Forum Moderators: mack


Cached search results hijacked?

         

andytc

9:20 am on Mar 2, 2006 (gmt 0)

10+ Year Member



Hi

I have had my site up and running for about 4 months now. It is a PHP e-commerce site using osCommerce 2.2 software.

I am not sure if this is the right forum to post this in, so please feel free to move this post.

My problem is with cached page results on MSN and GOOGLE.

I recently did a search on MSN to check my placement for a certain product and clicked the view "cached page" result dated 27/2/06.

The page shown contained links to porn and warez sites, at the very top above my header in text format. When I viewed source for my page it appears to contain these links in the header code.

If you click on the main search result link, it shows my page as normal, without the links to warez and porn. But all the cached page links do?

I know that probably not many people will want to view the cached page, but it's very worrying as we sell models and toys and have no connection with warez and porn.

Can anyone tell me how these links are appearing?

Is it a problem with my site?

Any help on where to start looking would be appreciated.

Thanks

httpwebwitch

3:37 pm on Mar 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did you at any point use hotlinked scripts or images from someone else's server?

encyclo

7:24 pm on Mar 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to the forums andytc.

If your site/host has been compromised, there may be a cloaking mechanism inserted which would add the links either dependent on IP address or by user agent. If you have a copy of Firefox handy, install the User Agent Switcher extension and visit your site while using a Googlebot user agent. If the unwanted links show up, you have been hacked. If IP addresses are used, try using some of the SE's translation services (which fetch the page from a SE IP address not yours).

(A "hack" of this nature is more successful over a longer term than a defacement as it is feeding off your rankings to boost the other sites, so it is best when it remains undiscovered for a while.)

Obviously if you have been hacked, you need to take your site offline and rebuild from a known good backup on a new server, probably at a new host. There are several known exploits for osCommerce 2.2 - which precise version are you using?
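The user-agent comparison described in the post above, as an added example that is not part of the original thread: it collects the links served to a browser-like User-Agent and to a Googlebot User-Agent and reports off-site links that only the crawler view contains. The `shop.example` and `spam-*.example` names and both sample pages are constructed.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class LinkCollector(HTMLParser):
    """Collect absolute href targets of <a> tags."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(urljoin(self.base_url, href))

def extract_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.links

def cloaked_links(browser_html, crawler_html, base_url):
    """Off-site links that appear only in the page served to the crawler UA."""
    extra = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    site = urlparse(base_url).hostname
    return sorted(u for u in extra if urlparse(u).hostname != site)

def fetch(url, user_agent, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Fetch your own page twice and compare the two views."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), url)

# Constructed sample responses: the crawler view carries two injected links.
SAMPLE_BROWSER = '<a href="/products.php">Models</a><a href="https://shop.example/toys">Toys</a>'
SAMPLE_CRAWLER = ('<a href="http://spam-one.example/">x</a><a href="http://spam-two.example/x">y</a>'
                  '<a href="/sitemap.php">Sitemap</a>' + SAMPLE_BROWSER)

if __name__ == "__main__":
    print(cloaked_links(SAMPLE_BROWSER, SAMPLE_CRAWLER, "https://shop.example/"))
```

An empty result from `check_site` does not clear the site: as the post notes, a script that keys on the requester's IP address instead of the user agent will not show up in this comparison.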

andytc

4:35 pm on Mar 6, 2006 (gmt 0)

10+ Year Member



Thank you so much for your help. I installed the user agent switcher and tried googlebot and msn; with these the links show up on the non-cached pages as well.

My host denies all knowledge of this and I'm really struggling to find out exactly "where" I should be looking to fix this and what to look for?

Only clue I have is that I recently added a new page to the site (Osc 2.2), it's a sitemap, this page appears clean? I don't know if that provides any insight into my problem or not, but that page was only added in the last few days.

Restoring to a known good backup ... I backed up the entire site about a week ago, before I realised I had a problem, so I don't think my backup will be any good to me.

Any further help would be great, especially anywhere I should start looking?

Many thanks

encyclo

5:56 pm on Mar 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK so we know what the problem is - there is a script which is checking the user agent string of the request and adding the links only to a UA associated with a major search engine. Crude but effective, highly illegal (criminal), but you'll find it hard to impossible to even identify let alone get the person responsible prosecuted.

- How long ago did you install osCommerce?
- Is your installation heavily modified?
- Did you do all the development work yourself or did you use another person/company?
- Is your osCommerce version up to date?

The most likely scenario is that your script is the weak spot, but there is a lesser chance that your server has been hacked via another method. The end result is the same - you are going to have to rebuild the site from a fresh osCommerce package download, and move the site to a new server.

Bear in mind that you don't know how much the hacker has had access to, so you must assume the worst-case scenario that he had full access: cPanel/FTP/email passwords, logins, credit card numbers if you store them...

As a short-term measure, check to see if there is a rogue .htaccess or similar which is prepending a PHP file to your pages, however it may be that your script has been altered, so see if you can find the urls in a file or in your database.
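One way to run the short-term check from the post above over a copy of the web root, as an added example that is not part of the original thread: it flags `auto_prepend_file`/`auto_append_file` directives in `.htaccess`-style files, PHP files that read the User-Agent and name a search-engine crawler, and files containing hosts seen in the cached page. The sample tree, its paths and the `spam-one.example` host are constructed.

```python
import os
import re

# Directive (in .htaccess, .user.ini or php.ini) that runs a PHP file before/after every page.
PREPEND_RE = re.compile(
    r'^\s*(?:php_value\s+)?(auto_(?:prepend|append)_file)[\s=]+"?([^"\s]+)', re.I | re.M)
# Crawler names a cloaking script would look for in the User-Agent header.
BOT_RE = re.compile(r"googlebot|msnbot|slurp", re.I)
CONFIG_NAMES = {".htaccess", ".user.ini", "php.ini"}

def scan_docroot(root, spam_hosts=()):
    """Return sorted (relative_path, kind, detail) leads for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name in CONFIG_NAMES:
                for m in PREPEND_RE.finditer(text):
                    findings.append((rel, m.group(1).lower(), m.group(2)))
            # Legitimate code also inspects the UA, so these hits are leads, not verdicts.
            if name.endswith((".php", ".inc")) and "HTTP_USER_AGENT" in text and BOT_RE.search(text):
                findings.append((rel, "ua-check", BOT_RE.search(text).group(0)))
            for host in spam_hosts:
                if host.lower() in text.lower():
                    findings.append((rel, "spam-url", host))
    return sorted(findings)

def build_sample_tree(root):
    """Write a small constructed web root (not real osCommerce files) for a dry run."""
    samples = {
        ".htaccess": "Options -Indexes\nphp_value auto_prepend_file /home/shop/images/.cache.php\n",
        "images/.cache.php": "<?php if (stristr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) "
                             "{ echo '<a href=\"http://spam-one.example/\">x</a>'; }\n",
        "index.php": "<?php echo 'Model shop'; ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
```

Links stored in the database, which the post also mentions, are outside what this file scan sees; search a SQL dump for the same hosts separately.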

andytc

8:07 pm on Mar 6, 2006 (gmt 0)

10+ Year Member



Hi

I installed this version of Osc about 2 months or more ago - (2.2 MS2 (051113))

It's modified quite a bit, it took a long time to get it the way I wanted it, as Osc isn't the most friendly cart for making any "quick" changes to.

I did all the work myself and I'm trying to think what I could have installed to bring this about.

Fortunately I don't store credit card numbers on the server for this very reason, I'd rather leave that to the experts.

I'll go and spend some time digging through all the files, if I don't find anything I'll change hosts and start again.

Many thanks for all your help, it's very much appreciated.

encyclo

8:12 pm on Mar 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you are on a shared server (shared IP address) and want to see if other sites are affected (which would indicate that the server was hacked), you can use search.msn.com and search for your server's IP address in the format
ip:111.222.333.444
- this should list pages from sites which share the same address as yours. If those sites are affected too, move out as rapidly as possible. :)