My website is attacked by a hacker, please help.

[Aman111]

My website hxxp://www.discountbuzzer.com (made in php) is attacked by a hacker.

He is daily injecting one to two new viruses. Current list of virus found by Avast Antivirus are:

 

trojan horse

malware

malicious url

iframe-inf

js:redirector-yg[trj]

js:decode-ac[trj]

 

I am very much confused what to do, some expert please help. (I am a non programmer).

(I am new here, if I am wrong somewhere, please excuse).

 

 

​

[Guest]

@@Aman111

 

Follow these steps to clean and secure your website:

 

1) Lock down your site by using an .htaccess password so your customers are not attacked by the hackers code.

 

2) FTP all of the files to your local machine and use a program like WinGrep to identify and remove all malicious and anomalous files containing hacker code. Look for keywords such as 'base64','eval','decode'.

 

3) Delete the files on your hosting account before uploading the clean files.

 

4) FTP the clean files back to your hosting account and read and implement the security patches and contributions found in these two threads. Admin Security and Website Security.

 

5) Change all of your passwords: FTP, CPANEL, STORE ADMIN and DATABASE

 

6) Make sure File and Directory Permissions are set correctly. Directories no higher than 755, Files no higher than 644 and the TWO configure.php files no higher than 444

 

7) If your site has been 'black listed' as an attack site by Google, then log into Google Webmaster Tools and submit the site to be re-indexed and verified to be removed from the 'black list'

 

8) Remove the .htaccess password protection so your customers can resume making purchases from your website.

 

9) Monitor your website using the newly installed contributions to prevent future hacker attacks.

 

10) If you feel you can not perform any of the above steps, you should seek professional help to ensure all malware is removed.

 

 

Chris

[Aman111]

Ok, Thanx Chris. I will try to follow these steps. I will ask for further help if needed please.

[shamanix]

As Chris said above, but remember ALL files in point 2 would also include a complete database dump and you would want to extend your grep command to include 'iframe' and 'script'. (particularly in the 'store name' in the configuration table)

 

Jandy

[SoulDerNeueWeg]

Greetings!

I also got problems a trojan called Trojan-downloader.js.iframe.czk on my website: http://www.derneueweg-label.com/catalog/

It should have infected my login.php as you can see her:

http://img5.fotos-hochladen.net/uploads/sitewebtrojan3qbt40rgup.jpg

But I couldn´t find the badcode into the php data.

 

english login.php

 

<?php

/*

$Id$

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

define('NAVBAR_TITLE', 'Login');

define('HEADING_TITLE', 'Welcome, Please Sign In');

 

define('HEADING_NEW_CUSTOMER', 'New Customer');

define('TEXT_NEW_CUSTOMER', 'I am a new customer.');

define('TEXT_NEW_CUSTOMER_INTRODUCTION', 'By creating an account at ' . STORE_NAME . ' you will be able to shop faster, be up to date on an orders status, and keep track of the orders you have previously made.');

 

define('HEADING_RETURNING_CUSTOMER', 'Returning Customer');

define('TEXT_RETURNING_CUSTOMER', 'I am a returning customer.');

 

define('TEXT_PASSWORD_FORGOTTEN', 'Password forgotten? Click here.');

 

define('TEXT_LOGIN_ERROR', 'Error: No match for E-Mail Address and/or Password.');

define('TEXT_VISITORS_CART', '<font color="#ff0000"><strong>Note:</strong></font> Your "Visitors Cart" contents will be merged with your "Members Cart" contents once you have logged on. <a href="javascript:session_win();">[More Info]</a>');

?>

 

 

german login.php

 

<?php

/*

$Id: login.php 1739 2007-12-20 00:52:16Z hpdl $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

*/

 

define('NAVBAR_TITLE', 'Anmelden');

define('HEADING_TITLE', 'Melden Sie sich an');

 

define('HEADING_NEW_CUSTOMER', 'Neuer Kunde');

define('TEXT_NEW_CUSTOMER', 'Ich bin ein neuer Kunde.');

define('TEXT_NEW_CUSTOMER_INTRODUCTION', 'Durch Ihre Anmeldung bei ' . STORE_NAME . ' sind Sie in der Lage schneller zu bestellen, kennen jederzeit den Status Ihrer Bestellungen und haben immer eine aktuelle Übersicht über Ihre bisherigen Bestellungen.');

 

define('HEADING_RETURNING_CUSTOMER', 'Bereits Kunde');

define('TEXT_RETURNING_CUSTOMER', 'Ich bin bereits Kunde.');

 

define('TEXT_PASSWORD_FORGOTTEN', 'Sie haben Ihr Passwort vergessen? Dann klicken Sie <u>hier</u>');

 

define('TEXT_LOGIN_ERROR', 'Fehler: Keine Übereinstimmung der eingebenen eMail-Adresse und/oder dem Passwort.');

define('TEXT_VISITORS_CART', '<font color="#ff0000"><b>Achtung:</b></font> Ihre Besuchereingaben werden automatisch mit Ihrem Kundenkonto verbunden. <a href="javascript:session_win();">[Mehr Information]</a>');

?>

 

 

 

Did I not see the badcode or could it be in another data? Or are there other ways to handle this problem?

 

All the best

Soul/Der neue Weg

[♥geoffreywalton]

There is also a login.php in the root of your shop it may be in there.

 

I am currently disinfecting a site where the injected code is in over 400 files.

 

I hate these hackers.

 

Cheers

 

G

[Guest]

@@SoulDerNeueWeg

 

EVERY file on your server will need to be checked for malicious code. Not just the obvious ones.

 

 

 

Chris

[AdOptimize]

bad thing!

 

first I would go an hunt/search for base64_decode

grep -ril 'base64_decode' .

 

In most cases you get quite a lot of code.

2. go and search for "eval"

 

Now I'm pretty shure you got it.

if not..

congrats, the intruder is in the DB . in most cases in products_description.

I would say appended at the end

 

but how about loooking at the source code of the infected page..

 

next step:

go to google search for "xtc hack" under my domain and with this keyword you'll find some information in german which helps to secure the baby

 

hope this helps..

and.. it's about an 8h job to clean the whole thing .. don't think this is easy! .. and if you don't secure the shop the guys will be there in minutes. right after you closed your ftp-client

[SoulDerNeueWeg]

Greetings!

Thanks to all your answers. I think we found the problem. Now it looks like everything is working on right.

[Aman111]

Hello friends, my site was totally scanned and cleaned by some experts. They gave me 5 day guarantee.

 

But sadly, after a weak they started coming again, this time heavy rush! Now the scene is that the site sometimes do not open.

 

Please help, isn't there any permanent solution?

discount buzzer dot com.

[♥14steve14]

Hello friends, my site was totally scanned and cleaned by some experts. They gave me 5 day guarantee.

 

But sadly, after a weak they started coming again, this time heavy rush! Now the scene is that the site sometimes do not open.

 

Please help, isn't there any permanent solution?

discount buzzer dot com.

 

Read the second post in this thread. It tells you what needs to be done to secure your site.

[Guest]

@@Aman111

 

 

Yes, your site is infected but it doesn't look like it is an osCommerce site. Hire a professional to clean it anyway and ensure you change all passwords once that is done.

 

 

 

Chris