
Weedwaka

Did Someone hack my site ? ( Eval Base64 Decode )


I don't know how the hacker got into the site, but when I was going through the site I found some files in the cgi-bin/ folder. I downloaded and tried to open them, but all were binary files. I immediately deleted them all, because they are not my files for sure.

File names:

entropybanner.cgi

randhtml.cgi

cgiecho

cgiemail

If anyone knows these files, please let us know.

Then I changed the cgi-bin/ folder to 555 permission level.


If you are unsure as to how they got into your website, you should take a close look at your security. Do you have the file manager on your website still? If so, delete that. Rename the admin folder and follow the instructions on the linked pages. Make your site as safe as you can instead of constantly cleaning it up.


A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable; unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyways!

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there; I will find time to get back and answer you.

Proud Member of the CODE BREAKERS CLUB!!


Random Banners

Entropy Banner is a banner management system which allows you to include randomly "rotating" clickable images in your web pages. This is particularly useful for "rotating" banner adverts.

Each time a visitor views a page containing the Entropy Banner code, a banner will be selected at random from the banners you have uploaded to the system. Each banner is associated with its own linking code which will take visitors to the appropriate site when the banner is clicked.

Banners can also be assigned a priority level (low, medium or high). For example, a banner of priority "high" will tend to appear more frequently than one of priority "low".

 

Random HTML

The Random HTML generator can be used to pick a text (or HTML) string out of a list of possibilities and insert it into an SSI enabled (.shtml) web page. This is useful for including random text or HTML code in pages so as to produce varied quotes, images or just about anything else.

 

CGI email

CGI Email takes the input of an HTML form and converts it to an email format defined by the author of the form.

 

CGI echo

CGIecho accepts form data, cleans it, and echoes it. It is very often used in conjunction with cgiemail.

 

 

These are all scripts provided by your host for your use on your website...

 

 

If you are not sure what a file does GOOGLE it - saves you dumping files that might be playing a part in running your website!


Brady is right: admin/define_language.php can be used to inject arbitrary code into the language files. If you want advance notice of a vulnerability, then here it is. Delete this file before you find out the hard way.

 

Deleting these files can only limit the damage. They are only dangerous if someone can get into your store admin. Your first line of defense should be proper access control on your Admin. That means:

1. Disable directory view on your root directory.

2. Rename your Admin folder. Make it something hard to guess.

3. If possible, put your admin on a different domain. Your hosting service probably gives you a subdomain or user domain with your account. Use that for your Admin and keep it completely out of the catalog domain. You can also buy another domain name for your Admin. Hackers can't hack your store if they don't even know where to look for it.

4. Use .htaccess password protection for your admin. Use a username that is not easily guessed and a strong password.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


Hmmmmmm... seems I was targeted too, very recently at that as well, but I can't be sure if it was before or after I removed file_manager and define_language, or maybe in between. However, I did notice that in the decode the following files were being looked for: public_html/store/admin/fckeditor/editor/filemanager/browser/default/images/icons.

I think I have a definite reason now to remove fckeditor and editor. (Anyone like to comment on this?)

My images and icons were replaced because they were included in my clean back-up.


Also hacked. Attempting to remedy this; however, whenever I remove the code header from the top of the page my site no longer works. For example, I removed the header from my index.php and it no longer loaded. What is the proper way to fix this?


Managed to sort it out by myself. I used the base64 decoder to find the style.css.php files; it turned out they were in a zend folder that was part of an archived old site that I haven't used for around 5 years and that was lying around the server. Deleted that, used the shell script to clean all the files. Good as new. Thanks for all the good replies.

Just posting those helpful links again since they're scattered throughout multiple pages:

base64 decoder (find where the files are): http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

shell script cleanup: http://www.jerryrose.org/osc-cleanup.sh


Looks like this club is getting bigger each day. Me too, hacked on the 4/9. After reading this thread (thanks to all for the great help) I managed to locate and delete all the bugs from admin/includes/javascript/tiny_mce/themes/advanced/docs/en/images/style.css.php

Now (sorry, but I'm not very tech) I'm not sure what I should do with the Eval Base64 Decode line in each PHP file. I have started removing this from my test site, but it looks like it is hooked up deeper, as I got errors like the one below when I was trying to enter the product page:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/ttoefrzd/public_html/test/product_info.php on line 175

The biggest problem is that a copy of my store is on the same server as the main store and they both were infected (as a matter of fact it was the test store that was holding the bugs). This means that I can't compare these two and bring it back to what it was before.

Is there any chance someone could give me some advice on this please...

What's worse, I think that this significantly affected my SEO, as from that date the number of people visiting my site shrank by almost 40%.

Thank you for your help

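The two posts above do the triage by hand: paste the eval(base64_decode(...)) header into a decoder and read off the dropped file it points at (the style.css.php path named just above). The following is an added example that automates that step, not code from this thread or from osCommerce; the sample infected file is constructed here, and the regex, function names and report format are my own.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# The injected header this thread describes: eval(base64_decode("...")); prepended
# to a PHP file. Accepts single or double quotes and whitespace inside the blob.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')

# Any .php path named inside the decoded payload points at a dropped file
# (in the posts above: a style.css.php hidden under an editor docs folder).
PATH_RE = re.compile(r'[\w./-]+\.php')


def find_injections(source: str) -> list:
    """One record per eval(base64_decode(...)) call in `source`: byte offset,
    decoded payload text, and the .php paths that payload references."""
    hits = []
    for m in EVAL_B64.finditer(source):
        blob = re.sub(r'\s+', '', m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
        except (binascii.Error, ValueError):  # not valid base64: still report the call
            decoded = ''
        hits.append({'offset': m.start(), 'decoded': decoded,
                     'paths': sorted(set(PATH_RE.findall(decoded)))})
    return hits


def scan_tree(root) -> dict:
    """Walk a document root and map each infected .php file to its injections."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob('*.php')):
        hits = find_injections(path.read_text(errors='replace'))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample (not a real payload): a base64-wrapped include() of the
# dropped file named in the post above, prepended to an otherwise clean page.
_PAYLOAD = ("include('admin/includes/javascript/tiny_mce/themes/advanced/"
            "docs/en/images/style.css.php');")
SAMPLE_INFECTED = ('<?php eval(base64_decode("'
                   + base64.b64encode(_PAYLOAD.encode()).decode() + '")); ?>\n'
                   '<?php\n// original product_info.php continues here\n')
SAMPLE_CLEAN = "<?php\n// untouched file\n?>\n"

if __name__ == '__main__':
    # Usage: python find_eval_b64.py /path/to/public_html
    for name, hits in scan_tree(sys.argv[1]).items():
        for h in hits:
            print(f"{name}: eval(base64_decode) at byte {h['offset']}; "
                  f"references {h['paths'] or 'no .php paths'}")
```

The report tells you which files still carry the header and which dropped files to look for; it does not edit anything, since the next post shows why cutting the header out by hand can leave a parse error behind.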

Hi Chris,

Sorry for being a total layman, but how exactly do you get the script running?


What does the shell script do?

Is there more hacker code besides what is in the top paragraph of each PHP file? I deleted all the stand-alone files and all the code at the top of the PHP files. I am still struggling to get mine back up and running properly again.


Have you read Reiner's posts?


Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.


Hi Guys,

I cannot change my permissions on configure.php; it keeps coming back to 644. Any idea where the problem may be?

Thanks


It worked through cPanel...


Try this, create a file chmod.php and add the following code:

 

<?php
// Make the catalog configure.php read-only (0444) from inside PHP, for when
// the FTP client or file manager keeps reverting the mode to 644.
// The path is relative to wherever this file is uploaded (catalog or admin root).
chmod('includes/configure.php', 0444);
?>

 

Upload the file to your catalog / admin and call it with your browser. Afterwards you can delete the file(s) from the server.


Can someone please give me some directions on how to run the osc-cleanup.sh script? I'm trying to find some other posts about this but no luck so far, and I'm losing hope... :(

Thanks


Since we are talking about hacks, please assist with the problem below.

"Our customers and we only use the English language. Today we noticed our site has changed automatically to Spanish, and some of our categories which don't have any Spanish names don't show up. We never really put any Spanish names in; we simply would fill in the same English name for Spanish. The ones we did are showing up; the rest of the categories don't show. Did we get hacked? I see all products and orders, so it seems we are ok, but our language is changed. We checked admin and the language is set to English and also set as default. Did someone try a language hack?" Please help


Thanks Jim. I just read this today and deleted define_language.php just now. It only made sense to me.


The simple way to fix this is to use a clean copy of index.php and upload it, overwriting the hacked file. Then everything works fine. You have to do this to every file that is corrupted. For files like the configure.php files and certain ones you changed, you will need to be careful to remember which ones so you can clean up that file individually. The problem is that the file is corrupted and you really need a clean file to start with.


I thought it was in this thread that I read that the hacker probably looked for the 'This site is powered by osCommerce' to find sites to hack. Where did I read this and the suggestion to remove this from your site? Does anyone remember the thread?


Now that my site is all back up and running, I am trying to secure it better.

 

I deleted file manager etc. How do I disable the root directory as quoted above?

How involved is it to rename the admin folder?

How involved is it to rename the admin folder ?

 

http://forums.oscommerce.com/index.php?sho...ic=340995"


Sam

 


How do I disable the root directory

 

add:

 

Options All -Indexes

 

to your htaccess


Sam

 


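Both of the Apache-side steps in this thread (Jim's list earlier: directory listing off and .htaccess password protection on the admin; Sam's Options directive just above) as one added configuration example, not taken from the posts or from osCommerce. USER, RENAMED_ADMIN and the .htpasswd path are placeholders, the +/- form of Options is used so it can be combined with whatever the host already sets, and it assumes the host allows AllowOverride for Options and AuthConfig.

```apache
# --- public_html/.htaccess (catalog root) ---
# No directory listings anywhere below the document root.
Options -Indexes

# --- public_html/RENAMED_ADMIN/.htaccess (the renamed admin folder) ---
# HTTP Basic auth in front of every admin script. Create the password file
# outside the web root first, with a hard-to-guess user name:
#   htpasswd -c /home/USER/.htpasswd some_unguessable_user
AuthType Basic
AuthName "Store administration"
AuthUserFile /home/USER/.htpasswd
Require valid-user
```

After uploading, request the admin URL once from a logged-out browser: a 401 prompt means the protection is in place, a plain login page means AllowOverride is not permitting the directives.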

Jim,

Moving the admin folder to a subdomain and naming the subdomain something like www.8eMXDAryK8DDVZll.my_domain.com seems like a great idea, but obviously this really would affect the cart. What files would need to be changed? Obviously most of the files needing changes so that this would work are in the back end, but what files in the front end would need to be changed? Could you give a step-by-step list of what to do? Maybe this should be in a completely different thread, or is it ok to put it in this thread?


For stock osCommerce, the only thing you need to change is admin/includes/configure.php. There's a guide to moving the Admin on here somewhere; I think it was linked earlier in this thread. Basically, you just need to change all of the admin paths in that file to your new paths.

 

If you have added code that doesn't use the standard configure.php, you will need to make the changes to that code as well. This won't be necessary for well-written addons, but some of the ones available here are not.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.
