extra files or folders that were not created by a contribution. File and folder permissions have been reset, even thou they were right to begin with.

 

I had the code re-appear again today.. I've removed it again.. If a solution can't be found I will need to migrate to another shopping cart system as I'm loosing my customers confidence with the problem re-appearing.

 

I'm surprised no one else is having a similar problem..

Sigh.. I have not found a solution yet...

[♥FWR Media]

I had the code re-appear again today.. I've removed it again.. If a solution can't be found I will need to migrate to another shopping cart system as I'm loosing my customers confidence with the problem re-appearing.

 

And you'll experience the same again.

 

Code being added to index.php is not an issue with oscommerce it's a problem caused by the fact that someone is able to get into the server and change your files .. shared hosting at a guess where quite often hackers can get into a server through the server being insecure, an insecure script, or both, then add code to e.g. index.php across all sites on the server.

[Guest]

I read something about XSS at joomla forum. I will also keep this in mind.

On my other site, I have some tracking js that lets me know what IP have visited it. I noticed twice that some one from DE (germany) had visited it.

Now I know, my marketing is very localized. Supicious.

I'm on the lookout as well.

One could write a PHP file to add to admin that does a file balance check, byte count or similar, to see if there has been any changes.