Spam Injection Problem




I noticed today below the bottom of my store pages (You need to scroll to see this problem)



Several pages of spam links to software for sale. The links are not always there.



I checked my two local computers: no viruses or other problems.



I checked my remote server and no problem with forced entry.



So I am thinking some sort of MySQL injection perhaps?



What steps should I take now? Note I do plan on upgrading to version 2.08 soon.

The plot thickens:



I clicked on one of the ads and now have the spammer's website, but it looks like a perfectly OK site that is being taken advantage of.



Is there any further action we can take by finding their webhost?

Now I have contacted the webhost in Sweden.



No response a couple of hours later - very frustrating; I am used to support within 5 minutes at the most.



I have also emailed CS-Cart to see if it is CS code that is perhaps part of the problem…

Here is the report back from the web host in Sweden.



No word from CS Cart yet.





--- Do not write below this line ---



Hi,



Thank you for the abuse report. Our customer has been hacked and those pages you see linked are to those hacked files (it’s a known bug in the WordPress software they have installed).



The inserted links on your site are probably due to some bug in your webshop software. You will need to fix this yourself, probably by upgrading to the latest version of the software or contacting the creators of the webshop.



You can review and change your ticket at:

http://ticket.levonline.com/view.php?e=david@samhober.com&t=325622



Kind regards

Emil Vikström, technical department





Levonline AB

Norra Stationsgatan 93 - 113 64 Stockholm - Sweden

http://www.levonline.com - support@levonline.com

Have you opened the bottom.tpl in your skin folder to see if you have something out of the ordinary there?

Sometimes, if you put a simple JavaScript code that calls another website (for example a statistics web, or a live chat) this code allows them to access this part of your shop.

[quote name=‘E.Qi.Librium’]Have you opened the bottom.tpl in your skin folder to see if you have something out of the ordinary there?

Sometimes, if you put a simple JavaScript code that calls another website (for example a statistics web, or a live chat) this code allows them to access this part of your shop.[/quote]



E.Qi.Librium,



Thank you for your suggestion.



I took a look and did not see anything too strange - see below code for the bottom of the file:



Any more suggestions?






{*** / Leonid ***}



{** /Bottom navigation **}

{** Copyright **}


{$lang.copyright} © {$settings.Company.company_start_year}-{$smarty.const.TIME|date_format:"%Y"} {$settings.Company.company_name}. {*{$lang.powered_by} {$lang.cscart_shopping_cart}
*}


{** /Copyright **}

Snorocket correctly diagnosed the problem for me as not being database driven.



He suggested looking at the major files very carefully with the big clue being which ones had been modified recently.



Sure enough index.php had been modified 2 days ago. I looked at the file and the spam code was there.



I then downloaded a clean file - uploaded and all is well.



Many thanks to my good friend Snorocket for his logical plan of attack.



E.Qi.Librium, you were also pointing me in the right direction - thank you.

Happy to know that you solved it :wink:
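
The check that resolved this thread (look at which store files changed recently, then compare them with a clean download), as an added example that is not from the thread or from CS-Cart. The function names, the `skins` directory, `cache.php` and all file contents are constructed for illustration; it assumes you have an unpacked clean copy of the same store version to compare against.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

WATCHED = {".php", ".tpl", ".js"}  # file types that end up in rendered pages

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(live_root, clean_root, days=7):
    """Return (status, relative_path, changed_recently) for files that differ from the clean copy."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    cutoff = time.time() - days * 86400
    findings = []
    for path in live_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WATCHED:
            continue
        rel = path.relative_to(live_root)
        ref = clean_root / rel
        if not ref.is_file():
            status = "UNKNOWN"    # not in the clean package: add-on or dropped file
        elif sha256(path) != sha256(ref):
            status = "MODIFIED"   # content differs from the packaged original
        else:
            continue
        # mtime is only a triage hint (it can be reset); the hash mismatch is the evidence
        findings.append((status, rel.as_posix(), path.stat().st_mtime >= cutoff))
    return sorted(findings, key=lambda f: (not f[2], f[1]))  # recent changes first

def demo():
    """Constructed sample: a clean tree and a live tree with an altered index.php."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "skins").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'init.php';\n")
            (root / "skins" / "bottom.tpl").write_text("{$lang.copyright}\n")
        (live / "index.php").write_text("<?php require 'init.php';\n/* appended block */\n")
        (live / "cache.php").write_text("<?php /* not in package */\n")
        old = time.time() - 30 * 86400
        os.utime(live / "cache.php", (old, old))  # backdated file is still reported
        return audit(live, clean)

if __name__ == "__main__":
    for status, rel, recent in demo():
        print(f"{status:8} {'recent' if recent else 'older':6} {rel}")
```

Customised skin templates will legitimately show as MODIFIED, so each hit needs a diff against the clean file before it is replaced.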