HELP!!!!!

[nutbags.co.uk]

my website is www.nutbags.co.uk hosted on heart internet servers. about 10 days ago I had a series of emails sent using the 'contact us' link on my site simply giving a weblink for "brazilian hair extensions"!! I deleted/ ignored them. Yesterday a customer called to say he had googled my webname to get my contact details and the site listing came up ok but the description it gave of my site was again,brazilian hair extensions! I emailed heart' support team to see if they could help me get rid of it.They have said my site is compromised and have now disabled it.They now say I must remove all files then re upload a clean version of the whole site before they will let it go live again. I haven't backed up my files since the last web update several months ago.Can I save all my customer order info or will that be lost? I cannot remember which CC version I was on but assume it was the latest as I've always updated when requested

[Dirty Butter]

A few questions for you.... Hopefully the answers would hasten someone knowledgeable in helping you:

Have you made any core edits?

Will you be able to recover any mods you are using?

Have you added any new products/images since you backed up everything?

Was it strictly a database backup or the whole site?

Can you open ini.inc.php via FTP or cPanel? If so, about line 68 will give you your current version number.

Your database info hopefully is OK - But I'm not the one to say that with any surety, however.

[bsmither]

Please follow these instructions:

forums.cubecart.com/topic/50277-critical-security-issue-admin-account-hijack/
forums.cubecart.com/topic/50318-code-snippet-exploit/

 

[havenswift-hosting]

All good questions and would be useful to have answers and I am assuming that Heart Internet dont have backups of your site and arent willing to help (part of the problem with cheaper hosting packages as they are less likely to offer any help and server security is often much less)

It is probable that it is only files that have been affected but inserts into the database are also possible and we have seen quite a few on sites hosted at different companies. You also really need to find out how it was done because if you dont plug the hole then it will simply happen again especially if it is down to poor hosting security

I am around off and on for the rest of the evening and if you want to contact me directly, please send a PM

Ian

[nutbags.co.uk]

thanks for the advice. As far as I am aware the only issue arising from the "hacking" is that when googling my webname instead of the description that I've written for my site within the admin pages,it gave an advert for these hair extensions. As requested by Heart I have downloaded all the public files. I found 2 suspicious entries.The first was a file called wigs and secondly in the index.php there was a link to that file in the header line. I have now deleted both of those entries and now as search for the webname comes up with the hair link gone and it now says about my site using cookies.Any idea how I can point it back to where it should be?

I've been on holiday recently so haven't done much on the website such as new products etc. Any clues how they managed to get in?

thanks

Paul

[bsmither]

We have a good clue about how they managed to get in.

Please make all edits discussed in the links above.