You should have a virus scanner installed on your computer anyway (otherwise why would you download infected files to it), so use that to 'Scan In Files'.
Vger
Originally Posted by Ajeh
Thanks Ajeh,
Yes, yes, I know all that - if you scroll through from the beginning of this thread you'll see that the source of the problem is well documented (along with some of my correspondence quotes with the hosting company). It is NOT A PROBLEM WITH THE ZC CODING - I've pointed this out more than once. There's an exploit script running wild on the Hostgator servers that's hunting down PHP files with CHMOD attributes that it can attack. It inserts the iframe string into those files. When a specific file is viewed in IE any anti viral software reports a Hacktool.IE.exploit warning.
Everything is in hand. What I need is a shortcut method to remove the iframe string from all infected files, after which the ZC fileset will be moved to a more secure and clean host company. In the meantime the "shop" site has been closed down to the public.
G
Originally Posted by Vger
Oh goodness this is being over complicated by everyone! The actual inserted iframe string IS NOT A VIRUS. I've obviously got AV software on my computer. However what I need to do is remove the spurious string from all PHP files that have had it inserted by the EXPLOIT SCRIPT ON THE SERVER.
G
Download and install Text Pad, use the Find in Files feature to find all references to that code, and then use replace to replace it with nothing.
Vger
Well the easy way is if they are php files with that stuck on them ...
Use the Tools ... Developer's Tool Kit ... and do a search ... iframe does not exist in Zen Cart so it would be a good word to search for in the bottom input box ...
Personally I would use that and Beyond Compare from scootersoftware.com and do an FTP compare of a clean Zen Cart ...
Linda McGrath
G,
Winmerge will batch compare full folders & sub-folders contained within.
The easiest way that I have found is to FTP your shop folder to your PC and ensure that you have the original ZC fileset folder on your PC also.
Then select the open window in winmerge and clear the 2 selection areas.
Then open Winxplorer and navigate to the folder that you want & drag & drop it into one of the winmerge selection areas.
Navigate in explorer to the second folder & drag & drop into the other winmerge area. In winmerge check the sub-folder box and select OK and it will compare all files contained within the folders listing those that are identical and those that are different.
Select 'view' and you can select only different files.
This should short cut the # of files that you must have to look at.
Zen-Venom Get Bitten
Originally Posted by Vger
Excellent - thank you Vger, I'll download it straight away.
G
Originally Posted by Ajeh
Thank you Ajeh - I'll check that out.
G
Originally Posted by kobra
Hello kobra,
I could do that BUT a comparison with a pre installation clean file-set will throw up all the changes between those files and those changed post installation, including bona fide changes.
As I know exactly what the spurious string is what I need is something that will hunt down all occurrences of that string in ALL files and then replace it in them with nothing.
It sounds as if Vger has the solution with TextPad.
Many Thanks,
G
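The exact-string find-and-replace asked for above, as an added example that is not part of any post in this thread. It assumes the shop has been downloaded to a local folder and that `backup_dir` lies outside that folder; `INJECTED` is a constructed placeholder because the thread never shows the real string, and `clean_tree` is a hypothetical helper name.

```python
import os
import shutil

# Constructed placeholder: the thread never shows the real injected string.
INJECTED = b'<iframe src="http://placeholder.invalid/" width="0" height="0"></iframe>'

def clean_tree(root, backup_dir, needle=INJECTED, exts=(".php", ".html", ".htm"),
               dry_run=True):
    """Strip every exact occurrence of `needle` from matching files under `root`.

    Returns [(relative_path, occurrences), ...] sorted by path. With dry_run=True
    nothing is modified, so the hit list can be reviewed before any write.
    Originals are copied to `backup_dir` (outside `root`) before being rewritten.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(exts) or os.path.islink(path):
                continue
            with open(path, "rb") as fh:        # bytes: no encoding guesses
                data = fh.read()
            count = data.count(needle)
            if count == 0:
                continue
            rel = os.path.relpath(path, root)
            hits.append((rel, count))
            if dry_run:
                continue
            saved = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(saved), exist_ok=True)
            shutil.copy2(path, saved)           # keep the infected copy as evidence
            with open(path, "wb") as fh:
                fh.write(data.replace(needle, b""))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    # Usage: python clean_iframe.py <local shop copy> <backup dir> [--write]
    write = "--write" in sys.argv
    for rel, n in clean_tree(sys.argv[1], sys.argv[2], dry_run=not write):
        print(f"{n:3d}  {rel}")
```

This only removes the one known string; files the exploit script added or altered in other ways still need the comparison against a clean fileset suggested earlier in the thread.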
Originally Posted by xt0rt
They seem to be "Herpes" immune!
Here's the latest response received today:
We understand that such issues can be frustrating, but there is no blame being passed, simply the facts of the matter. To clarify, we do not run PHP in the Apache API, we force it to run in the CGI API, and it makes use of a modified version of the suexec CGI wrapper, called phpsuexec. This means any PHP (or CGI) scripts run as your own user, and not the global web server user (called "nobody") that other hosts are known to use. This offers a lot of advantages, but a primary one is better security by allowing users to set their files to chmod 400, 600, 640, 660, 700, 710, 711, 755, etc. depending on the file, and deny any execute, write/modify or even read access to any other users on the system.
The issue still exists in that it's a shared server. However, that said, we still take measures to deny access to things like find, and many modules and paths and directories via security settings to help prevent the majority of exploits. We take it further by implementing such things as mod_security, we have custom firewalls to prevent scripts/users from binding to local ports to listen for connections with a backdoor, etc., or to connect out over non valid ports as well. We have many settings and restrictions, but being how technology is with web servers and it being a shared server environment, there are still means one could use (though limited) to cause issues with another users' site. So, secure scripts and more appropriate permissions are required for you to have a secure environment for your account--this will effectively prevent all issues from other users/scripts. Only if your own scripts are insecure would a problem be present. Thus, any instructions telling you to set any files or directories to be world write/modify are absolutely unneeded and will only pose a risk.
--
Regards,
Tim Greer
Systems Administrator - HostGator.com, LLC.
This would seem to imply that my scripts are insecure and by extension Zen Cart's. Consequently it's MY fault and not the host!
Zen Cart recommend:
CHMOD 777 for
/cache
/pub
/images
/includes/languages/english/html_includes
/admin/backups
/admin/images/graphs
These to 444 or 644
/includes/configure.php
/admin/includes/configure.php
So how does a new ZC installer square this? By using a reliable and secure host - but Hostgator insist they are!
The only one suffering in all of this is muggins here - with a website down and a cartload of problems to resolve to get it back up - regardless of where I take my hosting business.
G
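A check for the permissions point in the host's reply quoted above (world write is unneeded when PHP runs as the account's own user), as an added example that is not part of any post in this thread. `audit_world_writable` and `tighten` are hypothetical helper names, and dropping group write along with world write (so 777 becomes 755 and 666 becomes 644) is this example's choice, not something the host prescribes.

```python
import os
import stat

def audit_world_writable(root):
    """List everything below `root` that 'other' users can write to.

    Returns [(relative_path, current_mode, suggested_mode), ...] sorted by
    path, with modes as octal strings such as '777'. Symlinks are skipped.
    """
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Example's choice: drop group and world write, keep the rest.
                suggested = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
                findings.append((os.path.relpath(path, root),
                                 format(mode, "03o"), format(suggested, "03o")))
    return sorted(findings)

def tighten(root, findings):
    """Apply the suggested modes from audit_world_writable(); returns the count."""
    for rel, _current, suggested in findings:
        os.chmod(os.path.join(root, rel), int(suggested, 8))
    return len(findings)

if __name__ == "__main__":
    import sys
    # Usage: python audit_perms.py <shop root> [--fix]
    found = audit_world_writable(sys.argv[1])
    for rel, current, suggested in found:
        print(f"{current} -> {suggested}  {rel}")
    if "--fix" in sys.argv:
        print(f"changed {tighten(sys.argv[1], found)} entries")
```

Run it on the server account itself, since permissions are not preserved in a copy fetched over FTP.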