Site getting hacked every week

Hi,

My site is getting hacked almost every week.

The PC has been scanned, no problems.

The password has been reset.

What else can I do to prevent the site being hacked every time?

Files being hacked:


```
./images/thumbnails/1461/120
./images/thumbnails/1461/120/info.php
./images/thumbnails/6622
./images/thumbnails/6622/library.php
./images/thumbnails/3862
./images/thumbnails/3862/counter.php
./images/thumbnails/5391/120
./images/thumbnails/5391/120/lastsystem.php
./images/thumbnails/1322/40
./images/thumbnails/1322/40/counter.php
./images/thumbnails/22/40
./images/thumbnails/22/40/lan.php
./images/thumbnails/5294/80
./images/thumbnails/5294/80/t.php
./images/thumbnails/158/120
./images/thumbnails/158/120/library.php
./images/thumbnails/4044/50
./images/thumbnails/4044/50/library.php
./images/thumbnails/5041/80
./images/thumbnails/5041/80/news.php
./images/thumbnails/486
./images/thumbnails/486/lastsystem.php
./images/thumbnails/934/120
./images/thumbnails/934/120/state.php
./images/thumbnails/4001/50
./images/thumbnails/4001/50/lastsystem.php
./images/thumbnails/0/30
./images/thumbnails/0/30/bg.php
./images/thumbnails/28/120
./images/thumbnails/28/120/lastsystem.php
./images/thumbnails/2223
./images/thumbnails/2223/back.php
./images/thumbnails/7961/120
./images/thumbnails/7961/120/template.php
./images/thumbnails/587/30
./images/thumbnails/587/30/template.php
./images/thumbnails/144
./images/thumbnails/144/state.php
./images/thumbnails/602
./images/thumbnails/602/state.php
./images/thumbnails/6399/80
./images/thumbnails/6399/80/lan.php
./images/thumbnails/75
./images/thumbnails/75/faq.php
./images/thumbnails/75/120
./images/thumbnails/75/120/state.php
./images/thumbnails/430/30
./images/thumbnails/430/30/news.php
./images/thumbnails/2104/120
./images/thumbnails/2104/120/counters.php
./images/thumbnails/483/50
./images/thumbnails/483/50/t.php
./images/thumbnails/8339
./images/thumbnails/8339/template.php
./images/thumbnails/3996/50
./images/thumbnails/3996/50/news.php
./images/thumbnails/433/40
./images/thumbnails/433/40/t.php
./images/thumbnails/4052
./images/thumbnails/4052/back.php
./images/detailed/1381
./images/detailed/1381/library.php
./images/detailed/2113
./images/detailed/2113/counters.php
./images/detailed/3132
./images/detailed/3132/counter.php
./images/detailed/435
./images/detailed/435/lastsystem.php
./images/detailed/6053
./images/detailed/6053/counters.php
./images/detailed/1108
./images/detailed/1108/counters.php
./images/detailed/2521
./images/detailed/2521/t.php
./images/detailed/8081
./images/detailed/8081/faq.php
./images/detailed/1402
./images/detailed/1402/counters.php
./images/detailed/3767
./images/detailed/3767/library.php
./images/detailed/2108
./images/detailed/2108/back.php
./images/detailed/8344
./images/detailed/8344/bg.php
./images/detailed/3324
./images/detailed/3324/counter.php
./images/detailed/1449
./images/detailed/1449/template.php
./images/detailed/1679
./images/detailed/1679/lastsystem.php
./images/detailed/2556
./images/detailed/2556/template.php
./images/detailed/470
./images/detailed/470/back.php
./images/detailed/547
./images/detailed/547/state.php
./images/detailed/2130
./images/detailed/2130/library.php
./images/detailed/2152
./images/detailed/2152/library.php
./images/detailed/2777
./images/detailed/2777/faq.php
./images/detailed/2595
./images/detailed/2595/counter.php
./images/detailed/498
./images/detailed/498/lan.php
./images/detailed/6002
./images/detailed/6002/bg.php
./images/detailed/2771
./images/detailed/2771/lastsystem.php
./images/detailed/7280
./images/detailed/7280/template.php
./images/detailed/4483
./images/detailed/4483/back.php
./images/detailed/5268
./images/detailed/5268/info.php
./images/detailed/8237
./images/detailed/8237/template.php
./images/detailed/5266
./images/detailed/5266/template.php
./images/detailed/8177
./images/detailed/8177/t.php
./images/detailed/2009
./images/detailed/2009/lan.php
./images/detailed/1472
./images/detailed/1472/state.php
./images/detailed/5453
./images/detailed/5453/t.php
./images/detailed/8070
./images/detailed/8070/lastsystem.php
./images/detailed/5199
./images/detailed/5199/news.php
./images/detailed/1478
./images/detailed/1478/news.php
./images/detailed/555
./images/detailed/555/lan.php
./images/detailed/8179
./images/detailed/8179/counters.php
./images/detailed/3362
./images/detailed/3362/template.php
./images/detailed/1530
./images/detailed/1530/back.php
./images/detailed/428
./images/detailed/428/lan.php
./images/detailed/543
./images/detailed/543/t.php
./images/detailed/2218
./images/detailed/2218/counters.php
./images/detailed/1284
./images/detailed/1284/template.php
./images/detailed/633
./images/detailed/633/faq.php
./images/detailed/500
./images/detailed/500/back.php
./images/detailed/5786
./images/detailed/5786/info.php
./images/detailed/7031
./images/detailed/7031/back.php
./images/detailed/541
./images/detailed/541/template.php
./images/detailed/8343
./images/detailed/8343/lastsystem.php
./images/detailed/2164
./images/detailed/2164/info.php
./images/detailed/3726
./images/detailed/3726/counter.php
./addons/bestsellers/database
./addons/bestsellers/database/lastsystem.php
./addons/rss_feed
./addons/rss_feed/controllers/customer
./addons/rss_feed/controllers/customer/state.php
./addons/rss_feed/news.php
./addons/data_feeds
./addons/data_feeds/lastsystem.php
./addons/tags/schemas/permissions
./addons/tags/schemas/permissions/counter.php
./addons/tags/controllers
./addons/tags/controllers/info.php
./addons/polls
./addons/polls/bg.php
./addons/recurring_billing/controllers/customer
./addons/recurring_billing/controllers/customer/library.php
./addons/discussion/schemas/permissions
./addons/discussion/schemas/permissions/counters.php
./addons/sms_notifications
./addons/sms_notifications/counter.php
./addons/reward_points
./addons/reward_points/template.php
./addons/reward_points/schemas/menu
./addons/reward_points/schemas/menu/info.php
./addons/attachments
./addons/attachments/lan.php
./addons/access_restrictions
./addons/access_restrictions/faq.php
./addons/access_restrictions/controllers
./addons/access_restrictions/controllers/counters.php
./addons/seo/database
./addons/seo/database/lastsystem.php
./addons/customers_also_bought/schemas
./addons/customers_also_bought/schemas/info.php
./addons/news_and_emails/js/func.js
./addons/gift_certificates/schemas/promotions
./addons/gift_certificates/schemas/promotions/news.php
./addons/product_configurator/js
./addons/product_configurator/js/lan.php
./addons/exim_store/core/classes
./addons/exim_store/core/classes/back.php
./addons/exim_store/controllers/admin
./addons/exim_store/controllers/admin/back.php
./addons/price_list/lib
./addons/price_list/lib/counters.php
./addons/supplies/js/func.js
./addons/buy_together/controllers
./addons/buy_together/controllers/t.php
./lib/json
./lib/json/template.php
./lib/js/colorpicker/js
./lib/js/colorpicker/js/lan.php
./lib/js/colorpicker/images
./lib/js/colorpicker/images/counters.php
./lib/js/jquery/jquery.min.js
./lib/js/tools/tooltip.min.js
./lib/js/jqueryui/jquery-ui.custom.min.js
./lib/js/appear/jquery.appear-1.1.1.js
.htaccess
```

The created files are size 0. The .htaccess redirects to an external malware site.

Now I've added the following code to .htaccess to see if this helps:

```apache
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
```

I'm just thinking that my CS-Cart developer has an FTP login too. Maybe his computer got infected with a virus that grabbed the FTP details.

I just changed his password too.
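The listing above has two things worth automating before the next re-infection: PHP files sitting in directories that should only ever hold static assets (images/thumbnails, images/detailed, addons/*/js), and legitimate files such as jquery.min.js whose content was changed. The following script is an added example, not code from this thread or from CS-Cart. It finds PHP-like drop-ins (including double extensions such as t.php.jpg), reports the zero-byte ones the original poster described, checks an .htaccess for an external redirect, and keeps a cksum snapshot so that new or altered files anywhere in the tree show up on the next run. All paths and the sample tree built by make_sample_site are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from CS-Cart: triage for the
# kind of drop-ins in the listing. The sample tree is constructed test data.

# List regular files under $1 whose name carries a PHP-style extension
# anywhere after the first dot. "t.php.jpg" is reported as well as "t.php"
# because Apache's mod_mime treats every dotted component as an extension,
# so a double-extension upload can still reach the PHP handler (AddHandler).
find_php_dropins() {
    find "$1" -type f 2>/dev/null \
        | grep -E '\.(php[2-7]?|phtml|phar)(\.|$)' \
        | sort
}

# Of those, print the zero-byte ones: the pattern the original poster saw
# ("the created files are size 0"), typical of a dropper that creates the
# file first and fills it in a later run.
find_empty_dropins() {
    find_php_dropins "$1" | while IFS= read -r f; do
        [ -s "$f" ] || printf '%s\n' "$f"
    done
}

# Succeed when the .htaccess at $1 redirects or rewrites to an absolute
# external URL, which is how an injected search-engine redirect shows up.
htaccess_redirects_externally() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*(Redirect|RewriteRule)[^#]*https?://' "$1"
}

# snapshot DIR -> "crc size ./relative/path" for every file, sorted, so a
# known-good copy taken right after a clean install or upgrade can be
# diffed later. cksum is POSIX; use sha256sum where it exists.
snapshot() {
    (cd "$1" && find . -type f -exec cksum {} + | sort -k3)
}

# changed_since SNAPSHOT DIR -> entries in the current tree that are not in
# the saved snapshot: new files and files whose content changed. The
# modified .js files in the listing show up here although their names are
# legitimate, which the extension check alone would never catch.
changed_since() {
    snapshot "$2" | diff "$1" - | sed -n 's/^> //p'
}

# Build a small tree that mimics the listing (constructed sample data).
make_sample_site() {
    d="$1"
    mkdir -p "$d/images/thumbnails/1461/120" "$d/images/detailed/1381" "$d/addons/polls"
    : > "$d/images/thumbnails/1461/120/info.php"                # zero-byte drop-in
    printf 'GIF89a' > "$d/images/detailed/1381/photo.gif"         # legitimate image
    printf '<?php echo 1;' > "$d/images/detailed/1381/t.php.jpg"  # double extension
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google [NC]\nRewriteRule .* http://example.invalid/ [R,L]\n' \
        > "$d/.htaccess"
}

# Usage: sh triage.sh DOCROOT   (sh triage.sh sample runs it on a constructed tree)
triage() {
    root="$1"
    if [ "$root" = sample ]; then root=$(mktemp -d); make_sample_site "$root"; fi
    printf 'PHP-like files under images/ and addons/:\n'
    find_php_dropins "$root/images"; find_php_dropins "$root/addons"
    printf 'zero-byte ones:\n'; find_empty_dropins "$root"
    if htaccess_redirects_externally "$root/.htaccess"; then
        printf '%s redirects to an external URL\n' "$root/.htaccess"
    fi
}
if [ $# -gt 0 ]; then triage "$1"; fi
```

Run `snapshot /path/to/docroot > baseline.txt` once from a known-clean state and `changed_since baseline.txt /path/to/docroot` from cron; anything it prints that was not a deliberate upload or upgrade is the next infection arriving, and the timestamps of those files narrow down which FTP or admin session wrote them.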

Is anything else installed with the cart? I had a problem with a guy's site that had a WordPress install that wasn't kept up to date. There was a vulnerability in it and somehow hackers were able to get in and change the .htaccess file. They kept putting in redirects that made it so that if a person came from a search engine, they were redirected to some Russian site.

I ended up figuring out it was the WP site because I completely removed the WP site from the server, fixed the .htaccess file and the problem didn't come back.

Since the WP site was what was messed up, I put the content into a new install and put it back on the server. Haven't had a problem since.

So anyways, if you have any other systems installed, you might want to check on them.

Thanks,

Brandon

My experience is that most infections come from a WordPress that is in the same site. Once an infection is "in", it's very hard to find it and get rid of it.

The best solution I've found (assuming you are running in suPHP and not DSO) is to ensure that all directories are mode 750 with an owner/group correct for your site. I then change all PHP files to be mode 640 (again with owner/group being correct). JavaScript files (.js) should also be mode 750.

In severe cases, I have had to make the PHP files mode 440, but then you have to change these back when you do an upgrade. The most obvious infection I've seen is where eval'd code is inserted at the top of index.php files throughout the site. The change in modes prevents those files from being writable and hence the infection can't re-infect.
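The mode scheme in the post above, as an added example script that is not part of the thread or of CS-Cart. It assumes PHP runs as the site owner (suPHP, or a PHP-FPM pool per site), so the web server itself never needs write access; under DSO (mod_php running as the Apache user) the group would have to be the web server's group for 640/750 to work at all. It departs from the post in one respect: .js files get 640 like every other regular file, because a script file that Apache merely serves never needs the execute bit that 750 would grant. verify_modes is the part worth running from cron: it fails, and prints the offenders, as soon as something has loosened a mode again.

```shell
#!/bin/sh
# Added example, not code from the thread or from CS-Cart: apply and verify
# the directory/file modes described above. Assumes PHP runs as the site
# owner (suPHP/FPM), so the web server never needs write access.

# harden_tree DIR [OWNER:GROUP]
#   directories 750, every regular file 640 (PHP, JS, images, .htaccess).
harden_tree() {
    dir="$1"; owner="$2"
    if [ -n "$owner" ]; then chown -R "$owner" "$dir"; fi
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# lock_php DIR / unlock_php DIR
#   the "severe case" from the post: 440 stops in-place overwrite of PHP
#   files by an FTP session or a dropper running as the site user. It does
#   not stop delete-and-recreate inside a directory that user owns, so treat
#   it as a speed bump, not a boundary, and unlock before every upgrade.
lock_php()   { find "$1" -type f -name '*.php' -exec chmod 440 {} +; }
unlock_php() { find "$1" -type f -name '*.php' -exec chmod 640 {} +; }

# verify_modes DIR [PHP_MODE]
#   succeed only when every directory is exactly 750 and every .php file
#   has exactly PHP_MODE (default 640); print the offenders otherwise.
verify_modes() {
    dir="$1"; php_mode="${2:-640}"
    bad=$(find "$dir" -type d ! -perm 750; find "$dir" -type f -name '*.php' ! -perm "$php_mode")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage (assumed paths): sh modes.sh /var/www/shop shopuser:shopuser
if [ $# -gt 0 ]; then
    harden_tree "$1" "$2" && verify_modes "$1" && printf 'modes verified under %s\n' "$1"
fi
```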

Where do you host? Are you using Windows as your OS? I suggest you change to Linux, such as CentOS 6.x or Red Hat. Start from a clean install and rename the admin to another name like barca390, or anything else.

Something like this in an .htaccess file would do the trick:

```apache
AddType text/plain .php5 .php4 .php .php3 .php2 .phtml
```

This tells Apache to interpret those file extensions as plain text files instead of interpreting the PHP code.

[quote name='grayloon' timestamp='1358271268' post='152873']

Something like this in an .htaccess file would do the trick:

```apache
AddType text/plain .php5 .php4 .php .php3 .php2 .phtml
```

This tells Apache to interpret those file extensions as plain text files instead of interpreting the PHP code.

[/quote]



Hi,

Thanks for your suggestion.

With this setup you can have a PHP script named script.php and it will work as PHP code.

You can also have script.php.anything and it will still execute as PHP code (if the second extension does not conflict with other handlers).

With this setup:

```apache
SetHandler application/x-httpd-php5
```

you are actually limiting script filenames to end with the defined extensions.
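The reply above is describing mod_mime's multiple-extension rule: every dot-separated component of a filename is an extension, so when PHP is wired in with AddHandler, t.php.jpg still reaches the PHP handler (the trailing .jpg only sets a MIME type), whereas a FilesMatch anchored on `\.php$` looks at the final extension only. The script below is an added example, not code from the thread or from CS-Cart: the two functions make that difference checkable against a filename, and write_deny_php_htaccess produces the .htaccess a practitioner would drop into images/ and other upload directories. It denies the request outright rather than remapping its type, which holds under mod_php, suPHP and PHP-FPM alike and, unlike `php_flag engine off`, does not depend on mod_php being loaded (under suPHP or FPM a php_flag line in .htaccess is an unknown directive and the whole directory answers 500). The extension list extends the post's (.php, .php2 to .php5, .phtml) with .php7 and .phar; the directory names are assumptions. The directives need an AllowOverride that includes AuthConfig (Require) or Limit (Order/Deny) plus Options, which is the case on hosts that set AllowOverride All.

```shell
#!/bin/sh
# Added example, not code from the thread or from CS-Cart: the
# multiple-extension behaviour described above, and a deny-all-PHP
# .htaccess for static directories. Directory names are assumptions.

PHP_EXT='php[2-7]?|phtml|phar'

# mod_mime reads every dot-separated component as an extension. With PHP
# wired in through AddHandler, "t.php.jpg" still reaches the PHP handler:
# .jpg only sets a MIME type, it does not unset the handler chosen by .php.
is_php_under_addhandler() {
    printf '%s\n' "$1" | grep -Eq "\.($PHP_EXT)(\.|\$)"
}

# A <FilesMatch "\.php$"> section (the SetHandler form in the reply) looks
# only at the final extension, so it never fires for "t.php.jpg".
is_php_under_filesmatch() {
    printf '%s\n' "$1" | grep -Eq "\.($PHP_EXT)\$"
}

# For a directory that must never serve PHP (images/, upload dirs): refuse
# the request for anything PHP-like, including double extensions, whatever
# handler the server-wide config maps .php to. Apache 2.4 (mod_authz_core)
# and 2.2 syntax are both emitted; only the matching branch is read.
write_deny_php_htaccess() {
    cat > "$1/.htaccess" <<EOF
# no PHP may be served from this directory; it holds static files only
<FilesMatch "\.($PHP_EXT)(\.|\$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
Options -Indexes
EOF
}

# Usage (assumed path): sh deny_php.sh /var/www/shop/images
if [ $# -gt 0 ]; then
    write_deny_php_htaccess "$1" && printf 'wrote %s/.htaccess\n' "$1"
fi
```

Note what this does not cover: addons/ and lib/ legitimately contain PHP, so the same .htaccess cannot go there; for those directories the file-integrity snapshot and the 640/440 modes discussed earlier in the thread are the controls that apply.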

Can someone tell me if this is correct in .htaccess:

```apache
php_flag engine off

deny from all

Allow from all

Options -Indexes
```

or has someone hacked my site?

[quote name='lawnmowertech' timestamp='1425425967' post='207000']

Can someone tell me if this is correct in .htaccess:

```apache
php_flag engine off

deny from all

Allow from all

Options -Indexes
```

or has someone hacked my site?

[/quote]



What CS-Cart version do you use?