CRE Loaded Community

Board index » Loaded Commerce Support » Security Issues

 Post subject: Virus?
PostPosted: Tue May 12, 2009 10:58 am 
CRE Addict

Joined: Sat Feb 04, 2006 1:00 am
Posts: 264
I hope someone can help me. When I go on the chainreactionweb forums or email them, I get a canned response telling me "We see no problem" as usual.

One day last week we went into our admin panel, www.jawproducts.com/admin, and noticed our entire page started flashing; then the link changed to say www.scan4ray.something, and at the bottom it showed that it was going through a scan of web links that were not ours. Then our Norton virus package kept popping up saying JS.Downloader blocked. Then the screen came up with a popup that said "access denied". If we tried to get on again everything came up normal, but if we clicked on links within our admin home page, we'd get "oops link broken".

Chainreaction said that this happened because our configure files were wrong (which cannot be true, because our configure files have been the same and working just fine for a long time now). They changed the configure paths and then our site just stopped working; customers were getting "oops link broken". It looks like it was because they changed the paths and they were no longer following correctly. Again Chainreaction said "we see no problems here", even though customers were calling here saying they couldn't get on our site.

I put back old backups of our configure files that we created and the site is fine, but we are still getting these virus errors. Chainreaction is now telling us this is a problem on our machine because they have no problems.

If this is the ONLY link giving us the virus error, does this really mean it's a problem on our machine? We are novices, so please forgive me; we just don't know what is going on.


 Post subject: Re: Virus?
PostPosted: Tue May 12, 2009 12:32 pm 
CRE Freak

Joined: Fri May 16, 2008 3:06 am
Posts: 72
Hello,

We have investigated this issue on our end thoroughly. The entire web department has looked into it. We see no issue on our end or on your site from our end.

If you could take some screen shots of what you are seeing, and email them to me at sabrina@creloaded.com - perhaps that will shine some light on helping you figure out what's wrong on your end.

Thanks!

_________________
Regards,

Sabrina Hogan
Director of Customer Support Services
Chain Reaction Ecommerce, Inc.


 Post subject: Re: Virus?
PostPosted: Tue May 12, 2009 12:44 pm 
CRE Freak

Joined: Mon May 07, 2007 12:00 am
Posts: 68
Location: Tucson
Your site is going through the same problem we are fighting.
We have not been able to determine the source yet.

Here is what we have done to get our sites back up again.
In FTP we sort all the files by date; you will see files with newer dates.
The files with the newest dates we found are the affected files.
Then we FTP up the same files from the original CRE files.
Do not upload the config file in includes.

If you open a PHP file in Dreamweaver that has the new date, you will see around 3 lines of code that have been inserted right after the <?php tag.

Each of your image folders, I'll bet, has an index.php file in it that needs to be removed.

If you have any HTML files, like a sitemap.html file, they will need to be deleted and re-built.

This is a total pain since every folder you have will have to be looked at for the new date.


 Post subject: Re: Virus?
PostPosted: Tue May 12, 2009 12:51 pm 
CRE Freak

Joined: Mon May 07, 2007 12:00 am
Posts: 68
Location: Tucson
Sabrina,
We posted at the same time.

We have tried to figure out permission settings for all of the folders since files are being re-written.
But when we tighten them up too much, the site stops functioning. Is there a list anywhere that reviews permission settings?

This virus has never hit the admin section of our site.
Our site is currently 66.B2B 13; we want to go to 6.3.3 to see if it will help, but it seems to still have too many problems after reading the 6.3 forum.

_________________
http://www.chircoestore.com/catalog/


 Post subject: Re: Virus?
PostPosted: Tue May 12, 2009 1:34 pm 
CRE Freak

Joined: Fri May 16, 2008 3:06 am
Posts: 72
Hello Chiro,

Do you host with us? If so, what is your domain name? Or better yet, please seek help from support@chainreactionweb.com or go to live chat from the creloaded.com home page and click on hosting support.

Another great tool is: http://downforeveryoneorjustme.com/ if this shows your site is up - it's up!

However, we are looking into each issue as it comes to us.

Thanks.

_________________
Regards,

Sabrina Hogan
Director of Customer Support Services
Chain Reaction Ecommerce, Inc.


 Post subject: Re: Virus?
PostPosted: Tue May 12, 2009 2:31 pm 
CRE Addict

Joined: Wed Oct 01, 2003 12:00 am
Posts: 220
Location: Virginia, USA
The folders that need to be writable are:

admin/backups
admin/images/graphs
admin/includes/languages
cache
debug
images
includes/languages
library
pub
temp
tmp

The file that needs to be writable is:

includes/header_tags.php

As a best practice, all of the .htaccess files should be set to 444 (read only) to prevent being overwritten. It is critical that this be done in the folders marked as writable, so there is no chance of them being corrupted.

The .htaccess file is used to prevent direct web-based execution of files in the various folders. Some folders need to allow web access, some do not. But in no case should a PHP file be accessed directly except in the catalog or admin root folders.

_________________
Charles C. Williams. Jr.
Chief Software Engineering Officer
Chain Reaction Ecommerce, Inc.
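
The list above is the whole permission policy for a catalog, so here it is as a script. This is an added example, not code from the thread or from CRE Loaded: the writable folders, the writable file and the 444 rule for .htaccess are taken from the post, while the numeric modes (0o775 for writable folders, 0o755 and 0o644 elsewhere), the fixture tree and the function names are this example's own assumptions. It audits a catalog root for drift from that policy, reports each deviation, and can apply the policy with chmod.

```python
"""Permission audit/hardening for a CRE Loaded catalog tree (added example)."""
import os
import stat
import tempfile

# From the post above: folders and the one file that must stay writable.
WRITABLE_DIRS = [
    "admin/backups", "admin/images/graphs", "admin/includes/languages",
    "cache", "debug", "images", "includes/languages", "library",
    "pub", "temp", "tmp",
]
WRITABLE_FILES = ["includes/header_tags.php"]

# Assumed modes (not from the post): 0o775 for writable folders presumes PHP
# runs as the file owner or a member of its group, as on suPHP/FastCGI hosting.
DIR_MODE, WRITABLE_DIR_MODE = 0o755, 0o775
FILE_MODE, WRITABLE_FILE_MODE = 0o644, 0o664
HTACCESS_MODE = 0o444  # from the post: .htaccess files read-only


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def _expected(root, path, is_dir):
    """The mode an entry should have under the policy, given its place in the tree."""
    rel = os.path.relpath(path, root)
    if is_dir:
        if any(rel == d or rel.startswith(d + os.sep) for d in WRITABLE_DIRS):
            return WRITABLE_DIR_MODE
        return DIR_MODE
    if os.path.basename(path) == ".htaccess":
        return HTACCESS_MODE
    if rel in WRITABLE_FILES:
        return WRITABLE_FILE_MODE
    return FILE_MODE


def _entries(root):
    """Yield (path, is_dir) for every directory and regular file; symlinks are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath, True
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, False


def audit(root):
    """Return (relative path, actual mode, expected mode) for every entry that deviates."""
    findings = []
    for path, is_dir in _entries(root):
        actual, expected = _mode(path), _expected(root, path, is_dir)
        if actual != expected:
            findings.append((os.path.relpath(path, root), oct(actual), oct(expected)))
    return findings


def harden(root):
    """Apply the policy with chmod; return how many entries were changed."""
    changed = 0
    for path, is_dir in _entries(root):
        expected = _expected(root, path, is_dir)
        if _mode(path) != expected:
            os.chmod(path, expected)
            changed += 1
    return changed


def build_sample_tree(root):
    """Constructed fixture: a skeleton catalog showing typical drift on shared hosting."""
    for d in WRITABLE_DIRS + ["includes", "templates/content"]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {
        "index.php": 0o644,
        ".htaccess": 0o644,                 # should be 444
        "images/.htaccess": 0o666,          # world-writable, should be 444
        "images/logo.gif": 0o644,
        "includes/configure.php": 0o666,    # world-writable config
        "includes/header_tags.php": 0o644,  # the one file that must be writable
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "images"), 0o777)     # on the list, but 777
    os.chmod(os.path.join(root, "templates"), 0o777)  # not on the list at all
    os.chmod(os.path.join(root, "cache"), 0o755)      # on the list, but not writable


def demo():
    """Build the fixture in a temp dir, audit, harden, audit again."""
    root = tempfile.mkdtemp(prefix="cre-perms-")
    build_sample_tree(root)
    before = audit(root)
    changed = harden(root)
    return before, changed, audit(root)
```

Run audit() against the catalog root before touching anything; harden() applies the same table. Two caveats: a 444 .htaccess only stops a process running as a different user, so if PHP runs as the file owner, or an attacker holds the FTP credentials (where the later posts in this thread point), it can simply chmod the file back, which is why an integrity check matters more than the mode; and the 0o775 choice assumes PHP runs as the owner or its group, whereas a mod_php host running PHP as a separate user needs the writable folders group-shared with that user rather than set to 777.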


 Post subject: Re: Virus?
PostPosted: Wed May 13, 2009 4:57 pm 
CRE Freak

Joined: Fri May 16, 2008 3:06 am
Posts: 72
Here is the latest of our investigation:

It appears that a virus or trojan may be out in the wild on merchant PCs that is able to harvest FTP user/pass info from FTP clients (such as Cute_FTP or Filezilla). We are looking into this possibility and will have more information as we move forward with this very serious issue.

We recommend an immediate password change to prevent any further issues. Changing FTP info for anyone experiencing these issues would be effective in this scenario, but only for a while. The breach needs to be located. It may be a cascading breach, in that we locate the root of the script and disable it. Otherwise, the cycle could start all over again, i.e. changing FTP info would be a band-aid on a gunshot wound. :cry:

We are working on finding the breach if it exists, but also advise that anyone who is at an older patch level and not at the current patch upgrade their cart ASAP.

Thank you.

_________________
Regards,

Sabrina Hogan
Director of Customer Support Services
Chain Reaction Ecommerce, Inc.


 Post subject: Re: Virus?
PostPosted: Mon May 18, 2009 10:16 pm 
CRE Freak

Joined: Mon May 07, 2007 12:00 am
Posts: 68
Location: Tucson
We ended up deleting lots of old files and templates that we were not going to use. Each template had an image.php file in the language image folder of each language of each template. I think these were the land mines, for lack of a better term.

We did change all of our passwords.

We also had a gentleman create a Perl script to look for these in the future.
Next is to install Tripwire on the server to tell us when files are being re-written.

_________________
http://www.chircoestore.com/catalog/


 Post subject: Re: Virus?
PostPosted: Wed May 20, 2009 5:43 pm 
CRE Addict

Joined: Sat Feb 04, 2006 1:00 am
Posts: 264
Sabrina wrote:
Hello Chiro,

Do you host with us? If so, what is your domain name? Or better yet, please seek help from support@chainreactionweb.com or go to live chat from the creloaded.com home page and click on hosting support.

Another great tool is: http://downforeveryoneorjustme.com/ if this shows your site is up - it's up!

However, we are looking into each issue as it comes to us.

Thanks.

We did use this link and it says it's not just us, that our site is down. We are getting these broken links again. We're working on the patches too, but we don't think this is the reason.


 Post subject: Re: Virus?
PostPosted: Wed May 20, 2009 5:44 pm 
CRE Addict

Joined: Sat Feb 04, 2006 1:00 am
Posts: 264
Thanks for the responses. For some reason I'm not getting notifications of the new posts even though my settings are set to get the replies.

We're still having the same issue with broken links, especially on the admin side.


 Post subject: Re: Virus?
PostPosted: Wed May 20, 2009 6:26 pm 
CRE Freak

Joined: Mon May 07, 2007 12:00 am
Posts: 68
Location: Tucson
We have had to go further into the site to get rid of the landmines left behind.
We had deleted all the templates that we are not using, so our template folder only has Content, Default and our current template.

Did you get a chance to look at your files in an FTP program?
If you sort them by date, you will see the exact time and date the file was overwritten.

We then had to overwrite those files with fresh ones from the initial build.
The HTML and JS files are the toughest to fix.

The oddest thing we found in most of the image folders, all the way down to the image folders in templates/languages, were image.php files.
We removed them.

I use Avast and it works great as an anti-virus tool.

Make sure you look in every folder, not just in CRE.
This damn thing spreads everywhere.
We have WordPress, SMF forums and other supporting social media that also got attacked.
Please reset your FTP user password.

Since I suck at typing, give me a ring if you need help; 800-955-9795 is the office phone number. Ask for Don.


 Post subject: Re: Virus?
PostPosted: Wed May 20, 2009 7:10 pm 
CRE Freak

Joined: Mon May 07, 2007 12:00 am
Posts: 68
Location: Tucson
This might help some folks out there.
Here is the Perl script that was written for our server.
It will need to have the path argument changed.

Here are the instructions. Someone please take a look at it.

Hey Michael, I've put together a perl script that I think will help you. When Don called this morning, the first thing I did was go out to the machine and tar up almost everything. So I pulled those down and had some local data to work with.

I saw that there were at least 2 different types of .js infections. I think this is indicative of 2 different vulnerabilities. My first guess would be something with WordPress templates, and maybe CRE? I'm not sure on that one, and unless we want to take 500 hrs and crawl through all of the code, we're not going to find it (and even then probably not).

In the meantime, this script can help. Please, please, please back up the entire /var/www/vhosts directory before running it. It makes its own backups, but I'm overly cautious. (btw: any files it modifies will also be saved with a .infected extension).

I ran this on my local machine against my test data and it seemed to do the trick. It examines all of the .js, .html, and .php files under /var/www/vhosts (you can change the root directory in the MAIN section). If it sees certain strings that I think are unique enough to identify the infection, it makes note of the lines they're on and scrubs the file (after backing it up with a .infected extension).

It also logs everything it does, so be prepared for about a 200MB log file append every time you run it (cleanup.log).

I would first back everything up, then copy the file to /var/www. You can then chmod +x cleanup.pl and cd /var/www then run it with ./cleanup.pl . The log file will sit in the same directory you run it from. It works with full paths, so you can run it from pretty much anywhere though. Also, it uses only standard perl modules so you will not have to visit cpan at all.

As I said, I tested it, but there could always be something I did not foresee, so please make sure you have all of your .php, .html, and .js backed up first.

Please let me know if you have any questions.

-S

ps - The script is _heavily_ commented
ppss - you can remove all of the .infected files once you get ready with this:
cd /var/www/vhosts
find ./ -name '*.infected'|xargs rm

This site will not allow me to attach the Perl file.
If someone in CRE will shoot me an e-mail, I will forward it to them.
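
The Perl script the post describes is not on the page, so here is an added example, not that script and not CRE Loaded code, that does the same kind of work in Python: it takes a hash baseline of the tree (the Tripwire idea mentioned earlier in the thread), reports files added or modified since the baseline, lists PHP files dropped into any images folder (the image.php landmines), flags lines in .php/.js/.html files that match injection signatures, and scrubs them only after saving a .infected copy, as the described script does. The signature patterns, the fixture file contents and the paths are constructed assumptions; the real 2009 payloads are not on the page, so SUSPECT_PATTERNS must be tuned to the strings actually found.

```python
import hashlib
import os
import re
import shutil
import tempfile

SCAN_SUFFIXES = (".php", ".js", ".html")
# Assumed generic markers, not the 2009 payloads; replace with strings actually found on the site.
SUSPECT_PATTERNS = {
    "eval-of-decoded-string": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "hidden-iframe": re.compile(rb"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I),
}

def _files(root):
    """Every file under root in a stable order, as (relative posix path, absolute path)."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path

def baseline(root):
    """Tripwire-style table: relative path -> SHA-256 of content (.infected backups skipped)."""
    table = {}
    for rel, path in _files(root):
        if not rel.endswith(".infected"):
            with open(path, "rb") as fh:
                table[rel] = hashlib.sha256(fh.read()).hexdigest()
    return table

def compare(root, table):
    """Against a saved baseline: (relative path, 'added'|'modified'|'missing')."""
    current, changes = baseline(root), []
    for rel in sorted(set(table) | set(current)):
        state = ("missing" if rel not in current else "added" if rel not in table
                 else "modified" if current[rel] != table[rel] else None)
        if state:
            changes.append((rel, state))
    return changes

def stray_php_in_image_dirs(root):
    """PHP files below any 'images' folder: the image.php landmines from the thread."""
    return [rel for rel, _ in _files(root)
            if rel.lower().endswith(".php") and "images" in rel.lower().split("/")[:-1]]

def injected_code(root):
    """(relative path, line number, pattern name) for each suspect line in scanned files."""
    hits = []
    for rel, path in _files(root):
        if rel.lower().endswith(SCAN_SUFFIXES):
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh.read().splitlines(), 1):
                    hits.extend((rel, lineno, label) for label, pat in SUSPECT_PATTERNS.items()
                                if pat.search(line))
    return hits

def scrub(root, hits):
    """Copy each flagged file to <name>.infected, then drop its flagged lines; returns files touched."""
    bad_lines = {}
    for rel, lineno, _label in hits:
        bad_lines.setdefault(rel, set()).add(lineno)
    for rel, bad in bad_lines.items():
        path = os.path.join(root, *rel.split("/"))
        shutil.copy2(path, path + ".infected")
        with open(path, "rb") as fh:
            lines = fh.read().splitlines(keepends=True)
        with open(path, "wb") as fh:
            fh.writelines(line for n, line in enumerate(lines, 1) if n not in bad)
    return sorted(bad_lines)

# Constructed fixture: a clean skeleton, then the changes the thread describes
# (a line inserted after <?php, an iframe appended to sitemap.html, image.php dropped in).
CLEAN_FILES = {
    "index.php": b"<?php\n// front controller placeholder\n",
    "includes/application_top.php": b"<?php\n// bootstrap placeholder\n",
    "includes/javascript/general.js": b"function go() { return 1; }\n",
    "images/logo.gif": b"GIF89a\x00",
    "sitemap.html": b"<html><body><a href=\"/\">home</a></body></html>\n",
}
INFECTED_FILES = {
    "includes/application_top.php": b"<?php\n@eval(base64_decode('ZWNobyAxOw=='));\n// bootstrap placeholder\n",
    "sitemap.html": CLEAN_FILES["sitemap.html"] + b"<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>\n",
    "images/image.php": b"<?php\n@eval(base64_decode('ZWNobyAxOw=='));\n",
    "templates/content/images/image.php": b"<?php\n@eval(base64_decode('ZWNobyAxOw=='));\n",
}

def _write(root, files):
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    """Baseline a clean tree, apply the constructed infection, run every check, scrub, re-check."""
    root = tempfile.mkdtemp(prefix="cre-scan-")
    _write(root, CLEAN_FILES)
    table = baseline(root)
    _write(root, INFECTED_FILES)
    hits = injected_code(root)
    return {"changes": compare(root, table), "stray_php": stray_php_in_image_dirs(root),
            "injected": hits, "scrubbed": scrub(root, hits), "still_suspect": injected_code(root)}
```

demo() runs the whole cycle on a temporary tree. On a real host, save the baseline() output after a clean install and run compare() on a schedule; the stray image.php files are not scrubbed, only listed, because the right fix for a dropped-in file is deletion. Signature scrubbing is a stopgap: whatever used the same credentials or hole will rewrite the files again, which is exactly what this thread keeps seeing.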


 Post subject: Re: Virus?
PostPosted: Thu May 21, 2009 10:17 am 
CRE Addict

Joined: Sat Feb 04, 2006 1:00 am
Posts: 264
Thanks guys. I checked files and don't see any image.php.

We are still getting "oops, broken link" pages. Customers are getting it too; we can't seem to do anything on jawproducts.com or jawproducts.com/admin without getting "oops broken link", even though our configure files are correct and we even verified them with old backups. I don't know what's going on. Does this also have to do with the virus?


 Post subject: Re: Virus?
PostPosted: Thu May 21, 2009 10:18 am 
CRE Addict

Joined: Sat Feb 04, 2006 1:00 am
Posts: 264
Oh, and Chirco, yes, we sorted by date and there are no files out of the ordinary. I don't get it.


 Post subject: Re: Virus?
PostPosted: Fri May 22, 2009 12:48 am 
CRE Freak

Joined: Thu Dec 06, 2007 7:39 pm
Posts: 44
Location: USA, CA
I have been dealing with code injection on my sites since late last year. To date I have not been able to determine where it is coming from. The first was the Yahoo Counter.

The latest, just last week, was more difficult than all the previous ones. I had the image.php file in all image directories, which I deleted successfully. This time there was also code injected into many JS, PHP and HTML files. To remove these I went in and checked file modification dates, and that made it reasonably doable but a real pain. One interesting observation was that the file modification date was changed but not the directory's. The injection seemed to go only a few subdirectories deep.

This time Google found the problem before I did and flagged it as containing malware, so it was blocked for a few days until Google verified it as clean.

I have suspected that the intrusions were coming from the host side, ixwebhosting, but they keep telling me that it is a vulnerability from my side. I keep changing passwords etc. but haven't stopped them yet. FTP logs do not show any access at the time the code is injected.

I am limiting the machines I use for accessing and have run antivirus etc. to make sure this is not coming from my side.

I have examples of the files with the latest injected code if anyone has a need to see them. I am running CRE 6.2.13.2 Pro.

Misery loves company, so I'm glad to see this is rising; hopefully someone will figure out where this is coming from.

_________________
Greg The Back Shop Guy www.backshop.us
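
Two of the observations above are checkable rather than anecdotal: whether the FTP logs show any upload at the time a file changed, and whether a file's modification time moved while its directory's did not (an in-place overwrite rather than a new entry). Here is an added example, not code from the thread, that does both from data a host already has: the FTP server's xferlog (the standard transfer-log layout written by proftpd, vsftpd and pure-ftpd) and file and directory mtimes from stat. The log lines, paths, addresses, times and the single "known office address" are constructed assumptions, as is the two-minute matching window.

```python
import re
from datetime import datetime, timedelta

DOCROOT = "/var/www/vhosts/example.invalid/httpdocs"  # assumed vhost document root
KNOWN_HOSTS = {"203.0.113.7"}                         # assumed: the merchant's own office address

# xferlog layout (proftpd/vsftpd/pure-ftpd): current-time transfer-time remote-host file-size
# filename transfer-type special-action-flag direction access-mode username service-name
# authentication-method authenticated-user-id completion-status
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) \d+ (?P<path>\S+) "
    r"[ab] \S (?P<direction>[iod]) [arg] (?P<user>\S+) \S+ [01] \S+ (?P<status>[ci])$"
)

# Constructed log: a routine upload from the office, an overnight upload from an unknown
# address using the same account, and a download that must be ignored.
XFERLOG = """\
Mon May 18 09:12:44 2009 2 203.0.113.7 13322 /var/www/vhosts/example.invalid/httpdocs/images/banner.gif b _ i r shopftp ftp 0 * c
Mon May 18 09:13:02 2009 1 203.0.113.7 2210 /var/www/vhosts/example.invalid/httpdocs/index.php b _ o r shopftp ftp 0 * c
Tue May 19 03:41:10 2009 1 198.51.100.23 8811 /var/www/vhosts/example.invalid/httpdocs/includes/application_top.php b _ i r shopftp ftp 0 * c
"""

# Constructed mtimes, as stat or `find -newer` would report them, in the server's local time.
CHANGED_FILES = {
    "images/banner.gif": datetime(2009, 5, 18, 9, 12, 46),
    "includes/application_top.php": datetime(2009, 5, 19, 3, 41, 11),
    "sitemap.html": datetime(2009, 5, 20, 17, 5, 2),
}
DIR_MTIMES = {
    "": datetime(2009, 2, 3, 12, 0, 0),            # the document root itself
    "images": datetime(2009, 5, 18, 9, 12, 46),    # banner.gif was a new entry
    "includes": datetime(2009, 2, 3, 12, 0, 0),    # nothing added or removed here
}


def parse_xferlog(text):
    """Completed uploads only: list of {when, host, path, user}."""
    uploads = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m and m.group("direction") == "i" and m.group("status") == "c":
            when = datetime.strptime(" ".join(m.group("when").split()), "%a %b %d %H:%M:%S %Y")
            uploads.append({"when": when, "host": m.group("host"),
                            "path": m.group("path"), "user": m.group("user")})
    return uploads


def correlate(changed, uploads, docroot=DOCROOT, window=timedelta(minutes=2)):
    """Per changed file: ('ftp-known-host'|'ftp-unknown-host', host) when an upload of that
    path landed within `window` of the mtime, else ('no-ftp', None)."""
    verdicts = {}
    for rel, mtime in changed.items():
        full = docroot.rstrip("/") + "/" + rel
        hits = [u for u in uploads if u["path"] == full and abs(u["when"] - mtime) <= window]
        if hits:
            host = hits[-1]["host"]
            verdicts[rel] = ("ftp-known-host" if host in KNOWN_HOSTS else "ftp-unknown-host", host)
        else:
            verdicts[rel] = ("no-ftp", None)
    return verdicts


def rewritten_in_place(changed, dir_mtimes):
    """Files whose mtime is later than their directory's: overwritten, not newly created."""
    return sorted(rel for rel, mtime in changed.items()
                  if mtime > dir_mtimes.get(rel.rpartition("/")[0], mtime))


def demo():
    uploads = parse_xferlog(XFERLOG)
    return correlate(CHANGED_FILES, uploads), rewritten_in_place(CHANGED_FILES, DIR_MTIMES), len(uploads)
```

A changed file with no matching upload points away from stolen FTP credentials (Greg's observation) and toward something running on the server itself, such as the dropped-in PHP files; an upload from an address the merchant does not recognise is the credential-theft case the support post describes. Both verdicts are only as good as the logs: a server writing xferlog in a different timezone from the stat output, or one that rotates the log before you look, produces false "no-ftp" results.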

