osCommerce

The e-commerce.

Site infected by JS:Redirector-H3 [Trj]


dewed

Posted

I'm trying to figure out how my osCommerce-driven site is repeatedly getting infected with a trojan loader called JS:Redirector-H3 [Trj].

Many .php files are getting their opening php tag appended with code to infect the viewer.

I use this perl one-liner to clean it:

perl -p -i -e 's/<\?php.*tmp_lkojfghx.*$/<?php/g' `find ./ -type f -mtime -4`

The lkojfghx is random though, so you have to check an infected file.

What I would like to know: is the website itself being infected through brute force/java hacks, or is it likely that one of our workstations that has logged in in the past is silently infecting files?

Just call me Dewed ...
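
A scan that generalises the one-liner in the post above to any random suffix, as an added example that is not part of the original post. The marker pattern (tmp_ plus six or more lowercase letters on the <?php line), the quarantine directory layout and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumption: the marker is "tmp_" plus six or more lowercase
# letters on the line holding "<?php", modelled on the poster's tmp_lkojfghx.
MARKER='tmp_[a-z]{6,}'

# Read-only: list .php files under $1 whose "<?php" line carries a marker.
scan_injected() {
    find "$1" -type f -name '*.php' -exec grep -lE "<\?php.*$MARKER" {} + | sort
}

# Read-only: print each distinct marker name so it can be checked by hand.
list_markers() {
    find "$1" -type f -name '*.php' -exec grep -hE "<\?php.*$MARKER" {} + |
        grep -oE "$MARKER" | sort -u
}

# Copy each flagged file to quarantine dir $2 (outside the web root), then
# cut the line back to a bare "<?php", as the one-liner in the post does.
clean_injected() {
    mkdir -p "$2"
    scan_injected "$1" | while IFS= read -r f; do
        copy="$2/$(printf '%s' "$f" | tr '/' '_')"
        cp -p "$f" "$copy"
        sed -E "s/<\?php.*$MARKER.*\$/<?php/" "$copy" > "$f"
    done
}

# Constructed sample tree: two flagged files with different suffixes, one clean.
make_sample() {
    mkdir -p "$1/includes"
    printf '%s\n' '<?php $tmp_lkojfghx = "constructed-placeholder";' \
        'echo "index";' > "$1/index.php"
    printf '%s\n' '<?php $tmp_qwertzui = "constructed-placeholder";' \
        'echo "cfg";' > "$1/includes/configure.php"
    printf '%s\n' '<?php' '$tmp_dir = "/tmp";' > "$1/clean.php"
}

demo_root=$(mktemp -d)
make_sample "$demo_root/www"
scan_injected "$demo_root/www"
list_markers "$demo_root/www"
clean_injected "$demo_root/www" "$demo_root/quarantine"
scan_injected "$demo_root/www"    # prints nothing once the files are clean
rm -rf "$demo_root"
```

Run scan_injected and list_markers first and check the reported names by hand before calling clean_injected, since a legitimate variable on the <?php line would match the pattern too.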

Posted

Download and install site monitor from contributions and add the following to your site.

The following is taken from an anti cross site scripting contribution:

Improve security when storing variables into the database by not just
protecting them against SQL injection, but also making sure they don't
include HTML tags, which otherwise can be a Cross Site Scripting (XSS) vulnerability.
By www.tim-international.net

**********************************************************************

In /catalog/includes/functions/database.php on line ~131

*** Find ***

  function tep_db_input($string, $link = 'db_link') {
    global $$link;

    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }

    return addslashes($string);
  }

*** Replace with ***

  function tep_db_input($string, $link = 'db_link', $skip_stripping = false) {
    global $$link;

    // Strip HTML and PHP tags from string
    if (!$skip_stripping) $string = strip_tags($string);

    if (function_exists('mysql_real_escape_string')) {
      return mysql_real_escape_string($string, $$link);
    } elseif (function_exists('mysql_escape_string')) {
      return mysql_escape_string($string);
    }

    return addslashes($string);
  }

**********************************************************************

WHAT DO I NEED TO THINK OF?

If you for any reason want to store HTML in the database, make sure you
manipulate the tep_db_input() command with the third optional parameter
like the following.

This...

 $example_query = tep_db_query("update myTable set column='". tep_db_input($var) ."' where this='that' limit 1;");

Becomes...

 $example_query = tep_db_query("update myTable set column='". tep_db_input($var, 'db_link', true) ."' where this='that' limit 1;");

Archived

This topic is now archived and is closed to further replies.