Storesprite.com Shopping Cart Ecommerce Forums  



#1  02-01-2011, 11:51 AM  cerveza (Member, joined Jun 2008, 89 posts)
Subject: malware notification from google on website

I am unsure if this is an SS issue with a backdoor somewhere, but I received the email from Google below. I can still access FTP and my host fine, so it seems some code has somehow been injected somewhere rather than a password compromise. I am unsure if this is a hosting issue or a Storesprite issue. Any pointers, or anyone else with a similar problem?

Dear site owner or webmaster


We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

http://***** .co.uk/
http://www.******.co.uk/


Here is a link to a sample warning page:


We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser


If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you've secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmas...y?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.
#2  02-01-2011, 12:01 PM  Storesprite (Administrator, joined Jun 2008, 1,649 posts)

Are you able to give us any more information so that we can take a look (via PM if you like).

I know of 1 storesprite site that had a similar issue - probably over a year ago but after looking into it we concluded that it was not related to code injection but a server compromise (eg. weak or divulged credentials).

Of course we are happy to cast an eye over this for you as we'd like to know if there is a storesprite vulnerability so that we can patch it and / or rule storesprite out as the problem!

What version of SS is it running and what php version? Do you have access to the server logs? Is there a shell login related to the account etc etc....
#3  02-01-2011, 12:24 PM  cerveza (Member, joined Jun 2008, 89 posts)

Upon a bit of my own digging, someone mentioned permissions. I double checked my private/config files and they are incorrect: they are set to read, write and execute for all of them (I am unsure if this was missed when I restored a backup recently), and I wonder whether this could be the source of the problem, as I know they should be READ only. Also, what should the file permissions be on the .htaccess file? Mine is currently set at 644. Are there any other files that I should double check permissions on that may be vulnerable?

Should I restore a previous backup and set permissions correctly and see if that cures the problem.

I will PM more info later if the above does not seem a source of the problem. Many thanks.
#4  02-01-2011, 01:25 PM  Storesprite (Administrator, joined Jun 2008, 1,649 posts)

644 or 775 (774 would work too) for .htaccess.

After the installation any writable files can be reset back to something more secure and of course delete the install directory.

for Example: Files = 644 and Directories = 755

However, you need to check that cache can be written and also images can be uploaded. The settings you use for these directories will depend upon your particular server environment (phpsuExec etc).

We would also recommend that you disable ftp and only use sftp or ssh if you can get away with it.

I would be interested to know what was infected? Were files uploaded? The more information the better.
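The advice in the post above (files 644, directories 755, keep only the cache and image-upload directories writable, delete the install directory) as an added shell example. This is not Storesprite's own code and was not posted in the thread: the directory names `cache`, `images` and `install` and the writable mode 775 are assumptions about a typical install, and the right writable mode depends on whether PHP runs as the account owner (phpsuExec and similar) or as a shared web-server user.

```shell
#!/bin/sh
# Added example (not part of Storesprite): audit a web root for
# world-writable entries and reset everything to files=644 / dirs=755,
# re-opening only the directories PHP genuinely has to write to.
# The directory names and WRITABLE_MODE are assumptions; with
# phpsuExec-style hosting 755 is usually enough because PHP runs as
# the account owner, otherwise the group or world write bit is needed.

# world_writable DOCROOT: print every file or directory with the o+w bit set
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# count_world_writable DOCROOT: how many entries world_writable finds (goal: 0)
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# install_dir_present DOCROOT: succeeds if the installer directory is still
# on disk; it should be deleted once the shop is set up
install_dir_present() {
    [ -d "$1/install" ]
}

# reset_perms DOCROOT [WRITABLE_SUBDIR ...]
# files -> 644, directories -> 755, then WRITABLE_MODE (default 775, an
# assumption) on the listed subdirectories only
reset_perms() {
    docroot="$1"; shift
    mode="${WRITABLE_MODE:-775}"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    for sub in "$@"; do
        if [ -d "$docroot/$sub" ]; then
            chmod "$mode" "$docroot/$sub"
        fi
    done
    return 0
}

# Typical use: audit first, then reset, keeping cache and images writable.
#   world_writable /var/www/shop
#   reset_perms /var/www/shop cache images
#   install_dir_present /var/www/shop && echo "delete the install directory"
```

After the reset, confirm the shop still works: load a page that writes to the cache and try an image upload from the admin area. If either fails, only that directory needs a wider mode, not the whole tree.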
#5  02-02-2011, 08:14 AM  cerveza (Member, joined Jun 2008, 89 posts)

After speaking to the host, it appears to be a permissions issue on the above files, my error. But I will keep you posted if not.
#6  02-02-2011, 09:54 AM  Storesprite (Administrator, joined Jun 2008, 1,649 posts)

Are you able to elaborate on the nature of the infection? What files were created and where? How were they uploaded?
#7  02-03-2011, 08:27 PM  cerveza (Member, joined Jun 2008, 89 posts)

Code was injected into around a third of the pages on the site. It was on the homepage and others. The code was 20 lines of JavaScript, viewable when looking at the page source, which somehow allowed viruses to be uploaded to visitors' computers without them knowing. Thankfully Google spotted this and action could be taken. I am unsure how this was uploaded etc. Is it possible to upload code if the permissions were at 777 without FTP access, and if so, what method could be used?
#8  02-03-2011, 08:38 PM  Storesprite (Administrator, joined Jun 2008, 1,649 posts)

Any chance you could forward us a copy in a plain text file?
#9  02-18-2011, 08:21 AM  jesseo (Member, joined Mar 2009, 84 posts)

I've seen attacks like this several times. Change the passwords used to access your site:
1. strengthen the password to your hosting account
2. strengthen the password to your server
3. if possible don't use FTP, it's not secure. Instead use SFTP.
#10  02-18-2011, 08:22 AM  jesseo (Member, joined Mar 2009, 84 posts)

if you try to delete the javascript, does it come back / reappear after a day or so?
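Posts #7 and #10 raise two practical questions: which pages carry the injected script, and does it come back after clean-up. The shell script below is an added example, not code posted in the thread or shipped with Storesprite. It records a SHA-256 baseline of every file under the web root, reports files added, modified or removed since the baseline, and greps the changed pages for `<script` tags. Run it from cron after cleaning up; if the same files change again, the attacker still has a way in (credentials, a writable directory, or a backdoor file) and the report names the files to look at. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not Storesprite code: baseline-and-diff check for injected
# page content. snapshot() hashes every file under a web root,
# report_changes() compares a saved baseline against the live tree, and
# injected_script_lines() greps the added/modified files for <script tags.
# Paths are relative to the web root and start with "./"; file names
# containing newlines are not handled (not expected in a shop install).

# _sha FILE: hex SHA-256 of FILE (sha256sum on Linux, shasum on BSD/macOS)
_sha() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot DOCROOT: one "path<TAB>hash" line per file, sorted by path
snapshot() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(_sha "$f")"
    done )
}

# report_changes BASELINE DOCROOT: prints "added|modified|removed<TAB>path",
# sorted, by joining the saved baseline with a fresh snapshot on path
report_changes() {
    base="$1"
    cur=$(mktemp)
    snapshot "$2" > "$cur"
    awk -F'\t' -v base="$base" '
        FILENAME == base { old[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in old))        print "added\t" $1
            else if (old[$1] != $2)  print "modified\t" $1
        }
        END { for (p in old) if (!(p in seen)) print "removed\t" p }
    ' "$base" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# injected_script_lines BASELINE DOCROOT: for each added or modified file,
# print "path:line:text" for every line containing a <script tag
injected_script_lines() {
    report_changes "$1" "$2" | awk -F'\t' '$1 != "removed" { print $2 }' |
    while IFS= read -r p; do
        grep -n -i '<script' "$2/$p" | sed "s|^|$p:|"
    done
}

# Typical use (paths are examples):
#   snapshot /var/www/shop > /root/shop-baseline.tsv     # right after clean-up
#   report_changes /root/shop-baseline.tsv /var/www/shop  # daily from cron
#   injected_script_lines /root/shop-baseline.tsv /var/www/shop
```

Keep the baseline file outside the web root and outside the FTP account's reach, otherwise whoever edited the pages can edit the baseline too. Legitimate changes (product images uploaded through the admin, cache files) will show up as well, so the cache and upload directories are the ones to expect noise from; a `<script` hit inside a template or `.php` file that nobody edited is the signal.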

Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
© Copyright 2008 Lamp Design Limited