osCommerce

Infection, or Not.


Krammit


Posted

I have recently been working with a client, and had to remove a pesky injection script attack that was on-going with their service. After it was cleared, the recommended security settings added, the site was good, no issues.

About a month later I get a message from the owners saying the site is infected again (RCa2.2) and it came up as a similar injection script, but not as overwhelming as the last. I took the necessary precautions, and did a clean of the site, yet AVG is still saying it's infected. The thing that gets me is, all other software, including Norton, claims the website is 100% clean.

Is there a way I can absolutely find out whether or not oscommerce is infection free? A specific program, routine, etc.

Any information is appreciated.

Posted

Kenny,

You have to check EVERY file for malicious code and the entire server for anomalous files.

Chris

Posted

After cleaning it last time, you did save a backup copy of all the files that should be there on a PC, so you have something to compare against? No? Sigh. Start with looking at the dates and times of all files -- is there anything changed since you last worked on it? Those are the files to investigate thoroughly, after getting rid of any files that magically appeared since your last work on it (excepting product photos).

When you say that AVG and Norton disagree on whether the site is clean, are you talking about browser AV/ASW utilities looking at what the site sends to the browser, or are they running on the site and looking at the PHP code, or are you downloading everything and siccing the PC AV/ASW utilities on the files? I can't think of anything in .php files that would trigger them, but binary files (images) could very well give a false positive.

Posted

MyPhil, you shouldn't be so hasty to judge. I do in fact keep working backups of different points in time, to use in case of emergency such as infections. I have also been using the timestamp method of noting file changes since beginning work with this client early this year. To note: no files are mysteriously being modified; all files on the server have the last modified date of when I replaced them with clean setups.

I have been using the online versions of virus scanners that promote scanning the webpage every few days. In this result, AVG will constantly state there are 2 compromised pages and 1 infection type. Norton and all other setups state there are no infections or compromised pages at all.

Posted

As a note, AVG is a TERRIBLE scanner especially for online sites.

Chris

Posted

Also, I've been monitoring the server for a few days now; there are no malicious or suspicious files on the server, and no files are being modified except the .htaccess files.

It seems the .htaccess files are being modified, and thumbs.db keeps getting placed on the server at the same time the .htaccess files are getting modified. Is there somewhere specific I should be looking for something that would be directly attacking and modifying .htaccess files?
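An added example for this thread (not code from the forum posts, from osCommerce or from osC_Sec): a small Python script that does what the earlier post recommends, comparing a known-clean backup of the site tree against the live copy, and that would surface exactly the symptoms described in this post (an .htaccess whose content changed, a thumbs.db that appeared). It compares file content hashes rather than trusting modification times, because whoever can write a file on the server can also reset its timestamp, so unchanged mtimes prove nothing. The two directory trees are constructed in a temporary directory so the script runs offline; the file contents are placeholders, not real osCommerce files.

```python
"""Compare a known-clean backup of a site tree against the live copy by content hash.

Added illustration for this thread, not osCommerce or osC_Sec code. The sample
trees below are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Content hashes are used instead of modification times: an intruder who can
    write a file can also reset its mtime, so timestamps alone can look untouched.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():  # skip sockets, broken symlinks, etc.
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(baseline, live):
    """Classify each path as added, removed or modified relative to the baseline."""
    base_paths, live_paths = set(baseline), set(live)
    return {
        "added": sorted(live_paths - base_paths),
        "removed": sorted(base_paths - live_paths),
        "modified": sorted(p for p in base_paths & live_paths if baseline[p] != live[p]),
    }


def integrity_report(clean_root, live_root):
    """Hash both trees and return the added/removed/modified report."""
    return compare_trees(hash_tree(clean_root), hash_tree(live_root))


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_trees():
    """Constructed sample: a clean backup and a live copy showing the thread's symptoms.

    Returns (clean_root, live_root). Every file is a placeholder, not real site content.
    """
    tmp = Path(tempfile.mkdtemp(prefix="osc_integrity_"))
    clean, live = tmp / "clean", tmp / "live"
    files = {
        ".htaccess": b"Options -Indexes\n",
        "cookie_usage.php": b"<?php\n// placeholder standing in for the stock page\n",
        "images/product.jpg": b"\xff\xd8\xff\xe0 placeholder jpeg bytes",
    }
    for rel, data in files.items():
        _write(clean, rel, data)
        _write(live, rel, data)
    # Live-only differences: an extra line in .htaccess and a new thumbs.db under images/.
    _write(live, ".htaccess", files[".htaccess"] + b"# constructed: line not in the backup\n")
    _write(live, "images/thumbs.db", b"constructed: file that was not in the backup")
    # Reset product.jpg's mtime without touching its content: a hash compare ignores this,
    # which is the point of not relying on timestamps.
    os.utime(live / "images" / "product.jpg", (0, 0))
    return clean, live


if __name__ == "__main__":
    clean_root, live_root = build_sample_trees()
    for kind, paths in integrity_report(clean_root, live_root).items():
        print(f"{kind}: {paths}")
```

On a real site you would point `hash_tree` at the backup directory and at a fresh download of the live document root; anything listed under "added" or "modified" outside directories that legitimately churn (uploaded product images, caches) is what to open and read, and a file that reappears after removal points at whatever process is writing it rather than at the file itself.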

Posted

Kenny,

You have a backdoor on your server that is allowing the hacker to run a script that is changing the .htaccess and thumbs.db. Did you check the thumbs.db file for encrypted code?

Chris

Posted

Yes, there was nothing suspicious within the thumbs.db files. (The thumbs.db files were removed anyway)

However, I also downloaded all the 'modified' .htaccess files, and they don't show any modification; they are all still their original setup. I would like to imagine that if the files were being modified, I would be able to see the modification within my editing software.

Posted

Once you get the site cleaned up I would suggest you give the latest version of the osC_Sec addon a go and that will prevent any future infections.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Posted

Taipo, thank you. I spent a long while working, and added osC_Sec, and for the past few days, everything appears clean.

There are a number of scanners being used currently, including Sucuri and Website Defender.

Now, Website Defender keeps notifying me of cookies_usage.php, calling it malware due to 'suspicious php code'. Now I replaced cookies_usage.php with the stock file that comes with osCommerce, and this still comes up. The code inside the file is 100% normal, but this program is saying it may be an issue. Is there any particular reason as to why?

Posted

Have you also checked the cookie_usage.php files within includes/languages/yourlanguagefile/cookie_usage.php?

If the includes languages file still contains virus code then it could be used to reinfect your main cookie_usage.php file as well.

However, if both of those are still clean then you might have to talk to the Website Defender people to ask them why their system is reporting a possible false positive.
