Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Hacked? Spamed? Noobie mistake? or all of the above?


Mudflap

Recommended Posts

After spendng weeks struggling to get a simple store set up to sell a few items for my club, I finally posted a link to it on my website. Within one week I noticed a long list of spam links covering every page of the entire store.

 

I did a search of this site before I posted to see if I could find any similar problems, but could not. I did see a lot of comments about 777 something... but I had no clue what they were talking about.

 

here is a link so you can see what happened: http://www.botwmc.com/store/

 

If someone can help me understand what happened, how to fix it, and how to prevent further attacks, I would be most greatfull. Please remember I am not an expert at this stuff, so please be gentle.

 

Thanks, MF

Link to comment
Share on other sites

I dont know what i am saying BUT

 

the ouside liks ARE (checked with mozilla addon ) there BUT they dont appear in the source code they point to existing sites and shops for examle

 

this (go to the link at your own risk)

http://www.bonavie.com/yellow-aragonite-stretchy-bracelet-pr-16507.html?item-help=31

 

gets you to a wordpress site which i dont if its an actual site

 

however removing the item-help ..thing

 

 

http://www.bonavie.com/yellow-aragonite-stretchy-bracelet-pr-16507.html

 

will get to to a working store

 

 

???????????????

Really dont know what is happening it may be host related !!!

Link to comment
Share on other sites

I did see a lot of comments about 777 something... but I had no clue what they were talking about.

all this comments are crap, if the server correctly setup, no one can hack it!

 

Simply email to your hosting provider and ask them to install mod_security and proper firewall like csf.

 

Plenty clients are hosted on my server and no one had sort crap or talked crap about chmod 777.

Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.

Any issues with oscommerce, I am here to help you.

Link to comment
Share on other sites

After spendng weeks struggling to get a simple store set up to sell a few items for my club, I finally posted a link to it on my website. Within one week I noticed a long list of spam links covering every page of the entire store.

 

I did a search of this site before I posted to see if I could find any similar problems, but could not. I did see a lot of comments about 777 something... but I had no clue what they were talking about.

 

here is a link so you can see what happened: http://www.botwmc.com/store/

 

If someone can help me understand what happened, how to fix it, and how to prevent further attacks, I would be most greatfull. Please remember I am not an expert at this stuff, so please be gentle.

 

Thanks, MF

 

It looks like you've been hacked. I looked at the source code and it looks like a similar hack that I experienced in one of my Wordpress sites with malicious code inserted in the header.php include. It looks like the malicious script was supposed to hide the links from view but the trick they used didn't work.

 

When I viewed your page source, I noticed this bit of code immediately following the <body> tag, enclosed in script tags, and followed by all the links you're seeing:

 

b='hid';c='den';d=0;a=document.getElementById('mczhc');if(a){a.style.position='absolute';a.style.height=d+'px';a.style.overflow=b+c;}

 

My guess is that you were never meant to see the extra links - they'd be lurking there hidden, sucking up bandwidth and causing the search engines to think their links were legitimately on many other sites to improve their position in searches.

 

Do you have an editor with a "Find in Files" option? If so, I'd recommend downloading the osCommerce code to your PC and scanning for some portion of the phrase above to determine which of your files got hacked. That way, you can at least clean it or restore it from backup.

 

What I DON'T KNOW is how this hack occurs and how to prevent it - very frustrating. If someone can offer additional assistance it would be very much appreciated.

 

I hope this helps.

Link to comment
Share on other sites

I'd start by installing the contributions mention in the how to secure your site link after restoring/reinstalling.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Link to comment
Share on other sites

Do you have an editor with a "Find in Files" option? If so, I'd recommend downloading the osCommerce code to your PC and scanning for some portion of the phrase above to determine which of your files got hacked. That way, you can at least clean it or restore it from backup.

 

This seemed like a pretty good idea, so I tried it. I downloaded and saved each .php file and searched them. The search did not produce any results. I then tried a search for "hotel" (one of the words in the links) and still nothing.

 

This makes me think the base64_decode in the index.php might be part of the problem because it would not show up as "words" in a search if it were coded.

 

I copied the index.php and sent it to a guy that is going to look at the base64_decode and tell me if there is anything there.

 

Thanks for the help.

Link to comment
Share on other sites

I can't see the spam you refer to :-/

 

Some people can see it, and some can't. The Tech Support guy that works at my site host could not see it either. He had to look at the source code.

Link to comment
Share on other sites

restore the store with your back up, you have one right?

 

I tried that, but somehow the backup I made was just a backup of the original template before I started working on it. So that means If I use it I will be starting all over.

Link to comment
Share on other sites

If you've got base64_decode in your PHP it's definitely the problem.

 

That and obfuscated javascript are a hackers best friends...

 

An example here: click me

 

BTW

 

I don't see any "trash" on the page or in the source either.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

BTW

 

I don't see any "trash" on the page or in the source either.

 

Hey... I don't see any "trash" now either.... It's just gone. Maybe someone from tech support found a problem with the host after I called.

 

Hopefully the problem is fixed.

 

Thanks to all who helped me try to fix the problem.

Link to comment
Share on other sites

Hey... I don't see any "trash" now either.... It's just gone. Maybe someone from tech support found a problem with the host after I called.

 

Hopefully the problem is fixed.

 

Thanks to all who helped me try to fix the problem.

 

 

Looks like the malicious script is gone from the source, most likely fixed by your tech support folks. I suspect it was probably in the includes/header.php file -- so to prevent future infections, you might try making that file read-only (set permission to 444).

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...