Mudflap Posted March 20, 2009

After spending weeks struggling to get a simple store set up to sell a few items for my club, I finally posted a link to it on my website. Within one week I noticed a long list of spam links covering every page of the entire store. I did a search of this site before I posted to see if I could find any similar problems, but could not. I did see a lot of comments about 777 something... but I had no clue what they were talking about. Here is a link so you can see what happened: http://www.botwmc.com/store/

If someone can help me understand what happened, how to fix it, and how to prevent further attacks, I would be most grateful. Please remember I am not an expert at this stuff, so please be gentle.

Thanks, MF

Guest Posted March 20, 2009

Restore the store with your backup; you have one, right? Then read and follow this: http://www.oscommerce.com/forums/index.php?sho...amp;hl=security

morehawes Posted March 20, 2009

I can't see the spam you refer to :-/

Joe MacMan strikes again! Always backup first before listening to me!

diy Posted March 20, 2009

I don't know what I am saying, BUT the outside links ARE there (checked with a Mozilla add-on), BUT they don't appear in the source code. They point to existing sites and shops. For example, this (go to the link at your own risk):

http://www.bonavie.com/yellow-aragonite-stretchy-bracelet-pr-16507.html?item-help=31

gets you to a WordPress site, which I don't know if it's an actual site. However, removing the item-help ..thing:

http://www.bonavie.com/yellow-aragonite-stretchy-bracelet-pr-16507.html

will get you to a working store ???

Really don't know what is happening. It may be host related!!!

web-project Posted March 20, 2009

> I did see a lot of comments about 777 something... but I had no clue what they were talking about.

All these comments are crap; if the server is correctly set up, no one can hack it! Simply email your hosting provider and ask them to install mod_security and a proper firewall like csf. Plenty of clients are hosted on my server and no one had this sort of crap or talked crap about chmod 777.

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues. Any issues with osCommerce, I am here to help you.

codymaxx Posted March 20, 2009

> After spending weeks struggling to get a simple store set up to sell a few items for my club, I finally posted a link to it on my website. Within one week I noticed a long list of spam links covering every page of the entire store. I did a search of this site before I posted to see if I could find any similar problems, but could not. I did see a lot of comments about 777 something... but I had no clue what they were talking about. Here is a link so you can see what happened: http://www.botwmc.com/store/ If someone can help me understand what happened, how to fix it, and how to prevent further attacks, I would be most grateful. Please remember I am not an expert at this stuff, so please be gentle. Thanks, MF

It looks like you've been hacked. I looked at the source code and it looks like a similar hack that I experienced in one of my WordPress sites, with malicious code inserted in the header.php include. It looks like the malicious script was supposed to hide the links from view, but the trick they used didn't work. When I viewed your page source, I noticed this bit of code immediately following the <body> tag, enclosed in script tags, and followed by all the links you're seeing:

b='hid';c='den';d=0;a=document.getElementById('mczhc');if(a){a.style.position='absolute';a.style.height=d+'px';a.style.overflow=b+c;}

My guess is that you were never meant to see the extra links - they'd be lurking there hidden, sucking up bandwidth and causing the search engines to think their links were legitimately on many other sites to improve their position in searches.

Do you have an editor with a "Find in Files" option? If so, I'd recommend downloading the osCommerce code to your PC and scanning for some portion of the phrase above to determine which of your files got hacked. That way, you can at least clean it or restore it from backup.

What I DON'T KNOW is how this hack occurs and how to prevent it - very frustrating. If someone can offer additional assistance it would be very much appreciated. I hope this helps.

♥geoffreywalton Posted March 20, 2009

I'd start by installing the contributions mentioned in the how to secure your site link after restoring/reinstalling.

Mudflap Posted March 21, 2009 (Author)

> Do you have an editor with a "Find in Files" option? If so, I'd recommend downloading the osCommerce code to your PC and scanning for some portion of the phrase above to determine which of your files got hacked. That way, you can at least clean it or restore it from backup.

This seemed like a pretty good idea, so I tried it. I downloaded and saved each .php file and searched them. The search did not produce any results. I then tried a search for "hotel" (one of the words in the links) and still nothing. This makes me think the base64_decode in the index.php might be part of the problem because it would not show up as "words" in a search if it were coded. I copied the index.php and sent it to a guy that is going to look at the base64_decode and tell me if there is anything there. Thanks for the help.
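
Added example, not written by any poster in this thread: a Python version of the "Find in Files" search discussed above that also decodes base64_decode() string literals before searching, since encoded text never matches a plain keyword search. The keyword list, the file names and the sample store built in demo() are constructed assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

# Markers come from the thread; KEYWORDS (searched after decoding) is an assumption.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]")
PLAIN_MARKERS = ("style.overflow=b+c", "base64_decode", "eval(")
KEYWORDS = ("hotel", "<a href", "getelementbyid")

def decode_layers(blob, max_depth=3):
    """Decode a base64 literal, following nested base64_decode() calls."""
    layers = []
    for _ in range(max_depth):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
        except ValueError:  # not valid base64: stop and keep what was decoded
            break
        layers.append(raw.decode("utf-8", "replace"))
        nested = B64_CALL.search(layers[-1])
        if not nested:
            break
        blob = nested.group(1)
    return layers

def scan_file(path):
    """Return (reason, detail) findings for one PHP file."""
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = [("marker", m) for m in PLAIN_MARKERS if m in source]
    for call in B64_CALL.finditer(source):
        for layer in decode_layers(call.group(1)):
            hits = [k for k in KEYWORDS if k in layer.lower()]
            if hits:
                findings.append(("decoded", ", ".join(hits)))
    return findings

def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    found = {str(p.relative_to(root)): scan_file(p) for p in sorted(Path(root).rglob("*.php"))}
    return {name: hits for name, hits in found.items() if hits}

def demo():
    """Constructed sample store: one clean file, one with an encoded link block."""
    payload = base64.b64encode(b'<div id="mczhc"><a href="http://spam.invalid/">hotel</a></div>').decode()
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text("<?php echo 'Welcome'; ?>")
        Path(root, "includes").mkdir()
        Path(root, "includes", "header.php").write_text(f"<?php echo base64_decode('{payload}'); ?>")
        return scan_tree(root)
```

Call scan_tree() on the downloaded copy of the store; a file that is flagged only by the bare base64_decode marker still needs a manual look, because some legitimate code uses that function.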

Mudflap Posted March 21, 2009 (Author)

> I can't see the spam you refer to :-/

Some people can see it, and some can't. The Tech Support guy that works at my site host could not see it either. He had to look at the source code.

Mudflap Posted March 21, 2009 (Author)

> Restore the store with your backup; you have one, right?

I tried that, but somehow the backup I made was just a backup of the original template before I started working on it. So that means if I use it I will be starting all over.

germ Posted March 21, 2009

If you've got base64_decode in your PHP it's definitely the problem. That and obfuscated JavaScript are a hacker's best friends... An example here: click me

BTW I don't see any "trash" on the page or in the source either.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

Mudflap Posted March 21, 2009 (Author)

> BTW I don't see any "trash" on the page or in the source either.

Hey... I don't see any "trash" now either.... It's just gone. Maybe someone from tech support found a problem with the host after I called. Hopefully the problem is fixed. Thanks to all who helped me try to fix the problem.

codymaxx Posted March 23, 2009

> Hey... I don't see any "trash" now either.... It's just gone. Maybe someone from tech support found a problem with the host after I called. Hopefully the problem is fixed. Thanks to all who helped me try to fix the problem.

Looks like the malicious script is gone from the source, most likely fixed by your tech support folks. I suspect it was probably in the includes/header.php file -- so to prevent future infections, you might try making that file read-only (set permission to 444).
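
Added example (not a poster's code): a Python check for the two permission settings mentioned in this thread, 777 and 444. It flags world-writable entries and also notes read-only files still owned by the account PHP runs as, because that account can change the mode back; the run_as_uid parameter and the sample tree in demo() are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_tree(root, run_as_uid=None):
    """Report world-writable entries and read-only files owned by the PHP account.

    run_as_uid is an assumption: the uid the web server executes PHP under
    (defaults to the current user, which is typical on shared hosting).
    """
    uid = os.geteuid() if run_as_uid is None else run_as_uid
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink():
            continue
        info = path.stat()
        mode = stat.S_IMODE(info.st_mode)
        notes = []
        if mode & stat.S_IWOTH:  # any local account can modify this entry
            notes.append("world-writable")
        if path.is_file() and not mode & 0o222 and info.st_uid == uid:
            notes.append("read-only but owned by web user")  # owner can chmod it back
        if notes:
            report[str(path.relative_to(root))] = (oct(mode)[2:], notes)
    return report

def demo():
    """Constructed sample tree, not the poster's store."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("images", "includes"):
            Path(root, sub).mkdir()
        header = Path(root, "includes", "header.php")
        config = Path(root, "includes", "configure.php")
        header.write_text("<?php // header ?>")
        config.write_text("<?php // config ?>")
        os.chmod(Path(root, "images"), 0o777)    # the "777" setting from the thread
        os.chmod(Path(root, "includes"), 0o755)
        os.chmod(header, 0o444)                  # the suggested read-only mode
        os.chmod(config, 0o644)
        return audit_tree(root)
```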
Archived
This topic is now archived and is closed to further replies.