fettlebox Posted May 16, 2016 Looks like I was hacked. I have a parasite shop inside my store. http://fettlebox.co.uk/images/images/jiaju57.php?/ What should I do? Clear out & reinstall?
Dirty Butter Posted May 16, 2016 Until Bsmither or Havenswift comes along, read through this and see if any of it helps you:
fettlebox Posted May 16, 2016 (Author) Thanks. I had to recover my password last week. I also upgraded to the latest version on Saturday.
havenswift-hosting Posted May 16, 2016 8 minutes ago, fettlebox said: Thanks. I had to recover my password last week. I also upgraded to the latest version on Saturday. When you couldn't log in, what else did you check / find out?
fettlebox Posted May 16, 2016 (Author) Nothing. I put it down to me but couldn't figure out how. I have a similar scenario to the linked post - from the logs I have no added hooks but these snippets. Not an area of the site I've been in before. Got the Google one as posted in the linked post. Do I delete these? They are in includes/extra but the 2 smaller ones seem to have been created after I beefed up the password & upgraded. Part of the new CC? I have found the parasite's php files but can't figure out where its images are stored. /images/images/jiaju57.php?/imagegen.ashx?class=default&width=960&image=/media/264643/woman-drinking-coffee-in-bed-1920x800.png
havenswift-hosting Posted May 16, 2016 The IP and actions are 100% suspect! The IP address is a TOR exit node - a well known way of hiding the actual IP address of the hacker - and all three snippets are suspect. I haven't decoded the "Google" snippet but my guess would be that it facilitates further access. All three snippets need to be deleted from within CubeCart and the includes/extra directory, but I believe that due to the extra time that has passed, they were able to add extra back doors into your site and you will need to look very closely at your whole site structure. Ian
fettlebox Posted May 16, 2016 (Author) I changed the password the same day I was hacked - on Friday. The password is auto-generated & random. There is no further access logged outside of my own IP. The only back doors I have any knowledge of are on houses! How much does it cost to have the structure checked? If this is possible please PM me! Thanks
Dirty Butter Posted May 16, 2016 Is your install stock? If so, you could use file difference software and compare a download of your site against the stock code. I use BeyondCompare to do that, as I have heavily edited code. It's pretty straightforward IF your site is stock. It will run a compare and quickly show you which files are different. As for paying, you could pay CC to do it. https://www.cubecart.com/technical-support
havenswift-hosting Posted May 16, 2016 5 minutes ago, Dirty Butter said: Is your install stock? If so, you could use file difference software and compare a download of your site against the stock code. I use BeyondCompare to do that, as I have heavily edited code. It's pretty straightforward IF your site is stock. It will run a compare and quickly show you which files are different. It will certainly show stock files that are different or altered and will also help to highlight files in stock directories that are not in the standard distribution, but it is certainly not foolproof once hacked. His site had a large number of files uploaded all over the directory structure, many hidden in obscure directories that you wouldn't compare this way - such as in the image sub-directories and cache etc. Ian
Dirty Butter Posted May 16, 2016 Quote: many hidden in obscure directories that you wouldn't compare this way - such as in the image sub-directories and cache etc. That makes sense - those files would not be in stock even in a good install, so no way to compare. Sounds like your best course of action is to pay to have it fixed. Sorry.
havenswift-hosting Posted May 16, 2016 It isn't a bad idea at all and can certainly pick up files changed or added to most stock directories - it is a method often used alongside other methods.
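The stock-versus-download comparison discussed in the posts above, written out as an added example (not code from CubeCart or from anyone in this thread). It hashes every file in both trees, reports modified, missing and extra files, and goes one step beyond a plain diff by flagging extra script files that sit under directories that should only hold static assets (images/, cache/), which is exactly where a diff against stock has nothing to compare against. The directory names, extensions and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: script extensions have no business appearing as "extra" files
# under directories that should hold only static assets.
SUSPECT_EXT = {".php", ".phtml", ".php5", ".phar"}
STATIC_DIRS = {"images", "cache"}


def tree_hashes(root: Path) -> dict:
    """Map each file path (relative, '/'-separated) under root to its SHA-256."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare_trees(stock: Path, site: Path) -> dict:
    """Diff a site download against the stock distribution by content hash."""
    s, t = tree_hashes(stock), tree_hashes(site)
    extra = sorted(p for p in t if p not in s)  # in site but not in stock
    return {
        "modified": sorted(p for p in s if p in t and s[p] != t[p]),
        "missing": sorted(p for p in s if p not in t),
        "extra": extra,
        # Extra script files under static-only dirs: the spots a stock diff can't judge.
        "suspicious": [p for p in extra
                       if Path(p).suffix.lower() in SUSPECT_EXT
                       and p.split("/")[0] in STATIC_DIRS],
    }


def demo_report() -> dict:
    """Constructed sample trees (not a real store) showing what the report looks like."""
    base = Path(tempfile.mkdtemp())
    files = {
        "stock/index.php": b"<?php // stock file\n",
        "stock/includes/functions.php": b"<?php // stock file\n",
        "stock/images/logo.png": b"constructed image bytes",
        "site/index.php": b"<?php // stock file\n",
        "site/includes/functions.php": b"<?php // stock file, altered\n",
        "site/images/logo.png": b"constructed image bytes",
        "site/images/images/unknown.php": b"<?php // not in stock\n",
        "site/includes/extra/added.php": b"<?php // not in stock\n",
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return compare_trees(base / "stock", base / "site")


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(kind, paths)
```

Run it against a local download of the live site and an unpacked copy of the same CubeCart release; every entry in "extra" and "modified" then needs a human look, not just the "suspicious" ones.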
bsmither Posted May 16, 2016 "There is no further access logged." An access via backdoor would not be shown in CubeCart's access logs. It would be shown in the web server's logs (cPanel).
fettlebox Posted May 16, 2016 (Author) Thanks everyone! Hopefully sorted now. Always busy but will find time to keep up with the upgrades going forward.
Al Brookbanks Posted May 17, 2016 I created a guide which along with this thread may help others:
fettlebox Posted September 17, 2016 (Author) Google results for my store are saying 'This site may be hacked'. I have none of the indicators above from the time it was hacked. Any ideas please?
bsmither Posted September 17, 2016 Click the link for "This site may be hacked." Please follow the instructions for "Remove this message from your site." During these steps you may be able to learn more about why Google did this.
fettlebox Posted September 17, 2016 (Author) Google reports 2 php files in my root directory. I can't see them via ftp. If I follow & render them from within the Google tool they come up with my site's 404 page not found. One appears to be porn related. Is this a false positive maybe?
bsmither Posted September 17, 2016 I have seen reports of /default#.php where # is a number, but this is widespread. So much so, that I think Google is finding these links elsewhere (as opposed to links on your site that point to this URL of your site), and when Google tries them, Google gets a 404 response with a web page that needs a page resource that ends in .php. This is what I think, and may be completely off-base. Anyway, do Google's "What can I do about it?" help topic.
Al Brookbanks Posted September 18, 2016 I'd recommend this: https://forums.cubecart.com/topic/51310-how-to-clean-up-a-hacked-cubecart-store/
fettlebox Posted September 18, 2016 (Author) Thanks - I'm actually in the process of downloading the site for comparison with Beyond Compare. My hosting thinks it's a false positive.