Tellox Web Hosting
Please Login or Register


eval(base64_decode hack

eval(base64_decode hack going around the internet,

If your cart “suddenly” stops working as it should with no input from yourselves it could be you have been subject to the latest automated hack.
Some of the more common signs of this are
* Category images stop displaying
* FCK editor refuses to display images folder
* Payment modules stop working
* Checkout process stops working

How will you know?
Open any PHP file on your server, if at the very top you see a line like
Then you have been hacked.

To clean your site you have two options,
1, delete the entire set of PHP files on your server, (this hack will infect every single PHP file regardless of where it belongs, i.e non osC files will also be infected)
And restore from a good back up. This is the best and easy route.

2, You need to find the source of the files that have been placed on your server, they are always hidden well away from the top level, to do this you need to copy the top line and paste it to a Base 64 decoder, I have my own file for this but you will be able to use any of many on the internet, here is one

This will reveal the location of the files you have to remove, note that it could be from 1 file to upto 30, and in some cases they will overwrite the files that should be in the host folder.

Once this is done, and the original files are restored, you have to go through every single PHP file and remove the code from the top line, I suggest you use a search / replace tool for this or its going to take you a very long time!

When this has been done it will be good practice to “drop” your database, and upload a recent backup you took prior to infection, also check that there are no new users on the database, I’ve not come across this yet, but have heard it happens.

Now your site is free on the code, you need to prevent it from happening again.

How to prevent infection.

This is not guaranteed 100% proof but it is going to help stop re-infection.

Change the name of your admin folder to something less obvious.
Delete admin/filemanager.php and associated links.
Ensure that your folder permissions are never set higher than 755
Install some security addons,
Also some ideas from this post can help you,
If you do nothing, and do not rename your admin folder or delete the filemanager.php it is not a question of if, more when.
There is a lot of fragmented help on the forums, I have pulled some of it together here, read up all you can there are a lot of great people posting good information here.

Thursday, March 15, 2012

« Back

View RSS Feed

Quick Navigation

Client Login



Remember Me


Follow Us on Twitter