
Archived

This topic is now archived and is closed to further replies.

Leo Clark

jslibrary.js hacked - avast detected


While that is very troubling indeed it does not seem to be entirely related to the hacks. I have another site that was running 3.0.18 that was hacked several times before it was upgraded to 3.0.20. It did not have the base64 injection hack in those files.

I downloaded 3.0.20 on Sept 6, 2010 and it has the corrupted files in it.


Any release older than 3.0.20 had known security holes and needed to be upgraded. These had been patched.

Guest karr1981

For now the only recommendation we can have is to delete the T.php file if it exists. There are no other known security holes.

Our helpdesk software that stores the v3.0.20 files has been updated recently so we expect any exploits have been patched. We know that all server software is up to date and configured to McAfee's recommendations so we can't do any more than that.

I'm really very sorry you have experienced this issue.

Hi, we also found the t.php file so have deleted and have fingers crossed.

Cheers.


I am very put off by the lack of consideration the so called experts gave to this issue. Not very professional in my opinion. I have come to expect better from this group.

Ian, Please reread the post I made and then a few of your own and tell me I was wrong in any way. I know 99.9999% of the users are unpaid. We all know that. Cubecart is the one place anyone can go and ask for help and the 'cool kids' don't beat you up for it. At least it used to be....

Not sure how else anyone is supposed to read your post! I think my comments about it still stand. The "experts" on here spend a lot of time trying to help answer questions - I know that many experienced users and commercial providers who used to answer questions on here, no longer do for this exact reason. Community forums like this are great and really help promote what is a great product but some people abuse this and expect to get help for nothing and then make comments like this.

Now, there has been a CubeCart problem that has caused some and maybe most of the problems reported in this thread. I know that Al is gutted by this - however, CubeCart is considerably more secure than many applications available. Believe me, I have seen plenty free and paid applications that clients have installed that have little or no thought for security and when a problem is discovered, the authors take days / weeks / months to fix.

However, what I have been saying still holds true:

1) For this type of problem - your hosting company should be your first port of call. They should have the skills and inclination to help you diagnose the problem. Most of these types of problems can either be prevented in the first place or in the odd case like this where it is introduced as part of an application, should be easily found.

2) This problem can and has been caused by several different factors - as I said earlier, I have direct knowledge of two sites just today that have experienced exactly the same type of problem and neither of them are CubeCart sites.

Ian

Guest valtam

I also had the T.php, now deleted. Great work to all who found the nasties, thank you to all. Good luck Al.

Interested to hear how they got access to your server, brute force attack? Disgruntled ex-employee? Whoever it was, you are a low life whom it is highly likely hates themselves so much, that they must unleash their anger on innocent web users, pretty sad.


3.0.20 will be added back to our downloads system again later today. A number of pieces of bad code have been put into the archive. I will strip them out and upload the archive again later today. I will give it an MD5 signature and build a tool to allow you to verify its signature after download. This way you can be sure it hasn't been tampered with.


Ok the 3.0.20 package has been added back to the support helpdesk for download with an MD5 hash of "66cd8cf7653b7cb7dcee9eac0fca2400". Please use this to verify the package before use in the future.

A report will be posted to this forum shortly..

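The MD5 check asked for in the post above, combined with a scan for the two indicators named earlier in the thread (a stray t.php and base64-style injected code), as an added example that is not part of the original posts or CubeCart's own tooling. Only the MD5 value comes from the thread; the injection pattern, function names and directory layout are assumptions.

```python
import hashlib
import hmac
import os
import re

# MD5 value published in the post above for the re-uploaded 3.0.20 package.
PUBLISHED_MD5 = "66cd8cf7653b7cb7dcee9eac0fca2400"

# Assumption: the thread only says "base64 injection"; this pattern for
# eval() wrapped around a decoder call is an illustrative guess, not the
# actual injected code.
INJECTION_RE = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|unescape|atob)\s*\(", re.I)


def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so a large archive need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def archive_matches(path, expected_md5=PUBLISHED_MD5):
    """True only if the archive's MD5 equals the published value."""
    expected = expected_md5.strip().lower()
    return hmac.compare_digest(file_digest(path), expected)


def scan_tree(root):
    """Return sorted (path, reason) findings for the thread's indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "t.php":  # reported as both T.php and t.php
                findings.append((full, "unexpected t.php"))
            if lower.endswith((".php", ".js")):
                with open(full, "rb") as fh:
                    if INJECTION_RE.search(fh.read()):
                        findings.append((full, "eval of encoded string"))
    return sorted(findings)
```

A matching MD5 only shows the download equals what was uploaded, so `scan_tree` is worth running on the unpacked files and on the live store as well. Findings are leads for manual review, not proof of compromise.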

A full report has been posted and pinned here:

http://forums.cubecart.com/index.php?showtopic=43052

Guest BeachApe

The "experts" on here spend a lot of time trying to help answer questions - I know that many experienced users and commercial providers who used to answer questions on here, no longer do for this exact reason. Community forums like this are great and really help promote what is a great product but some people abuse this and expect to get help for nothing and then make comments like this.

I don't understand why you are taking the stance on being abused - it's not Al that's being complained about. They're just afraid to name you outside of Al. Just as you consider accusations against CC's security without proof is unwarranted, a post to users indicating it's them or their host's fault is no help at all and is actually the same and original insultive abuse that provides no help at all.

So glad I bypassed the time and cost of changing hosts as a possible cure, and knew enough to take the site down to wait and see what develops. Thank the cybergods for guys like Al - he kept asking questions, told us about tangible things to look for, never blaming and found the real gremlin.

To turnover the latter quoted sentence:

Community forums like this are great and really help promote what is a great product but some people abuse this to objurgate users as if it's a proven method of troubleshooting, then become indignant when it's not appreciated. The "users" on such forums spend a lot of time trying to understand answers to questions, try the suggested remedies - but I have seen many experienced users and commercial providers who used to find forums useful, but no longer do because the so-called help is only to be disparaged.

I look forward to the fixed version of CC v3 as part of my evaluation towards paid services. Al, thanks for the restoration of confidence.

Guest Shipz

Just thought I'd say thanks to everyone who has taken time out to resolve the issues that have arisen over the last few days.

Without you guys I wouldn't have a clue where to start.

Let's hope that's the last of it.

One last question. How come it wasn't until recently that the sites started getting hacked, if the code has been there since I placed it on the host back in November 2010 then why not start causing problems then?


"How come it wasn't until recently that the sites started getting hacked?"

I suppose it's better to maximize returns with massive, multi-pronged espionage. Get all your sleeper cells in place (or bugs installed), activate it all at once, then get all that you can before you are discovered. (There are strategies to appreciate with irregularly timed guerrilla attacks, too.)

Guest valtam

Whilst on the subject of security, has this recent exploit been patched? http://www.exploit-db.com/exploits/15765/


It's not recent, per se. This particular abuse of an improperly cleansed installation of the FCKeditor (according to my extensive research and personal experiments from last week) will afflict and has afflicted numerous applications. The FCKeditor included with CC3 has been properly cleansed of all sample, test, and other unnecessary files since at least 3.0.15 (according to my investigation of the versions I have downloaded).

In addition, key files in the FCKeditor code have been enhanced to conform to CC3 security protocols.

Guest valtam

Ok, I have installed this new CC3 3.0.20, when I try to edit a product, I get a number of message boxes pop up and say:

blockc.png

divh.png

flashs.png

pagebrk.png

temm.png

Anyone else getting this on this release? At first I thought it was FCKeditor, so I upgraded to the latest FCKeditor and the same occurs.

The editor works fine on the General Settings page, but not in the Products sections.

Guest BeachApe

Ok, I have installed this new CC3 3.0.20, when I try to edit a product, I get a number of message boxes pop up and say:

blockc.png

Anyone else getting this on this release? At first I thought it was FCKeditor, so I upgraded to the latest FCKeditor and the same occurs.

The editor works fine on the General Settings page, but not in the Products sections.

Looks like you're actually attempting an "Add" product, not "Edit" product. I don't have what you're showing here, and I don't know if this matters, while we were trying to solve the hack on this thread, Al released some FCKEditor files (where it looks like you're having your problem). Maybe walk back through to find his link and try installing the new files?


what a nightmare! i also had the t.php and had to follow all of AL's steps to clear the infected files.

now i have to deal with google, avast and stopbadware blocking my website. hope it all cools down now.

all the best to everyone and thanks for the effort!

Guest Zomnut

what a nightmare! i also had the t.php and had to follow all of AL's steps to clear the infected files.

now i have to deal with google, avast and stopbadware blocking my website. hope it all cools down now.

all the best to everyone and thanks for the effort!

If it's any consolation, Google cleared my store the same day I asked for it to be reviewed. Hopefully the other two have similar turnover (how much time does a web-crawler really need anyway?)

Guest valtam

Looks like you're actually attempting an "Add" product, not "Edit" product. I don't have what you're showing here, and I don't know if this matters, while we were trying to solve the hack on this thread, Al released some FCKEditor files (where it looks like you're having your problem). Maybe walk back through to find his link and try installing the new files?

Yeah my bad, was a typo, supposed to be Add product, either way it happens on both. I did think to start a new thread, but because there was a chance the 3.0.20 files had been altered (accidentally) prior to being re-upped, I wanted to see if other people who had downloaded the new 3.0.20 had a similar problem, that's what I'm looking for here.


what a nightmare! i also had the t.php and had to follow all of AL's steps to clear the infected files.

now i have to deal with google, avast and stopbadware blocking my website. hope it all cools down now.

all the best to everyone and thanks for the effort!

If it's any consolation, Google cleared my store the same day I asked for it to be reviewed. Hopefully the other two have similar turnover (how much time does a web-crawler really need anyway?)

all is good now.

i hope it stays this way

:)

cheers!
