
Cubecart or webserver hacked?


zanza


Hello, I was running CC 5.2.15 (just upgraded to 5.2.16 today) and recently noticed a problem that I think may be a hack.

 

I noticed the problem when receiving emails from the store after an order confirmation. For example, here is an order email I received (I have edited out identifying information about the customers):

 

NOTE: PLEASE DON'T CLICK ON ANY OF THESE LINKS, SINCE I DON'T KNOW IF THEY ARE SAFE; A HACKER MAY HAVE PUT THEM IN.

 

[store logo image]

xxxxxx just placed order number 150217-134808-9488 on 17 Feb 2015, 13:48.

This order can be managed online by following the link below.

https://hyper-vpn.com/admin.php?_g=orders&action=edit&order_id=150217-134808-9488

Billing address:


Email:
xxxxxx

Shipping address:

Item: order   Quantity: 1   Cost: €30.00
Shipping (Flat_Rate: Air Mail Delivery (1-3 days)): €34.00
Discount: €0.00
Subtotal: €300.00
Order Total: €64.00

Kind regards,

Your Shop  Staff
https://hyper-vpn.com

 

 

 

Notice that my store logo at the top of the message was hyperlinked to "https://hyper-vpn.com".

Also, if you look at the two other links in the message, "This order can be managed online..." and "Kind regards, ...", they are links to https://hyper-vpn.com.

 

Now, "https://hyper-vpn.com" is not our website at all; I have never heard of it either. All previous store emails were normal (giving our real shop URL). So something has edited our system just recently so that the emails being sent out have our store URLs replaced with other URLs I have never heard of. Also, I just heard from a customer today that they received a notification with links to a separate address on a site, "https://www.englandinn.com/index.php?_a=product&product_id=5".

 

 

 

So, something is changing this. Has anyone heard of this before? I am not sure if it is a CubeCart vulnerability or an issue with my web hosting provider. I upgraded to 5.2.16 just now; does anyone think this will solve the problem?

 

Please let me know any input, thanks!


Very strange.

 

Do you know how to read the headers of an email? They are typically not shown, and getting them to show is sometimes tricky - depending what you use to read emails. We would like to see what clues may be in them. You may have to make a fake purchase to get emails sent to you as a customer.

 

We assume you have checked the admin, Store Settings, Advanced tab.

 

Does this order, 150217-134808-9488, actually exist? Do you typically ship Air Mail?

 

Also, please look for this file, /includes/global.inc.php, and see if there is any mention of these URLs.


 

Thanks for the reply back :)

Here is what I found out so far.

The two sites that were being linked from the store PHP mail (on two separate occasions, hyper-vpn.com and englandinn.com, which I found in my store emails) are both on the same shared server IP address as mine. So it appears whatever hack this is (or server error?) is someone infiltrating the server and either using these other sites as drones, or the owner of the other sites is behind it. So, just so everyone knows, I have no reason to think CubeCart was hacked at all; everything is pointing to a server-side infiltration so far, nothing to do with CubeCart!

 

I made a fake test account today (after installing 5.2.16), and I did not notice any problems anymore (I am not sure if the upgrade has "fixed" the issue, or whether it is unrelated and may still occur and I just did not notice it this time).

 

I updated my admin password to a very secure 16-character hex password.

 

I checked the /includes/global.inc.php and there is no reference to any other site or anything.

 

So as of now, it looks like my webhost's server was compromised; I am not sure what angle of attack is going on so far. I assume they have access to my database (since if they have my files, the database password is listed in a file). However, I checked my admin and the payment modules haven't been altered. I was thinking they might try to replace the PayPal receiving address with theirs to steal customers' money, but this hasn't been done.

 

So it seems that, with access to the database, they would have to be pretty intimately familiar with CubeCart to actually be able to exploit this. I do not think they ever had access to my admin panel, since there are no logs of access other than me (by IP address), so unless they deleted the admin access logs they probably never got in (which is lucky, since I think I foolishly had the same admin password as my database; yes, I know this is very stupid!).

 

So as of now, it seems like a general stupid clone/hack of my ISP on my account; they weren't able to do any damage, since that would require skilled knowledge of CubeCart, which I assume they don't have. For them to actually go in and manually edit the CubeCart database to swap a PayPal address seems like it would be pretty difficult, and because PayPal offers fairly good security protection, they probably would not have been able to get away with anything.

 

It still remains to be seen how they redirected people.

 

I can access the email headers; what should I be looking for exactly? I compared a good email header to a spoofed one, and there doesn't seem to be anything of note.


The headers would give a Received: sequence. As the email goes from server to server, each receiving server prepends a Received: statement naming the machine it came from and the machine that received it.

 

So, the bottom-most Received should mention the server and/or account where the email originated.

 

Also, the Message-ID should let your hosting provider determine who/what constructed the email.

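An added example (not part of the original posts) of reading the Received: chain the way the reply above describes. The message below is constructed for illustration: hostnames, IP addresses, queue IDs and the Unix user ID are made up. It models a shop email submitted locally on a shared host, relayed through the provider's MX and delivered to the shop owner's mailbox.

```python
import email
import re

# Constructed sample headers modelled on the thread's scenario; not a real
# captured message. Continuation lines start with a tab, as folded headers do.
RAW_MAIL = """\
Received: from mx.example-host.net (mx.example-host.net [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTPS id 4AbC
\tfor <owner@myshop.example>; Tue, 17 Feb 2015 13:48:10 +0000
Received: from shared42.example-host.net (shared42.example-host.net [203.0.113.42])
\tby mx.example-host.net (Postfix) with ESMTP id 9XyZ;
\tTue, 17 Feb 2015 13:48:09 +0000
Received: by shared42.example-host.net (Postfix, from userid 10023)
\tid 7QrS; Tue, 17 Feb 2015 13:48:08 +0000
Message-ID: <20150217134808.7QrS@shared42.example-host.net>
From: Your Shop <noreply@myshop.example>
To: owner@myshop.example
Subject: Order 150217-134808-9488 received

body omitted
"""

FROM_RE = re.compile(r'^from\s+(\S+)')             # relaying host, as it announced itself
BY_RE = re.compile(r'\bby\s+(\S+)')                # host that stamped this line
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')  # address the stamping host saw
UID_RE = re.compile(r'from userid (\d+)')          # local submission (Postfix/sendmail style)


def received_chain(raw):
    """Parse every Received: header, in message order (newest hop first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all('Received', []):
        line = ' '.join(value.split())      # unfold continuation lines
        frm, by, ip, uid = (FROM_RE.search(line), BY_RE.search(line),
                            IP_RE.search(line), UID_RE.search(line))
        hops.append({
            'from': frm.group(1) if frm else None,
            'by': by.group(1) if by else None,
            'ip': ip.group(1) if ip else None,
            'userid': int(uid.group(1)) if uid else None,
        })
    return hops


def origin(raw):
    """Bottom-most Received: line, i.e. the earliest hop: where the mail entered the system."""
    hops = received_chain(raw)
    return hops[-1] if hops else None


def trusted_origin(raw, trusted_suffix):
    """Walk from the top (newest) and stop at the first line not stamped 'by' one of
    your own hosts. Everything below that point arrived inside the message and
    could have been forged by the sender, so the last trusted hop's 'from' and
    'ip' are as far back as you can vouch for yourself."""
    last = None
    for hop in received_chain(raw):
        if not (hop['by'] or '').endswith(trusted_suffix):
            break
        last = hop
    return last


def message_id(raw):
    """The Message-ID, which carries the submitting host and queue id for the provider."""
    return email.message_from_string(raw).get('Message-ID')


if __name__ == '__main__':
    for hop in received_chain(RAW_MAIL):
        print(hop)
    print('origin:', origin(RAW_MAIL))
    print('trusted origin:', trusted_origin(RAW_MAIL, '.recipient.example'))
    print('message-id:', message_id(RAW_MAIL))
```

In the sample, the bottom line says the mail was submitted locally on shared42 by Unix user 10023, with no "from" host at all; only the hosting provider can map that user ID and the queue id in the Message-ID to an account, which is what to hand them. Treat the lower lines as evidence, not proof: a sender can write fake Received: lines into a message, so `trusted_origin()` stops at the first line that was not stamped by a server you control.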

Thanks again. Yeah, as I suspected, both Received: header sequences trace back to my own shared web server, so it does appear the "hacking" is localized to other hosts on my shared server.

 

Thanks for the tip about the Message-ID. I forwarded a spoofed message's ID to my host so they can investigate further. Right now it appears the other websites are being used as zombies/drones, however I am not sure to what end. The end game is probably to change the payment/PayPal information so they receive the payments and our website is left out. Thankfully we don't have that many customers yet, so no payment has been intercepted (actually they didn't even get as far as changing the payment info; I am just speculating).

 

Edit: now I want to change my database password, since I believe these people can access my database.

If I change my SQL database password, is "includes/global.inc.php" the only file I have to update with the correct info?

 

Thanks, this has turned into a kind of amusing situation, as no harm seems to have been done so far.


"Is the /includes/global.inc.php the only file I have to update with the correct info?"

 

Correct. But let's review how you suspect they have access to your database now. Do you think they managed to find the password, or are they accessing it through some other means?

 

If they found the password, what can we do to make it so that they can't find it again?

 

And if by other means, how would changing the password fix that?


Thanks for taking the time to post your findings. CubeCart automatically detects the store URL and other paths. It may just be that the server is reporting them incorrectly. I say this because you mention the domains are relevant to the server in some way.

You can forcefully specify the paths by adding two lines to your includes/global.inc.php file...

$glob['rootRel'] = '/store/';
$glob['storeURL'] = 'http://www.example.com/store';
Replace the values above with your actual values and all should be OK.
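An added example, not from the original post or from CubeCart itself, of why pinning those two $glob values matters and how to check a global.inc.php for them. The file contents and hostnames are constructed for illustration, and the unpinned fallback in `store_url()` is a simplified model of URL auto-detection from the web server's request environment, not CubeCart's own detection code.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a CubeCart 5 includes/global.inc.php with the two lines
# from the post added. Values are made up; a real file also holds the database
# credentials, which is why it must never be readable by other accounts.
GLOBAL_INC = """<?php
$glob['dbhost'] = 'localhost';
$glob['dbdatabase'] = 'store_db';
$glob['rootRel'] = '/store/';
$glob['storeURL'] = 'http://www.example.com/store';
"""

GLOB_RE = re.compile(r"""\$glob\[\s*['"](\w+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]\s*;""")
URL_HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')


def parse_glob(text):
    """Collect the $glob['key'] = 'value'; assignments from a global.inc.php."""
    return dict(GLOB_RE.findall(text))


def store_url(glob, env):
    """A pinned storeURL wins. Without one, the URL is built from the request
    environment (HTTP_HOST / SCRIPT_NAME / HTTPS), which is what makes
    auto-detection fragile on a shared server: those values reflect whichever
    virtual host Apache matched, not necessarily your shop. This fallback is a
    simplified model for illustration, not CubeCart's detection code."""
    pinned = glob.get('storeURL')
    if pinned:
        return pinned.rstrip('/')
    scheme = 'https' if env.get('HTTPS', '').lower() == 'on' else 'http'
    root = env.get('SCRIPT_NAME', '/').rsplit('/', 1)[0]
    return f"{scheme}://{env['HTTP_HOST']}{root}"


def foreign_hosts(text, expected_host):
    """Hostnames in any URL in the file other than your own: the 'see if there is
    any mention of these URLs' check suggested earlier in the thread."""
    return sorted({h for h in URL_HOST_RE.findall(text) if h != expected_host})


def audit_glob(text, expected_host):
    """Return the problems an operator would want flagged after an incident like this."""
    glob = parse_glob(text)
    problems = []
    url = glob.get('storeURL')
    if not url:
        problems.append('storeURL is not pinned')
    elif urlsplit(url).hostname != expected_host:
        problems.append(f'storeURL points at {urlsplit(url).hostname}, not {expected_host}')
    if not glob.get('rootRel'):
        problems.append('rootRel is not pinned')
    for host in foreign_hosts(text, expected_host):
        problems.append(f'foreign host mentioned: {host}')
    return problems


if __name__ == '__main__':
    # A request as Apache might present it when the wrong vhost answers on a shared IP.
    env = {'HTTP_HOST': 'hyper-vpn.com', 'SCRIPT_NAME': '/store/admin.php'}
    print('unpinned:', store_url({}, env))
    print('pinned:  ', store_url(parse_glob(GLOBAL_INC), env))
    print('audit:   ', audit_glob(GLOBAL_INC, 'www.example.com'))
```

Run `audit_glob()` against the real file after any upgrade or restore, since an upgrade that overwrites global.inc.php would silently drop the pinned values and put the store back on auto-detection.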

Hi

It would be interesting to know what conclusions your hosting company comes back with (it would be good to know who they are), although to be honest none of the possibilities would give me much confidence in their ability to look after the server and your hosting!

The server incorrectly reporting the domain could be due to corruption (either from a server-level hack or another cause) of the Apache configuration files, or it could be due to a wider server-level hack affecting most/all accounts on the server. If your hosting company is not running suPHP or suExec, then a single compromised/hacked account can lead to any/all accounts being vulnerable. This is even more important when you look at some of the recent large-scale vulnerabilities, such as the so-called WordPress "SoakSoak" vulnerability, which has led to hundreds of thousands of websites being hacked and, where the server isn't secure, the ability to hack other websites or server resources through privilege escalation.

If the problem is caused by your website being hacked, then upgrading CubeCart would temporarily remove the issue, as the files would be overwritten, but if they have your database password then it is likely they also have access to your hosting control panel (this is common with SoakSoak, for example) and your problems will come back.

I would need more information to say with more certainty, and if you don't want to add this publicly, then by all means PM me.

Ian


I forwarded all the info to my hosting provider, and they are looking into it now.


Now that you mention this, I think Occam's razor may actually be in play here. So at this point I am leaning much more towards some sort of server configuration error rather than a malicious hack.

 

I will make the changes to the $glob[] info, and I would be pretty sure this is responsible for the weird things happening.

 

Also, one point I forgot which may be what is causing some of these issues: several months ago I installed an SSL cert on my shared hosting server (yes, it's possible but a little tricky). I realized it was probably more trouble than it was worth, so I let it expire a few months ago. So I would also suspect that somehow this shared SSL cert is causing some havoc with my webhost.

 

Anyway, at this point I am just leaving it at some improper webhost configuration (possibly related to the previous shared SSL cert). If I find anything else interesting in the next few days I will certainly post here and give everyone the updates :)

 

I really do appreciate all the help and interest shown here; thanks a bunch to everyone who replied and showed interest or helped!


Installing an SSL certificate on a shared hosting server is extremely easy and something we do for all our CubeCart e-commerce hosting clients, and they are certainly not more trouble than they are worth. In my opinion, EVERY single CubeCart customer should be using an SSL certificate on their store.

However an SSL certificate is configured, or even misconfigured (if that is even possible at a server level, which I don't believe it is!), it certainly wouldn't be causing this issue; only a major problem within the Apache httpd config file could possibly cause this.

Ian
