shopping cart home page screwed up

[esm]

Guys,

 

Can someone check this cart: http://www.gbfenterprisesllc.com/index.php and tell me what's going on here?

Thanks,

Ed

[Guest]

Ed,

 

I believe the 'Reported Attack Page' warning tells you exactly what is wrong.

 

Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hackers code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads. Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) Seek out experienced help if you feel you can not perform any of the above steps. If you miss any of these steps your site may remain accessible to the hacker.

 

 

 

Chris

[Procommerce]

Your site was not upto date, and was hacked.

 

Besides what was proposed by chris, you might also want to check your access-log.txt to find out where did the attack came from...

[esm]

How do you know that my site was not up-to-date?

 

Where do I find this access-log.txt file?

 

I tried a grep search but I have no idea what kind of string to enter into the search. How am I supposed to know what to search for?

[Guest]

Ed,

 

The most common encryption code used by hackers is eval base64, try using that in the search, it is a good place to start.

 

 

 

Chris

[Procommerce]

The log file is usually stored above your public access folder, together with the error log. Try with forcing to view hidden files in your ftp program.

[esm]

Above the public access folder is one folder called "logs" but it's empty.

[Procommerce]

Sometimes, ftp programs like filezilla might have issues displaying hidden files.

 

Can you try ftp with TotalComander?

[esm]

I found the access log file and there's nothing in that shows any unknown intruder.

 

Just access from the legit website www.bgfenterprisesllc.com

[Procommerce]

Usually you can find some strange "POST" or "sh" lines in the access log... Will have to asume that the hacker obtained root access like you, and worried to edit the logs... Anyhow, did you find the infected code in your files? Did you follow the routine proposed before? Tell us what is your status.

[Guest]

Ed,

 

Your site has already been reported as an attack site, you should follow the instructions above as the site is attacking potential customers when they type in your URL. This is ALWAYS bad for present and future business.

 

 

 

Chris

[esm]

I did go through the instructions and at present the site seems to work fine.

 

My problem now is that I cannot create an admin login. See this post: http://www.oscommerce.com/forums/topic/369441-lost-admin-access-info/

 

Thanks for the help.

 

Ed