VWAntigo Posted May 19, 2009

Hello!

My site has been attacked and infiltrated with malware. After many hours of search & destroy, I finally got rid of it.

I noticed a strange spider in my whoisonline for a few hours and the next day, my files were infiltrated with an iframe code. I guess this one is pretty new since I found almost nothing in Google about it.

All index files had an iframe code added, linking to a malware site called bigtopmanagement.cn

Keep an eye on all files called index.php or index.html (even in includes/languages/yourlanguage/index.html), in the admin folder, or even files that contain the word index, and look carefully if you have an iframe code in these files.

Change your FTP password immediately and repair these files manually.

Once Google notices the malware code in your site, it will push it to the dangerous-sites index and your customers will get a warning and may not even be able to access your site (Firefox). That's the least you may want.

Good luck

I found a tool (French) that helped me to find all infiltrated pages: copy and paste this code into the editor and save the file as, e.g., check.php. After that, place it in the root directory of your site and call it in the web browser.

Insert the number of days for which you want to find out which files have been changed (example: 3 for the past 3 days).

If changed files show up and you are sure you have not changed anything in this time, you have reason to be suspicious.

<?php
/*
 Lists the most recently created AND modified files.
 Very useful after a hack to find out which files were added and which were modified.
 Useful for understanding the behaviour of a script or a CMS and seeing which files were touched.

 Put this script on your hosting, open it in your web browser, enter the number of days
 for the period to check, then the name of the folder to analyse.
 This script only lists folders below the path /home/yourftplogin/www/ of your OVH shared hosting.

 Credits: 4/5 of the code is the work of Linda MacPhee-Cobb (http://timestocome.com)
*/

$go_back = 0;       // length of the period to check, in seconds (0 = show no result)
$i = 0;             // loop counter
$dir_count = 0;     // index of the last directory queued for reading
$date = time();     // current date and time
$one_day = 86400;   // number of seconds in one day
// number of days to check (digits only; 0 until the form has been submitted)
$days = isset($_POST["jours"]) ? (int) preg_replace("/[^0-9]/", '', $_POST["jours"]) : 0;
// folder to check, relative to this script (sanitised against tampering)
$path = isset($_POST["chemin"]) ? preg_replace("/[^_A-Za-z0-9\-.%\/]/", '', $_POST["chemin"]) : '/';
$path = preg_replace("/\.\.\//", '', $path);   // the ../ sequence is not allowed

define('ABSPATH', realpath(dirname(__FILE__)));
// Resolve the requested folder and fall back to the script's own directory if it
// ends up outside it (removing "../" from the string does not guarantee that).
$resolved = realpath(ABSPATH . '/' . $path);
if ($resolved === false || strpos($resolved . '/', ABSPATH . '/') !== 0) {
    $resolved = ABSPATH;
}
$path = rtrim($resolved, '/') . '/';   // absolute path in your OVH account, such as /home/loginftp/www/ etc.
$directories_to_read[$dir_count] = $path;

// Form for going back in time
print "<html><body><h3>Contrôle des derniers fichiers modifiés <br />dans votre hébergement mutualisé chez OVH.</h3>";
print "<form method=\"post\"><table>";
print "<tr><td>Nombre de jours à vérifier 1-99: </td>";
print "<td> <input type=\"text\" name=\"jours\" maxlength=\"2\" size=\"2\"></td></tr>";
print "<tr><td>Nom du répertoire à contrôler: </td>";
print "<td>" . htmlspecialchars(ABSPATH) . " <input type=\"text\" name=\"chemin\" maxlength=\"80\" size=\"30\" value=\"/\" > (mettre un / à la fin)</td></tr>";
print "<tr><td> </td><td><input type=\"submit\" value=\" Vérifier Fichiers \"></td></tr>";
print "</table></form>";

// Display the result
$go_back = $one_day * $days;
print "<br /> Retour sur les <strong>" . ($go_back/$one_day) ."</strong> derniers jours. <br /><br />";

if ( $go_back > 0 ){
    print "<table><tr><th>Nom du Fichier</th><th>Date de modification</th></tr>";
    $diff = $date - $go_back;
    while ( $i <= $dir_count ){
        $current_directory = $directories_to_read[$i];
        // get file info
        $read_path = opendir( $current_directory );
        if ( $read_path === false ){ $i++; continue; }   // skip directories that cannot be read
        while ( ($file_name = readdir( $read_path )) !== false ){
            if (( $file_name != '.' )&&( $file_name != '..' )){
                $full_name = $current_directory . $file_name;
                if ( is_dir( $full_name ) && !is_link( $full_name ) ){
                    // queue the subdirectory so that all of its files are read as well
                    $dir_count++;
                    $directories_to_read[$dir_count] = $full_name . "/";
                }else{
                    // if modified more recently than x days ago, display it; otherwise skip it
                    $date_changed = filemtime( $full_name );
                    if ( $date_changed > $diff ){
                        $pretty_date = date("d/m/Y H:i:s", $date_changed);
                        print "<tr><td> " . htmlspecialchars($full_name) . " </td>";
                        print "<td> ::: $pretty_date</td></tr>";
                    }
                }
            }
        }
        closedir( $read_path );
        $i++;
    }
    print "</table>";
} // if go_back > 0
print "</body></html>";
?>

Credit goes to the original author of this code
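
An added example, not part of the thread or of the French tool: the listing above relies on modification times, which anyone with write access to the files can reset, so this script checks file contents instead and reports `<iframe>` tags whose `src` host is not one of the site's own, in files with "index" in their name. The function name, the hosts `shop.example` and `malware.example`, and the sample files are constructed for illustration.

```php
<?php
// Added example, not from the thread. Host names and sample files are constructed.

// Return every <iframe> in an index* file whose src host is not in $ownHosts.
function find_foreign_iframes(string $root, array $ownHosts): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        // The post reports the injection in files with "index" in their name.
        if (!$file->isFile() || stripos($file->getFilename(), 'index') === false) {
            continue;
        }
        $body = file_get_contents($file->getPathname());
        if ($body === false ||
            !preg_match_all('/<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)/i', $body, $m)) {
            continue;
        }
        foreach ($m[1] as $src) {
            $host = parse_url($src, PHP_URL_HOST);   // null for relative (on-site) URLs
            if (is_string($host) && !in_array(strtolower($host), $ownHosts, true)) {
                $hits[] = ['file'  => $file->getPathname(), 'src' => $src,
                           'mtime' => date('Y-m-d', $file->getMTime())];
            }
        }
    }
    return $hits;
}

// Constructed sample tree: one injected index.php with a back-dated mtime,
// one clean index.html with an on-site iframe, one file that is not scanned.
$root = sys_get_temp_dir() . '/iframe_scan_' . uniqid();
mkdir("$root/includes/languages/english", 0700, true);
file_put_contents("$root/index.php",
    '<?php echo "shop"; ?><iframe src="http://malware.example/in.php" width=1 height=1></iframe>');
file_put_contents("$root/includes/languages/english/index.html",
    '<html><body><iframe src="/banner.html"></iframe></body></html>');
file_put_contents("$root/product_info.php", '<?php echo "product"; ?>');
touch("$root/index.php", time() - 90 * 86400);   // a "last 3 days" listing would miss this

foreach (find_foreign_iframes($root, ['shop.example', 'www.shop.example']) as $hit) {
    printf("%s  iframe -> %s  (mtime %s)\n", $hit['file'], $hit['src'], $hit['mtime']);
}
```

The pattern only matches literal `<iframe>` tags; an injection written out by script at page load needs a separate check. Run it from the command line or against a downloaded copy of the site instead of leaving it reachable over the web.
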
Guest Posted May 19, 2009

You could also install the following 2 contributions for the future:

http://www.oscommerce.com/community/contributions,4441
http://www.oscommerce.com/community/contributions,5914

VWAntigo (Author) Posted May 19, 2009

> You could also install the following 2 contributions for the future:
> http://www.oscommerce.com/community/contributions,4441
> http://www.oscommerce.com/community/contributions,5914

Thanks for the hint. Will do that.