milauskas Posted August 18, 2010

Hi All, I just learned a site I built with osC was hacked. I think I've gotten rid of all the malware, suspicious files, etc., but we're having many problems now.

1) I can access the catalog index page (leepharmaceuticals.com/catalog) but that's as far as I can get. If I click on a product it goes to a blank page.

2) There's a zero at the top of every page. I don't know where it came from, what it means or how to get rid of it.

3) When trying to access the admin section (leepharmaceuticals.com/catalog/admin) I get the error: "Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory."

This all happened recently. When it first happened I uploaded all the site files from my clean local backup but it hasn't solved the problem. Can anyone help? That zero at the top of each page is really making me angry!
Jan Zonjee Posted August 18, 2010

> 2) There's a zero at the top of every page. I don't know where it came from, what it means or how to get rid of it.

Me neither, but the interesting part is that in my browser I only see the zero, no page source, but when I visit the same page using curl I can "see" the whole page. The cookie part is really suspicious though: /shar/ on an IP address from which the site is not served? The IP address 216.25.34.149 is apparently some dedicated hosting (Peer1 from the UK?)

curl -v http:// www . lee pharmaceuticals . com/catalog/index.php?cPath=33 // obfuscated by me
* About to connect() to www . lee pharmaceuticals . com port 80 (#0)
* Trying 209.237.162.65... connected
* Connected to www . lee pharmaceuticals . com (209.237.162.65) port 80 (#0)
> GET /catalog/index.php?cPath=33 HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> Host: www . lee pharmaceuticals . com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 18 Aug 2010 21:14:36 GMT
< Server: Apache/2.2.3 (Red Hat)
< X-Powered-By: PHP/4.4.9
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: osCsid=ddc7b1cb3d673cde03fb6a8d740bf9cf; path=/shar; domain=216.25.34.149
< Transfer-Encoding: chunked
< Content-Type: text/html
<
0<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="en">
etcetera, etcetera
milauskas Posted August 18, 2010 Author

> Me neither but the interesting part is that in my browser I only see the zero, no page source but when I visit the same page using curl I can "see" the whole page but the cookie part is really suspicious: /shar/ on an IP-address from which the site is not served? The IP-address 216.25.34.149 is apparently some dedicated hosting (Peer1 from the UK?)
>
> curl -v http:// www . lee pharmaceuticals . com/catalog/index.php?cPath=33 // obfuscated by me
> * About to connect() to www . lee pharmaceuticals . com port 80 (#0)
> * Trying 209.237.162.65... connected
> * Connected to www . lee pharmaceuticals . com (209.237.162.65) port 80 (#0)
> > GET /catalog/index.php?cPath=33 HTTP/1.1
> > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
> > Host: www . lee pharmaceuticals . com
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Wed, 18 Aug 2010 21:14:36 GMT
> < Server: Apache/2.2.3 (Red Hat)
> < X-Powered-By: PHP/4.4.9
> < Expires: Thu, 19 Nov 1981 08:52:00 GMT
> < Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> < Pragma: no-cache
> < Set-Cookie: osCsid=ddc7b1cb3d673cde03fb6a8d740bf9cf; path=/shar; domain=216.25.34.149
> < Transfer-Encoding: chunked
> < Content-Type: text/html
> <
> 0<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html dir="LTR" lang="en">
> etcetera, etcetera

Hi Jan, At least I'm looking in the right direction. I've never used curl but I'll look it up. Where might I look for this cookie? There shouldn't be anything from the UK since it's hosted by an American company. Is there any way to remove this? I'm just wondering where to look (application_top.php or somewhere else?) I guess I could download the files to my local machine (keeping them separate from my clean files) and do a search in Dreamweaver for the offending code. I also see that zero near the end of your code/quote near the DOCTYPE. Thanks!

If you have any ideas on what I might do next, I'm grateful to hear them.
milauskas Posted August 18, 2010 Author

I did some looking in my records and that IP address is associated with the site so that part isn't suspicious. Can anyone tell me, if I've reuploaded all the site files (which I know are clean), wouldn't that get rid of any offending code? I did that and it's still not working. I'm at a loss.
mdtaylorlrim Posted August 19, 2010

The thing that stands out the most to me is your URL to your admin section. You are still using the directory name 'admin', a clear indication that you did not implement all the security patches recommended for a new osC install. Your best bet is to wipe the site and start over, hoping your database is intact. (It probably is.)

Community Bootstrap Edition, Edge
Avoid the most asked question. See How to Secure My Site and How do I...?
Jan Zonjee Posted August 19, 2010

> At least I'm looking in the right direction. I've never used curl but I'll look it up. Where might I look for this cookie? There shouldn't be anything from the UK since it's hosted by an American company. Is there any way to remove this? I'm just wondering where to look (application_top.php or somewhere else?)

The path for the cookie is set in catalogus/includes/configure.php. If your shop were in the directory catalog, the path /catalog would show in the cookie, together with the site itself (not an IP address unless you are on localhost and use 127.0.0.1). So where are /shar and the IP address coming from? The IP address for the cookie and the IP address where the site is served from don't match (209.237.162.65 versus 216.25.34.149).
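The manual curl check from the earlier reply and the explanation of where osCommerce sets the cookie path can be turned into a repeatable check. The Python below is an added example, not code from the thread or from osCommerce: it parses a constructed HTTP response modelled on the quoted curl output (the hostname www.example.com and the cookie value are placeholders), compares each Set-Cookie domain with the host the page was fetched from and its path with the shop's expected path (osCommerce takes both from HTTP_COOKIE_DOMAIN and HTTP_COOKIE_PATH in includes/configure.php), and flags any output emitted before the doctype, such as the stray zero.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the curl -v output quoted in the thread;
# the cookie value and hostname are placeholders, not captured data.
SUSPICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/4.4.9\r\n"
    "Set-Cookie: osCsid=0123456789abcdef0123456789abcdef; path=/shar; domain=216.25.34.149\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '0<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">\n'
    '<html dir="LTR" lang="en">'
)
# The same response as a clean shop installed under /catalog would send it.
CLEAN_RESPONSE = SUSPICIOUS_RESPONSE.replace(
    "path=/shar; domain=216.25.34.149", "path=/catalog; domain=www.example.com"
).replace("\r\n\r\n0<!doctype", "\r\n\r\n<!doctype")


def parse_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_response(url, raw, expected_path):
    """Return a list of findings for one raw HTTP response fetched from url."""
    host = urlsplit(url).hostname
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_cookie(value)
        # configure.php should make these the shop's own host and directory
        domain = attrs.get("domain", "").lstrip(".")
        if domain and domain != host and not host.endswith("." + domain):
            findings.append(f"cookie {name}: domain={domain} is not the host {host}")
        if attrs.get("path", "/") != expected_path:
            findings.append(f"cookie {name}: path={attrs.get('path')} instead of {expected_path}")
    # Anything before the doctype came from PHP that ran before the template.
    m = re.match(r"(.*?)<!doctype", body, re.IGNORECASE | re.DOTALL)
    if m and m.group(1).strip():
        findings.append(f"output before doctype: {m.group(1).strip()!r}")
    return findings
```

Run it against the raw response saved from curl (for example `curl -si URL > response.txt`) and an empty findings list means the cookie and page head look as configure.php defines them.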
milauskas Posted August 19, 2010 Author

> The thing that stands out the most to me is your URL to your admin section. You are still using the directory name 'admin', a clear indication that you did not implement all the security patches recommended for a new osC install. Your best bet is to wipe the site and start over, hoping your database is intact. (It probably is.)

Thanks. Yes, you're right. And I did rename the admin directory. The database is intact if I do need to do that, but I want to try everything else first.
milauskas Posted August 19, 2010 Author

> The path for the cookie is set in catalogus/includes/configure.php. If your shop would be in the directory catalog the path /catalog would show in the cookie together with the site itself (not an ip-address unless you are on localhost and use 127.0.0.1). So where /shar and the IP-address is coming from? The IP-address for the cookie and the IP-address where the site is served from don't match (209.237.162.65 versus 216.25.34.149).

Thanks again, Jan. I don't know where that /shar & IP come from. One odd thing, I am trying to upload a new version of configure.php and I'm prevented from doing so. I've checked permissions on the catalog and includes folders and they're both 755. I can upload all other files contained in includes. Any idea why I can't upload configure.php? Maybe I do need to start from scratch.
Jan Zonjee Posted August 19, 2010

> One odd thing, I am trying to upload a new version of configure.php and I'm prevented from doing so. I've checked permissions on the catalog and includes folders and they're both 755. I can upload all other files contained in includes. Any idea why I can't upload configure.php.

No, not a clue. But perhaps you can rename the file to configure.txt and delete that one. Upload it under another name and then rename to configure.php? Perhaps the hackers did something to prevent you changing it? Did you check the .htaccess in that directory for nefarious code?