osCommerce

The e-commerce.

Did Someone hack my site ? ( Eval Base64 Decode )


Weedwaka

For noobies and those who are nervous about renaming or deleting /admin/file_manager.php :

 

The purpose of the File Manager is to let you edit any program or file within OSC, from within OSC itself. It is accessed through the Tools menu in the Admin area.

 

When you delete the file_manager.php program, its name will still appear in the Tools menu, but if you click on File Manager, the program will not be found. Once the program is gone, hackers will not be able to exploit it.

 

If you are in the habit of using the File Manager to make changes to your site, it's much safer to copy the file to your own system, save it with another name (in case your changes don't work), then get another copy of the file to modify. After you make changes, FTP it up to your OSC site. That way, if you ever have to reinstall from scratch (God forbid), you will have a backup on your own system of any files you have changed.

 

And you'll be safer from hackers.

Link to comment
Share on other sites

Flipping lovely.

 

I got hacked as well.. I found the various style.css.php and the little files that went along with it.. but does ANYONE know of an automated way to search and remove an entire line of code from a server??

I was thinking that using SSH access would work, but I am not familiar with the syntax for stuff like this. I figured out how to find and replace within an SSH session, but how do you find and DELETE within an entire directory?

Also, you guys should know that this is NOT JUST OSCOMMERCE.. they actually got into my website through WordPress.. LOTS of WordPress users have had this exact same hack..

So anyways.. no more SHOULD HAVE DONE and whose fault.. let's figure out how to fix and remove the code and how to close up the hole.

p.s. I had no filemanager.php file on my store.

A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable, unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyways!

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there, I will find time to get back and answer you

Proud Member of the CODE BREAKERS CLUB!!

Link to comment
Share on other sites

I freaking hate hackers.. but the sad thing is, someone WILL buy the hacked info.. they wouldn't do it if there wasn't a market for it..

Link to comment
Share on other sites

p.s. I found a guy who can use SSH to clean up your files for you.. I did MOST of it myself, and found the root, but cleaning the files individually is NOT happening for me.

Let me know if you need it

Link to comment
Share on other sites

Has anyone noticed a severe server timeout problem that might be related to this hack?

 

We've had tons of timeouts since late August. The hack appeared and changed all the file dates on 9/4. (Unless it came along earlier and just kicked itself off on 9/4 ...) We've got everything cleaned and working fine (we think), but 3 techs have been unable to find a reason for the sudden timeouts.

 

Anyone else having this problem?

Link to comment
Share on other sites

I did read that this was probably injected earlier as a sleeper and then was waiting for a command.. do not know if it had to do with your timeouts though

Link to comment
Share on other sites

On further investigating the hack, I was able to decode the file s.php that it had put on the server. It actually needed gzinflate(base64_decode(...)) 48 times, before the script appeared. What I got then was a well known hacker's tool, c99madshell, just google for it and you know it's pretty dangerous. Don't know what the guy was up to on my site with this.

 

If you have been hacked by this, go and look for the additional .php files (s.php, dg.php, in my case also style.css.php) and DELETE them!!!

 

Reiner

 

I found the same files in my cart. I have deleted them and still looking for others and removing the code on each php page. I have not begun experiencing some problems with error codes after doing this. I have shut my site down to the public while I am working on it. Obviously the same hacker.

Link to comment
Share on other sites

All the files I removed had a 9/4 date.

Link to comment
Share on other sites

OK, so I have restored my original files from my backups, renamed the file_manager.php file,

renamed the admin directory, and edited the includes/configure.php file to reflect this.

 

But now when I try to login to the admin page, it will not stay in secure mode.

 

It goes to http: instead of https: for the login page.

 

If I specify https://my_site.com/new_path_to admin/login.php

it comes up as a secure login page, but after authenticating,

it drops back down into non-secure mode.

 

What might I have missed?

 

Thanks!

Link to comment
Share on other sites

Mine were 9/4 also

 

The good news is that by reading this thread and also these:

 

http://www.oscommerce.com/forums/index.php?showtopic=340995

 

http://www.oscommerce.com/forums/index.php?showtopic=313323

 

I am actually cleaning up my cart and making it work slowly but surely. I have taken my cart off line publicly until I resolve this and will implement all the security measures suggested before going online again. Changing the admin folder has been a real mess for me, but I haven't given up. I just learned we must also change the name of the file manager php file too. So I will have to figure that one out too.

Link to comment
Share on other sites

Ok. I am convinced that removing the admin/file_manager.php file is a good idea. However, what about the admin/define_language.php ? What's the difference leaving this file and removing the admin/file_manager.php file? If a hacker can get through using the admin/file_manager.php surely a hacker can use the define_language.php.

 

What I don't understand is if a hacker can get into admin/file_manager.php what is preventing a hacker from getting into ANY php file in the catalog? How can they create a hole to get into the catalog at all?

Link to comment
Share on other sites

It's not that he can get into all of those files.. it's that he got in THROUGH file_manager.. The file manager is a window into the code of your website. Whenever you have a browser related code editor, you leave yourself open.. All a person needs is to figure out one password, or find one hole into your backend.. then they get into your file manager and open up the whole rest of your website

Link to comment
Share on other sites

Since you know this, and obviously the hacker did too, why didn't the osCommerce code developers know about this hole? This seems very odd that such a hole would exist with the file manager. Can you explain why they can't do this with the define_language.php file? What is the difference between these two files? Why couldn't they also use the define_language.php file to upload a hacker file like they did with the file_manager.php file?

Link to comment
Share on other sites

Just because something is known now, doesn't mean that anyone would be aware of the possibility in the past. No one can know about a hole that may not be there or is not there at the time of writing. A hacker is like an animal that worries at a fence until it makes a hole big enough to get through except the fence in the hacker's case is your security. The file_manager.php was no doubt added because it was thought to be a good idea for those people that don't have an editing program - I bet if it was taken out hundreds of people (possibly like yourself a few weeks ago) who haven't been hacked would moan about it, just look at the people here in this thread that have renamed a possibly cancerous file rather than remove it altogether.

There are about 11600 articles on security on this forum alone (according to google) that does not include security addons - and how many of us actually read these security posts? How many of us actually implement these security addons and patches?

 

We all have a duty to ourselves to protect our sites and stores from those that wish to steal from them, it is us that will suffer with an attack so it is us that should defend ourselves in the best way that we can - not someone that wrote a bit of script 9 years ago!

 

What is the difference between these two files?

 

file_manager.php is a program to make changes to your files

 

define_language.php is a file that defines the languages that your site will run under (eg. english, german, spanish etc.)

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary

Link to comment
Share on other sites

Well said, too many here seem to think someone else should be responsible for their security, and it's someone else's fault they couldn't be bothered to research these matters b4 they got hacked, never mind saying why wasn't I told, why didn't you look?? B)

Sam

 

Remember, What you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

I do agree that we are all responsible for our own security measures, and that part of it is to get the needed information from sources like this forum.

I do however think that with just a little effort from the mods it could be made a lot easier for everybody. My suggestion is to have one STICKY topic, only editable by the mods so it won't fill up with discussions about HOW to rename filemanager.php. This topic should simply state in a concise way what measures to take to secure your store. It should have links to the relevant security contributions, and it should be updated whenever a new hack like the one here (seems like most stores have been attacked on September 4th) shows up.

The only thing I'm asking is that this information is put in an EASY to find (not a search on the forum returning 10000+ hits) place, not filled with endless discussions about how to do little things or whose responsibility it is to maintain security, and kept current by the mods.

Do you think this is possible?

 

Best regards

Reiner

Link to comment
Share on other sites

 

Ideally you have a point, but there is only one mod on this forum, he does a great job but I'm sure would not want his task list to increase even further!!

 

Remember this forum support is all volunteer, so demands that threads are created to make life a little easier for others are not smiled upon.

 

this information is put in an EASY to find
I would say that it is!! You only have to click on tips, there has been at least one post on security on the first page of that for the last 6 months

 

I would strongly advise against just renaming filemanager.php, :o that still leaves the hole wide open!!, just makes it harder for a hacker to find. It should be deleted, it damages files anyway. ;)

Sam

 

Link to comment
Share on other sites

Well this made for a wonderful evening and morning. I got nailed by this too, looks like it hit on the 4th like everyone else. After about 6 hours of editing files (dumb me didn't have a backup since my last mods) it is all cleaned out. Changed my admin folder name, deleted the file_manager.php also. And didn't forget to do a backup after all this! God I hope changing the admin folder and getting rid of that file helps!

Link to comment
Share on other sites

If you're on a *nix type of host & you have shell access the script below will help automate some of the cleanup of the base64_decode infected php files. I found it on another forum unrelated to OSC and modified it a bit. Thanks to the original author!

 

Run the commands & shell script in your store's document root. Even when you're working with an infected set of files it's a must to make a backup of both your files & dbase _before_ you start tinkering around. I've repaired & secured 11+ sites (and counting) this past week that were wrecked with this base64_decode garbage and this script has made my life easier. ymmv.

 

The script is also available here: osc-cleanup.sh

 

osc -at- jerryrose.org

 

 

#!/bin/bash
#
#       remove-infection - Script to remove the XYZ infection from PHP files
#               Luis Esteban    8 December 2008
#
# STEP #1 - create the "yuck" file w/ the base64_decode line that is found at the top of all your php files
# (note:  you might have more than 1 type of base64_decode infection)
#
#    head -1 infectedfile > yuck
#
# STEP #2 - create a list of infected files
#
#    find ./ -name '*.php' | while IFS= read -r FILE; do if grep -q 'eval(base64_decode' "$FILE"; then echo "$FILE" >> infectedfiles; else echo "$FILE" >> notinfected; fi ; done
#
# STEP #3 - run this shell script to clean up the infected files
# STEP #4 - check for additional base64_decode lines in your files with the following command
# (searching "." instead of "*" also covers hidden files and directories):
#
#    grep -Iir base64_decode .
#
# STEP #5 - If you've found more base64_decode infected files, delete/rename the files we've created (yuck, infectedfiles, notinfected, cleaned, notcleaned) and REPEAT ALL STEPS

# The infection line is the same for every file, so read it once
YUCKHEAD=$(head -1 yuck)

# IFS= and -r keep leading spaces and backslashes in file names intact
while IFS= read -r FILE
do
    echo "Cleaning $FILE"
    FILEHEAD=$(head -1 "$FILE")
    if [ "$FILEHEAD" = "$YUCKHEAD" ]
    then
        echo "Infected, cleaning ..."
        # Write everything after line 1 to a temp file, then copy it back over
        # the original so the file keeps its owner and permissions
        TMP=$(mktemp) || exit 1
        tail -n +2 "$FILE" > "$TMP" && cat "$TMP" > "$FILE"
        rm -f "$TMP"
        echo "$FILE" >> cleaned
    else
        echo "Not Infected"
        echo "$FILE" >> notcleaned
    fi
done < infectedfiles

Link to comment
Share on other sites

Not really adding anything - except that when you have cleaned it up make sure you save a clean and complete backup.

 

I was infected, probably about the same dates mentioned here, the code injection was into a copy of openads that I was no longer using, from there it moved into virtually every php file on my domain, this includes Osc, phpBB, openads. The only place I did not find it was wordpress.

 

After finding the injection file, I started removing the code by hand but then went to an upgrade of every version I had using the current full file packages available.

 

While it did not bring anything down it did appear to slow the site and file loading considerably. Looking at some of my stats it may also have affected traffic to my site as it went down.

 

Have fun if you have it :-(

 

Geoff

Geoff

 

Telegraph Point 2441

Australia

Link to comment
Share on other sites

I too have been hacked. I have been through every folder trying to find the files or folders mentioned on this site.

I have NOT found anything I did not put on my site, EXCEPT the eval base code, in almost every php file.

I am afraid I have missed the initial file or starting file of the infection/hack.

My questions are:

1) Please, could you list the file(s) you found on your sites that were not supposed to be there, and where you found them at.

2) If I do not have any unwanted files on the site, would it be better for me to restore from a backup dated August 28, or to go into every file and just delete the extra eval base code?

3) Would I need to restore the database also? If so, wouldn't I lose all the sales info, new customers, etc after that date (date of backup)?

Link to comment
Share on other sites


My answers are:

 

1a) Please read the 10th or so post in this thread by blueflametuna

1b) To locate the files you can decode the base64 encoded crud at the top of any of the infected files using the decoder on this site:

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

 

Copy/paste the encoded stuff between the single quote marks (not the whole block of php) into the decoder.

 

For example, with this block:

<?php /**/eval(base64_decode('aWYoZnVuY3R --- snipped to make this easier to read --- dkZ29iaCcpO319fQ==')); ?>

 

You would copy only this bit of it:

aWYoZnVuY3R --- snipped to make this easier to read --- dkZ29iaCcpO319fQ==

 

The first line of decoded stuff should look something like this:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/username/htdocs/catalog/admin/includes/languages/english/images/buttons/style.css.php')) ...snip...

 

And this would be the path to the file(s) you need to remove:

/home/username/htdocs/catalog/admin/includes/languages/english/images/buttons/

 

2) If you have a confirmed clean backup, make it so.

 

3) Although it would be nice to restore the dbase to a known clean version you will lose sales info, new customers, etc. At the very least you'll want to make sure there are no new admin users, go through all of the cart settings with a fine tooth comb, etc.

 

osc -at- jerryrose.org

Link to comment
Share on other sites
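
The decode step described in the answer above, and the 48-fold gzinflate(base64_decode(...)) wrapping mentioned earlier in the thread, can be done offline without pasting anything into a website or running the PHP. This is an added example, not code from any poster in this thread; the function names and the sample inputs are constructed for illustration, and the sample path is the one quoted in the answer.

```python
import base64
import re
import zlib

# eval(base64_decode('...')) or eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    rb"""eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\2""",
    re.IGNORECASE,
)
# Quoted absolute paths to .php files, e.g. inside file_exists('...')
PHP_PATH = re.compile(rb"""['"](/[^'"\s]+\.php)['"]""")


def peel(code, max_layers=100):
    """Statically unwrap nested eval layers. Nothing is ever executed.
    Returns (innermost_code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(code)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(3))
            if m.group(1):
                raw = zlib.decompress(raw, -15)  # PHP gzinflate = raw DEFLATE
        except (ValueError, zlib.error):
            break  # not a real payload; stop and report what we have
        code = raw
        layers += 1
    return code, layers


def referenced_paths(code):
    """Unique .php paths named in the decoded payload (files to go and inspect)."""
    return sorted({p.decode("utf-8", "replace") for p in PHP_PATH.findall(code)})


def analyze(php_source):
    inner, layers = peel(php_source)
    return layers, referenced_paths(inner)


# ---- constructed sample input (path taken from the post above) ----
SAMPLE_PATH = ("/home/username/htdocs/catalog/admin/includes/languages/"
               "english/images/buttons/style.css.php")


def sample_header():
    """An infected file: injected first line followed by the normal page."""
    payload = ("if(function_exists('ob_start')&&!isset($GLOBALS['sh_no']))"
               "{$GLOBALS['sh_no']=1;if(file_exists('%s')){include_once('%s');}}"
               % (SAMPLE_PATH, SAMPLE_PATH)).encode()
    return (b"<?php /**/eval(base64_decode('" + base64.b64encode(payload)
            + b"')); ?>\n<?php echo 'store page'; ?>\n")


def sample_nested(depth=48):
    """A harmless comment wrapped in `depth` gzinflate/base64 layers."""
    code = b"<?php /* constructed stand-in for the innermost script */ ?>"
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        packed = c.compress(code) + c.flush()
        code = b"eval(gzinflate(base64_decode('" + base64.b64encode(packed) + b"')));"
    return code


if __name__ == "__main__":
    print(analyze(sample_header()))
    inner, layers = peel(sample_nested())
    print(layers, inner)
```

To use it on a real file, pass the file's bytes to `analyze()`, for example `analyze(open("index.php", "rb").read())`, on a copy of the infected file.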

Jerry

 

Thank you for your response, and posting the link to decode the hack.

 

The hack decode for my site shows all the files in:

if(file_exists('/home/xxxxx/public_html/admin/backups/catalog/admin/includes/languages/espanol/modules/index/style.css.php')){include_once('/home/xxxxx/public_html/admin/backups/catalog/admin/includes/languages/espanol/modules/index/style.css.php').

 

I did look at post 10 with all the files to look for. I wasn't finding any of them in the english part, because they are all in the espanol files.

 

The good news is my august 28th backup was not infected.

 

Once again, Jerry - thank you for your help!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
