
zanza

Member
  1. I forwarded all the info to my hosting provider, and they are looking into this now. Now that you mention this, I think Occam's razor may actually be in play here, so I am much more leaning towards some sort of server configuration error rather than a malicious hack at this point. I will make the changes in the $glob[] info, and I would be pretty sure this is responsible for the weird things happening. Also, one point I forgot which may be what is causing some of these issues: several months ago I installed an SSL cert on my shared hosting server (yes, it's possible but a little tricky). I realized it probably was more trouble than it was worth, so I let it expire a few months ago. So I would also suspect that somehow this shared SSL cert is causing some havoc with my webhost. Anyway, at this point I am just leaving it at some improper webhost configuration (possibly related to the previous shared SSL cert); if I find anything else interesting in the next few days I will certainly post here and give everyone the updates. I really do appreciate all the help and interest shown here, thanks a bunch to anyone who replied and showed interest or helped!
  2. Thanks again, yeah as I suspected, both received header sequences trace back to my own shared website, so it does appear the "hacking" is localized to other hosts on my shared server. Thanks for the tip about the Message-ID. I forwarded a spoofed Message-ID to my host so they can investigate further; right now it appears the other websites are being used as zombies/drones, however I am not sure to what end. The end-game is probably to change the payment/PayPal information so they receive the payments and our website is left out. Thankfully we don't have that many customers yet, so no payment has been intercepted (actually they didn't even get as far as changing the payment info, I am just speculating). Edit: now I want to change my database password since I believe these people can access my database. If I change my SQL database password, is "includes/global.inc.php" the only file I have to update with the correct info? Thanks, this has turned into a kind of amusing situation as no harm seems to have been done so far.
  3. Thanks for the reply back. Here is what I found out so far. The 2 sites that were being linked from the store PHP mail (on 2 separate occasions, hyper-vpn.com and engladinn.com I found were seen in my store emails) are both on my same shared server IP address. So it appears whatever hack this is (or server error?) is someone infiltrating the server and either using these other sites as drones, or the other sites themselves are the actual owners. So, just so everyone knows, I have no reason to think CubeCart was hacked at all; everything is pointing to a server side infiltration so far, nothing to do with CubeCart! I made a fake test account today (after installing 5.2.16), and I did not notice any problems anymore (I am not sure if the upgrade has "fixed" the issue or it's unrelated and may still occur and I just did not notice it now). I updated my admin password to a 16 digit very secure hex password. I checked /includes/global.inc.php and there is no reference to any other site or anything. So as of now, it looks like my webhost server was compromised; I am not sure what angle of attack is going on so far. I assume they have access to my database (since if they have my files the database password is listed in a file). However, I checked my admin and the payment modules haven't been altered, so I was thinking they may try to replace the PayPal receive address with theirs to steal customers' money, however this hasn't been done. So, it seems with access to the database they would have to be pretty intimate with CubeCart knowledge to actually be able to exploit this. I do not think they ever had access to my admin panel since there are no logs of access other than me (IP address), so unless they deleted admin access logs they probably never got in (which is lucky since I think I foolishly had the same admin password as my database, yes I know this is very stupid!).

     So as of now, it seems like it's a general stupid clone/hack of my ISP on my account; they weren't able to do any damage since that would require skilled knowledge of CubeCart, which I assume they don't have. For them to actually go in and manually edit the CubeCart database to swap a PayPal address seems like it would be pretty difficult, and because PayPal offers fairly good security protection, they probably would not have been able to get away with anything. It still remains to be seen how they redirected people. I can access the email headers, what should I be looking for exactly? I compared a good email header to a spoofed one, and there doesn't seem to be anything of note.
  4. Hello, I was running CC 5.2.15 (just upgraded to 5.2.16 today) and noticed a problem recently I think may be a hack. I noticed the problem when receiving emails from the store after an order confirmation. For example, here is an order email I received (I edited identifying information about the customers). NOTE: PLEASE DON'T CLICK ON ANY OF THESE LINKS SINCE I DON'T KNOW IF THEY ARE SAFE, A HACKER MAY HAVE PUT THEM IN.

     xxxxxx just placed order number 150217-134808-9488 on 17 Feb 2015, 13:48. This order can be managed online by following the link below.
     https://hyper-vpn.com/admin.php?_g=orders&action=edit&order_id=150217-134808-9488
     Billing address: Email: xxxxxx
     Shipping address:
     Item Quantity Cost
     order 1 €30.00
     Shipping: (Flat_Rate: Air Mail Delivery (1-3 days)) €34.00
     Discount: €0.00
     Subtotal: €300.00
     Order Total: €64.00
     Kind regards, Your Shop Staff
     https://hyper-vpn.com

     Notice, my store logo at the top of the message was hyperlinking to "https://hyper-vpn.com". Also, if you notice both other links in the message, "order can be managed online..." and "Kind regards, ....", there are links for https://hyper-vpn.com. Now, "https://hyper-vpn.com" is not our website at all; I have never heard of it either. All other previous store emails were normal (giving our real shop URL). So, something has edited our system just recently so that the emails being sent out are replacing our store URLs with other URLs that I have never heard of. Also, I just heard from a customer today that they received a notification with links to a separate address of a site "https://www.englandinn.com/index.php?_a=product&product_id=5". So, something is changing this. Has anyone heard of this before? I am not sure if it is a CubeCart vulnerability, or it's from my webhosting provider? I upgraded to 5.2.16 just now, does anyone think this will solve the problem? Please let me know any input, thanks!
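The header check asked about in post 3, as an added example that is not from this forum or from CubeCart: parse a stored order notification, list the hosts in the Received chain (to confirm the mail really left your own server), compare the Message-ID domain against the shop's real domain, and flag any body link whose host is not the shop. The sample message and every hostname, address and id in it are constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample of a suspicious order notification; every hostname,
# address and id below is made up for this example.
SAMPLE_EMAIL = b"""Received: from mail.shared-host.test (mail.shared-host.test [203.0.113.10])
\tby mx.example-store.test with ESMTP id abc123; Tue, 17 Feb 2015 13:48:10 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.shared-host.test with ESMTP id def456; Tue, 17 Feb 2015 13:48:09 +0000
Message-ID: <20150217134809.12345@other-site.test>
From: shop@example-store.test
To: owner@example-store.test
Subject: Order 150217-134808-9488
Content-Type: text/html; charset=utf-8

<p>A customer just placed order number 150217-134808-9488.</p>
<p><a href="https://other-site.test/admin.php?_g=orders">manage online</a></p>
<p>Kind regards, <a href="https://example-store.test">Your Shop Staff</a></p>
"""

RECEIVED_FROM = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)
HREF_HOST = re.compile(r'href="https?://([^/"]+)', re.IGNORECASE)

def received_hosts(msg):
    # Host named after "from" in each Received header, newest hop first.
    hits = (RECEIVED_FROM.match(str(v).strip()) for v in msg.get_all("Received", []))
    return [m.group(1).lower() for m in hits if m]

def message_id_domain(msg):
    # Domain part of the Message-ID, or None if absent.
    m = re.search(r"@([\w.-]+)>", str(msg.get("Message-ID", "")))
    return m.group(1).lower() if m else None

def body_link_hosts(msg):
    # Distinct hostnames targeted by href= links in the HTML (or plain) body.
    body = msg.get_body(preferencelist=("html", "plain"))
    return sorted({h.lower() for h in HREF_HOST.findall(body.get_content() if body else "")})

def analyze(raw_bytes, expected_domain):
    # Flag a Message-ID domain or body link host that is not the shop's own domain.
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    expected = expected_domain.lower()
    mid = message_id_domain(msg)
    foreign = [h for h in body_link_hosts(msg)
               if h != expected and not h.endswith("." + expected)]
    return {"hops": received_hosts(msg), "message_id_domain": mid,
            "message_id_mismatch": mid is not None and mid != expected,
            "foreign_link_hosts": foreign}
```

Run `analyze(raw_message_bytes, "your-shop-domain")` on a saved .eml of a good and of a bad notification; on the sample it reports the foreign Message-ID domain and the foreign link host while the Received chain still starts at the shared server.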