X-Cart: shopping cart software


xhilr8 10-20-2010 06:25 AM

Website hacked! Please help..
 
I recently discovered that my website has been hacked and is possibly causing a penalty with Google. I noticed that all my pages have hidden links in them when I view the source code. Here's an example of one of the pages; if you view the source code and scroll down, you can see a whole bunch of links:

URL REMOVED

Does anyone know how to get rid of these? It seems to be at the bottom so I looked in the following templates but could not find anything:

home.tpl
prnotice.tpl
copyright.tpl
rectangle_bottom.tpl
bottom.tpl

Couldn't find where these links are being inserted?? Please help

** EDIT: Just found out that not ALL pages are affected..it seems to only appear when browsing in each category (including main home page) but does not appear when you display the individual product listing page.

robb3369 10-20-2010 06:35 AM

Re: Website hacked! Please help..
 
Considering it's after the close of the </html>, check your cache directory... I would re-generate the cache files ASAP... then look through both your FTP logs and web logs for uploads or HTTP POSTs that are unusual.

balinor 10-20-2010 06:37 AM

Re: Website hacked! Please help..
 
Sorry, I had to remove your link - until you know for sure what the hack is, don't need everyone here getting a virus.

Check the timestamp on all of the templates - look at the ones that were recently edited. Also change your FTP and other passwords, and get your host to help you determine how they got in.

bigredseo 10-20-2010 07:51 AM

Re: Website hacked! Please help..
 
Along with the usual FTP changes, also check if you have other scripts on your site that are outdated. In particular, scripts that allow users to upload things. We often see people exploited through forums, blogs and gallery scripts that allow users to upload images or files to the site, and then exploit them.

Check for any outdated scripts on your site and patch them. Also, contact your host. If it was a server side exploit, other users could be affected too.

xhilr8 10-20-2010 04:29 PM

Re: Website hacked! Please help..
 
I downloaded the entire website to my local hard drive and it did pick up one virus located in skin1/index2.php which I have deleted. No other viruses on there.

I also searched all of the files' contents for references to some of the code left behind on the hacked pages (I searched for the string "rkjswrf23lhsf2") and found it in the following files:

aatig\1.php
aatig\xle.php

I'm no expert in SQL, but looking into those files, they seem to make references to the actual SQL database:


$ot1 = array("<js1ey3452nbds>", "<rkjswrf23lhsf2>", "<pwfcwdfesvf>", "<efskert3sewrt>", "<adsttnmq1>");
$ot2 = array("<aoe4dell231rr>", "<ysgksf02hk91ls>", "<lqwrssbvodf>", "<dsfdl456khwwe>", "<sdioyslkjs2>");
$mpt = "";
$drs = "";

Anyone know what this aatig folder is?? I don't believe this is part of X-Cart?? Renaming the folder did nothing and the unwanted code still shows up.. do I need to go into the SQL database to remove it manually?

cflsystems 10-20-2010 06:27 PM

Re: Website hacked! Please help..
 
There is no index2.php in X-Cart. There are no PHP files in the skin directory at all. There are no such files or directories in X-Cart. You should delete these files and directories and any reference to them in any other file.

xhilr8 10-20-2010 07:29 PM

Re: Website hacked! Please help..
 
OK I managed to fix the problem. The code was in home.php (silly of me not to look there first). I've deleted all the references and folder for aatig as well as index2.php. I did stumble across 3 very large files though in the root directory and was wondering if anyone knows what they are:

core.16138
core.16214
core.16232

bigredseo 10-20-2010 08:12 PM

Re: Website hacked! Please help..
 
Core files are memory dumps. Basically when the server encounters an error, or if the script you are running exceeds the amount of memory available for use on the server, it will generate a core dump and place the file into the directory where the script was called from.

You can contact your host to evaluate the core dump file, or possibly send to X-Cart for evaluation regarding their software.

If they're older files, feel free to remove the files as the issue that generated them is likely resolved.
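
The checks suggested in the replies above, collected into one script as an added example (not code from the thread or from X-Cart): it flags PHP files under the skin directory, files containing the marker string quoted in the thread, text after the closing </html>, and recently modified PHP/template files. The `skin1` directory name and the marker come from the thread; the function name, reason labels, extension list and 7-day window are assumptions.

```python
import os
import time

# Marker quoted in the thread; add strings seen in your own injected pages.
MARKERS = (b"rkjswrf23lhsf2",)
CODE_EXT = (".php", ".tpl", ".html")  # assumed set of page-producing files

def scan_webroot(root, skin_dir="skin1", recent_days=7, now=None, markers=MARKERS):
    """Walk root and return sorted (relative_path, reason) findings."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # cap so core dumps stay cheap
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            lower = name.lower()
            # Per the thread, the skin directory ships no PHP files at all.
            if rel.startswith(skin_dir + "/") and lower.endswith(".php"):
                findings.add((rel, "php-in-skin-dir"))
            if any(m in data for m in markers):
                findings.add((rel, "marker-string"))
            if lower.endswith(CODE_EXT):
                # The injected links in the thread sat after the closing </html>.
                _head, sep, tail = data.lower().rpartition(b"</html>")
                if sep and tail.strip():
                    findings.add((rel, "content-after-html-close"))
                # Timestamp check: recently edited templates and scripts.
                if mtime >= cutoff:
                    findings.add((rel, "recently-modified"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:26} {rel}")
```

Run it against a downloaded copy of the site, as the original poster did, so that file timestamps and contents are not changing underneath the scan.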

