Aman111 Posted July 31, 2012

My website hxxp://www.discountbuzzer.com (made in php) is attacked by a hacker. He is daily injecting one to two new viruses.

Current list of virus found by Avast Antivirus are: trojan horse malware malicious url iframe-inf js:redirector-yg[trj] js:decode-ac[trj]

I am very much confused what to do, some expert please help. (I am a non programmer). (I am new here, if I am wrong somewhere, please excuse).

Guest Posted July 31, 2012

@Aman111

Follow these steps to clean and secure your website:

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hacker's code.
2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64','eval','decode'.
3) Delete the files on your hosting account before uploading the clean files.
4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads: Admin Security and Website Security.
5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE
6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444
7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'
8) Remove the .htaccess password protection so your customers can resume making purchases from your website.
9) Monitor your website using the newly installed contributions to prevent future hacker attacks.
10) If you feel you can not perform any of the above steps, you should seek professional help to ensure all malware is removed.

Chris

Aman111 Posted July 31, 2012

Ok, Thanks Chris. I will try to follow these steps. I will ask for further help if needed please.

shamanix Posted July 31, 2012

As Chris said above, but remember ALL files in point 2 would also include a complete database dump and you would want to extend your grep command to include 'iframe' and 'script'. (particularly in the 'store name' in the configuration table)

Jandy

SoulDerNeueWeg Posted July 31, 2012

Greetings!

I also got problems with a trojan called Trojan-downloader.js.iframe.czk on my website: http://www.derneueweg-label.com/catalog/

It should have infected my login.php as you can see here: http://img5.fotos-hochladen.net/uploads/sitewebtrojan3qbt40rgup.jpg

But I couldn't find the badcode into the php data.

english login.php

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

define('NAVBAR_TITLE', 'Login');
define('HEADING_TITLE', 'Welcome, Please Sign In');

define('HEADING_NEW_CUSTOMER', 'New Customer');
define('TEXT_NEW_CUSTOMER', 'I am a new customer.');
define('TEXT_NEW_CUSTOMER_INTRODUCTION', 'By creating an account at ' . STORE_NAME . ' you will be able to shop faster, be up to date on an orders status, and keep track of the orders you have previously made.');

define('HEADING_RETURNING_CUSTOMER', 'Returning Customer');
define('TEXT_RETURNING_CUSTOMER', 'I am a returning customer.');

define('TEXT_PASSWORD_FORGOTTEN', 'Password forgotten? Click here.');

define('TEXT_LOGIN_ERROR', 'Error: No match for E-Mail Address and/or Password.');
define('TEXT_VISITORS_CART', '<font color="#ff0000"><strong>Note:</strong></font> Your "Visitors Cart" contents will be merged with your "Members Cart" contents once you have logged on. <a href="javascript:session_win();">[More Info]</a>');
?>

german login.php

<?php
/*
  $Id: login.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

define('NAVBAR_TITLE', 'Anmelden');
define('HEADING_TITLE', 'Melden Sie sich an');

define('HEADING_NEW_CUSTOMER', 'Neuer Kunde');
define('TEXT_NEW_CUSTOMER', 'Ich bin ein neuer Kunde.');
define('TEXT_NEW_CUSTOMER_INTRODUCTION', 'Durch Ihre Anmeldung bei ' . STORE_NAME . ' sind Sie in der Lage schneller zu bestellen, kennen jederzeit den Status Ihrer Bestellungen und haben immer eine aktuelle Übersicht über Ihre bisherigen Bestellungen.');

define('HEADING_RETURNING_CUSTOMER', 'Bereits Kunde');
define('TEXT_RETURNING_CUSTOMER', 'Ich bin bereits Kunde.');

define('TEXT_PASSWORD_FORGOTTEN', 'Sie haben Ihr Passwort vergessen? Dann klicken Sie <u>hier</u>');

define('TEXT_LOGIN_ERROR', 'Fehler: Keine Übereinstimmung der eingebenen eMail-Adresse und/oder dem Passwort.');
define('TEXT_VISITORS_CART', '<font color="#ff0000"><b>Achtung:</b></font> Ihre Besuchereingaben werden automatisch mit Ihrem Kundenkonto verbunden. <a href="javascript:session_win();">[Mehr Information]</a>');
?>

Did I not see the badcode or could it be in another data? Or are there other ways to handle this problem?

All the best
Soul/Der neue Weg

♥geoffreywalton Posted July 31, 2012

There is also a login.php in the root of your shop; it may be in there.

I am currently disinfecting a site where the injected code is in over 400 files.

I hate these hackers.

Cheers

G

Guest Posted July 31, 2012

@SoulDerNeueWeg

EVERY file on your server will need to be checked for malicious code. Not just the obvious ones.

Chris

AdOptimize Posted August 1, 2012

bad thing!

first I would go and hunt/search for base64_decode

grep -ril 'base64_decode' .

In most cases you get quite a lot of code.

2. go and search for "eval"

Now I'm pretty sure you got it. if not.. congrats, the intruder is in the DB. in most cases in products_description. I would say appended at the end, but how about looking at the source code of the infected page..

next step: go to google, search for "xtc hack" under my domain and with this keyword you'll find some information in german which helps to secure the baby

hope this helps.. and.. it's about an 8h job to clean the whole thing .. don't think this is easy!

.. and if you don't secure the shop the guys will be there in minutes. right after you closed your ftp-client

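
Added example, not written by any participant in this thread: the keyword search from step 2 of the checklist (extended with 'iframe' and 'script' as suggested above) and the permission limits from step 6, run against a downloaded local copy of the site. It assumes GNU grep and GNU find; the function names and the constructed sample tree are illustrative only.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run against a LOCAL copy of the site.
# Assumes GNU grep and GNU find.

# Keywords named in the posts: base64, eval, decode, iframe, script.
KEYWORDS='base64|eval|decode|iframe|script'

# Print "count<TAB>path" for each text file under $1 that has matching lines,
# busiest first. Hits are leads for manual review, not proof of infection:
# clean shop code also contains "script". Point it at the SQL dump as well.
scan_keywords() {
    grep -rIicE "$KEYWORDS" "$1" |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# Print entries whose mode has bits beyond the limits in step 6 of the
# checklist: directories 755, files 644, configure.php 444.
audit_perms() {
    find "$1" -type d -perm /022 -printf 'DIR\t%p\n'
    find "$1" -type f ! -name configure.php -perm /133 -printf 'FILE\t%p\n'
    find "$1" -type f -name configure.php -perm /333 -printf 'CONFIG\t%p\n'
}

# Build a small constructed tree to try the functions on (sample data only).
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/images"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    # Constructed stand-in for an injected line; it decodes to "constructed".
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n' > "$d/images/x.php"
    printf '<?php define("DB_SERVER", "localhost"); ?>\n' > "$d/includes/configure.php"
    chmod 755 "$d" "$d/includes"; chmod 777 "$d/images"
    chmod 644 "$d/index.php" "$d/images/x.php" "$d/includes/configure.php"
    printf '%s\n' "$d"
}

# Usage: bash triage.sh /path/to/local-copy
if [ "$#" -gt 0 ]; then
    scan_keywords "$1"
    audit_perms "$1"
fi
```

On the constructed tree, the scan reports only images/x.php, and the audit reports the world-writable images directory and the writable configure.php.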
SoulDerNeueWeg Posted August 4, 2012

Greetings!

Thanks to all your answers. I think we found the problem. Now it looks like everything is working on right.

Aman111 Posted November 17, 2012

Hello friends, my site was totally scanned and cleaned by some experts. They gave me 5 day guarantee. But sadly, after a week they started coming again, this time heavy rush! Now the scene is that the site sometimes does not open. Please help, isn't there any permanent solution? discount buzzer dot com.

♥14steve14 Posted November 17, 2012

Read the second post in this thread. It tells you what needs to be done to secure your site.

REMEMBER BACKUP, BACKUP AND BACKUP

Guest Posted November 17, 2012

@Aman111

Yes, your site is infected but it doesn't look like it is an osCommerce site. Hire a professional to clean it anyway and ensure you change all passwords once that is done.

Chris

This topic is now archived and is closed to further replies.