Dear SunShop Customer,
The originating file is called eval.php and it is loaded into the themes/YOURTHEME/ folder where "YOURTHEME" is the actual active theme folder. The attackers who added the malicious code to our news feed somehow get notified that the eval.php is on your server, most likely from server logs, and they use that file to run their own PHP commands on your server. They usually add additional files in an attempt to gain access to your customers financial details, but if you are running SunShop 4.2.5 or later, they will find this task to be very challenging due to the encryption keys. Below if a list of files that have been found in the same folder and various folders in the SunShop directory.
These files have also been reported:
eval.php, dec4.php, term.php, tem.php, xp.php, xps.php, xz.php
If you notice these or any other php files that look out of place, you should delete them or contact us to look into the issue further for you. You can open a ticket at http://www.turnkeywebtools.com/support-redirect.html
Our Database & Our Customers Data:
Because our database was compromised, we are advising that all customers who submitted their FTP or login information to us at any time on the old site and system to update their information immediately and change any FTP control panel or admin login information that we may have had in the system.
It is important to note though that we DO NOT keep any financial information in our databases on our customers. Additionally as an added security measure, we are resetting all account passwords on the legacy system. If you need to request your password you can use the forgot password feature or contact us for assistance.
As we stated if you should have any questions or if you need additional assistance, please feel free to contact support. We simply need your FTP details if you would like us to login and check for these files and remove them. We apologize for any inconvenience this may have caused and we want to assure you we are working hard to correct the problem in any way possible.
*UPDATE - 4/13* Some users are reporting that an admin was created. If you notice this as well you should delete any admins that do not belong in your system.
*UPDATE #2 - 4/13* It is also advised that your mysql database password be changed as an extra precaution.
*UPDATE #3 - 4/13* We have noted the following attack IP addresses. 188.8.131.52 & 184.108.40.206 IP OWNER INFO
Thursday, April 12, 2012