This topic is now archived and is closed to further replies.

Kelleren

Hacked every day for more than a week

Okay..

 

I'm just about to sit down and cry.

 

Every day for more than a week now I've been hacked.

 

I'm writing here to share and hopefully get some input and help.

 

I am more than willing to pay for help - this website is my sole source of income and has grown to be a medium sized company with a real life store connected to it and more.

 

...It all started with my site posting a security warning regarding some forwarding to a malware site.

 

I cleaned up all index.php files on the server which had an iframe code in them.

 

I changed all passwords etc.

 

A few days passed and every morning the site was down with the same error - the header_tags.php file was missing (deleted) in my includes/functions folder and some days there was a new file called _html_output.php (with a _ in front).

 

Some days I can fix it by just copying over a backup of the header_tags.php - one day though there were more errors and I had to copy the entire backup.

 

After the first attempt I started increasing security - I renamed my admin, added .htaccess files to the admin as well as images folder and includes - I checked permissions.

 

Hack happened again next day - same thing - header_tags.php removed from functions.

 

Every day since the hack I've run sites that test if the site is clean - they all flag me as green.

 

Next day I moved every single installation away from the server except for the oscommerce folder to exclude the option of people getting in elsewhere. I also again changed all passwords.

 

I was hacked again, this was yesterday.

 

I then got a hold of a programmer from this forum, during the evening he's been helping me install the 5 security addons from the thread on these forums - the only one missing which will be up today is sitemonitor.

 

We installed all those and he did a quick manual sweep and was unable to find anything.

 

The security was on during the night (except for sitemonitor) and yet again this morning - same thing - header_tags.php deleted and the site was down.

 

I contacted my host for the 10th time - he checked the ftp logs and informed me that no one had gained entry through the ftp (at least from what he could see) apart from me and the programmer.

 

I haven't been able to sleep much - I wake up several times during the night and check the website to see if it's up - and that has helped me narrow down the time of the attack.

 

Today the attack happened between 08.48 and 09.30 GMT+1 - yesterday I checked at around 09.00 no problems and then the site was down at 09.59.

 

So it seems the attack happens at pretty much the same time - always deleting the same file.

 

This is quite far beyond my understanding of programming - hopefully sitemonitor will be up today to give me an understanding of what is going on.

 

If anyone at all has any questions, advice or the skills to help I will gladly pay hourly fees - this is the worst thing that has happened in many years.

 

I should add that my version of OSC is osCommerce 2.2-MS2 - upgrading all is a problem as I have many installed addons - however if I can upgrade some single files and close the hole that would be a start.

 

 

I would also like to get some help finding a program that can search through my files on the site - I haven't been able to search for a string except by manually going through all files and I don't really know what to look for.

 

Frustrated and broken..


I know this is not what you want to hear....But my suggestion is to make a brand new site from scratch using osCommerce 2.31 and then import in products, orders and customers from the old site.


I am seriously considering that.

 

Problem is that I'm in the middle of December, most important month of the year - and I have so many custom modules installed it will take a lot of time and cost me quite a lot to get them all moved and installed on the new site.

For now I hope I can find some help here.

Michael


Well the most common hack problems seem to be due to one of these:

 

1. File/Folder permissions

 

2. Hacker uses one of these admin files to add in code: file_manager.php or define_languages.php

 

Fixes:

 

1. Make sure the permissions are set correctly, find a hosting which allows securer file/folder settings and in "extreme" hacker prone cases you can make all un-writable and then just make the needed ones "writable" just when you need them. For instance, the images folder, which only needs to be writable when you add a new product.

 

2. Rename the admin folder, add-in a .htaccess password in addition to the ordinary admin login and delete these 2 admin files: file_manager.php and define_languages.php.


"he did a quick manual sweep"

 

Not good enough. EVERY file needs to be looked at LINE by LINE.



"he did a quick manual sweep"

 

Not good enough. EVERY file needs to be looked at LINE by LINE.

 

I agree - I will find someone to do so once all the 5 security modules have been installed.

I have already fixed permissions & deleted those files - did that day 1!

 

Thanks for the help so far.

 

Michael


It happened again today - even after we took even more steps to secure - I think the site is about as safe now as it gets.

 

I was watching the time as it has been happening in the same time frame.

 

At 09.27am the file header_tags.php was removed from the folder - and the error message

 

Warning: require_once(includes/functions/header_tags.php): failed to open stream: No such file or directory in /path_to/includes/header_tags.php on line 14
Fatal error: require_once(): Failed opening required 'includes/functions/header_tags.php' (include_path='.:/path_to/php/') in /path_to/includes/header_tags.php on line 14

 

was shown.

 

I quickly reuploaded the file and as the logs show the site was back up 30 seconds later.

 

4 minutes later, at 09.32 a new file was created in the functions folder named "gw_replace_file.php" - it had exactly the same size and apparently the same contents as the backed-up header_tags.php that I just copied to the site.

Again I spoke with the host and they told me no one had accessed the ftp but me and my programmers during that timeslot.

I'm absolutely mind-boggled with this - we keep securing and this keeps happening - at apparently the exact same time every day.

This new gw_replace_file.php has not been there before and nothing shows up when I search google for the filename.

As before I am more than willing to pay for any help from people knowledgeable about a situation like this.

 

Michael


It happened again today - even after we took even more steps to secure - I think the site is about as safe now as it gets.

 

 

 

 

Errr.... Might be safe from the outside but it's definitely not from the inside - the horse is gone you're left with the Trojans...

 

 

You need to get rid of every single file that you have on your website in one go - if you have a clean back up then close your store for 2 or 3 hours and back up - don't take short cuts - delete everything and reinstall your clean back up then change your user-name and password on your database.

 

If that doesn't work then you need to install the latest version - even without all the add-ons it has to be better than what you have at the moment.

 

I understand you need the Christmas business but weigh up how much business you'll lose in your quiet 4 hours against how much business you'll lose if you get a "Warning, reported attack site" show up on your url...



In principle I agree completely.

 

If I had a feeling that I would be risking the customers data I would close and reinstall.

 

However it all strikes me as odd - no sites report me malicious, and all that happens is at the clock every day this file is deleted (well and today that new identical file was created).

 

This is the header_tags.php file that keeps getting deleted - if anyone can see a reason why please let me know - it's located in includes/functions

 

<?php
/*
 $Id: header_tags.php,v 1.6 2007/01/10 by Jack_mcs - http://www.oscommerce-solution.com

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce
 Portions Copyright 2009 oscommerce-solution.com

 Released under the GNU General Public License
*/ 

////
//used to add new pages without adding a lot of code
function tep_header_tag_page($file) {
 global $tmpTags, $languages_id;

 $header_tags_array = array();
 $sortOrder = array();

 $pageTags_query = tep_db_query("select * from " . TABLE_HEADERTAGS . " where page_name like '" . $file . "' and language_id = '" . (int)$languages_id . "'");
 $pageTags = tep_db_fetch_array($pageTags_query);

 if ($pageTags['append_root'])
 {
   $sortOrder['title'][$pageTags['sortorder_root']] = $pageTags['page_title']; 
   $sortOrder['description'][$pageTags['sortorder_root']] = $pageTags['page_description']; 
   $sortOrder['keywords'][$pageTags['sortorder_root']] = $pageTags['page_keywords']; 
   $sortOrder['logo'][$pageTags['sortorder_root']] = $pageTags['page_logo'];
   $sortOrder['logo_1'][$pageTags['sortorder_root_1']] = $pageTags['page_logo_1'];
   $sortOrder['logo_2'][$pageTags['sortorder_root_2']] = $pageTags['page_logo_2'];
   $sortOrder['logo_3'][$pageTags['sortorder_root_3']] = $pageTags['page_logo_3'];
   $sortOrder['logo_4'][$pageTags['sortorder_root_4']] = $pageTags['page_logo_4'];
 }

 if ($pageTags['append_default_title'] && tep_not_null($tmpTags['def_title'])) $sortOrder['title'][$pageTags['sortorder_title']] = $tmpTags['def_title'];
 if ($pageTags['append_default_description'] && tep_not_null($tmpTags['def_desc'])) $sortOrder['description'][$pageTags['sortorder_description']] = $tmpTags['def_desc'];
 if ($pageTags['append_default_keywords'] && tep_not_null($tmpTags['def_keywords'])) $sortOrder['keywords'][$pageTags['sortorder_keywords']] = $tmpTags['def_keywords'];
 if ($pageTags['append_default_logo'] && tep_not_null($tmpTags['def_logo_text']))  $sortOrder['logo'][$pageTags['sortorder_logo']] = $tmpTags['def_logo_text'];

 FillHeaderTagsArray($header_tags_array, $sortOrder);

 //if nothing else is set, force the page name and default settings, if present   
 $path_parts = pathinfo($_SERVER['PHP_SELF']);
 $pageName = substr($path_parts['basename'], 0,strpos($path_parts['basename'],'.')) . ' ';
 $pageName = ucwords(preg_replace("/[^A-Za-z0-9]/", " ", $pageName));

 if (! tep_not_null($header_tags_array['title'])) $header_tags_array['title'] = $pageName . (tep_not_null($tmpTags['def_title']) ? HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $tmpTags['def_title'] : '');
 if (! tep_not_null($header_tags_array['description'])) $header_tags_array['description'] = $pageName . (tep_not_null($tmpTags['def_desc']) ? HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $tmpTags['def_desc'] : '');
 if (! tep_not_null($header_tags_array['keywords'])) $header_tags_array['keywords'] = $pageName . (tep_not_null($tmpTags['def_keywords']) ? HEADER_TAGS_SEPARATOR_KEYWORD . ' ' . $tmpTags['def_keywords'] : '');
 if (! tep_not_null($header_tags_array['logo']))  $header_tags_array['logo'] = $pageName . (tep_not_null($tmpTags['def_logo_text']) ? HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $tmpTags['def_logo_text'] : '');

 return $header_tags_array;
}

function FillHeaderTagsArray(&$header_tags_array, $sortOrder)
{
 if (count($sortOrder) == 0)
   return;

 $sortOrder = MultiKeySort($sortOrder);

 if (isset($sortOrder['title']))       $header_tags_array['title'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['title'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['description'])) $header_tags_array['desc'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['description'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['keywords']))    $header_tags_array['keywords'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_KEYWORD . ' ', $sortOrder['keywords'])), ' ' . HEADER_TAGS_SEPARATOR_KEYWORD);
 if (isset($sortOrder['logo']))        $header_tags_array['logo_text'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['logo'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['logo_1']))      $header_tags_array['logo_text_1'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['logo_1'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['logo_2']))      $header_tags_array['logo_text_2'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['logo_2'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['logo_3']))      $header_tags_array['logo_text_3'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['logo_3'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
 if (isset($sortOrder['logo_4']))      $header_tags_array['logo_text_4'] = ltrim(tep_db_prepare_input(implode(' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ', $sortOrder['logo_4'])), ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION);
}

function GetCategoryAndManufacturer($sortOrder, $pageTags, $defaultTags, $catStr, $manStr, $product = false)
{
 global $category_depth, $current_category_id, $languages_id;

 $type = 'top'; //not used
 if ($category_depth == 'nested' || $category_depth == 'products') 
   $type = 'cat';
 else if (isset($_GET['manufacturers_id'])) 
   $type = 'man';  

 if (($type == 'cat' || $type == 'top') && ($pageTags['append_category'] || $defaultTags['default_logo_append_group'] || $defaultTags['default_logo_append_category']))
 {
   if ($category_depth == 'nested' || $category_depth == 'products' || $product)
   {
     $the_category_query = tep_db_query($catStr);
     $parentStr = '';

     if (HEADER_TAGS_ADD_CATEGORY_PARENTS == 'Duplicate Categories' && $product && tep_db_num_rows($the_category_query) > 1) //selected product is in multiple categories
     {
       $ctr = 0;
       $lastCatPos = (tep_db_num_rows($the_category_query) - 1);

       while ($the_category = tep_db_fetch_array($the_category_query))
       {
         $parentStr .= $the_category['htc_title_tag'] . '  ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ';
         if ($ctr++ == $lastCatPos - 1) //don't add the last one since it will be done below
           break;
       }

       tep_db_data_seek($the_category_query, $lastCatPos);
       $the_category = tep_db_fetch_array($the_category_query);
       $header_tags_array['category'] = $the_category['htc_title_tag'];  //save for use on the logo
     }
     else 
     {
       $the_category = tep_db_fetch_array($the_category_query);
       $header_tags_array['category'] = $the_category['htc_title_tag'];  //save for use on the logo

       if (HEADER_TAGS_ADD_CATEGORY_PARENTS == 'Full Category Path') 
         $parentStr = GetCategoryParentString($current_category_id, $languages_id);
     }  

     if (tep_not_null($the_category['htc_title_tag']))
     {
       $catTitle = tep_not_null($parentStr) ? ($parentStr . $the_category['htc_title_tag']) : $the_category['htc_title_tag'];  
       $sortOrder['title'][$pageTags['sortorder_category']] = tep_not_null($sortOrder['title'][$pageTags['sortorder_category']]) ? $sortOrder['title'][$pageTags['sortorder_category']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $catTitle : $catTitle;
       $sortOrder['logo'][$pageTags['sortorder_category']] = tep_not_null($sortOrder['logo'][$pageTags['sortorder_category']]) ? $sortOrder['logo'][$pageTags['sortorder_category']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $catTitle : $catTitle;
     }
     if (tep_not_null($the_category['htc_desc_tag']))
     {
       $catDesc = tep_not_null($parentStr) ? ($parentStr . $the_category['htc_desc_tag']) : $the_category['htc_desc_tag'];  
       $sortOrder['description'][$pageTags['sortorder_category']] = tep_not_null($sortOrder['description'][$pageTags['sortorder_category']]) ? $sortOrder['description'][$pageTags['sortorder_category']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $catDesc : $catDesc;
     }
     if (tep_not_null($the_category['htc_keywords_tag']))
     {
       $catKeywords = tep_not_null($parentStr) ? (str_replace(HEADER_TAGS_SEPARATOR_DESCRIPTION, HEADER_TAGS_SEPARATOR_KEYWORD, $parentStr) . $the_category['htc_keywords_tag']) : $the_category['htc_keywords_tag'];  
       $sortOrder['keywords'][$pageTags['sortorder_category']] = tep_not_null($sortOrder['keywords'][$pageTags['sortorder_category']]) ? $sortOrder['keywords'][$pageTags['sortorder_category']] . ' ' . HEADER_TAGS_SEPARATOR_KEYWORD . ' ' . $catKeywords : $catKeywords;
     }
   }
 }

 if ($type == 'man' && ($pageTags['append_manufacturer'] || $defaultTags['default_logo_append_group'] || $defaultTags['default_logo_append_manufacturer']))
 {
   $the_manufacturer_query= tep_db_query($manStr);
   $the_manufacturer = tep_db_fetch_array($the_manufacturer_query);
   $header_tags_array['manufacturer'] = $the_manufacturer['htc_title_tag'];  //save for use on the logo

   $sortOrder['title'][$pageTags['sortorder_manufacturer']] = '';
   $sortOrder['logo'][$pageTags['sortorder_manufacturer']] = '';
   $sortOrder['description'][$pageTags['sortorder_manufacturer']] = '';
   $sortOrder['keywords'][$pageTags['sortorder_manufacturer']] = '';

   if (tep_not_null($the_manufacturer['htc_title_tag']))
   {
     $sortOrder['title'][$pageTags['sortorder_manufacturer']] = tep_not_null($sortOrder['title'][$pageTags['sortorder_manufacturer']]) ? $sortOrder['title'][$pageTags['sortorder_manufacturer']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $the_manufacturer['htc_title_tag'] : $the_manufacturer['htc_title_tag'];
     $sortOrder['logo'][$pageTags['sortorder_manufacturer']] = tep_not_null($sortOrder['logo'][$pageTags['sortorder_manufacturer']]) ? $sortOrder['title'][$pageTags['sortorder_manufacturer']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $the_manufacturer['htc_title_tag'] : $the_manufacturer['htc_title_tag'];
   }
   if (tep_not_null($the_manufacturer['htc_desc_tag']))
   {
     $sortOrder['description'][$pageTags['sortorder_manufacturer']] = tep_not_null($sortOrder['description'][$pageTags['sortorder_manufacturer']]) ? $sortOrder['title'][$pageTags['sortorder_manufacturer']] . ' ' . HEADER_TAGS_SEPARATOR_DESCRIPTION . ' ' . $the_manufacturer['htc_desc_tag'] : $the_manufacturer['htc_desc_tag'];
     $sortOrder['description'][$pageTags['sortorder_manufacturer']] = $the_manufacturer['htc_desc_tag'];
   }
   if (tep_not_null($the_manufacturer['htc_keywords_tag']))
   {
     $sortOrder['keywords'][$pageTags['sortorder_manufacturer']] = tep_not_null($sortOrder['keywords'][$pageTags['sortorder_manufacturer']]) ? $sortOrder['title'][$pageTags['sortorder_manufacturer']] . ' ' . HEADER_TAGS_SEPARATOR_KEYWORD . ' ' . $the_manufacturer['htc_keywords_tag'] : $the_manufacturer['htc_keywords_tag'];
   }
 }
 return $sortOrder;
}

function GetCanonicalURL()
{
 $parts = explode("&", $_SERVER['QUERY_STRING']);
 $cnt = count($parts);

 if ($cnt == 1 && basename($_SERVER['PHP_SELF']) === FILENAME_DEFAULT) //home page
    return StripSID(tep_href_link('/', '', 'NONSSL', false) ); //$args is not set yet at this point, so pass no parameters

 $args = tep_get_all_get_params(array('action','currency', tep_session_name(),'sort','page'));
 return StripSID(tep_href_link(basename($_SERVER['PHP_SELF']), $args, 'NONSSL', false) );
}

function GetCategoryName($category_id, $language_id) {
 $category_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . (int)$category_id . "' and language_id = '" . (int)$language_id . "'");
 $category = tep_db_fetch_array($category_query);

 return $category['categories_name'];
}

function add_separators(&$item) 
{ 
 $item = $item . '  '. HEADER_TAGS_SEPARATOR_DESCRIPTION . '  '; 
} 

// Build a string of the parent categories properly separated
function GetCategoryParentString($current_category_id, $languages_id)
{
 $parentCats = array();
 $parentCatsNames = array();
 tep_get_parent_categories($parentCats, $current_category_id);
 $parentCats = array_reverse($parentCats);

 foreach ($parentCats as $pc)
   $parentCatsNames[] = GetCategoryName($pc, $languages_id);

 array_walk($parentCatsNames, 'add_separators'); 
 $csv = implode(" ", $parentCatsNames);
 return $csv;
}

function MultiKeySort($k)
{
 if (! is_array($k))
  $k = array();

 foreach ($k as $key => $val)  
 {  
   ksort($val);  
   $k[$key] = $val; 
 } 
 return $k;
}

//Remove the session ID for canonical tags
function StripSID($url)
{
 $sidName = tep_session_name();
 if (isset($_GET[ $sidName ]))
 {
   if (($sid = strpos($url, $_GET[ $sidName ])) !== FALSE)
   {
      $SidLength = strlen($_GET[ $sidName ]) + strlen( $sidName ) + 2; // to account for the "?" and "="     
      return substr($url , 0, - $SidLength );
   }
 }
 return $url;
}

function ReadCacheHeaderTags(&$header_tags_array, $filename, $languages, $id)
{
  global $language;
  return ( (HEADER_TAGS_ENABLE_CACHE == 'None') ? false :  ReadCacheFromDB($header_tags_array, 'header_tags_' . $filename . '_' . $language . '_cache_id_' . $id) ); 
//   return ( (HEADER_TAGS_ENABLE_CACHE == 'false') ? false :  read_cache($header_tags_array, 'header_tags_' . $filename . '_' . $language . '_cache_id_' . $id) ); 
}

function ReadCacheFromDB(&$data, $name, $gzip = 0)
{
  $gzip = ( HEADER_TAGS_ENABLE_CACHE == 'GZip' ? true : false );
  $name = serialize($name);
  $name = ( $gzip == 1 ? base64_encode(gzdeflate($name, 1)) : $name );

  $cache_query = tep_db_query("select * from " . TABLE_HEADERTAGS_CACHE . " where title = '" . $name . "' limit 1");

  if (tep_db_num_rows($cache_query) > 0)
  {
     $cache = tep_db_fetch_array($cache_query);
     $cache = ( $gzip == 1 ? @gzinflate(base64_decode($cache['data'])) : stripslashes($cache['data']) );
     $data = unserialize($cache);
     return $data;
  }
}

function WriteCacheHeaderTags($header_tags_array, $filename, $languages, $id)
{
  global $language;

  if (HEADER_TAGS_ENABLE_CACHE != 'None')
  {   
     ob_start();  
     $cache_output = $header_tags_array; //ob_get_contents();
     ob_end_clean();

     if (tep_not_null($cache_output))
         WriteCacheToDB($cache_output, 'header_tags_' . $filename . '_' . $language . '_cache_id_' . $id);
//      write_cache($cache_output, 'header_tags_' . $filename . '_' . $language . '_cache_id_' . $id);
  }
}

function WriteCacheToDB($data, $name)
{
  $gzip = ( HEADER_TAGS_ENABLE_CACHE == 'GZip' ? true : false );
  $name = serialize($name);
  $name = ( $gzip == 1 ? base64_encode(gzdeflate($name, 1)) : $name );

  $data = serialize($data);
  $data = ( $gzip == 1 ? base64_encode(gzdeflate($data, 1)) : addslashes($data) );

  $cache_query = tep_db_query("select 1 from " . TABLE_HEADERTAGS_CACHE . " where title = '" . $name . "' limit 1");

  if (tep_db_num_rows($cache_query) == 0)
      tep_db_query("insert into " . TABLE_HEADERTAGS_CACHE . " ( title, data ) values ('" . $name . "', '" . $data . "')");
  else
      tep_db_query("update " . TABLE_HEADERTAGS_CACHE . " set data = '" . $data . "' where title = '" . $name . "'"); //only update the matching cache entry
}
?>


I would delete everything and start from scratch. The customers database can be backed up by going to phpMyAdmin and backing up that table; that's the route I would go.

 

I also for one would block port 21 and go with SFTP which is part of SSH, more secure.

 

You have to make it so that it's harder to hack your site.

 

Another thing you can do is completely lock the admin folder until needed.

 

Did you check access log on server?


Everyone here is talking about "files" where the problem could easily be the server .. is it a shared server?

 

Why haven't the server techies checked the logs to find out how the bad code is being introduced?

 

Does the server have mod_security?

 

Does it have a firewall?

 

Does it have all the other fundamental security settings?

 

Basically if the hacker has got into the server changing files etc. won't make a jot of difference.


Eventually this turned out to be that the hosting company had installed a security system that deleted files it assessed as being "suspicious".

 

The first level support had not been told about this so were unable to help.

 

Nothing appeared in the access logs and naturally enough there were no suspicious files anywhere on the server.

 

I am now in possession of a neat little ftp script that can be run on a local PC that checks if selected files exist on a web site and copies any missing ones. This is only necessary if the hosting package does not have cron included. Also, the PC must not go into hibernation; otherwise, as you would expect, scheduled jobs will not run.

 

Don't you just love hosting companies.

 

HTH someone

 

G


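An added example, not part of the original posts and not the FTP script mentioned above: a local check that compares a live copy of the store against a known-good backup by SHA-256 and reports deleted, changed and new files, which also answers the earlier question of what to look for without knowing a search string. It separately lists new files that are byte-for-byte copies of a backed-up file (as gw_replace_file.php was of header_tags.php) and can restore missing files from the backup. The function names, directory layout and file contents are assumptions constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_trees(backup_root, live_root):
    """Diff the live tree against a known-good backup.

    missing  : in the backup, gone from the live tree
    modified : in both, contents differ
    added    : only live, contents match nothing in the backup
    copies   : only live, byte-identical to a backup file (new path -> originals)
    """
    good, live = build_manifest(backup_root), build_manifest(live_root)
    originals = {}
    for rel, digest in good.items():
        originals.setdefault(digest, []).append(rel)

    report = {"missing": [], "modified": [], "added": [], "copies": {}}
    for rel, digest in good.items():
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    for rel, digest in live.items():
        if rel in good:
            continue
        if digest in originals:
            report["copies"][rel] = originals[digest]
        else:
            report["added"].append(rel)
    return report


def restore_missing(backup_root, live_root, report):
    """Copy each missing file back from the backup; return the restored paths."""
    restored = []
    for rel in report["missing"]:
        dst = Path(live_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(backup_root) / rel, dst)
        restored.append(rel)
    return restored


def make_sample_trees(workdir):
    """Constructed sample data reproducing the symptoms described in the thread."""
    backup, live = Path(workdir) / "backup", Path(workdir) / "live"
    functions = backup / "includes" / "functions"
    functions.mkdir(parents=True)
    (functions / "header_tags.php").write_bytes(b"<?php /* header tags */ ?>\n")
    (functions / "general.php").write_bytes(b"<?php /* general */ ?>\n")
    (backup / "index.php").write_bytes(b"<?php /* index */ ?>\n")
    shutil.copytree(backup, live)

    live_functions = live / "includes" / "functions"
    # The vanished file and its identical twin, modelled here as a rename.
    (live_functions / "header_tags.php").rename(live_functions / "gw_replace_file.php")
    # A file with contents the backup has never seen.
    (live_functions / "_html_output.php").write_bytes(b"<?php /* unknown */ ?>\n")
    # An edited page, standing in for the altered index.php files.
    (live / "index.php").write_bytes(b"<?php /* index, edited */ ?>\n")
    return backup, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = make_sample_trees(tmp)
        report = compare_trees(backup, live)
        for kind, items in report.items():
            print(f"{kind}: {items}")
        print("restored:", restore_missing(backup, live, report))
```

Run it against a fresh download of the site and a backup that predates the first incident; a file that shows up under `copies` was moved or duplicated rather than newly written.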

Please delete this thread - as things turned out we were never hacked - cause was an error from my host.

 

Site is secure now as ever.

 

Michael Keller


Please delete this thread - as things turned out we were never hacked - cause was an error from my host.

 

Site is secure now as ever.

 

Michael Keller

 

 

Michael,

 

I'm curious as to who your host is. I had similar issues in Nov and Dec and I'm still working on reestablishing the site.

 

Kim


>please delete this thread - it is hurting my ranking on google and since I was never hacked that hardly seems fair!<


Michael,

 

 

Threads are never deleted. However, if posts on this thread stop, it will eventually be buried in the archives.

 

 

 

 

Chris

