GwilliamP Posted January 8, 2013

I have 2 domains running osC RC2A (I know - insecure, update) that are HEAVILY modded. I am waiting/hoping/praying for V3 before updating.

Emails go out through a shared server. I started to get 'sending limit exceeded' errors. It looks as if I was being used as a SPAM relay!

After a LOT of digging I found that just about every .html file had the following appended after the </html> tag. Here are images of the code. I am not loading the code direct as it looks dangerous. HEX code.

I have just completed the clean-up and am waiting to see if that stops the problem. Can anyone tell me what the code is doing?

Cheers, Paul.

P.S. ALL passwords (hosting CP, FTP, SSH, osC admin, osC admin dir password protection, every email account) changed to strong 12 random character. File permissions set to 644.

♥geoffreywalton Posted January 8, 2013

Paul

If you find out the date time of the changes you can look in your access logs and probably work out who it was and possibly backtrack and find out how.

Did you secure your login as per the rc2a secure thread?

If you have just cleansed it and not found and blocked the way they came in last time, they will be back.

HTH

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile Virus Threat Scanner My Contributions Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads. If this post was useful, click the Like This button over there ======>>>>>.
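
Added example, not part of any post in this thread: a Python check for the symptom described in the first post (content appended after the closing </html> tag) that also reports each affected file's modification time, which is the timestamp the reply above suggests matching against the access logs. The function names and the two-file sample tree are constructed for illustration, and the appended block is a harmless placeholder.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Closing </html> tag, case-insensitive, tolerant of whitespace before '>'.
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)

def trailing_after_html(data: bytes) -> bytes:
    """Return the non-whitespace bytes that follow the last </html> tag."""
    matches = list(CLOSE_HTML.finditer(data))
    if not matches:
        return b""  # no closing tag (fragment or include): nothing to compare
    return data[matches[-1].end():].strip()

def scan_tree(root: str, exts=(".html", ".htm")):
    """Return (path, mtime_utc, trailing_byte_count) per tampered file, oldest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                tail = trailing_after_html(fh.read())
            if tail:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                findings.append((path, mtime, len(tail)))
    return sorted(findings, key=lambda f: f[1])

def demo():
    """Build a constructed two-file tree and scan it."""
    root = tempfile.mkdtemp()
    clean = b"<html><body>ok</body></html>\n"
    # Constructed stand-in for the appended block; the real payload is not reproduced.
    tampered = clean + b"<!-- PLACEHOLDER appended content -->\n"
    for name, body in (("index.html", clean), ("about.html", tampered)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return [(os.path.basename(p), n) for p, _m, n in scan_tree(root)]

if __name__ == "__main__":
    for name, size in demo():
        print(f"{name}: {size} bytes after </html>")
```

Modification times can be reset by whoever changed the files, so treat the reported timestamp as a starting point for the log search rather than proof of when the change happened.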

Guest Posted January 8, 2013

@@GwilliamP

> I am waiting/hoping/praying for V3 before updating.

Can you really afford another two years (guesstimate) of running an insecure site??

Also, you do realize there won't be an upgrade path from Rc2a to v3 right? So it will be a NEW site, not an upgrade.

Chris

GwilliamP (Author) Posted January 8, 2013

@@geoffreywalton - It looks like the code has been there for some time. I store monthly backups and have found it over 12 months ago. I do not know how I missed finding it before. My hosted logs do not go that far back.

@@DunWeb - Bu**er! I had searched the forum but could not find any indication. I was just being optimistic. 2 years seems an awfully long time. Time to rethink. I don't want to upgrade as I never trust that route as the sites are so heavily modified.

I am still curious about the offending code.

♥geoffreywalton Posted January 8, 2013

Whatever you decide, check these steps have been done.

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

Then you can either

- Leave as is because it is secure.
- Follow the upgrade path as far as possible.
- Wait for V3 and transfer when it is available.

Cheers

G

germ Posted January 8, 2013

I don't want to pi$$ on your Post Toasties but you have set "Allow guest to tell a friend" to true in your admin.

That allows any wandering robot with SPAM on its mind to use your store as a SPAM engine.

If you want to allow guests that feature you should apply a captcha or some other anti-robot measure.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there >

germ Posted January 13, 2013

Well that's one way to stop the spam - fix it so no one can access the site.

I suppose you may suffer a slight decrease in sales though... :blush:

germ Posted January 15, 2013

Now that's more like it... :thumbsup:

Archived
This topic is now archived and is closed to further replies.