Fake URL injection in homepage - nop 3.00 site.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Hi Team,

Yesterday it happened again. This time it changed the link of the logo picture, replacing the site name with www.ly.com.

Once the cache is cleaned, the original link to ww.mystore.com is restored.
It's not very severe, but I think it may become a further problem when the shop is open, if a wrong picture is seen by the customers.

I have informed the hosting, and they affirm the server is OK, with updated software and no virus.
The environment is shared hosting, nop 3.4, the nop template Art Factory + free nop-ajax plugins.

About the same time, an error appeared in the control panel log. I don't know if it is related to the problem:
'The controller for path 'css/css' was not found or does not implement IController'

In the server logs, there are tons of GET and POST commands. My IP is 5.10.X.X.
There are a couple of scans done by Morfeus Fu**ing Scanner (**=ck), but I guess the relevant stuff is the following two IPs' activity:

183.60.48.25 China Telecom Guangdong
2015-01-02 17:57:54 W3SVC52 asphost77 5.10.X.X GET / - 80 - 183.60.48.25 HTTP/1.1 - - - www.baidu.com 200 0 64 0 146 531

115.159.26.138  Tencent cloud computing (Beijing) Co., Ltd.
2015-01-08 19:13:18 W3SVC52 asphost77 5.10.X.X GET / - 80 - 115.159.26.138 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:29.0)+Gecko/20100101+Firefox/29.0 - - www.ly.com 302 0 0 571 181 406

2015-01-08 19:13:20 W3SVC52 asphost77 5.10.X.X GET /storeclosed - 80 - 115.159.26.138 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:29.0)+Gecko/20100101+Firefox/29.0 Nop.customer=a6ad3121-d6d9-4064-9288-16110cee4ca3 - www.ly.com 200 0 0 9335 251 1109

Since the store is closed to the public, the only forms that can be found are the email and password fields on the login and register pages, and the newsletter email.
What do you think? Maybe some kind of XSS attack?

I'm not a programmer, so the only thing I can do is ask the hosting to block the IP ranges from those ISPs, but maybe others can try from different IPs.

I would appreciate very much any idea of how I can solve this problem (a code patch, a hosting that can avoid this by means of special measures...).

Thank you very much.

Kind regards,

Antonio
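The two suspicious entries above share one detail that is easy to miss among "tons of GET and POST commands": the cs-host column (the Host header the client sent) reads www.baidu.com and www.ly.com, not the store's own hostname, for requests that hit the store's IP. Below is an added example, not code from this thread or from nopCommerce, that parses IIS W3C extended log lines by their #Fields directive and lists every request whose Host header does not name the store. The log lines are constructed to mirror the 22-column layout of the ones posted (RFC 5737 documentation addresses, www.mystore.com standing in for the real hostname); the allowed-hosts set is an assumption.

```python
"""Scan IIS W3C extended log lines for requests whose Host header (the
cs-host column) does not name the store itself.

Added example, not code from the thread or from nopCommerce.  The log lines
below are constructed to mirror the shape of the ones posted above (same
22-column layout); addresses are RFC 5737 documentation ranges and
www.mystore.com stands in for the store's real hostname."""
import re
from collections import Counter

# Assumption: the hostnames the store legitimately answers for.
ALLOWED_HOSTS = {"www.mystore.com", "mystore.com"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2015-01-02 17:50:01 W3SVC52 asphost77 192.0.2.10 GET / - 80 - 198.51.100.25 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+Firefox/29.0 - - www.mystore.com 200 0 0 9335 251 120
2015-01-02 17:57:54 W3SVC52 asphost77 192.0.2.10 GET / - 80 - 203.0.113.25 HTTP/1.1 - - - www.baidu.com 200 0 64 0 146 531
2015-01-08 19:13:18 W3SVC52 asphost77 192.0.2.10 GET / - 80 - 203.0.113.138 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:29.0)+Gecko/20100101+Firefox/29.0 - - www.ly.com 302 0 0 571 181 406
2015-01-08 19:13:20 W3SVC52 asphost77 192.0.2.10 GET /storeclosed - 80 - 203.0.113.138 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:29.0)+Gecko/20100101+Firefox/29.0 Nop.customer=00000000-0000-0000-0000-000000000000 - www.ly.com 200 0 0 9335 251 1109
2015-01-08 19:14:02 W3SVC52 asphost77 192.0.2.10 GET /login - 80 - 198.51.100.7 HTTP/1.0 Mozilla/4.0 - - - 200 0 0 4100 300 88
2015-01-08 19:20:45 W3SVC52 asphost77 192.0.2.10 POST /login - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(X11;+Linux)+Firefox/29.0 Nop.customer=00000000-0000-0000-0000-000000000001 http://www.mystore.com/login MYSTORE.COM:80 302 0 0 300 610 95
"""

_PORT_SUFFIX = re.compile(r":\d{1,5}$")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the #Fields directive.

    IIS writes '-' for an empty value and replaces spaces inside the
    User-Agent and Cookie with '+', so a plain split on single spaces is
    column-safe.  Lines with the wrong column count (rotation tails,
    truncated writes) are skipped rather than silently misaligned."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def normalise_host(raw_host):
    """Lower-case the Host value and drop an explicit port.  Returns None
    when the request carried no Host header at all (IIS logs '-', typical
    of HTTP/1.0 scanners); those are not 'foreign' but deserve a look too."""
    if raw_host in ("", "-"):
        return None
    return _PORT_SUFFIX.sub("", raw_host.strip().lower())


def find_foreign_hosts(text, allowed=ALLOWED_HOSTS):
    """Return (timestamp, client ip, host, path, status) for every request
    whose Host header names something other than the store."""
    hits = []
    for rec in parse_w3c(text):
        host = normalise_host(rec.get("cs-host", "-"))
        if host is None or host in allowed:
            continue
        hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], host,
                     rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def hosts_by_client(hits):
    """Count forged hosts per client address, to decide what to block."""
    return Counter((ip, host) for _, ip, host, _, _ in hits)


if __name__ == "__main__":
    found = find_foreign_hosts(SAMPLE_LOG)
    for ts, ip, host, path, status in found:
        print(f"{ts}  {ip:<15}  Host: {host:<16}  {path}  -> {status}")
    for (ip, host), n in hosts_by_client(found).items():
        print(f"{ip} sent {n} request(s) with Host: {host}")
```

Run it against a real log by reading the file into the text argument; because the parser follows the #Fields directive rather than fixed column positions, it copes with the different field selections IIS sites log. A hit here does not by itself prove an attack (any client can put anything in Host), but a hostname that later shows up inside the store's own pages, as www.ly.com did, is the thing to correlate against the time the cache was last cleared.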
9 years ago
Hi Antonio,

I also think it's caused by some JS injected into your page.

Is this happening to just your website? Or also to other sites you open in the same browser?

Did you check your system / browser for infections?

If you can share the markup (source code) of the page you see in browser, it will be easier to find the cause and fix it.
9 years ago
Hi jariwalakrunal,

Thanks as always for your help.
I saw it from different PCs and mobile devices, even different Internet connections, so I think it is not on my side.

This is the browser code of my store logo, showing the changed link to www.ly.com instead of my store:

https://drive.google.com/file/d/0B2nQNW7Afa5BeTVuRG5hZEpxU0U/view?usp=sharing

I asked the hosting to block the suspicious IPs, but they told me that it's not possible in a shared hosting, because maybe other users are not interested in blocking them??

So I'm moving to another hosting, hoping to block those IPs...

Kind regards,
Antonio
9 years ago
Hi Antonio,

Can you share the full source code of the generated page in private? That might give me some idea of what is happening on your page.

Also share your domain name!

Krunal
9 years ago
Hi jariwalakrunal,

Thanks for your help.
I'm very sorry; since the code was restored after the cache cleaning, I have no further infected code to show...

Sorry for not writing the site URL.
It's a personal e-shop with my wife, and I wouldn't like the site's name to appear in reports of possible attacks... it could be bad for business if customers find it in Google. I hope you understand.

I have moved to another hosting, and I will pay attention if it happens again, to advise the forum and try to get the code.

Thanks again for your help.

Kind regards,
Antonio
9 years ago
No problem, inform us if you face the issue again.
9 years ago
We've just had the same problem, with image URLs being changed on one of our sites. nopCommerce 3.40 with the Simplecheckout, Nivoslider and SpeedFilters plugins. After a simple site restart the URLs were restored.

In our logs we could also note the "Morfeus Fu**ing Scanner"...

/JT
8 years ago
We are running 3.5 and having the same problem. The base URL is being changed randomly to different other sites. Clearing the cache might help for a little while; sometimes even that wouldn't work, and a restart of the IIS service is required. The web server is 2012 with IIS 8.5 and all the latest service packs. This has become a major issue preventing us from going forward with the nopCommerce platform. Experts, please help!!!
8 years ago
Same thing here! storeUrl is changing.
This is the second time so far.
The first time it was an IP (I thought I did something wrong, so I didn't care).
This time it is "http://dns.cloud.ph/".

I am using a bunch of plugins, including one for watermarks which changes the images on the fly, but I decompiled the plugin DLL and there is nothing there that changes the store URL or a JS.

Worst case, I will check all the plugins.
I don't know where else to look; it would be great for the community to find the reason.
8 years ago
Hello

I am not sure if this might happen;

Most of the changed URLs look like spam spiders or whatever they are.

Is it possible that they change the "HTTP_HOST" header while visiting or posting to our site, because that is what the GetStoreHost(bool useSsl)
method in WebHelper.cs uses to get the storeLocation.

So if that is possible, while the store cache is empty and one of those crawlers visits our site, the store location is set to their host.
And it rarely happens, so that kind of makes sense to me.

Is it possible? Any idea?
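The mechanism this post hypothesises is a well-known pattern: Host-header poisoning of a cached value. An application that builds its absolute store URL from whatever HTTP_HOST the first request carries, and then caches that URL for everyone, can be flipped to a foreign hostname by a single request while the cache is cold, which matches the symptoms in this thread (random hosts, fixed by a cache clear or app-pool restart, recurring whenever a crawler arrives first). Whether nopCommerce 3.x actually does this is not established on this page; the model below is an added example, not nopCommerce code, that shows the naive behaviour beside a hardened version which only honours a Host value matching the store's configured hostnames and keys its cache by the validated host. CONFIGURED_STORE_URL and ALLOWED_HOSTS are assumptions standing in for real store settings.

```python
"""Model of the Host-header cache-poisoning pattern hypothesised above:
an application that derives its absolute store URL from HTTP_HOST and
caches the first answer for every later visitor.

Added example, not nopCommerce code (GetStoreHost/WebHelper.cs are only
the names the post mentions).  The configured URL and allowed hostnames
are assumptions standing in for a real store's settings."""
import re

CONFIGURED_STORE_URL = "http://www.mystore.com/"    # assumption: Store URL from admin settings
ALLOWED_HOSTS = {"www.mystore.com", "mystore.com"}  # assumption: hosts the site is bound to

_HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::(\d{1,5}))?$")


def split_host(raw):
    """Return (hostname, port) from a Host header value, or (None, None)
    when the value is missing or not a plausible hostname[:port]."""
    m = _HOST_RE.match((raw or "").strip().lower())
    return (m.group(1), m.group(2)) if m else (None, None)


class NaiveStoreLocation:
    """Trusts HTTP_HOST and caches the first value it sees.  One request
    with a forged Host (a scanner, a cloud crawler) while the cache is cold
    rewrites every absolute URL (logo, images, links) for every customer
    until the cache is cleared or the app pool restarts."""

    def __init__(self):
        self._cached = None

    def store_location(self, headers, use_ssl=False):
        if self._cached is None:
            scheme = "https" if use_ssl else "http"
            self._cached = f"{scheme}://{headers.get('Host', '')}/"
        return self._cached


class HardenedStoreLocation:
    """Only honours a Host header that names a configured hostname, and
    keys the cache by that validated host so no request can poison another
    host's entry.  Anything else falls back to the configured store URL."""

    def __init__(self, configured_url=CONFIGURED_STORE_URL, allowed=ALLOWED_HOSTS):
        self._configured = configured_url
        self._allowed = {h.lower() for h in allowed}
        self._cache = {}

    def store_location(self, headers, use_ssl=False):
        hostname, port = split_host(headers.get("Host"))
        if hostname not in self._allowed:
            return self._configured            # never cached, never echoed back
        scheme = "https" if use_ssl else "http"
        default_port = "443" if use_ssl else "80"
        authority = hostname if port in (None, default_port) else f"{hostname}:{port}"
        key = (scheme, authority)
        if key not in self._cache:
            self._cache[key] = f"{scheme}://{authority}/"
        return self._cache[key]


def run_scenario(impl):
    """Cold cache, a crawler's forged Host first, then a real customer.
    Returns the store URL the customer's page would be built with."""
    impl.store_location({"Host": "www.ly.com"})              # scanner / crawler
    return impl.store_location({"Host": "www.mystore.com"})  # genuine visitor


if __name__ == "__main__":
    print("naive   :", run_scenario(NaiveStoreLocation()))
    print("hardened:", run_scenario(HardenedStoreLocation()))
```

Two practical checks follow from the model. First, with a single shared cache entry, "clear cache and it goes back" is exactly the signature to expect, so the time of the last cache clear or restart should line up with the first request from the foreign Host in the IIS log. Second, on IIS the same effect can be cut off before the application sees it by giving the site explicit host-name bindings rather than a catch-all binding, so a request for a hostname the site is not bound to is not routed to the store at all; that is the kind of "special measure" to ask a hosting provider about, since it needs no code change.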