Wasn't sure where to put this so put it here!
Client noticed unusual behaviour and on inspection of the FTP his index.html page had been removed and an index.php page placed instead. This latter page was a clone of the original but with a stack of PHP code above the <head> tag.
In addition two spurious PHP files had appeared in the DD folder.
The unusual behaviour was that the home page encoding had changed so GBP signs were displayed as the wrong character in UTF-8.
The hosting company are adamant their servers have not been hacked and did a malware scan of the client's hosting package which was clean.
This may be malware that had got into the client's PC and been uploaded by Sellerdeck, or it may have been due to a malicious POST request (https://perishablepress.com/protect-post-requests/).
Client's PC was clean on scanning, so, looking at the 'perishablepress' page, I added a header to the .htaccess to limit POST requests based on referrer. There is a legitimate PHP file on the server handling the 'Ask a Question' feature on the product page so this was exempted.
Code:
# allow POST based on referrer
<IfModule mod_rewrite.c>
  # Only POST requests to askaquestion.php are examined by this rule
  RewriteCond %{REQUEST_METHOD} POST
  RewriteCond %{REQUEST_URI} /askaquestion\.php [NC]
  # Forbid them when the Referer header does not contain the site's own domain
  RewriteCond %{HTTP_REFERER} !clientdomainname\.com [NC]
  # RewriteCond %{HTTP_USER_AGENT} ^$
  RewriteRule .* - [F,L]
</IfModule>
Interestingly this addition to htaccess DID stop add to cart etc:
Code:
# deny all POST requests
<IfModule mod_rewrite.c>
  # Every POST to the site, including add-to-cart and checkout, is forbidden
  RewriteCond %{REQUEST_METHOD} POST
  RewriteRule .* - [F,L]
</IfModule>
This seems to give help about hacked Google accounts: https://support.google.com/accounts/.../6294825?hl=en
Comments and input welcome
Thank you
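A triage scan for the symptoms described in the post above, written in Python. This is an added example, not code from the original post, from Sellerdeck or from the hosting company: it walks a web root and reports .php files that are not on an allow-list, pages that have a <?php block stacked above <head>, common obfuscation calls, files modified after a given time, and which byte encodings of the pound sign each page contains (a mix in one file is what a page re-saved in a different encoding looks like). The web root, the DD folder, the file names, the placeholder payloads and the timestamps are all constructed for the demonstration; askaquestion.php and clientdomainname.com are taken from the .htaccess above as the assumed legitimate file and domain.

```python
"""Triage scan for a web root where index.html was swapped for a PHP clone and
stray .php files appeared. Added example; everything under build_sample_webroot
is constructed sample data, not files from the incident."""
import os
import re
import tempfile

# Function names that frequently carry injected payloads. A hit is a lead to
# read the file, not proof of compromise.
SUSPICIOUS_PHP = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)

# Byte patterns for a pound sign as they end up on disk after common re-encodings.
# Insertion order matters: longest pattern first (see pound_sign_encodings).
POUND_ENCODINGS = {
    "utf8_double": b"\xc3\x82\xc2\xa3",  # "Â£": UTF-8 bytes encoded as UTF-8 again
    "utf8": b"\xc2\xa3",                 # correct UTF-8
    "latin1": b"\xa3",                   # ISO-8859-1 / Windows-1252
}


def php_before_head(data: bytes) -> bool:
    """True when an HTML page has a <?php block before its <head> tag, the
    shape of the cloned index.php described in the post. Plain PHP scripts
    with no <head> at all are not flagged."""
    php = data.find(b"<?php")
    head = data.lower().find(b"<head")
    return php != -1 and head != -1 and php < head


def pound_sign_encodings(data: bytes) -> set:
    """Return the set of encodings in which a pound sign appears in the file.
    Each matched pattern is removed before checking the shorter ones, so a
    UTF-8 pound (C2 A3) is not also counted as a bare Latin-1 A3."""
    found = set()
    for name, pattern in POUND_ENCODINGS.items():
        if pattern in data:
            found.add(name)
            data = data.replace(pattern, b"")
    return found


def scan_webroot(root: str, expected_php: set, modified_after: float) -> dict:
    """Walk root and collect findings by category. Paths are relative to root
    with forward slashes so results are stable across platforms."""
    findings = {"unexpected_php": [], "php_before_head": [], "suspicious_calls": [],
                "modified_recently": [], "pound_encodings": {}}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if os.path.getmtime(path) > modified_after:
                findings["modified_recently"].append(rel)
            lower = name.lower()
            if lower.endswith(".php"):
                if rel not in expected_php:
                    findings["unexpected_php"].append(rel)
                if SUSPICIOUS_PHP.search(data):
                    findings["suspicious_calls"].append(rel)
            if lower.endswith((".php", ".html", ".htm")):
                if php_before_head(data):
                    findings["php_before_head"].append(rel)
                encodings = pound_sign_encodings(data)
                if encodings:
                    findings["pound_encodings"][rel] = encodings
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root mirroring the post: a cloned index.php
    with code above <head>, two stray files in DD/, one legitimate
    askaquestion.php and an untouched about.html. Payloads are placeholders."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "DD"))
    files = {
        # Pound sign saved once as UTF-8 and once as bare Latin-1: a re-encoded page.
        "index.php": b"<?php eval(base64_decode('Zm9v')); ?>\n<html><head><meta charset=\"utf-8\">"
                     b"</head><body>Price \xc2\xa39.99 was \xa312.00</body></html>",
        "DD/cache.php": b"<?php @eval($_POST['c']); ?>",
        "DD/conf.php": b"<?php echo gzinflate(base64_decode('eJw')); ?>",
        "askaquestion.php": b"<?php mail('sales@clientdomainname.com', 'Q', $_POST['q']); ?>",
        "about.html": b"<html><head><meta charset=\"utf-8\"></head><body>From \xc2\xa35</body></html>",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    # Pretend the legitimate files have been in place since well before the incident.
    old = 1_600_000_000  # 2020-09-13T12:26:40Z, constructed
    for rel in ("askaquestion.php", "about.html"):
        os.utime(os.path.join(root, rel), (old, old))
    return root


def demo() -> dict:
    """Scan the constructed tree with askaquestion.php as the only allowed .php
    and 'modified after' set to 2021-01-01T00:00:00Z (constructed cut-off)."""
    return scan_webroot(build_sample_webroot(), {"askaquestion.php"}, 1_609_459_200)


if __name__ == "__main__":
    for category, value in demo().items():
        print(f"{category}: {value}")
```

Run as a script it prints the findings for the constructed tree; against a real site, point scan_webroot at the document root with the site's known .php files in expected_php and the last known-good deployment time in modified_after. The Referer header is supplied by the client, so the .htaccess rule in the post only turns away requests that omit or mis-set it; a scan like this is what tells you whether files are still being written.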