
CubeCart being used to send spam


sleepyfrog


I am using the latest version of cubecart (registered), and have just received the following message from my web hosts:

Please advise as a matter of urgency

____________________________

Dear Customer

Earlier today our system administrators noticed a large amount of spam mail being sent from your account tvshoppingoutlet.com

Over 65,000 emails were being sent out this morning and as I'm sure you are aware we have a very strict policy on spam and incidents such as this can cause our servers to be blacklisted and in turn have an impact on other customers.

It appears that this mail may have been sent through an exploit in one or more of the PHP scripts on your system. We would ask that you review the code on your website to remove any vulnerabilities that may allow the scripts to be abused to send emails. If the scripts are from a 3rd party software we would advise you contact the vendor for security patches or updates to their code.

We have disabled the account so the spamming will stop and until such time you say in writing which scripts are insecure and what you will do to make sure this doesn't reoccur. Please contact us with the ticket number shown in the subject line of this email and we can re-activate the account so you can update the scripts.

Link to comment
Share on other sites

Are you using smtp or mail() email settings?

I had this happen with a previous version of cc when I was using mail() but not with the latest version. I got multiple "cubecart administrator" emails that were bogus on about 3 of my sites.

Link to comment
Share on other sites

Guest CheapScotsman

He did say he was running the latest version (which is 3.0.14)

You need to do some sleuthing and get some additional information:

a) check all the cubecart files and ensure that nothing has been "changed" in the last day or two. If you don't have proper security on your php, etc files then somebody could have modified them.

Link to comment
Share on other sites

Guest gwyneth

until such time you say in writing which scripts are insecure

There's also a chance that this was a phishing attempt, particularly if there was a link to reply to. Worth checking the headers of the email to verify it came from your host, and probably any action should be taken separately from that email--i.e., talking to the host company by phone, or its support chat, etc.

Link to comment
Share on other sites

I would ask your host for proof in the form of the particular script that is running and is doing the spamming. I seriously doubt that CC is the culprit and if it is what kind of security measures does your host have in place to prevent unauthorized access to your account. Obviously if something is running from CC it is nothing that is a part of CC therefore your host is to blame for not providing adequate security.

Link to comment
Share on other sites

I would ask your host for proof in the form of the particular script that is running and is doing the spamming. I seriously doubt that CC is the culprit and if it is what kind of security measures does your host have in place to prevent unauthorized access to your account. Obviously if something is running from CC it is nothing that is a part of CC therefore your host is to blame for not providing adequate security.

Have checked with host and they have said that the emails were generated from a CC script (not the tell a friend one though)

Am waiting for them to send over the file information but as usual they needed an email back from me and by the time they received it they had gone home!

So much for Pipex support.

Link to comment
Share on other sites

Pipex have now come back and said they can't provide files as it is not their responsibility and would take too long to go through the server logs, but it is definitely a php script from the site and no trojans etc have been uploaded.

The only files on the server are the cubecart 3.0.14 ones - so is definitely a problem with the cart.

They say it can be in any of the files that send out mail - such as the order notifier, tell a friend or password reminders etc.

I therefore need a list URGENTLY of all the php files within the system that can be used to send out mail so that they can be checked by a third party.

Any help greatly appreciated - the site owner is going ballistic that his site has been disabled at his busiest time of year.

Link to comment
Share on other sites

  • 2 weeks later...
Guest nightmare

I have an old version running and it did send spam they say today and stopped my domain.... I have to delete all cubecart files and reinstall store if that is possible... any suggestions on what files to leave on server or what not to delete or reenter after reinstall??

Susanne

ah yea... and it was includes/ordersuccess.php sending spam

Link to comment
Share on other sites

This was a possibility in older versions but it has been patched for a long time. It only affected servers with register globals on.

If your version has some code at the top along the lines of:

```php
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
	exit;
}
```

... you are fine. If not.. Add it. :dizzy:

Link to comment
Share on other sites
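An added example, not part of the original posts and not CubeCart code: a Python script for the two checks raised in this thread, listing the PHP files that call mail() and flagging .inc.php files whose top lacks a PHP_SELF guard like the one quoted above. The regexes are heuristics chosen for this example, and the sample tree (file names and contents) is constructed.

```python
import os
import re
import tempfile

# Heuristic (assumption): a guard is any test near the top of the file that
# pairs PHP_SELF with ".inc.php", in either order, as in the quoted snippet.
GUARD_RE = re.compile(r"\.inc\.php.{0,40}PHP_SELF|PHP_SELF.{0,40}\.inc\.php",
                      re.IGNORECASE | re.DOTALL)
# Direct calls to PHP's mail(); wrapper functions and SMTP classes are not detected.
MAIL_RE = re.compile(r"(?<![\w>$])mail\s*\(", re.IGNORECASE)
HEAD_CHARS = 2048  # only the top of each file is inspected for the guard

def audit(root):
    """Return (files_calling_mail, inc_files_without_guard) as sorted relative paths."""
    mailers, unguarded = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if MAIL_RE.search(src):
                mailers.append(rel)
            if name.lower().endswith(".inc.php") and not GUARD_RE.search(src[:HEAD_CHARS]):
                unguarded.append(rel)
    return sorted(mailers), sorted(unguarded)

def build_sample(root):
    """Write a constructed sample tree (not real CubeCart files) under root."""
    guard = ('<?php\nif (eregi(".inc.php",$HTTP_SERVER_VARS[\'PHP_SELF\']) || '
             'eregi(".inc.php",$_SERVER[\'PHP_SELF\'])) { exit; }\n')
    samples = {
        "includes/content/guarded.inc.php": guard + "mail($to, $subject, $body);\n",
        "includes/content/unguarded.inc.php": "<?php\nmail($to, $subject, $body);\n",
        "index.php": "<?php\ninclude 'includes/content/guarded.inc.php';\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Run `audit()` against a local copy of the store's files; a file in the second list is a candidate for adding the guard, not proof that it was the script abused.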

Guest nightmare

I had to delete store cause they made me change mySQL password and nothing worked any more..... I know I should have waited :dizzy:

uploading the latest CC now and installing.... I hope I manage to rescue some of my stuff....

Susanne

Link to comment
Share on other sites
