Post by suraj_sella » Tue Jan 23, 2018 8:16 pm

Hello guys,

My hosting provider recently found a virus: "SiteLock-HTML-SEOSPAM-imw.UNOFFICIAL" in my home.twig folder after virus scanning routines, and hence, now ports are blocked :(
All other scanners are finding no kind of virus in the file. How do I fix this? Please help.

Last edited by suraj_sella on Wed Jan 24, 2018 7:51 pm, edited 2 times in total.

Post by IP_CAM » Tue Jan 23, 2018 9:47 pm


My Github OC Site: https://github.com/IP-CAM
5'600 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Post by ADD Creative » Wed Jan 24, 2018 1:00 am

Compare your files against a clean download of your version of OpenCart and any themes or extensions you use. If you don't find anything contact your host for more information.

www.add-creative.co.uk


Post by suraj_sella » Wed Jan 24, 2018 1:29 pm

IP_CAM wrote:
Tue Jan 23, 2018 9:47 pm
Did you ever have WORDPRESS installed on that server ?
Ernie
https://wordpress.org/support/topic/sit ... l-found-2/
https://www.whitefirdesign.com/blog/201 ... s-malware/

YES I DID!
I have my suspicions about its uninstalling procedure because I deleted the files from the server and then from trash. Later I realized it was installed through the Softaculous script installer, so I uninstalled the WordPress script later. Is there anything I can do with this? Because I have a lot of code in home.twig that I cannot compromise with! Thanks a lot for giving me a hint here!

Post by suraj_sella » Wed Jan 24, 2018 1:34 pm

ADD Creative wrote:
Wed Jan 24, 2018 1:00 am
Compare your files against a clean download of your version of OpenCart and any themes or extensions you use. If you don't find anything contact your host for more information.

Nothing very quirky, I just added extra lines of code to home.twig. Also, the hosting provider has blocked my ports and is saying there's a virus. They are not being helpful at all! -_-' Thanks for your valuable time! :)

Post by suraj_sella » Wed Jan 24, 2018 5:00 pm

UPDATE on the issue: So, I replaced different home.twig files including the default OpenCart home.twig with my so-called infected home.twig file. Now, the scanner doesn't give any errors. There must be something wrong with my home.twig file only. How can I check it? If anyone is interested to have a look, I'll send it to them in a private message. Please help.

Post by ADD Creative » Wed Jan 24, 2018 7:08 pm

Just post your home.twig here and remove anything you want to keep hidden. That way more people will see it and could offer help. Use the code display </> so it is easier to read.

www.add-creative.co.uk


Post by suraj_sella » Wed Jan 24, 2018 7:47 pm

ADD Creative wrote:
Wed Jan 24, 2018 7:08 pm
Just post your home.twig here and remove anything you want to keep hidden. That way more people will see it and could offer help. Use the code display </> so it is easier to read.

Thank you! I solved the issue. I mean I don't know what the problem was exactly, but I found the problem and removed it!

Post by suraj_sella » Wed Jan 24, 2018 7:49 pm

So, I solved it! I have no idea how or what happened but here goes:

I started to zero in on the piece of code that was giving the error by removing parts of the code one by one, and zeroed in on the following; when it was removed I didn't get the error:

Code:

<li class="list-group-item" style="padding:5px;background-color:transparent;border:0px;"><a href="index.php?route=product/product&path=62&product_id=60" style="border:0px;padding:0px;background-color:transparent">myproduct</a></li>

Upon closer inspection by dissecting this, I found that this worked:

Code:

<li class="list-group-item" style="padding:5px;background-color:transparent;border:0px;"><a href="index.php?route=product/product&path=62&product_id=60" style="border:0px;padding:0px;background-color:transparent">(myproduct)</a></li>

Now, I have no idea how and what happened here, but I suspect the SEOSPAM virus being identified because of "myproduct" being listed under more than one category or subcategory in my website.

If anyone can then please give us a detailed analysis of this post.

Thanks to everyone for their valuable time and suggestions!
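
The line-by-line narrowing described in the post above can be automated. This is an added example, not code from the thread: `toy_flags` and `SAMPLE` are constructed stand-ins (not the SiteLock signature or the poster's template), and `clamscan_flags` assumes a local ClamAV install loaded with the same signature database the host uses.

```python
import re
import subprocess
import tempfile

def clamscan_flags(text):
    """True when clamscan reports a detection (exit status 1) for this text."""
    with tempfile.NamedTemporaryFile("w", suffix=".twig") as fh:
        fh.write(text)
        fh.flush()
        rc = subprocess.run(["clamscan", "--no-summary", fh.name],
                            stdout=subprocess.DEVNULL).returncode
    if rc not in (0, 1):  # status 2 means the scan itself failed
        raise RuntimeError("clamscan failed with status %d" % rc)
    return rc == 1

# Constructed stand-in for the scanner so the example runs offline.
# It is NOT the SiteLock rule; it only flags one bare link text.
_TOY_RULE = re.compile(r"<a [^>]*>myproduct</a>")

def toy_flags(text):
    return bool(_TOY_RULE.search(text))

def minimize(lines, is_flagged):
    """Reduce lines to a subset that is still flagged and from which no
    single line can be dropped without losing the detection."""
    if not is_flagged("\n".join(lines)):
        raise ValueError("input is not flagged; nothing to isolate")
    chunk = max(len(lines) // 2, 1)
    while True:
        i = 0
        while i < len(lines):
            candidate = lines[:i] + lines[i + chunk:]
            if candidate and is_flagged("\n".join(candidate)):
                lines = candidate   # chunk was irrelevant, drop it
            else:
                i += chunk          # chunk is needed, keep it and move on
        if chunk == 1:
            return lines
        chunk //= 2

# Constructed sample template; only the third line uses the markup from the post.
SAMPLE = [
    '<ul class="list-group">',
    '<li><a href="index.php?route=product/category&path=62">Category</a></li>',
    '<li><a href="index.php?route=product/product&path=62&product_id=60">myproduct</a></li>',
    '<li><a href="index.php?route=information/contact">Contact</a></li>',
    '</ul>',
]
```

Passing `clamscan_flags` instead of `toy_flags` runs the same reduction against the real scanner; the surviving lines are what to send to the host or the signature vendor when reporting a false positive.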

Post by ADD Creative » Wed Jan 24, 2018 8:06 pm

If adding brackets around the link text stopped the error and you are sure there is nothing else in the home.twig that shouldn't be there, it's probably just a false positive.

www.add-creative.co.uk


Post by suraj_sella » Thu Jan 25, 2018 1:36 pm

ADD Creative wrote:
Wed Jan 24, 2018 8:06 pm
If adding brackets around the link text stopped the error and you are sure there is nothing else in the home.twig that shouldn't be there, it's probably just a false positive.

I'm definitely sure! It was a blunder of a false positive, exactly like you say! ClamAV and SiteLock must take note of this here -_-'
