mainpage.php contents replaced

**cweb** · 09-21-2010, 03:17 AM

Hi,

I am new to this forum but found it really helpful with this thread. I too have my mainpage contents replaced in August. My host provider did a restore for me to fix it. Then it happened again but luckily I kept a copy in my PC after the first experience so I can update thru the oscommerce admin, phew!

Subsequently, my website cannot be displayed so we discovered there is a new empty file index.html loaded, so that was got rid off. But the next day it is created again so have to get rid again. After reading this thread, I also found there are so many goog*.php files in my image folder and public folder. I was so shock and have got them deleted and block all access except my host and myself. Still not sure any more kept secretly somewhere in the database.

I checked those files mentioned in the thread like checkout_process and etc and they are still the old version so I am not too sure what else to check as file manager in cpanel never gives the last changed dates for files.

Any advice will be really great.

**ridexbuilder** · 09-21-2010, 04:01 AM

Guys, I'm sorry but I really don't get the point of trying to do a thorough post-mortem. The time spent doing it can be used much more fruitfully, IMO.

Look at the wiki for security matters, do the tidy up, then move on.
Attempted hacks (cracks actually) on servers happen every day. Just make sure you close the doors and have a reliable hosting provider.

[An FTP client normally has an option to show the modified column - though it might be an idea to download the cracked site and do an offline compare with a known clean version - assuming that your PC is secured.]

**michael_s** · 09-21-2010, 06:37 AM

Originally Posted by dani

can he/she use define_language.php file?

Current versions of osCmax do not have the define_language.php file anymore, due to the security problems it has. If you still have it in your install, you are using an outdated version of osCmax and should get current with security patches.

**Wolga** · 09-21-2010, 03:11 PM

Originally Posted by ridexbuilder

Guys, I'm sorry but I really don't get the point of trying to do a thorough post-mortem. The time spent doing it can be used much more fruitfully, IMO.

Look at the wiki for security matters, do the tidy up, then move on.

You're right that it would be easier to skip the post-mortem.

I started this thread by asking about this hack and kept searching for others who encountered this hack. I found various threads elsewhere talking about it and after several days of no activity in this thread I posted my findings here.

tcshadow was helpful by mentioning the goog1*.php files and providing a link to the cre loaded forums.

I wanted to contribute search-able content about my findings and trial solutions so others who encounter this will have a little extra info to help them clean up the mess.

I try to keep an eye on, and adhere to security measure posted in the security wiki but this one slipped thought he cracks.

I hope my etiquette is not inappropriate by rambling about my findings and results.

**michael_s** · 09-21-2010, 03:24 PM

Keep on rambling, I cannot speak for anyone else, but I for one appreciate more information than less.

**ridexbuilder** · 09-22-2010, 01:08 PM

I wasn't complaining, so much as reflecting.

The sharing of information is key to a good community.

**tdwuk** · 10-04-2010, 12:53 PM

I was considering security as I am in the process of creating a store, good info in the thread. I think I need to check the wiki link

**dani** · 10-05-2010, 07:54 AM

my site hacked again by goog1 ... file

i set password for admin folder but..

**ridexbuilder** · 10-05-2010, 07:58 AM

You did thoroughly scan your client machines? Your normal anti-vir program, plus for example Malwarebytes, plus one other. This is in addition to following all of the points in the wiki, with regards the server.
If you're on a shared server, maybe it's time to look elsewhere.