
Redtube hacker virus issue


Guest


Hello fellow Cubecart people,

I have a recurring hacker virus that keeps showing up in my cubecart 4.4.2 installation. The hack manages to do the following...

* Adds two new files into the /js directory, which are slider.php and sound.php

* Modifies the root index.php file to include js/sound.php.

When a user adds an item to his shopping cart, he gets the rambling text payload (which, I assume, increases the redtube overall rating in Google).

I've removed the files, but they've come back shortly thereafter. Any suggestions on the most likely place they're getting access through? Something with too liberal write permissions?

Thanks,

Roy


I've removed the 'hack' files, as no need to include those.

The very first thing you should do upon realising your site has been hacked is contact your hosting company. Have you done this? They may have got in via someone else's account.

Then change ALL your hosting passwords: control panel; FTP; email; CubeCart and anything else you have installed. Make sure you're running the latest release of all software you have installed.... v4.4.2 is the latest release of CubeCart, I am referring to any other software.


I included the files because, from what I could see with their source, they were fairly ordinary (not written in such a way to easily propagate). Also, I was trying to include as much information as possible about the fingerprint of this, so that someone else who might hit on the 'redtube' issue would quickly know where to initially remove the compromised files.

I think someone said that the two PHP files that end up in the /js directory are actually somewhere in the Cubecart hierarchy already? I will need to poke around to see if they're there.

Yes, I did change all the passwords. And, I would assume most ISPs have things in place to keep one user account from making any changes on the other.

So, what I think I was looking for was...

* How to lock down permissions as much as possible in the Cubecart file structure

* Clues on how user/group permissions for the new files might have divulged how they got access (group 'nobody', for instance).

* Any other areas where write permission needs to be enabled, for Cubecart to work, that can still be made safe.

For instance, since the /js directory doesn't normally have PHP files, perhaps something in the .htaccess to tell it not to process .PHP files? Or a cron job that looks for .PHP files in this directory? Or even a checksum of the whole installation, which then sends an email when the checksum changes?

I'm assuming these hacks are done in an automated fashion, hoping to hit a vanilla installation of Cubecart. So any variation that trips up their templated scripts could be a worthwhile defense.

R


One other thing...

I looked in the /cache directory, because of the full write permissions I know this is one place where intrusions might originate. The .htaccess file reads as follows...

Options -MultiViews

ErrorDocument 404 //cache/89651.php

I'm thinking this is not the kosher file that CubeCart would create on default? I am favoring something more traditional, like...

order deny,allow

deny from all

Make sense?

Roy

P.S. Note the suspicious owner on the .htaccess file as well, in the attachment.

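The two asks above, a cron job that hunts for PHP files where none belong and a checksum of the whole installation that alerts on change, plus a check for the kind of .htaccess rewrite found in /cache, can be covered by one small script. The following is an added example for this thread, not CubeCart's own code or anything from the original posts. It assumes POSIX sh with either sha256sum or shasum on the PATH; the directory names in NO_PHP_DIRS follow the thread, and the sample web root it builds is constructed solely for the demonstration.

```shell
#!/bin/sh
# Integrity checker for a web root, written as an added example for this thread
# (not CubeCart's own code). It keeps a SHA-256 manifest of every file, reports
# files that appear, change or vanish, flags PHP files in directories that should
# only hold static content, and flags .htaccess files that route requests to PHP.
# Assumes POSIX sh with sha256sum or shasum; the sample tree below is constructed.

# Directories under the web root that should never contain executable PHP.
NO_PHP_DIRS="js cache images"

# Print "hash  ./path" for one file, using whichever SHA-256 tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Manifest of every regular file under web root $1, sorted by path
# (hidden files such as .htaccess included; paths with spaces are not handled).
build_manifest() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done)
}

# Compare baseline manifest $1 with current manifest $2. Prints one
# ADDED/REMOVED/MODIFIED line per difference; returns 1 if anything differs.
# The baseline must be non-empty for the NR==FNR two-file idiom to work.
compare_manifest() {
    diffs=$(awk 'NR == FNR { base[$2] = $1; next }
                 { cur[$2] = $1 }
                 END {
                     for (p in cur)  if (!(p in base)) print "ADDED " p
                     for (p in base) if (!(p in cur))  print "REMOVED " p
                     for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
                 }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# List PHP files under the static-only directories of web root $1; returns 1 if any.
find_php_in_static() {
    hits=$(cd "$1" && for d in $NO_PHP_DIRS; do
        [ -d "$d" ] && find "./$d" -type f \( -iname '*.php' -o -iname '*.phtml' \)
    done | LC_ALL=C sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Flag lines in .htaccess $1 that hand requests to PHP: an ErrorDocument that
# points at a .php file (the pattern seen in /cache above) or a handler/type
# directive that makes other extensions execute as PHP. Returns 1 if flagged;
# a legitimate PHP error page will also be listed, so review the output.
check_htaccess() {
    flagged=$(grep -inE '^[[:space:]]*(ErrorDocument[[:space:]].*\.php|(Add|Set)Handler.*php|AddType.*php)' "$1" || true)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Run every check on web root $1 against baseline manifest $2; prints findings
# and returns the number of checks that failed (0 means clean).
run_checks() {
    failures=0
    build_manifest "$1" > "$2.now"
    compare_manifest "$2" "$2.now" || failures=$((failures + 1))
    find_php_in_static "$1" || failures=$((failures + 1))
    for h in $(find "$1" -name .htaccess); do
        check_htaccess "$h" || failures=$((failures + 1))
    done
    return $failures
}

# Constructed sample tree mirroring the layout in the thread: a clean state,
# then the tampering the thread describes (new js/sound.php, modified index.php,
# rewritten cache/.htaccess). The PHP bodies are harmless stand-ins.
make_clean_tree() {
    mkdir -p "$1/js" "$1/cache" "$1/images"
    printf '<?php require "ini.inc.php"; ?>\n' > "$1/index.php"
    printf 'function f() {}\n' > "$1/js/app.js"
    printf 'Options -MultiViews\norder deny,allow\ndeny from all\n' > "$1/cache/.htaccess"
}
tamper_tree() {
    printf '<?php echo "unexpected"; ?>\n' > "$1/js/sound.php"
    printf '<?php include "js/sound.php"; require "ini.inc.php"; ?>\n' > "$1/index.php"
    printf 'Options -MultiViews\nErrorDocument 404 //cache/89651.php\n' > "$1/cache/.htaccess"
}

# Demo: baseline the clean tree, apply the tampering, re-check. In production the
# baseline is taken right after a known-good install and run_checks runs from cron.
demo() {
    root=$(mktemp -d)
    make_clean_tree "$root"
    build_manifest "$root" > "$root.baseline"
    tamper_tree "$root"
    run_checks "$root" "$root.baseline" && echo "clean" || echo "$? check(s) failed"
    rm -rf "$root" "$root.baseline" "$root.baseline.now"
}
demo
```

To use it for real, take the baseline with build_manifest immediately after a clean install or restore, keep that manifest outside the web root (anything inside it can be altered by the same intruder), and have cron run run_checks and mail its output whenever the return code is non-zero. The ErrorDocument trick is worth understanding: Apache serves the named PHP file for every 404 in that directory, so a request for any non-existent path under /cache executes the backdoor without the attacker ever fetching it by name. On Apache 2.2 a directory like /js can additionally be fenced with a FilesMatch block for "\.php$" carrying "Order allow,deny" and "Deny from all", which stops a dropped file from being served even before the checker notices it.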
