jilmarieaz Posted September 26, 2009

Hello,

My site at sensationsporthorses.com has suddenly stopped showing any of my thumbnail images. I haven't made any changes so not sure what happened as it was working just fine. Anyone have any suggestions on how to fix this?

Jill
drudel Posted September 26, 2009

> Hello, My site at sensationsporthorses.com has suddenly stopped showing any of my thumbnail images. I haven't made any changes so not sure what happened as it was working just fine. Anyone have any suggestions on how to fix this? Jill

I too have the exact same issue. tempodancewear.com.au. I can't find any other info on the net apart from this post. Is this just happening to both of our sites? Somebody.... please... help !!!
FIMBLE Posted September 26, 2009

Open up a php file and look for the eval hack at the top. I've just cleaned 3 sites with the same problem. The code begins with <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl. If it's there you need to get your site cleaned, or restored from backup, deleting the existing one first.

Nic
drudel Posted September 26, 2009

F^&%&^K!!!!!!!! Yes I was just looking at that! Did it get hacked? How do I clean it? My backup is a couple of months old.
FIMBLE Posted September 26, 2009

Yes you did, you have two choices ...
1 - Delete your entire store from the server and use the backup to restore.
2 - Clean the code from all of your files, rename your admin, delete the filemanager.

Nic
drudel Posted September 26, 2009

What do you mean delete the filemanager? Also, what is the best way to restore from a backup? Are there any step-by-step walkthroughs available?

Cheers, Dru
FIMBLE Posted September 26, 2009

The file manager in your admin section you need to get rid of. Delete the file; it breaks sites so is of no real value to you.

Nic
FIMBLE Posted September 26, 2009

There are plenty of posts on the forum here to help you restore your site. Also you will (may) need to restore your database also.

Nic
drudel Posted September 26, 2009

Is it pretty safe to say that the only mods to the php files are the top line with the <? /**/eval(base64_decode(..... on it? If so, if I'm patient enough would I be able to remove all entries and delete filemanager.php, rename admin/password and I'm cool? My last change to the site was only addition of a shite load of products. If I restore from an older copy and use the same database I should be right shouldn't I? Or is my database in jeopardy as well?

Dru
FIMBLE Posted September 26, 2009

First you will have to find the location for the files that have been placed on your server. To do this, decode the long string at the top of the php files; run the code through here: http://www.opinionatedgeek.com/dotnet/tool...de/Default.aspx
This will reveal the location that you need to clean ASAP; this will restore your images.
Change your admin name and the admin / includes / configure.php defines for admin.
Then delete the filemanager.php from admin. Remove the link to it in admin / includes / boxes / tools.php.
Then go through each and every php file to remove the code.
Search the forum for help on any aspect of this for more help.

Nic
satish Posted September 27, 2009

There is a security hack with rc2. All shop owners should rename admin to some unique admin. Also deleting file manager is recommended.

Satish
drudel Posted September 27, 2009

OK, I've gone through all my files and removed the top entry referring to <?php /**/eval(base64_decode.
Changed admin name and the admin / includes / configure.php defines for admin.
Deleted the filemanager.php from admin.
Removed the link to it in admin / includes / boxes / tools.php.
Went through each and every php file to remove the code.

So now I'm only missing some, maybe half, of my thumbnails. Is there a way to check if I'm still vulnerable or if I've cleaned it properly?
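The decode, locate and strip steps FIMBLE lists, and the re-check drudel asks about, can be run locally over a copy of the site. This Python sketch is an added example, not code from any poster or from osCommerce; the function names, the assumed ending of the injected line (`'));` plus an optional `?>`) and the rule that planted files appear in the payload as quoted strings containing `/` are assumptions, and the sample tree is constructed.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# First-line injection quoted in the thread: <?php /**/eval(base64_decode('...
# The closing "'));" and optional "?>" are assumptions about how that line ends.
INJECTED = re.compile(
    rb"\A\s*<\?(?:php)?\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);?(\s*\?>)?"
)
# Assumption: planted files show up in the payload as quoted strings containing "/".
PATHLIKE = re.compile(rb"""['"]([^'"\s]*/[^'"\s]+)['"]""")


def decode_payload(b64: bytes) -> bytes:
    """Decode the injected string locally; it is only read, never executed."""
    try:
        return base64.b64decode(b64 + b"=" * (-len(b64) % 4))
    except binascii.Error:
        return b""


def scan(root, clean=False):
    """Map each infected .php file under root to the paths its payload names.
    clean=True strips the prefix only when it ended in its own "?>"."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        m = INJECTED.match(data)
        if not m:
            continue
        found = PATHLIKE.findall(decode_payload(m.group(1)))
        report[str(path)] = sorted({p.decode("latin-1") for p in found})
        if clean and m.group(2):
            path.write_bytes(data[m.end():])
    return report


def demo():
    """Constructed sample tree: one injected file, one untouched file."""
    root = Path(tempfile.mkdtemp())
    blob = base64.b64encode(b"include('includes/languages/german/x.php');")
    (root / "index.php").write_bytes(
        b"<?php /**/eval(base64_decode('" + blob + b"'));?><?php echo 'shop'; ?>\n")
    (root / "ok.php").write_bytes(b"<?php echo 'ok'; ?>\n")
    first = scan(root, clean=True)  # finds and strips index.php
    return first, scan(root), (root / "index.php").read_bytes()
```

An empty report on a second `scan()` only shows the injected first line is gone; the files named in the first report still have to be deleted, and the admin rename and filemanager.php removal described in the thread still apply.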
satish Posted September 27, 2009

Apply all the security patches that are on forum. Also remove unwanted code. Plus add site monitor contribution so as to keep a watch on the file level activities on Your site. Make sure You also do have site access log so if anything goes wrong further you can get the entry point of hackers looking at the access log file. Also disable ftp whenever You are done and do not see much need of it (as minor correction can be achieved thru cpanel file manager). Also a proper secured server (hosting companies who have a strict security policy) is recommended. The more You take care more You are safe but hackers will keep upgrading their skills and try to hack in.

Satish
Guest Posted September 28, 2009

> Apply all the security patches that are on forum. Also remove unwanted code. Plus add site monitor contribution so as to keep a watch on the file level activities on Your site. Make sure You also do have site access log so if anything goes wrong further you can get the entry point of hackers looking at the access log file. Also disable ftp whenever You are done and do not see much need of it (as minor correction can be achieved thru cpanel file manager). Also a proper secured server (hosting companies who have a strict security policy) is recommended. The more You take care more You are safe but hackers will keep upgrading their skills and try to hack in. Satish

I too got hacked GRRRRRR

So I went down the "restore the database" route. I have tried to restore my database and it hasn't worked. My database is about 1 month old and when I pressed RESTORE it looked like it was working but then the screen went blank and nothing. I checked my website and I still don't have pictures! Help! Any ideas?
FIMBLE Posted September 28, 2009

> I too got hacked GRRRRRR So I went down the "restore the database" route. I have tried to restore my database and it hasn't worked. My database is about 1 month old and when I pressed RESTORE it looked like it was working but then the screen went blank and nothing. I checked my website and I still don't have pictures! Help! Any ideas?

If it's the same hack then you have to first decrypt the hack to find the location of the files placed on your server, anywhere between 1 and 30 ish. Remove these, then you need to remove the code from every single php file on your server.

Nic
drudel Posted September 28, 2009

I decoded mine and it pointed to a language folder (German) and some file within there. Since I don't use any language other than English I blew it away and went through ALL php files and removed the top entry that was injected into each file. I didn't do any database changes and all seems OK so far. My thumbnails are all there. I've learnt my lesson.... keep it secure because it's a pain in the butt when you have to do clean up!
maccuda Posted September 29, 2009

Have removed all the code from all the php files (took me more than an hour) and did the other suggestions but am still not seeing the thumbnails for my products. Any other ideas? Thanks
drudel Posted September 29, 2009

Did you decode the entry listed at the top of your code that they injected? This will tell you where the files are that they have placed on your site.
montana_girl Posted September 29, 2009

Ok - me too. A little question before I mess up what I can't fix... my admin configure file does not have my osc admin user info, but my database user and password info. You want me to change that? Don't I need to add a new user for my database in php first? Also, delete the filenames folder and do not bring it back?
MrPhil Posted September 30, 2009

> Apply all the security patches that are on forum.

Is there a nice list somewhere of recommended security patches? If it can be "stickied" or "pinned" to the top of the board, that would be quite useful. It might make a nice board of its own (under Support Forums > osCommerce Online Merchant v2.x), with topics on proven code patches, known vulnerabilities and their resolutions, system things you should and shouldn't do (including permissions), how to decode an encoded (e.g., base64) chunk of code to see what files it's referencing, tips and tricks, etc. Putting everything security-related into one place would save a lot of hunting around, and make it easier for people to armor their shops.
satish Posted September 30, 2009

In the German forum there is an announcement by the German team members about a security problem in the admin for shops using osC 2.2 version RC1 and RC2. The details of how to compromise the admin have not been disclosed (for obvious reasons). For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)
maccuda Posted September 30, 2009

Yes, managed to find the files hidden in the english language folder under buttons, sneaky bastards! Deleted those files as well (the decoding thing did not work for me), now my pictures are back. :) Now crank up my security (I did use .htaccess and other protection but still that was not enough).
doctoremote Posted September 30, 2009

The problem is YOUR SITE HAS BEEN HACKED ......... REALLY..... :-(

The icons do not appear as files have been changed in the admin area. The directory has been hacked and files played with. The quick fix for this is the replacement of all the files in the admin area.

So DELETE all the files in the admin folder.
Replace them with your site back up folder.
Change the name of your admin folder to say 'myadmin1234565'
Password protect the folder from linux
Change your log in password

This should stop any new attacks. If your provider does not allow directory password protection then change your hosting provider. Like Taghosting.co.uk

Trevor
MrPhil Posted October 8, 2009

> A. rename the admin directory
> B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC

Is it necessary to do both of these? (A) is security-through-obscurity, not foolproof. If I keep the admin tree as 'admin', but add password protection to it (so extra ID and password are needed), shouldn't that be enough? I'm trying to imagine anything a hacker could do to the admin tree from the outside, without having to give a password.
This topic is now archived and is closed to further replies.