WebDev22 Posted October 22, 2009

We've heard that our link in Google sometimes takes the user to an info.com search results page. We tried it ourselves by doing this and were finally able to duplicate the result. Here's what we did:

1. In Google, we typed in "wolff tanning beds".
2. We clicked on our link (www.wolfftanning.com).
3. This took us to the following page: http://www.info.com/Wolff+Tanning+Bed?cmp=3770&cb=26&affiliate=dca98901f06fc1b00d0a12ca2190c242
4. When you click the back button, it takes you to this page: http://ferdax.com/search.php?links=wolff+tanning+beds

Can anyone explain what is happening? It seems our site has somehow been compromised.

BryceJr Posted October 22, 2009

If you don't have a relationship with Forex and you didn't do this, yeah you've been compromised. Looking at your index page (source):

/products_ship_estimator.php/?fchl=1">forex mechanical system trading
/products_ship_estimator.php/?fchl=2">forex mechanical trading system
/products_ship_estimator.php/?fchl=3">forex rate india

How to secure your site
Securing your ADMIN

WebDev22 (Author) Posted October 23, 2009

> If you don't have a relationship with Forex and you didn't do this, yeah you've been compromised. Looking at your index page (source):
>
> /products_ship_estimator.php/?fchl=1">forex mechanical system trading
> /products_ship_estimator.php/?fchl=2">forex mechanical trading system
> /products_ship_estimator.php/?fchl=3">forex rate india
>
> How to secure your site
> Securing your ADMIN

Thanks, Bryce.

WebDev22 (Author) Posted October 25, 2009

> If you don't have a relationship with Forex and you didn't do this, yeah you've been compromised. Looking at your index page (source):
>
> /products_ship_estimator.php/?fchl=1">forex mechanical system trading
> /products_ship_estimator.php/?fchl=2">forex mechanical trading system
> /products_ship_estimator.php/?fchl=3">forex rate india
>
> How to secure your site
> Securing your ADMIN

BryceJr - How were you able to find which files contact "forex" code? Should we first remove the code, then add those security fixes?

WebDev22 (Author) Posted October 26, 2009

I noticed a folder with a lot of .as files called kampanya and have no idea how it got there.

BryceJr Posted October 26, 2009

> BryceJr - How were you able to find which files contact "forex" code? Should we first remove the code, then add those security fixes?

They were in the index page of your site (view source). If you have a clean backup, restore your files from those. Once cleaned, apply the security tips from the links provided. Anything that does not belong to your site, get rid of it.

Some tips:
FOLDER permissions no higher than 755 and FILE permissions no higher than 644.
Remove file_manager.php and define_language.php from admin.
...more

Again, go through the links provided above.

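An added example, not part of the original posts: a read-only audit of a site's document root against the tips above (folder and file permission limits, the two admin files to remove), plus a search for the eval/base64_decode pattern named in the topic linked at the end of the thread. The function name, the `admin_dir` parameter, the regex, and reading "no higher than" as "no permission bits outside 755/644" are assumptions of this sketch.

```python
import os, re, stat, sys

# Limits and file names come from the tips in the thread; the regex is an
# assumed signature for the eval/base64_decode injection named in the linked topic.
MAX_DIR, MAX_FILE = 0o755, 0o644
ADMIN_REMOVE = {"file_manager.php", "define_language.php"}
INJECTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def audit_webroot(root, admin_dir="admin"):
    """Return sorted (finding, relative_path) tuples for a site document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                if mode & ~MAX_DIR:  # any bit set outside rwxr-xr-x
                    findings.append((f"dir mode {mode:o} exceeds 755", rel))
                continue
            if mode & ~MAX_FILE:  # any bit set outside rw-r--r--
                findings.append((f"file mode {mode:o} exceeds 644", rel))
            if os.path.basename(dirpath) == admin_dir and name in ADMIN_REMOVE:
                findings.append(("admin tool that should be removed", rel))
            if name.lower().endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        if INJECTED.search(fh.read()):
                            findings.append(("eval(base64_decode( found", rel))
                except OSError:
                    findings.append(("could not read file", rel))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit.py /path/to/docroot
    for finding, rel in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}: {rel}")
```

A clean result covers only these checks; it does not show that no backdoor remains, so comparing against a known-clean backup is still needed.
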
WebDev22 (Author) Posted October 26, 2009

We just added custom code to the site and would love not to have to restore from backup. Is there another way to get rid of that code?

knifeman Posted October 26, 2009

> We just added custom code to the site and would love not to have to restore from backup. Is there another way to get rid of that code?

You can just delete the hacker's code and new files, but how do you know if you got everything? If the hacker has a backdoor into your site, they will just come in again.

Tim

WebDev22 (Author) Posted October 26, 2009

After learning more about this hack, I found this thread, which describes our issue, and will resume the conversation there: http://www.oscommerce.com/forums/topic/344272-did-someone-hack-my-site-eval-base64-decode/.

Archived
This topic is now archived and is closed to further replies.