geodesicsolutions-community / geocore-community

GeoCore Community, open source classifieds and auctions software
MIT License

REDIRECT WEBSITE ISSUE #165

Closed monsat31 closed 2 years ago

monsat31 commented 2 years ago

Hello, I have an issue after installing the 20 V on PHP 7.4: after a few days I find that the script redirects any user to other spam websites, malware. Can you please scan all the files? I also have an issue when adding new classified ads: I can't choose the category, it stops working when choosing one category. Also, when adding image files to products it can't proceed. What can be the problem, please? www.ortho.tk

jonyo commented 2 years ago

Just visiting the website redirects you? Or you have to click on one of the ad banners? I went to your website and it loaded the page. But you still have the "example banners" on there. Some of them link to the old company website that no longer works, in fact the old company website now redirects to what looks like spam websites. I suspect that is what is happening here.

If that is the case, you can remove (or add your own) the banners in your templates.

If you are new to editing the templates, this section of the wiki can help: https://geodesicsolutions.org/wiki/startup_tutorial_and_checklist/design_configuration/design_tools/start

Then, to replace or remove the banners, this section should help: https://geodesicsolutions.org/wiki/startup_tutorial_and_checklist/design_configuration/specific_html_elements/default_banner_locations

Note: We have actually already replaced the "old" banner examples and links, but it is not released yet. So this will not be an issue in future releases.

If you do not even have to click on anything to get redirected: Note that when I go to your website it works fine. If you get redirected without clicking on anything, you may have malware called a browser hijack on your own computer, that makes it go to other websites when you try to visit certain sites.

monsat31 commented 2 years ago

Hello, thank you for your answer. I just reinstalled the software again in a subfolder and pointed it to the main domain, and it works properly, the same as it was before in the main domain, but after a few days it redirects without clicking anything.

vicos59 commented 2 years ago

Which version of the source code did you download? If you downloaded Beta-4, that has a boatload of bugs in it. If you just downloaded the latest source, you would need to run composer to build the release. If you don't have the knowledge/experience to build your own releases, I have one I have been providing to people in similar circumstances.

Since I don't have access to build Beta-5 here in the main repo, I uploaded a copy to my private copy of the repo:

https://github.com/vicos59/geocore-community/blob/main/geocore-ce.myBeta5.zip

I've done this several times in the past for people using one of the public file download sites, but the files expire after a few weeks.

Hope this helps.

monsat31 commented 2 years ago

Hi, I have used Beta-3; I didn't know if it was free from bugs and ready to use. I had the official license of GeoCore Max 7.6 before, but it is bound to an old domain name that I do not own today, and their server is out of service. vicos59, what does "but the files expire after a few weeks" mean? And does this repo work properly: https://github.com/vicos59/geocore-community/blob/main/geocore-ce.myBeta5.zip Thanks.

monsat31 commented 2 years ago

Hi again, I also have this issue after activating the addon Core Display, and it gives what is attached in the image (coredisplay error): the path coredisplay/common/galleryview.tpl doesn't exist in the script files. Can you fix that, please?

monsat31 commented 2 years ago

Hi, with the Beta 5 you shared with me I have this issue when accessing the admin panel: Sans titre

vicos59 commented 2 years ago

Hi again, I also have this issue after activating the addon Core Display, and it gives what is attached in the image (coredisplay error): the path coredisplay/common/galleryview.tpl doesn't exist in the script files. Can you fix that, please?

It looks like you have selected one of the alternate Template sets. I did not upload the template sets. I'll see if I can do that. In the mean time, I suggest that you switch back to the default template set until you get everything working.

vicos59 commented 2 years ago

Hi, with the Beta 5 you shared with me I have this issue when accessing the admin panel: Sans titre

I have never seen that before. I would follow the clues the error messages are giving you:

  1. Be sure your browser is accepting cookies for that domain.
  2. Check your config.php file and check for what the error message is pointing out, COOKIE_DOMAIN.

Did you install Beta-5 as a fresh install, or did you just upgrade from whatever you had installed before? If this is a brand new site and not an upgrade of an old pre-v20 site, I would start fresh with Beta-5 just to be sure everything is good.

Also, are you following the INSTALL instructions at https://geodesicsolutions.org/wiki/ ?

vicos59 commented 2 years ago

Here's the pre-built source +++ the 3 optional template sets:

https://github.com/vicos59/geocore-community/tree/main/RELEASES/Beta-5

I would get it working with the default templates set before I started messing with any of these.

monsat31 commented 2 years ago

Hi vicos59, yes, it is a fresh install of the Beta 5 you gave, with its default template. It works from phone but not from desktop, so maybe it is from my browser.

monsat31 commented 2 years ago

The script needs to be reviewed properly

jonyo commented 2 years ago

@monsat31 The most common cause of that, besides what it says in the actual text of the error message... Is if you have 2 installations, one installed in a sub-domain. When that happens, the cookie from the "parent" domain can get stuck and the subdomain is not able to clear the cookie out.

The easiest is to clear your cookies and refresh the page.

The script needs to be reviewed properly

I agree it would help to have more people trying it out and testing it and reporting bugs, I welcome you or anyone that wants to help out!

Just keep in mind that this is now an open source project. The original company that produced it is out of business. All of the time put into working on it is done for no compensation at all. Maybe in the future site owners can pay developers to do what they want, and that work might go back into the project, but at the moment no one is getting paid for any of the work, it is all volunteer time.

Regarding this specific issue, so far the issue seems to be in your installation, though I have not completely ruled out something in the core software since this thing is now over 20 years old (they started in 2001). Anyways, from your own description, it works at first then starts getting spam added.

That sounds like your website is getting hacked. What I ALWAYS say when someone brings this up, is maybe there is something in the software allowing it, so let's get to the bottom of it to hopefully rule that out. You should never assume software is 100% secure, the second you do is the second you stop critically looking for possible issues, that is actually when complacency creeps in and you have a higher chance of security problems.

From your description though, that it works at first, then after a while starts getting redirects added... To me that sounds like 2 possibilities.

  1. Someone is posting malicious ad and is somehow able to include JS that causes redirect. Did you change settings, maybe you allowed all tags in the admin panel or something? If they did this when you still had default settings then that is not the case, by default it will block it. But as the site owner you can allow that kind of thing if you so choose.
  2. Your hosting account is getting hacked - somehow someone is making changes to files on your hosting account that is adding things. It could even be that you have a virus on your own computer that is doing it (or someone else that has FTP access to your hosting account). For this one, I would be interested to be able to see the actual HTML source code (you have to stop it from redirecting, then get a copy of the source code on the page).

I'd be happy to help as I have time (keeping in mind I am not charging for this), the next step is for me to be able to see the "hacked site". That would tell me if one or the other thing above is happening, or if maybe something completely different is happening.

Are you able to restore the hacked version of the files? I can't troubleshoot much if I cannot see it when it is already "hacked".

vicos59 commented 2 years ago

Hi vicos59, yes, it is a fresh install of the Beta 5 you gave, with its default template. It works from phone but not from desktop, so maybe it is from my browser.

The ScreenCap you posted above is not the default template set for sure. The default site looks like this:

Capture

jonyo commented 2 years ago

By the way, I just tried your website and it is redirecting for me. Either you restored it or whatever happened, happened again.. I'll do a little digging to see if I can narrow down what type of "hack" was done just from viewing the page on the client side...

jonyo commented 2 years ago

@monsat31 OK I downloaded a few of the files on the command line, the main file is fine it looks like, nothing inserted "directly" onto the main page itself. So that rules out someone uploading an ad that gets shown on the front page or something.

So then I started looking at the extra JS files loaded and I found it. They got it by replacing your jQuery files with "malicious" JS.

For instance, look at your js/jquery-ui.min.js file, notice how it does not look like normal JS...

So going by what you said, that it was fine at first then after a week it started redirecting you... Your hosting account is hacked. Something is replacing .js files with malicious code. I only looked at one JS file

Contact your host to see if they have recommended steps, this is a little outside the scope of this project.

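Just to give you an idea though, a few basic steps you will want to do:

  • Make sure you are not running any old apps on your website that may have known security issues (Note: The latest beta GeoCore has no known security issues)
  • Run a good malware scanner on any computer you use to upload files to your website
  • AFTER scanning your computer for malware, change your FTP / hosting password(s).
  • Now do like you did before, wipe the files and re-upload a fresh copy.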

If you do that and a week later they are in again, contact your host again. It could also be an insecure host and another account on a shared host is the culprit. This is especially true for the "small operations" hosting out there, some may not be that good at security.

jonyo commented 2 years ago

By looking for a part of what was in the hacked file, I actually found a very recent article that describes a huge hacking campaign, and your hacked files match exactly what is in the article:

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-massive-hacking-campaign-compromised-several-wordpress-websites-active-iocs

@monsat31 do you have wordpress installed anywhere on your hosting account? If so that might be how they got in. See the link above, and good luck getting it all cleaned up!

It describes exactly what happened on your site. From the linked article:

Once the website had been hacked, the attackers attempted to infect all .js files containing the word jQuery in the name. They inserted code beginning with “/ trackmyposs/eval(String.fromCharCode…” ... This campaign targeting WordPress sites begin on May 9th, 2022. In order to hack the website and insert their malicious scripts, attackers are exploiting different vulnerabilities in WordPress plugins and themes.

Note: This means that any file with jquery in the name is now compromised on your hosting account, if you have more websites under the same account, check any that might be using jQuery as they may also be affected.

monsat31 commented 2 years ago

@monsat31 The most common cause of that, besides what it says in the actual text of the error message... Is if you have 2 installations, one installed in a sub-domain. When that happens, the cookie from the "parent" domain can get stuck and the subdomain is not able to clear the cookie out.

The easiest is to clear your cookies and refresh the page.

The script needs to be reviewed properly

I agree it would help to have more people trying it out and testing it and reporting bugs, I welcome you or anyone that wants to help out!

Just keep in mind that this is now an open source project. The original company that produced it is out of business. All of the time put into working on it is done for no compensation at all. Maybe in the future site owners can pay developers to do what they want, and that work might go back into the project, but at the moment no one is getting paid for any of the work, it is all volunteer time.

Regarding this specific issue, so far the issue seems to be in your installation, though I have not completely ruled out something in the core software since this thing is now over 20 years old (they started in 2001). Anyways, from your own description, it works at first then starts getting spam added.

That sounds like your website is getting hacked. What I ALWAYS say when someone brings this up, is maybe there is something in the software allowing it, so lets get to the bottom of it to hopefully rule that out. You should never assume software is 100% secure, the second you do is the second you stop critically looking for possible issues, that is actually when complacency creeps in and you have a higher chance of security problems.

From your description though, that it works at first, then after a while starts getting redirects added... To me that sounds like 2 possibilities.

  1. Someone is posting malicious ad and is somehow able to include JS that causes redirect. Did you change settings, maybe you allowed all tags in the admin panel or something? If they did this when you still had default settings then that is not the case, by default it will block it. But as the site owner you can allow that kind of thing if you so choose.
  2. Your hosting account is getting hacked - somehow someone is making changes to files on your hosting account that is adding things. It could even be that you have a virus on your own computer that is doing it (or someone else that has FTP access to your hosting account). For this one, I would be interested to be able to see the actual HTML source code (you have to stop it from redirecting, then get a copy of the source code on the page).

I'd be happy to help as I have time (keeping in mind I am not charging for this), the next step is for me to be able to see the "hacked site". That would tell me if one or the other thing above is happening, or if maybe something completely different is happening.

Are you able to restore the hacked version of the files? I can't troubleshoot much if I cannot see it when it is already "hacked".

Thank you, I will try to resolve it. I have many versions installed in subdomains; I will get back to you with which one gets stuck. I'm testing many versions to get the one which works fine.

monsat31 commented 2 years ago

@monsat31 OK I downloaded a few of the files on the command line, the main file is fine it looks like, nothing inserted "directly" onto the main page itself. So that rules out someone uploading an ad that gets shown on the front page or something.

So then I started looking at the extra JS files loaded and I found it. They got it by replacing your jQuery files with "malicious" JS.

For instance, look at your js/jquery-ui.min.js file, notice how it does not look like normal JS...

So going by what you said, that it was fine at first then after a week it started redirecting you... Your hosting account is hacked. Something is replacing .js files with malicious code. I only looked at one JS file

Contact your host to see if they have recommended steps, this is a little outside the scope of this project.

Just to give you an idea though, a few basic steps you will want to do:

  • Make sure you are not running any old apps on your website that may have known security issues (Note: The latest beta GeoCore has no known security issues)
  • Run a good malware scanner on any computer you use to upload files to your website
  • AFTER scanning your computer for malware, change your FTP / hosting password(s).
  • Now do like you did before, wipe the files and re-upload a fresh copy.

If you do that and a week later they are in again, contact your host again. It could also be an insecure host and another account on a shared host is the culprit. This is especially true for the "small operations" hosting out there, some may not be that good at security.

Hi, thanks for your support. I think it is not only the GeoCore script that is redirecting, but also another one under another domain in the same root of the hosting. I have no hosting provider; I run a web server on a VPS and try many, many PHP scripts. Maybe one or many of them have backdoors and malicious code in them; I don't know if these backdoors can infect other domains or folders and the main root. Some of the GeoCore installations did not get any of this issue, only some bugs in addons that do not work properly. I like this script and have had an official license of the full version since 2014. I would like to use it again. I hope to get the community that can develop it more and take care of all issues that come from the source code. Thanks.

monsat31 commented 2 years ago

By looking for a part of what was in the hacked file, I actually found a very recent article that describes a huge hacking campaign, and your hacked files match exactly what is in the article:

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-massive-hacking-campaign-compromised-several-wordpress-websites-active-iocs

@monsat31 do you have wordpress installed anywhere on your hosting account? If so that might be how they got in. See the link above, and good luck getting it all cleaned up!

It describes exactly what happened on your site. From the linked article:

Once the website had been hacked, the attackers attempted to infect all .js files containing the word jQuery in the name. They inserted code beginning with “/ trackmyposs/eval(String.fromCharCode…” ... This campaign targeting WordPress sites begin on May 9th, 2022. In order to hack the website and insert their malicious scripts, attackers are exploiting different vulnerabilities in WordPress plugins and themes.

Note: This means that any file with jquery in the name is now compromised on your hosting account, if you have more websites under the same account, check any that might be using jQuery as they may also be affected.

I read carefully what you wrote and it is very important. I will get back to you with any issues found on the server side.

monsat31 commented 2 years ago

By looking for a part of what was in the hacked file, I actually found a very recent article that describes a huge hacking campaign, and your hacked files match exactly what is in the article: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-massive-hacking-campaign-compromised-several-wordpress-websites-active-iocs @monsat31 do you have wordpress installed anywhere on your hosting account? If so that might be how they got in. See the link above, and good luck getting it all cleaned up! It describes exactly what happened on your site. From the linked article:

Once the website had been hacked, the attackers attempted to infect all .js files containing the word jQuery in the name. They inserted code beginning with “/ trackmyposs/eval(String.fromCharCode…” ... This campaign targeting WordPress sites begin on May 9th, 2022. In order to hack the website and insert their malicious scripts, attackers are exploiting different vulnerabilities in WordPress plugins and themes.

Note: This means that any file with jquery in the name is now compromised on your hosting account, if you have more websites under the same account, check any that might be using jQuery as they may also be affected.

I read carefully what you wrote and it is very important. I will get back to you with any issues found on the server side.

Hi jonyo, you are right: all my JS files are turned into encrypted code; when decoding it we find a redirect script that keeps turning and turning under “/ trackmyposs/eval(String.fromCharCode…” ... I also have WordPress installed; maybe I used an illegit plugin that is the source of this big issue. A question is how to clean all the JS files at once, how to know which file is responsible for all this damage, and how to avoid it next time. Thanks.

jonyo commented 2 years ago

@monsat31 Sorry for the delay, things have been busy lately. No I don't think there are any tools to "undo" the damage. This is where a backup would be a big help, it is always a good idea to take regular backups of your website. If you have a backup, you can restore the files from that as long as the backup is from "before" the files were hacked. If not though, make sure you start making regular backups after you get everything cleaned up so you are prepared if something happens in the future.

If not, I think the only way is to fix it by hand. For any software you can probably find those files and upload them again.

Before you do that though you have to stop the hack - make sure you have somehow locked down the WP installations, you may need to even delete files because even if it is "disabled" the plugin files could be accessible directly and could still "let someone in". It is also possible it added a backdoor somewhere so they can get in again later. Again this is where a backup is best, if you had a backup you should delete all files and re-upload from backup, that way any new files that might be added as a back door get deleted.
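Added example (not part of the original thread and not GeoCore project code): one way to list which `.js` files on a server were touched, before wiping and re-uploading as advised above. It flags files containing the two substrings quoted from the article in this thread and, going a step further than the thread, compares every `.js` file (not only jQuery-named ones) against a freshly unpacked trusted copy by SHA-256. The function names, directory layout and sample file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Substrings quoted in the article excerpt in this thread.
MARKERS = (b"trackmyposs", b"eval(String.fromCharCode")


def js_files(root):
    """Yield the root-relative path of every .js file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".js"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                yield rel.replace(os.sep, "/")


def scan(webroot, clean_root=None):
    """Return {relative_path: [reasons]} for suspicious .js files.

    clean_root (optional) is a freshly unpacked, trusted copy of the same
    release; each live file is compared to its counterpart by SHA-256.
    """
    findings = {}
    for rel in js_files(webroot):
        data = Path(webroot, rel).read_bytes()
        reasons = ["marker:" + m.decode() for m in MARKERS if m in data]
        if clean_root is not None:
            ref = Path(clean_root, rel)
            if not ref.is_file():
                reasons.append("not-in-clean-copy")
            elif (hashlib.sha256(ref.read_bytes()).digest()
                  != hashlib.sha256(data).digest()):
                reasons.append("differs-from-clean-copy")
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Scan two small constructed trees (sample data, not real files)."""
    good = b"/* constructed stand-in for a library file */\n"
    bad = b"/*trackmyposs*/eval(String.fromCharCode(0));" + good
    trees = {
        "clean": {"js/jquery-ui.min.js": good, "js/main.js": good},
        "live": {"js/jquery-ui.min.js": bad, "js/main.js": good,
                 "js/extra.js": good},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, body in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(body)
        return scan(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", ", ".join(reasons))
```

The marker check only recognises this one campaign; the hash comparison is what catches any other modification. It covers `.js` files only, so a backdoor added in another file type still needs the full wipe and restore described above.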

jonyo commented 2 years ago

Closing since the original issue has been discovered and not related to the software. Best of luck, I hope you are able to get your website(s) cleaned up!