<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: My Zen Cart was hacked &#8211; now what?</title>
	<atom:link href="http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/feed/" rel="self" type="application/rss+xml" />
	<link>http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/</link>
	<description>A blog about shopping carts and e-commerce</description>
	<lastBuildDate>Fri, 04 May 2012 10:28:22 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: Tim Regester</title>
		<link>http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/comment-page-1/#comment-1728</link>
		<dc:creator>Tim Regester</dc:creator>
		<pubDate>Fri, 10 Dec 2010 13:55:19 +0000</pubDate>
		<guid isPermaLink="false">http://thecartblog.com/?p=710#comment-1728</guid>
		<description>I have been asked, for my sins as a LAMP-experienced developer/support engineer, to resolve a client&#039;s website and Zen Cart that has been hacked.

I found a backdoor trojan in pure PHP; it did all sorts of horrendous stuff you would expect, was secreted in the images directory and spawned sixty-odd PHP files in the same directory.

I am following your suggestions but I am unsure about a reported EVAL in ../admin/products_with_attributes_stock.php, a PHP file that seems to be completely missing in 1.3.9h.

So I am suggesting rebuilding the Zen Cart completely, i.e. a clean install with the best security suggestions I have read. Do I need to clear the database, or is this also compromised? In other words, if I have the DB data, can I reuse it so we don&#039;t have to rebuild all the Zen Cart? The data was in 1.3.8a and will be upgraded to 1.3.9h.</description>
		<content:encoded><![CDATA[<p>I have been asked, for my sins as a LAMP-experienced developer/support engineer, to resolve a client&#8217;s website and Zen Cart that has been hacked.</p>
<p>I found a backdoor trojan in pure PHP; it did all sorts of horrendous stuff you would expect, was secreted in the images directory and spawned sixty-odd PHP files in the same directory.</p>
<p>I am following your suggestions but I am unsure about a reported EVAL in ../admin/products_with_attributes_stock.php, a PHP file that seems to be completely missing in 1.3.9h.</p>
<p>So I am suggesting rebuilding the Zen Cart completely, i.e. a clean install with the best security suggestions I have read. Do I need to clear the database, or is this also compromised? In other words, if I have the DB data, can I reuse it so we don&#8217;t have to rebuild all the Zen Cart? The data was in 1.3.8a and will be upgraded to 1.3.9h.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Zen Cart Hacked &#8211; Rebuilding &#124; Righty-oh!</title>
		<link>http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/comment-page-1/#comment-1655</link>
		<dc:creator>Zen Cart Hacked &#8211; Rebuilding &#124; Righty-oh!</dc:creator>
		<pubDate>Wed, 14 Jul 2010 22:01:53 +0000</pubDate>
		<guid isPermaLink="false">http://thecartblog.com/?p=710#comment-1655</guid>
		<description>[...] My Zen Cart was hacked – now what? [...]</description>
		<content:encoded><![CDATA[<p>[...] My Zen Cart was hacked – now what? [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: thatsoftwareguy</title>
		<link>http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/comment-page-1/#comment-1451</link>
		<dc:creator>thatsoftwareguy</dc:creator>
		<pubDate>Sun, 22 Nov 2009 12:04:28 +0000</pubDate>
		<guid isPermaLink="false">http://thecartblog.com/?p=710#comment-1451</guid>
		<description>My concern about not re-uploading is that there may be something still there that SysCheck doesn&#039;t know about.  I would take a weekend and reload from backup just to be sure.</description>
		<content:encoded><![CDATA[<p>My concern about not re-uploading is that there may be something still there that SysCheck doesn&#8217;t know about.  I would take a weekend and reload from backup just to be sure.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bill Burgess</title>
		<link>http://thecartblog.com/2009/10/14/my-zen-cart-was-hacked-now-what/comment-page-1/#comment-1447</link>
		<dc:creator>Bill Burgess</dc:creator>
		<pubDate>Tue, 17 Nov 2009 02:34:21 +0000</pubDate>
		<guid isPermaLink="false">http://thecartblog.com/?p=710#comment-1447</guid>
		<description>Hi,

Thanks so much for all your contributions to Zen Cart. I recently helped a friend recover from a hacked cart where they pretty much did all the things that your Syscheck utility searches out. I removed everything that your utility found and added all updates for the current Zen Cart.

My question, though, is if our site is now secure again after I followed all the steps in your walk-through. Mind you, I did not reinstall the entire site. I merely overwrote all the files that had the eval injection and removed the eval line manually from any of my customized files that were affected. Now, when I use the Syscheck utility, there are no rogue files. The only two that come up are from the add-on FAQ module, but they seem like they use it legitly. (If that&#039;s a word)

P.S. There is no way I could have helped him sort his site out without your utility. Thanks very much! I will recommend he contribute to your cause.</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>Thanks so much for all your contributions to Zen Cart. I recently helped a friend recover from a hacked cart where they pretty much did all the things that your Syscheck utility searches out. I removed everything that your utility found and added all updates for the current Zen Cart.</p>
<p>My question, though, is if our site is now secure again after I followed all the steps in your walk-through. Mind you, I did not reinstall the entire site. I merely overwrote all the files that had the eval injection and removed the eval line manually from any of my customized files that were affected. Now, when I use the Syscheck utility, there are no rogue files. The only two that come up are from the add-on FAQ module, but they seem like they use it legitly. (If that&#8217;s a word)</p>
<p>P.S. There is no way I could have helped him sort his site out without your utility. Thanks very much! I will recommend he contribute to your cause.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

