Help! my site keeps getting hacked



Guest EverythingWeb

Upgrade your version to the latest SECURE version: 3.0.15

If it keeps happening, contact your host and tell them.

If they can't help/sort it - move to a more secure host.

Link to comment

OK, I was thinking of an upgrade and now it is in the "must do" list.

Has this happened before to other sites as well? I searched the entire forum but I haven't seen anyone with the same problem.

I never had any problems with my host so far.

Link to comment

Guest devstudent

Judging from the way the response was written to you...

Upgrade your version to the latest SECURE version: 3.0.15

and based on some posts I have read by other people on the .org site it would seem there were some security issues in older versions that have been addressed and apparently fixed. I've seen a few sites running the newest version that have third party security testing seals on their sites and it doesn't look like they have modified the installation much so the newest version must have fixed some problems. Someone else had posted they were unable to get the security tests to pass prior to installing a newer release, though actual versions were not mentioned.

The fact that you never had problems before doesn't really mean anything, no one ever does until a problem pops up. Security professionals will tell you the number one way a web site becomes a victim of an exploit is by not properly managing and updating what they are running on it.

Once a vulnerability to something gets known in the wild then script kiddies will start running bots that automatically just crawl from server to server like the search engines do, but these automated programs are checking your web site for known vulnerabilities they can exploit, new exploits get released to these people daily and regularly. It's an endless cycle of trying to stay on top of it all, but it's also a necessary evil when you decide to save a buck and play your own webmaster that you keep on top of it.

Most people take these attacks personally, it's usually nothing personal about it, you just happened to get scanned randomly and automatically by someone's bot and they targeted your site when they saw a vulnerability available to them. You can get mad, slam your fist, scream and shout, but the problem isn't going away.

It's not your host provider's responsibility to monitor everything everyone they are hosting has installed on their servers either, that's your job as the web master. Some of the best hosts out there have more than 40,000+ customers on their servers, it would be impossible for them to monitor everything everyone has installed and run patches for all of them as needed. The rule usually is, you installed it on your web site, you're responsible for making sure it remains updated and secure.

Here's an insider tip for you though, you'll probably now appreciate the value in it. There are third party security companies that you can use for a fee who will actively monitor newly released vulnerabilities and then scan your server for security leaks you may have.

There are probably several out there, two I know of are...

-http://www.hackerguardian.com/

-http://www.qualys.com/

I use Qualys myself, just because they have a pretty solid reputation, and my own major US bank uses them so I figured if they are good enough for my bank they are good enough for me.

There's an effort in place right now that if you handle online ecommerce transactions at any level you're going to be required to have your web site tested and certified by a third party security firm like one of these, many banks used for credit card processing already do require this if you're going to be using them. You can do a search for the term "PCI" to find out more about this.

If you don't wish to hire a third party like this for now, or can't afford it, then your only other option is the undaunting task of doing all of it yourself, it gets old fast, and it's easy to get lazy about it. Two of the best tools you'll find at your disposal for free if trying to keep up with all of this yourself are the SANS web site and the Security Focus web site.

They both alert you to newly released vulnerabilities and fixes usually for the problems, even workarounds if the vendor with the problem is dragging their feet to get a patch released. You're likely going to find the old version of CubeCart isn't the only vulnerability you have open on your web site right now.

Something else you may find interesting to see for yourself first hand is to open up your log files and find the page not found error list. You'll be able to quickly tell just by looking at this file how often your server gets scanned for vulnerabilities and see what they were looking for on your server and didn't find. Checking this log file will also give you a good gauge to see what the most common applications out there are for security exploits and what you should definitely stay away from ever installing on your web site, for example, "wordpress" and several of the PHP Message Board programs out there get very heavily targeted just because the vendors of these do such a horrible job in their security efforts of building the software in the first place. I think wordpress though has absolutely got to be the one I see in my logs almost constantly from bots checking to see if it's been installed on my servers, and they score very high in new exploits being discovered and released to take advantage of the endless security holes within it.

And if you don't think it's an undaunting task to keep on top of yourself, here's a perfect example for you of what gets released weekly as far as exploits and vulnerabilities. This just happened to come to me in my inbox as I was checking my mail writing the above post. It's too long of a list to paste into a post here so I'm attaching it here instead as a text file.

Some of the exploits noted may be vulnerabilities you're not even aware of that you have running on your web site like the OS server specific exploits, typically your host provider will, or at least should, be taking care of these for you, I wouldn't count on it though.

Also note as well, the rules on all this also get kind of weird when it comes to making sure you have the latest versions of everything installed. Doing so isn't always a good thing. It's not uncommon to update your software to a newer version to fix a single problem, then have 10 more new problems turn up by installing the update and need to roll back to the older version. It's why backups are so important, and where experience comes into play for managing your own web site, there just isn't a one rule fits all situations that you can apply, and not every solution is right for every web site.

List of known vulnerabilities just this week...

security.txt

Link to comment
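
The "page not found" review suggested in the post above can be scripted. This is an added example, not part of the original thread; it assumes the Apache/nginx "combined" log format, and the log lines, addresses and paths in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2011:04:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2011:04:10:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2011:04:10:03 +0000] "GET /phpBB2/viewtopic.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2011:05:22:40 +0000] "GET /images/logo-old.gif HTTP/1.1" 404 209 "http://shop.example/" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2011:05:22:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Nov/2011:06:01:15 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "-"
192.0.2.55 - - [12/Nov/2011:06:01:15 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
garbage line that does not parse
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def not_found_requests(log_text):
    """Yield (client_ip, path) for every request answered with a 404."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "404":
            # Drop the query string so probes for one script group together.
            yield m.group(1), m.group(3).split("?", 1)[0]

def summarize(log_text, min_distinct=2):
    """Count probed paths and flag clients that hit several distinct missing paths."""
    hits = list(not_found_requests(log_text))
    paths = Counter(path for _, path in hits)
    per_client = {}
    for ip, path in hits:
        per_client.setdefault(ip, set()).add(path)
    # One stale link is normal; many different missing paths looks like a scan.
    scanners = {ip: sorted(p) for ip, p in per_client.items() if len(p) >= min_distinct}
    return paths, scanners

if __name__ == "__main__":
    paths, scanners = summarize(SAMPLE_LOG)
    for path, n in paths.most_common():
        print(f"{n:3d}  {path}")
    for ip, probed in scanners.items():
        print(f"{ip} requested {len(probed)} distinct missing paths: {probed}")
```
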

Wow devstudent!

Thanks for taking the time to write the answer.

I read it all twice!

I know upgrading is the best thing and although it took me 3-4 hours to update I did it.

So far so good.

But I have one more question.

If the older version was exploited

how can I be sure that script is still running and exploits the new version as well?

I checked all folders for tmp files or anything unusual or suspicious.

Well, at least I think I did ;)

Link to comment

Guest devstudent

Without knowing the full nature of the exploit and possibly additional vulnerabilities you may have encountered it would be extremely difficult and very lengthy, like we're talking enough pages to fill a book, to fully answer what seems to be a simple question.

Since you did an upgrade and I don't even know what original files might still be in your directories from the old version it would be tough for me to say you could use shell commands to grep or compare files to look for changes. Unless you knew everything to look for as far as odd things in your server logs I'm not sure you'd be completely successful there either.

Your best bet would probably be to take advantage of the free trials the third party security scanners offer and run a free scan on your server, then even if you didn't want to keep the service for future protection, you'd at least have a better degree of confidence things are probably ok for the moment.

-http://www.qualys.com/products/trials/

If you can get everything to pass a security scan now, or at least once you can get everything to pass a security scan if some things fail and you get them fixed, then it would be a good idea to right then and there make a backup of everything and save it somewhere safe. This way, if you have problems in the future you'll have copies of your files to compare to for changes that have been made making a closer inspection of what those changes were and do that much easier.

Link to comment

  • 4 years later...
Guest Tahoemike00

I call bull$hit on the supposed security fix on newer versions CC3. I have 3.0.17 and my index.php keeps getting hacked every few hours. I have to keep uploading/ftp a fresh (unhacked) index.php but I have no idea how to stop it. The most ridiculous thing is that CC 3.0.20 is no longer available for download? How f.u.'d is that?!?!

Note: Of course I am referring to the 3.x.x series. yeah, I know just upgrade to the latest and greatest. But if this stupid index hack is fixable, I / we would not have to upgrade. My site WAS working fine up until this security debacle.

Link to comment

Allow us to ask when it was that you obtained your 3.0.17 package? It is regrettable that for a few months in late 2010 to early 2011, the downloadable CC3 packages (including 3.0.20) were compromised. There are discussions here that detail what you need to look for and replace.

I have been told that Devellion's decision to pull CC3 from the shelves is according to their "business track" (I think I am using the right word). One should see it as similar to not being able to buy Windows XP off the retail shelf anymore. As much as I regret that.

Please see:

http://forums.cubecart.com/index.php?showtopic=43052

Once your site has been infiltrated via this compromise, there may be other files compromised as well. Please compare all your files with a known good backup.

Without any other evidence revealed by your investigations, we can't know for sure if your problems are related to the unfortunate event of the compromised packages.

Please try diligently to get possession of your sites' access logs. By looking at them, you will very likely find the attack vector.

Link to comment

Wow, this topic is over 4 and a half years old.... why resurrect it?

@Tahoemike00, v3 has been discontinued. You will likely start having compatibility issues on your server due to your hosting upgrading PHP to newer releases, now might be a good time to upgrade to at least v4 so your system remains secure and functional. Firefighting v3 now would perhaps be considered futile considering the compatibility issues you might have coming soon.

Link to comment

Guest Tahoemike00

Why resurrect it? Because it just now started (11/2011) happening to my CC3.

Understand V3 will be discontinued. Understand all of your other valid points as well. BUT!! I'm sure there are a lot of people like myself whose installs were running without incident and then BAM! Just wish I could stop the continued hacks until I re-do my store to an upgraded version.

I don't find any of the hacked files that were referenced in the distributed 3.0.20 version in this thread here: http://forums.cubecart.com/index.php?showtopic=43052

So I don't know how my index.php keeps getting injected.

Link to comment