
Archived

This topic is now archived and is closed to further replies.

Weedwaka

Did Someone hack my site ? ( Eval Base64 Decode )


I decoded one of the files called cnf.txt. I think this is the hacker's configure file. Here is one of the

pearch.net/in.cgi?15&parameter=$keyword&se=$se&seoref=%ref%&HTTP_REFERER=%self_url%&default_keyword=%kw

 

 

I don't know how the hacker sniffed into the server, but I have been convinced that they sniffed through the session ID. I found the hackers redirect the traffic to many sites, like spam or ad financial websites, using pearch.net.

 

The target sites are not only osCommerce; they are any site that has these in the URL:

 

sid; phpsessid; cakephp; oscsid; phpkitsid; xcid; sessionid;

For stock osCommerce, the only thing you need to change is admin/includes/configure.php. There's a guide to moving the Admin on here somewhere; I think it was linked earlier in this thread. Basically, you just need to change all of the admin paths in that file to your new paths.

 

If you have added code that doesn't use the standard configure.php you will need to make the changes to that code as well. This won't be necessary for well-written addons, but some of the ones available here are not.

 

Regards

Jim

 

Ok, I have a couple of questions in moving the admin folder from the catalog to a subdomain:

 

In the admin/includes/configure.php these items need changing from the following which is the current settings:

 

 define('DIR_FS_DOCUMENT_ROOT', '/home/43/dnumber/htdocs/my_folder/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/43/dnumber/htdocs/my_folder/catalog/admin/');

 

My current store already exists in a subdomain:

 

store.my-site.com

 

I will be moving the admin folder to another subdomain:

 

vg8utuwX4.my-site.com

 

In the above examples, how would the admin/includes/configure.php be changed so it will still work with the database from another subdomain?

Wouldn't this create a problem with the database? Please explain.


DIR_FS_DOCUMENT_ROOT is the filesystem root for your account. It should be something like /home/43/dnumber/htdocs/.

 

DIR_WS_ADMIN is whatever you need to add to DIR_FS_DOCUMENT_ROOT to get the path to your admin files. If your current store is in my_folder/catalog/, you will need to move your admin out of that folder to another location. That is, if your store is now in /home/43/dnumber/htdocs/my_folder/catalog/, you could move your admin to /home/43/dnumber/htdocs/some_folder/something_else/. DIR_WS_ADMIN would then be /some_folder/something_else/.

 

DIR_FS_ADMIN needs to be the complete path to your admin files. In the above example, it would be /home/43/dnumber/htdocs/some_folder/something_else/.

 

If you have DIR_FS_DOCUMENT_ROOT set as you have shown, you may also need to change DIR_FS_CATALOG to the full path to your catalog files.

 

The database is on a separate server. It may be running on the same physical machine as the web server or it may be on a separate physical machine. In any case, if your database settings work from your current location they will work from the new one.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.

Jim,

 

That is so cool! I have set up the admin folder in another subdomain, with a completely different web site so that a hacker would have to be a super genius to find it now. And everything works, except for Site Monitor. I get an Error 404 when I click on Site Monitor. Hopefully I can figure that one out, but if you have any ideas, I would be grateful. What a wonderful idea to completely move the admin folder out of the site! Thanks so much for the tip.

I don't know how the hacker got into the site, but when I was going thru the site,

I found some files in cgi-bin/ folder. I downloaded and tried to open them, but all were binary files, I just immediately deleted them all, cause they are not my files for sure.

 

file names :

 

entropybanner.cgi

randhtml.cgi

cgiecho

cgiemail

 

 

If anyone knows these files, please let us know.

 

Then I changed the cgi-bin/ folder to 555 permission level.

 

Please, where is the cgi-bin/ folder?

add:

 

Options All -Indexes

 

to your htaccess

 

Sam,

 

I am adding this to my htaccess file but am curious what this does? Why do we want to disable root directory view? Is it on a web browser that it is disabled?


cgi-bin is not a part of osC but may be on your site, possibly in your public_html directory - just remember it could be an essential part of your site's working before you start denying access to it

add:

 

Options All -Indexes

 

to your htaccess

 

These are going to be dumb questions but;

 

Which htaccess file ? Just the admin or all of them ? Do I just paste that line anywhere in the file ?

Jim,

 

That is so cool! I have set up the admin folder in another subdomain, with a completely different web site so that a hacker would have to be a super genius to find it now. And everything works, except for Site Monitor. I get an Error 404 when I click on Site Monitor. Hopefully I can figure that one out, but if you have any ideas, I would be grateful. What a wonderful idea to completely move the admin folder out of the site! Thanks so much for the tip.

Site Monitor is one of those addons that has its own configuration. You'll need to make the same changes to sitemonitor_configuration.php that you made above, if you have the same version I do; other versions may have the config data in a different place.

 

Regards

Jim


Sam,

 

I am adding this to my htaccess file but am curious what this does? Why do we want to disable root directory view? Is it on a web browser that it is disabled?

If you don't disable this or put a valid index file in every directory, the web server will present a list of every file in the directory. You really don't want to make it that easy for the hackers. You could go around putting an empty index.php in every directory, but this is easier.

 

Put this in the .htaccess in the root of your web space. This may be a folder named public_html or html_docs or htdocs or www or something similar. It depends on how the server is set up. If there isn't a .htaccess file in that folder, create one.

 

Regards

Jim



Massive thanks to Germ and Spooks for all the help on this thread. I found the infection whilst securing my site on Spooks' other thread! Taking advice from Germ with a pot of coffee and a bit of *nix to solve the problem.


I had this same hack happen to my website as well. I found a file that someone wrote for another forum to clean that. I ran it on mine and it worked fine.

 

<?php
/*********************************************************************************
* kb_scan.php                                                                    *
* ------------------------------------------------------------------------------ *
* This file can be used to check for file infections using the recent krisbarteo *
* exploit. If any infections are found, this should also be able to fix them.    *
**********************************************************************************
* Utility version:                1.0                                            *
* Utility by:                     Fustrate                                       *
* Testing:                        JBlaze                                         *
* Exploit Info:                   Sarge                                          *
* File Traversal:                 SlammedDime                                    *
* Detection Query:                SleePy                                         *
* ============================================================================== *
* Instructions: Upload this file to the root of your SMF installation, alongside *
* SSI.php and index.php, and navigate to it in your browser.                     *
*********************************************************************************/


class FileChecker
{
var $_dir = '';
// Since the exploit also looks for phtml and php3, so do we.
var $_include = array('php', 'phtml', 'php3');
var $_results = array();

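// PHP 5+ constructor name; a method named after the class is no longer treated as a constructor in PHP 8.
function __construct()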
{
	$this->_dir = dirname(__FILE__);
}

function run()
{
	set_time_limit(300);
	$this->_run($this->_dir);
}

function _run($file)
{
	if (substr($file,-1) == '.')
		$file = substr($file,0,-1);

	if (is_file($file) && is_readable($file))
		return $this->_checkFile($file);
	elseif (!is_dir($file) || !$dir_handle = opendir($file))
	{
		trigger_error('Unable to open directory: ' . $file);
		return;
	}

	while(($filename = readdir($dir_handle)) !== false)
	{
		if (($filename == '.') || ($filename == '..'))
			continue;

		// pathinfo() avoids passing explode()'s result by reference to array_pop().
		$extension = pathinfo($filename, PATHINFO_EXTENSION);
		$real_path = $file . DIRECTORY_SEPARATOR . $filename;

		// Are we going to skip this file?
		$skip_file = (($this->_include !== false) && !in_array($extension, $this->_include)) ? true : false;

		if(is_file($real_path) && is_readable($real_path) && !$skip_file)
		{
			// No reason to scan this file, unless you infected it yourself...
			if ($filename === 'kb_scan.php')
				continue;

			$this->_checkFile($real_path);
		}
		elseif(is_dir($real_path))
			$this->_run($real_path);
	}
	closedir($dir_handle);
}

function _checkFile($filepath)
{
	$contents = file($filepath);

	// file() returns false on failure and an empty array for an empty file.
	if (!empty($contents) && preg_match("~/\*\*/eval\(base64_decode\(~i", $contents[0]))
	{
		$results['infected'] = true;

		if (isset($_GET['fix']))
		{
			// We're going to do a straight preg_replace on the full contents
			$contents = implode("", $contents);

			// Stripsearch, err, strip the php eval
			$data = preg_replace("~<\?php /\*\*/eval\(base64_decode\('([a-zA-Z0-9+=/]+)'\)\); \?>\r?\n?~i", "", $contents);

			// Let's try to chmod the file to 755 or 777... 
			@chmod($filepath, 0755);

			$fp = @fopen($filepath, 'w');

			// Write it, or at least attempt to.
			if ($fp){
				fwrite($fp, $data);
				fclose($fp);
			}

			// Now try to reset permissions - 644 will be good, methinks.
			@chmod($filepath, 0644);

			$test = file($filepath);

			// An empty file after cleaning has nothing left to match.
			$results['fixed'] = empty($test) || !preg_match("~/\*\*/eval\(base64_decode\(~i", $test[0]);
		}
		else
			$results['fixed'] = false;
	}
	else
		$results = array(
			'infected' => false,
			'fixed' => true,
		);

	$base = basename($filepath);

	// A list of possible NEW files, taken from the exploit itself.
	$possibles = array('db.php', 'dg.php', 's.php', 'style.css.php', 'los.php', 'r0x.php');

	// Is this a potential exploit file? Also checks for fully numeric filenames and no-extension files.
	$results['possible'] = in_array($base, $possibles) || preg_replace("~([0-9]+)\.php~", "", $base) == '' || strpos($base, '.') === false;

	$this->_results[str_replace($this->_dir . '/', '', $filepath)] = $results;
}

function results()
{
	if (empty($this->_results))
		return false;
	else
		return $this->_results;
}
}

$file_test = new FileChecker();
$file_test->run();

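// results() returns false when nothing was scanned; use an empty list so the sort and loop below still work.
$results = $file_test->results();
if ($results === false)
	$results = array();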

$checkDB = false;

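// Let's check the database with SleePy's query...
// (The query bodies are not present in the post as published, so $checkDB stays false.)
if (!isset($_GET['noquery']) && isset($smcFunc))
{



}
else if (!isset($_GET['noquery']))
{


	// $result is only set by the missing query; free it only if it exists.
	if (isset($result))
		mysql_free_result($result);
}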

echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
	<title>SMF KB Scan Utility</title>
	<meta name="robots" content="noindex, nofollow" />
	<style type="text/css">
		body
		{
			background-color: #e5e5e8;
			margin: 0;
			padding: 0;
		}
		body, td
		{
			color: #000000;
			font-size: small;
			font-family: verdana, sans-serif;
		}
		div#header
		{
			background-image: url(Themes/default/images/catbg.jpg);
			background-repeat: repeat-x;
			background-color: #88a6c0;
			padding: 22px 4% 12px 4%;
			color: white;
			font-family: Georgia, serif;
			font-size: xx-large;
			border-bottom: 1px solid black;
			height: 40px;
		}
		div#content
		{
			padding: 20px 30px;
		}

		div.panel
		{
			border: 1px solid gray;
			background-color: #f6f6f6;
			margin: 1ex 0 3ex 0;
			padding: 1.2ex;
		}
		div.panel h2
		{
			margin: 0;
			margin-bottom: 2ex;
			padding-bottom: 3px;
			font-size: 14pt;
			font-weight: normal;
		}
		em
		{
			font-size: smaller;
		}
		table
		{
			border: 1px dotted black;
			border-top: none;
		}
		td
		{
			border-top: 1px dotted black;
		}
		.safe
		{
			background-color: #d1f7bf;
		}
		.infected
		{
			background-color: #ffbbbb;
			font-weight: bold;
		}
		.possible
		{
			background-color: #fdd7af;
			font-style: italic;
		}
		.example
		{
			border: 1px dotted black;
			padding: 5px;
		}
	</style>
</head>
<body>
	<div id="header">
		<div title="\'Fustrate is my hero!\' -JBlaze">SMF KB Scan Utility</div>
	</div>
	<div id="content">
		<div class="panel">
			<h2>Below are the results of the scan:</h2>
			<br />
			<span class="example safe" title="Uninfected">Uninfected</span> 
			<span class="example possible" title="This file might be from the exploit...">Possible</span> 
			<span class="example infected" title="This file is infected!">Infected!</span><br />
			<br />
			If this finds any infected files, <a href="kb_scan.php?fix">click here</a> to try to fix them. <strong>Make sure you back up your files before trying to fix anything!</strong><br />
			<br />';

if ($checkDB)
echo '
			<div class="infected example">
				Please check your database - there is a good chance the themes table is infected!<br />
				Remember to make a backup before making any changes. This can either be done in your hosting control panel, or with the help of your host.
			</div>
			<br />';

echo '
			<table cellpadding="5" cellspacing="0" width="100%">';

// alphabetical order, shall we?
uksort($results, 'strnatcasecmp');

foreach($results as $name => $result)
{
echo '
				<tr class="', ($result['infected'] && !$result['fixed']) ? 'infected' : ($result['possible'] ? 'possible' : 'safe'), '">
					<td>', $name, '</td>
					<td>
						', $result['infected'] ? ($result['fixed'] ? 'This file was cleaned.' : 'This file is infected!') : ($result['possible'] ? 'This file is a possible exploit.' : ' '), '
					</td>
				</tr>';
}

echo '
			</table>
		</div>
	</div>
</body>
</html>';
?>

 

I modified it to work for osCommerce; supposedly it finds the files that the hack places on your website.

 

Just paste the above into a new PHP file (may need to be called kb_scan.php).

From what I've read, it scans your files for the matching byval, sets permissions to max, deletes the byval, then resets to 644.

 

~Edit again..

 

I did notice after running this that 10-20 connections (probably a zombie botnet) all connected to my website in an hour and all performed the same actions. I assume it was checking to see if the hack was still installed.


I usually check my source code (browser) every few days. On 9-7-2009, I found this little treat waiting for me at the very top of every php document: redirects and list of links to 18 pages of WordPress blogs, written in gibberish, with the last dated 9-6-2009. The addresses would be something like "jrsalescompany.com/catalog/?fz17", etc. I checked my server logs, and found massive file alterations at 0814, Sept 4th. I also found unauthorized access at that same time, with nice little base64 codes added to the top of every .php. Excerpts from the server log (actual copies):

 

- - [04/Sep/2009:08:14:34 -0700] "POST jrsalescompany.com/catalog/admin/file_manager.php/login.php?action=save HTTP/1.1" 302 5 "http://jrsalescompany.com/catalog/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(getting inside)

 

- [04/Sep/2009:08:14:34 -0700] "GET jrsalescompany.com/catalog/admin/file_manager.php?info=main.inc.php&osCAdminID=b2490caa2ee0ac1c0d989764dcf25e47 HTTP/1.1" 302 5 "http://jrsalescompany.com/catalog/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(uploading their junk)

 

- [04/Sep/2009:08:14:35 -0700] "GET jrsalescompany.com/catalog/admin/login.php?osCAdminID=b2490caa2ee0ac1c0d989764dcf25e47 HTTP/1.1" 200 3707 "http://jrsalescompany.com/catalog/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(stealing Admin login info? Stole a session ID?)

 

- [04/Sep/2009:20:13:21 -0700] "GET jrsalescompany.com/catalog/main.inc.php HTTP/1.1" 404 1703 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(calling up their uploaded junk-take notice of timestamp difference)

 

The attacker created 35 events in the log. Apparently, it reads to me that the person came in and hacked in, uploaded whatever they needed, probably stole an admin password, created their permanent backdoor, executed their program, went upstairs to eat some of mommy's fabulous meat loaf, came back down to the basement, took a nap, and came back 12 hours later to check up on it, and executed it again.

 

All of it was logged from this IP address: 94.142.129.147

 

The IP is registered to a hosting provider in Estonia, according to WHOIS. However, no amateur would neglect to spoof his IP, so it is unreliable.

 

I have sent my whole report, including all the logs, and all info I could get on that IP to the FBI. A lot of you already have seen this kind of info. For all of you, put the feelers out. Ask. Seek. Find. Use it. Report whatever you find. Maybe, MAYBE, we'll get lucky and someone will become a 'person of interest' in this whole shenanigan.

 

Restore was good for me. No problems. I am a little unsure of the lasting effects. I have heard talk about possible virus contamination, but my virus/spam/mal/rootkit/firewall stuff shows nothing. However, I would advise that a person take no chances. Change passwords frequently. Database, FTP, admin, weekly, at least. Login only with SSL. A person might contact their virus protection agent and explain the situation, and see if their system detects that sort of thing.

 

On a personal note: I have a party planned for these persons: Cake and Frappuccino at 1930. Firing squad at 1945. ;)

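The first request in the excerpt above targets admin/file_manager.php/login.php, an admin script with /login.php appended to its path. The detection sketch below is an added example, not part of the original post: it flags that request shape in Apache combined-format logs and summarises everything else the same client did. The sample lines, addresses, host name and function names are constructed.

```python
import re
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A PHP script with an extra "/login.php" path segment appended, the shape of
# the first request in the excerpt (admin/file_manager.php/login.php).
APPENDED_LOGIN = re.compile(r"[^/]+\.php/login\.php$", re.IGNORECASE)

# Constructed sample lines modelled on the excerpt; the addresses come from
# documentation ranges and the host is a placeholder.
UA = '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7)"'
REF = '"http://shop.example/catalog/"'
SAMPLE_LOG = [
    f'198.51.100.7 - - [04/Sep/2009:08:01:10 -0700] "GET /catalog/index.php HTTP/1.1" 200 8120 "-" {UA}',
    f'198.51.100.7 - - [04/Sep/2009:08:02:44 -0700] "POST /catalog/admin/login.php?action=process HTTP/1.1" 302 5 {REF} {UA}',
    f'203.0.113.10 - - [04/Sep/2009:08:14:34 -0700] "POST /catalog/admin/file_manager.php/login.php?action=save HTTP/1.1" 302 5 {REF} {UA}',
    f'203.0.113.10 - - [04/Sep/2009:08:14:34 -0700] "GET /catalog/admin/file_manager.php?info=main.inc.php HTTP/1.1" 302 5 {REF} {UA}',
    f'203.0.113.10 - - [04/Sep/2009:08:14:35 -0700] "GET /catalog/admin/login.php HTTP/1.1" 200 3707 {REF} {UA}',
    f'203.0.113.10 - - [04/Sep/2009:20:13:21 -0700] "GET /catalog/main.inc.php HTTP/1.1" 404 1703 "-" {UA}',
    "truncated or malformed line",
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def appended_login_hits(lines):
    """Requests whose path is <script>.php/login.php."""
    records = [r for r in map(parse_line, lines) if r]
    return [r for r in records if APPENDED_LOGIN.search(r["path"])]


def source_timelines(lines):
    """For every client that sent such a request, summarise all of its traffic."""
    records = [r for r in map(parse_line, lines) if r]
    suspects = {r["ip"] for r in records if APPENDED_LOGIN.search(r["path"])}
    out = {}
    for ip in sorted(suspects):
        mine = sorted((r for r in records if r["ip"] == ip), key=lambda r: r["time"])
        span = mine[-1]["time"] - mine[0]["time"]
        out[ip] = {
            "requests": len(mine),
            "first": mine[0]["time"],
            "last": mine[-1]["time"],
            "span_seconds": int(span.total_seconds()),
            "paths": [f'{r["method"]} {r["path"]} -> {r["status"]}' for r in mine],
        }
    return out


if __name__ == "__main__":
    for ip, info in source_timelines(SAMPLE_LOG).items():
        print(ip, info["requests"], "requests over", info["span_seconds"], "seconds")
        for entry in info["paths"]:
            print("   ", entry)
```

The per-client summary surfaces the return visit hours later that the post points out, which is easy to miss when reading only the lines around the first hit.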

On a personal note: I have a party planned for these persons: Cake and Frappuccino at 1930. Firing squad at 1945. ;)

Reverse the times and save the good stuff for yourself.

 

They aren't worth it.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


- - [04/Sep/2009:08:14:34 -0700] "POST jrsalescompany.com/catalog/admin/file_manager.php/login.php?action=save HTTP/1.1" 302 5 "http://jrsalescompany.com/catalog/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(getting inside)

 

- [04/Sep/2009:08:14:34 -0700] "GET jrsalescompany.com/catalog/admin/file_manager.php?info=main.inc.php&osCAdminID=b2490caa2ee0ac1c0d989764dcf25e47 HTTP/1.1" 302 5 "http://jrsalescompany.com/catalog/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

(uploading their junk)

 

 

file_manager.php?

 

See I've been hacked in signature below


germ- we'll schedule them both for 1930. Dinner AND a show!

 

newtest- I hear you sayin it- shame on me ;) At least it won't happen again (until they figure out another exploit). I have just recently started playing ball with OSC a couple of months ago, which has been great to work with. Being a noob to this software, I wasn't aware of its vulnerabilities at the time. Should have checked up on it before putting work into it. Live and learn.

I hit up the forums to read up on it right after the attack. Valuable information source from fellow operators. I deleted file manager and define languages, deleted links, before I uploaded my backups. I already had .htaccess on my 'admin' directory (my own, not the commented out one that comes with it), but they didn't seem to have a problem bypassing the popup login box (I get 403 if not valid). I always login via https, but I suspect that login info was sniffed somehow. They probably had the .ht login info, but not the admin info. Once they got to the osc login, that's where they started their real work. BTW, .htaccess and word are set to deny all, so not viewable. I tried, just to make sure.

 

 

Thank you to the OSC forums for the security info!

 

BTW, I have heard that this "automated" crime spree has affected over 1 million sites (most were non-osc sites, like WordPress blogs, etc).


germ- we'll schedule them both for 1930. Dinner AND a show!

Count me in!

:lol:



I found this in our source code. Any idea where to go to get rid of it?

 

<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0"><div style="display:none">
<a href='http://www.wolfftanning.com/products_ship_estimator.php/?fchl=0'>forex managed funds</a> 
<a href='http://www.wolfftanning.com/products_ship_estimator.php/?fchl=1'>forex mechanical system trading</a> 
<a href='http://www.wolfftanning.com/products_ship_estimator.php/?fchl=2'>forex mechanical trading system</a> 
<a href='http://www.wolfftanning.com/products_ship_estimator.php/?fchl=3'>forex rate india</a> 
<a href='http://www.wolfftanning.com/products_ship_estimator.php/?fchl=4'>forex signal service</a> 


Click the link in my signature below, you will find help in that post

Nic


Sometimes you're the dog and sometimes the lamp post


My Contributions


I received this reply from a ticket I opened with our hosting company and am not sure it's relevant:

 

Please scan your PC with both an updated AV and Malware scanner.

 

MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

Microsoft recently released an AV/Malware package at: http://www.microsoft.com/security_essentials

Hijack this: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

 

Information about how to further clean the computer can be found googling info.com and redirect.


Has anyone who has been hacked had issues with customer's credit card information?

Unless your site is PCI Compliant ( <= it's a link, click it to read more) you aren't supposed to be storing that info.

 

Besides, do you really think anyone would admit that publicly even if it was true?

:unsure:



Okay, I believe we've plugged all the holes, deleted File Manager, renamed Admin, etc. Does it make sense to manually delete all instances of <? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdv...? Using DW, I tried doing a Find and Replace but kept getting "invalid quantifier *".


I can't figure out why I can't do a sitewide "Find and Replace" using Dreamweaver. I keep getting that same invalid quantifier * alert box. Any ideas? The other option is manually going through 900+ files. Unfortunately restoring a previous backup would wipe out a bunch of new development so that's not a good option.

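On the find-and-replace question in the last two posts, an added example that is not part of any post in this thread: in a regular-expression search the `*` characters in `/**/` are quantifiers, so the pattern has to escape them. The Python sketch below assumes the injected prefix has the shape matched by the kb_scan.php regex posted earlier, widened to accept the short `<?` open tag; the function names and sample files are constructed.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

PHP_EXTS = {".php", ".phtml", ".php3"}  # the extensions kb_scan.php walks

# Assumed shape of the injected prefix: the kb_scan.php pattern from this
# thread, with "php" after "<?" made optional. re.escape() turns "/**/" into
# a literal, which is what an unescaped find-and-replace regex trips over.
INJECTED = re.compile(
    rb"<\?(?:php)?\s*" + re.escape(b"/**/")
    + rb"eval\(base64_decode\('[A-Za-z0-9+/=]+'\)\);\s*\?>\r?\n?"
)
MARKER = b"eval(base64_decode("


def classify(data: bytes) -> str:
    """Return 'infected', 'review' or 'clean' for one file's bytes."""
    if INJECTED.match(data):  # match() anchors at the first byte of the file
        return "infected"
    # Same call somewhere else in the file: leave it for a human to read.
    return "review" if MARKER in data else "clean"


def clean_tree(root, apply=False, backup_suffix=".infected.bak"):
    """Walk root and report each PHP file's state; strip the prefix if apply.

    The untouched file is copied to <name><backup_suffix> before any write.
    """
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        data = path.read_bytes()
        state = classify(data)
        if state == "infected" and apply:
            shutil.copy2(path, path.with_name(path.name + backup_suffix))
            path.write_bytes(INJECTED.sub(b"", data, count=1))
            state = "cleaned"
        report[path.relative_to(root).as_posix()] = state
    return report


def build_sample_tree(root):
    """Write constructed sample files (harmless payload); return the clean text."""
    payload = base64.b64encode(b"echo 'constructed sample';").decode()
    long_tag = f"<?php /**/eval(base64_decode('{payload}')); ?>\n"
    short_tag = f"<? /**/eval(base64_decode('{payload}'));?>\n"
    original = "<?php\nrequire('includes/application_top.php');\n"
    files = {
        "index.php": long_tag + original,
        "includes/header.php": short_tag + original,
        "includes/clean.php": original,
        "addon.php": original + f"eval(base64_decode('{payload}'));\n",
        "notes.txt": long_tag,  # not a PHP extension, so it is skipped
    }
    for name, text in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return original


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("dry run:", clean_tree(tmp))
        print("applied:", clean_tree(tmp, apply=True))
```

Run it against a downloaded copy of the site rather than the live web root, and delete the `.infected.bak` copies once the cleaned files are verified.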
