  1. #11
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Thank you DrByte & Vger.

    I've just despatched an urgent message to the folks at the server end with a link to this thread for further info. Hopefully they'll be able to trace the source, and if they can't they should be able to contain the problem. I'm waiting for their response - I'll keep you posted.

    G

  2. #12
    Join Date
    May 2005
    Location
    Cheshire, UK
    Posts
    542
    Plugin Contributions
    3

    Default Re: A VIRAL Problem!

    G

    Check your images folder. I had a similar problem and found a PHP file had been uploaded into the images folder and this was being called by a virus which in turn propagated itself into other computers. I suspect the initial virus arrives by email and when you connect by FTP it uploads itself to the active directory on the server. From there it infects any computer which loads the site into a browser.

    Have a look at the DO NOT IGNORE POST I made some weeks ago in the hacks forum warning people about this.

    Hope this helps

    JJ

  3. #13
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by JollyJim
    G

    Check your images folder. I had a similar problem and found a PHP file had been uploaded into the images folder and this was being called by a virus which in turn propagated itself into other computers. I suspect the initial virus arrives by email and when you connect by FTP it uploads itself to the active directory on the server. From there it infects any computer which loads the site into a browser.

    Have a look at the DO NOT IGNORE POST I made some weeks ago in the hacks forum warning people about this.

    Hope this helps

    JJ
    Thanks Jim,
    Just checked and there are no php files in the "images" folder on the server. I doubt if any e-mails would have slipped past my defences anyway. I've been doing a bit of research and the indicators are that there's a vulnerability on the server side. Probably a rogue script there that's inserting the wilful code into lines of coding in programmes located on the server. I only hope that it's only done it once in the one file otherwise I've got a mess on my hands. I'm waiting for the server staff to come back to me with some info.

    I could really do without this

    G

  4. #14
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: A VIRAL Problem!

    You won't want to hear this - but you need to shut your site down until it is resolved. If the trojan is on the server (which I think it is) then removing the code will do nothing - it will reinsert itself. Anyone coming to your site is at risk while this goes on.

    Vger

  5. #15
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by Vger
    You won't want to hear this - but you need to shut your site down until it is resolved. If the trojan is on the server (which I think it is) then removing the code will do nothing - it will reinsert itself. Anyone coming to your site is at risk while this goes on.

    Vger
    Yes I'd worked that out. Fortunately the site is still in the process of construction so although accessible it's not yet well advertised. The index file is actually a "site under construction" notice. The only people who can access the store are those who are aware of the "shop" directory. However I'll have to shut it down anyway, until the problem is resolved. I'm having trouble getting my hosts (Hostgator) to accept responsibility at present. Here's the latest bit of correspondence from them.
    The problem appears to be an exploit through a script running on your account allowing the attackers to modify the files. All files located in the /home/scc123/www/sccambria-online-linux-store/shop/includes/languages/english/html_includes directory are set to 777 which will allow the webserver to modify these files. I would recommend restoring the files and then making sure they are set to 644.
    I'll let you know what comes of it. If it is a script on the server that's calling up this virus then everyone with accounts is under threat.

    Regards,

    G

  6. #16
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: A VIRAL Problem!

    They're not exactly on the ball, are they? If you had set files with permissions of 777 on our servers you'd have taken your site down (it's not allowed, as it is a security risk), and all you'd have seen would have been a white screen with a "500 - Internal Server Error" notice. Even on folders the highest we allow is 755.

    They are correct about two things though:
    1. The need to cleanse all files
    2. The need to reset permissions on the files to no higher than 644

    Vger

  7. #17
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by Vger
    They're not exactly on the ball, are they? If you had set files with permissions of 777 on our servers you'd have taken your site down (it's not allowed, as it is a security risk), and all you'd have seen would have been a white screen with a "500 - Internal Server Error" notice. Even on folders the highest we allow is 755.

    They are correct about two things though:
    1. The need to cleanse all files
    2. The need to reset permissions on the files to no higher than 644

    Vger
    My sentiments exactly. Also the permissions (if possible) were not set to 777 by me, so one assumes that it's tied up with the functions of the malicious script that placed the iFrame string at the foot of my define_main_page.php file.

    Here's the latest reply from them. It seems to me that there's a suggestion here that the iFrame string was in the file when it got downloaded from Zen Cart! The version was absolutely current when I downloaded it, and no way on earth was it there (I hope)! Besides, upgrading the cart is not a solution - it suggests that the iFrame string is present in ALL previous downloads, which of course is a load of bovine excrement.

    G
    Hi,

    This is a very common exploit done on the script itself not on our servers. Just because you downloaded it from their site doesn't mean the script is secure. You will need to edit the code out of your site and upgrade your cart. We see these every day when people do not keep their scripts up to date.

    Best Regards,
    Alex
    HostGator Technical Support

  8. #18
    Join Date
    Sep 2005
    Location
    The Internets
    Posts
    190
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    You should let 'Alex' know that you no longer want them as a host and arrange to get your Zen site moved over to a Certified Host.

    A lot of hosts are a complete joke, it's best to pay a bit more if necessary and actually get decent service.
    Make regular site and database backups!

  9. #19
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by xt0rt
    You should let 'Alex' know that you no longer want them as a host and arrange to get your Zen site moved over to a Certified Host.

    A lot of hosts are a complete joke, it's best to pay a bit more if necessary and actually get decent service.
    That may well be the ultimate solution in the final analysis. However Hostgator is not a small backroom host company. An organisation their size should be on top of this problem.

    Out of interest here's excerpts from the last few exchanges we've had. Judging by his attack on ZC's PHP coding I think someone from the Dev. Team should take this up with someone at Hostgator - who knows how many other ZC users may be fed this poison when their stores get compromised in the same way?
    Please don't insult my intelligence like this. To suggest that the spurious
    iFrame string was present from original download from the official Zen Cart
    website is ludicrous - are you seriously suggesting that all downloads from
    that source contain this string? Incidentally the version is up to date and
    contains the latest release of the ZC software.

    I've checked my original files that were uploaded to your server and they
    don't contain this line of malicious coding. The line of code responsible
    for the problem was inserted after upload to your server, suggesting to me
    that some exploit script is being deployed on your server software. Perhaps
    that's the reason you can say "We see these every day when people do not
    keep their scripts up to date". This has absolutely nothing to do with
    keeping my scripts up to date. The scripts that were contained in my Zen
    cart upload to the server were absolutely up to date.

    Please investigate further and report your findings back to me. If this
    situation can not be resolved in a professional manner I will have no
    alternative but to seek another host, seek compensation from Hostgator and
    further to advertise this wholly unacceptable stance that you have chosen to
    adopt.

    Gwilym.

    ===========================================================


    ----- Original Message -----
    From: "HostGator Support" <[email protected]>
    To: <[email protected]>
    Sent: 27 June 2006 06:02 PM
    Subject: [#CXE-469446]: URGENT!! REQUIRES YOUR IMMEDIATE ATTENTION


    > Hi,
    > This is a very common exploit done on the script itself not on our
    > servers. Just because you downloaded it from their site doesn't mean the
    > script is secure. You will need to edit the code out of your site and
    > upgrade your cart. We see these every day when people do not keep their
    > scripts up to date.

    > Best Regards,
    > Alex
    > HostGator Technical Support
    >
    > Ticket Details
    > ===================
    > Ticket ID: CXE-469446
    > Department: Support
    > Status: On Hold
    >
    >
    >
    Follow up

    Hi,

    This was not present during the download. No one ever said it was. A lot of PHP scripts out there have exploits allowing remote MySQL insertions and/or having permissions set to 777, allowing other harmful scripts to be uploaded. This is not done from a "trojan" or a "virus" on our servers. This is due to bad coding and/or exploits being found on existing scripts. Here is a clear example of what can happen: http://www.governmentsecurity.org/archive/t8822.html I highly recommend looking on Zen Cart's forums and seeing if there's a patch for this if it is indeed the newest up-to-date version.

    Best Regards,
    Alex
    HostGator Technical Support
    My last reply:
    Fine Alex, you may have a point with older coding, with known issues, that
    is not the case with the problem I've highlighted.

    Would you care to view this? http://wordpress.org/support/topic/69655

    Now I still suggest that there's a malicious script on your servers that
    seeks out php files and attacks them by inserting the iFrame string at the
    foot of the code. Having me remove the spurious insertions and reloading my
    files will not prevent the same thing happening again if that malicious
    script that instigates the problem is not properly investigated and found.

    Gwilym.
    This is not funny - and I'm not going to give up easily on it. If anyone wants to lend some weight feel free to wade in, after all it's ZCart's reputation at stake. Their e-mail address is: support AT hostgator DOT com

    Should this thread be relocated elsewhere on this forum?

    G

  10. #20
    Join Date
    Jun 2003
    Posts
    33,720
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    For the third time- This is not coming from Zen Cart - The Trojan is getting into your files that are chmod 777, but the Trojan is ON THE SERVER.
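
The two symptoms discussed in this thread (files left at 777, and an iFrame string appended at the foot of PHP files) can be checked for across a whole web root. This is an added example, not code from any poster or from Zen Cart; the function names and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Audit a web root for the two symptoms reported in this thread.

# Regular files that any local account, including the web server, can write
# (777, 666 and similar modes).
list_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# PHP files with an <iframe tag in their last 5 lines (the "foot of the file").
list_iframe_tail() {
    find "$1" -type f -name '*.php' -print | while IFS= read -r f; do
        if tail -n 5 "$f" | grep -qi '<iframe'; then
            printf '%s\n' "$f"
        fi
    done
}

# Permissions only: files to 644, directories to 755. Does not clean content.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (not real site data): one clean file, one tampered.
build_sample_tree() {
    mkdir -p "$1/shop/html_includes"
    printf '<?php echo "ok"; ?>\n' > "$1/shop/index.php"
    printf '<?php echo "main"; ?>\n<iframe src="http://example.invalid/"></iframe>\n' \
        > "$1/shop/html_includes/define_main_page.php"
    chmod 644 "$1/shop/index.php"
    chmod 777 "$1/shop/html_includes/define_main_page.php"
}

# Run against a directory given as the first argument, else the sample tree.
root="${1:-}"
if [ -z "$root" ]; then
    root="$(mktemp -d)"
    build_sample_tree "$root"
fi
echo "World-writable files:";           list_world_writable "$root"
echo "PHP files with trailing iframe:"; list_iframe_tail "$root"
```

The trailing-iframe check is a heuristic and will also flag a file that legitimately ends with an iframe, so each hit still needs comparing against a known-good copy. `reset_perms` only tightens modes; flagged files have to be restored from clean originals as well.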
