Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Has anyone else seen this hack?


mattjt83

Recommended Posts

Hi fellow forum readers. I thought that I would post this and hopefully help some people out and save them some time. I received an email from a "client" who had setup an account on our site. They asked if I accept paypal payments. We currently do not and it is not listed anywhere on our site. I am pretty suspicious and so I wrote them a nice email back explaining what options are available. In the morning I received an email back from them with a file attached that was supposedly their order. It was a .htm file. Immediately I was very suspicious of this and so instead of opening in my browser I opened it with my html editor and here is what they had changed on my checkout page:

 

<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" class="cufon-active cufon-ready"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><script src="./Delivery Information sweetness and light_files/menu73.js"></script><link rel="stylesheet" type="text/css" href="./Delivery Information sweetness and light_files/widget57.css" media="all">

 

<title>Delivery Information</title>

<meta name="description" content="Delivery Information : Sweetness and Light">

<meta name="keywords" content="Delivery Information">

<!--<base href="https://www.sweetnessandlight.com/">--><base href=".">

<link rel="stylesheet" type="text/css" href="./Delivery Information sweetness and light_files/jquery-ui-1.8.11.custom.css">

<script type="text/javascript" src="./Delivery Information sweetness and light_files/jquery-1.4.2.min.js"></script>

<script type="text/javascript" src="./Delivery Information sweetness and light_files/jquery.tools.min.js"></script>

<script type="text/javascript" src="./Delivery Information sweetness and light_files/jquery-ui-1.8.6.min.js"></script>

<script type="text/javascript" src="./Delivery Information sweetness and light_files/lightbox.js"></script>

 

then they added this:

 

<link rel="stylesheet" type="text/css" href="./Delivery Information sweetness and light_files/stylesheet.css">

<link rel="stylesheet" type="text/css" href="./Delivery Information sweetness and light_files/checkout.css">

<link rel="stylesheet" type="text/css" href="./Delivery Information sweetness and light_files/960_24_col.css">

<script src="./Delivery Information sweetness and light_files/cufon-yui.js" type="text/javascript"></script><style type="text/css">cufon{text-indent:0!important;}@media screen,projection{cufon{display:inline!important;display:inline-block!important;position:relative!important;vertical-align:middle!important;font-size:1px!important;line-height:1px!important;}cufon cufontext{display:-moz-inline-box!important;display:inline-block!important;width:0!important;height:0!important;overflow:hidden!important;text-indent:-10000in!important;}cufon canvas{position:relative!important;}}@media print{cufon{padding:0!important;}cufon canvas{display:none!important;}}</style>

<script src="./Delivery Information sweetness and light_files/Century_Gothic_400.font.js" type="text/javascript"></script>

 

and finally under the body tag:

 

<div style="visibility: hidden; height: 1px; width: 1px; position: absolute; z-index: 100000; " id="_atssh"><iframe id="_atssh889" title="AddThis utility frame" style="height: 1px; width: 1px; position: absolute; z-index: 100000; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; left: 0px; top: 0px; " src="./Delivery Information sweetness and light_files/sh39.htm"></iframe></div><iframe id="checkout-gateway" name="checkout-gateway" src="./Delivery Information sweetness and light_files/checkout.htm" frameborder="0"></iframe>

 

I am not a programmer by any means but this seems highly suspicious. They changed the base href to "." and then the src of everything to ./Delivery Information sweetness and light_files/. I would love it if someone that knows what they are doing could explain what this person was up to. Anyway, everyone should be weary of these types of things. Most of the time I just get the stupid admin/preview/blahblahblah type of attempts on the site but this seemed more elaborate. Hope this helps someone and I would love to hear back from people about this! Thanks.

Matt

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...