I was hacked after all! Advice required

[fettlebox]

Looks like I was hacked.  I have a parasite shopinside my store.

http://fettlebox.co.uk/images/images/jiaju57.php?/

What should I do?  Clear out & reinstall?

 

[Dirty Butter]

Until Bsmither or Havenswift comes along, read through this and see if any of it helps you:

 

[fettlebox]

Thanks.  I had to recover my password last week.  I also upgraded to latest version on Saturday.

[havenswift-hosting]

8 minutes ago, fettlebox said:

Thanks.  I had to recover my password last week.  I also upgraded to latest version on Saturday.

When you couldn't login, what else did you check / find out ?

[fettlebox]

Nothing.  I put it down to my me but couldn't figure out how. 

 

I have a similar scenario to the link post - from the logs

 

 

I have no added hooks but these snippets.  Not an area of the site I've been in before.  Got the google one as posted in the linked post.  Do I delete these?  There are in includes/extra but the 2 smaller ones seems to have been created after I beefed up the password & upgraded.  Part of the new CC?

I have found the parasites php files but can't figure out where it's inmages are stored.

/images/images/jiaju57.php?/imagegen.ashx?class=default&width=960&image=/media/264643/woman-drinking-coffee-in-bed-1920x800.png

 

[havenswift-hosting]

The IP and actions are 100% suspect !  The IP address is a TOR exit node - a well known way of hiding the actual IP address of the hacker and all three snippets are suspect.  I haven't decoded the "Google" snippet but my guess would be that it facilitates further access.  All three snippets need to be deleted from within CubeCart and the includes/extra directory but I believe that due to the extra time that has passed, they were able to add extra back doors into your site and you will need to look very closely at your whole site structure.

Ian

[fettlebox]

I changed the password the same day I was hacked - on Friday.  The password is auto-generated & random.  There is no further access logged outside of my own IP.  

The only back doors I have any knowledge of are on houses!  How much does it cost to have the structure checked?  If this is possible please PM me!

 

Thanks

 

 

[Dirty Butter]

Is your install stock? If so, you could use file difference software and compare a download of your site against the stock code. I use BeyondCompare to do that, as I have heavily edited code. It's pretty straight forward IF your site is stock. It will run a compare and quickly show you which files are different.

As for paying, you could pay CC to do it.

https://www.cubecart.com/technical-support

[havenswift-hosting]

5 minutes ago, Dirty Butter said:

Is your install stock? If so, you could use file difference software and compare a download of your site against the stock code. I use BeyondCompare to do that, as I have heavily edited code. It's pretty straight forward IF your site is stock. It will run a compare and quickly show you which files are different.

It will certainly show stock files that are different or altered and will also help to highlight files in stock directories that are not in the standard distribution but it is certainly not foolproof once hacked.  His site had a large number of files uploaded all over the directory structure, many hidden in obscure directories that you wouldnt compare this way - such as in the image sub-directories and cache etc

Ian

[Dirty Butter]

Quote

many hidden in obscure directories that you wouldn't compare this way - such as in the image sub-directories and cache etc

That makes sense - those files would not be in stock even in a good install, so no way to compare. Sounds like your best course of action is to pay to have it fixed. Sorry.

[havenswift-hosting]

It isnt a bad idea at all and can certainly pick up files changed or added to most stock directories - it is a method often used alongside other methods

[bsmither]

"There is no further access logged."

An access via backdoor would not be shown in CubeCart's access logs. It would be shown in the web server's logs (Cpanel).

[fettlebox]

Thanks everyone!  Hopefully sorted now.  Always busy but will find time to keep up with the upgrades going forward.

[Al Brookbanks]

I created a guide which along with this thread may help others:

 

[fettlebox]

Google results for my store are saying 'This site may be hacked'.   I've non of the indicators above from the time it was hacked.  Any ideas please?

[bsmither]

Click the link for "This site may be hacked." Please follow the instructions for "Remove this message from your site." During these steps you may be able to learn more why Google did this.

[fettlebox]

Google reports 2 php files in my root directory.  I can't see them via ftp.  I I follow & render them from within the google tool They come up with my sites 404 page not found.

One appears to be porn related.  Is this a false positive maybe?

[bsmither]

I have seen reports of /default#.php where # is a number, but this is widespread. So much so, that I think Google is finding these links elsewhere (as opposed to links on your site that point to this URL of your site), and when Google tries them, Google gets a 404 reponse with a web page that needs a page resource that ends in .php.

This is what I think, and may be completely off-base.

Anyway, do Google's "What can I do about it?" help topic.

[Al Brookbanks]

I'd recommend this https://forums.cubecart.com/topic/51310-how-to-clean-up-a-hacked-cubecart-store/

[fettlebox]

Thanks - I'm actually in process of downloading the site for comparison with Beyond Compare.

 

My hosting think it's a false positive.