Site Hacked - again!!!

Back in November, my site was hacked and they were able to lock out the admins and upload some php hack scripts to the server. That was with 1.3.5 (my fault for not upgrading).



Now I am running the latest (2.0.12), but on 1/23/10, someone was able to inject new users into the database. In looking at the log files for the server, they have someone’s admin password and have logged into the admin page.



I have changed passwords again and am going to read every post on security to figure out what is the best way to stop them.



Any quick suggestions?

Is there any easy way to block every IP address except a few from the admin panel?



-golfcart

The “Store Access - Administration panel” was a real easy fix (for now). I looked up the ranges of the 4 IP addresses we use in this area and blocked everything else in the world. If the hacker wants to get into the admin file, we will need to move to where I am.



Hopefully he does not have the database password and cannot change the information directly from the tables. Last time someone was able to upload a php file; he then was able to browse the files and could open the config file and see the database name & password.



I have also added image verification to everything so hopefully he cannot inject any code directly into the database again via the forms.
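The admin allow-list golfcart set up through the cart's “Store Access” setting can also be enforced one layer down, in the web server, so that it keeps working even if the cart's own settings get edited in the database. The script below is an added example, not code from this thread or from CS-Cart; it assumes the admin entry point is a single script named admin.php in the web root, that the host runs Apache 2.2 with .htaccess enabled, and it uses constructed RFC 5737 address ranges in place of the real office ranges.

```shell
#!/bin/sh
# Added example, not code from the thread or from CS-Cart: generate Apache
# rules that refuse the admin script to every address except the listed
# office ranges, so the restriction lives in the web server and does not
# depend on cart settings an intruder might change in the database.
# Assumptions (not stated in the thread): the admin entry point is a single
# file named admin.php in the web root, the host runs Apache 2.2 with
# .htaccess enabled, and the ranges below are constructed RFC 5737 examples.

# Print a <Files> block for SCRIPT that denies all but the given ranges.
# Usage: admin_allow_rules admin.php 203.0.113.0/24 198.51.100.7
admin_allow_rules() {
    script="$1"; shift
    printf '<Files "%s">\n' "$script"
    echo "    Order Deny,Allow"        # deny rules first, then allow exceptions
    echo "    Deny from all"
    for range in "$@"; do
        echo "    Allow from $range"    # accepts a.b.c.d, a.b.c, or CIDR forms
    done
    echo "</Files>"
    # Apache 2.4 equivalent: replace the three directives with
    #   Require ip 203.0.113.0/24 198.51.100.7
}

# Append the rules to WEBROOT/.htaccess, keeping whatever rules exist there
# (the cart ships its own .htaccess with rewrite rules that must be kept).
# Usage: append_admin_rules /path/to/webroot admin.php 203.0.113.0/24
append_admin_rules() {
    webroot="$1"; shift
    {
        echo ""
        echo "# admin panel allow-list, added $(date +%Y-%m-%d)"
        admin_allow_rules "$@"
    } >> "$webroot/.htaccess"
}

# Number of Allow lines in a rules block read from stdin (sanity check that
# the list you passed in is the list that was written).
count_allow_rules() {
    grep -c '^ *Allow from '
}

# Stand-alone use: sh admin_allow.sh /path/to/webroot admin.php RANGE...
if [ "$#" -ge 3 ]; then
    append_admin_rules "$@"
    echo "appended; Allow lines now in .htaccess:"
    count_allow_rules < "$1/.htaccess"
fi
```

After appending, request the admin script from an address outside the ranges and confirm you get a 403 before relying on it; a lockout of your own office is the usual failure mode, so keep FTP access at hand to edit the file back.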

Can you change your database password? I’m not sure what kind of server you are on, but a firewall like apf would help. Do you have a host that can help?

The bad news is that “most” sql injection is not done from the form or admin controls though some is done that way but it’s not as typical and much less frequently the case.



Without looking at your logs, I couldn’t tell you the exact method of attack and there are unfortunately far too many ways to do what you describe to speculate, though there are many things you could do to prevent this from being a future problem. The extent of the measures you can take to protect yourself depends on your access level to the server though. If you are on a shared hosting plan, your options would be much more limited than if you are on a dedicated server, but you could still do a great deal regardless.



Aside from increasing the security situation on your server, you should also scan your home computer for viruses and trojans just to make certain that the compromise wasn’t done via your own connection being monitored and your passwords stolen as this is an increasingly popular method of attack these days!



Incidentally, and mainly just a side footnote for your information, image verification is of little use as most automated hacking tools and bots are all capable of reading and understanding such images, often even better than a live human typically can. Though it doesn’t hurt anything to use it, so you may as well have it than not, its effectiveness might be questionable.



With a little bit better overview of your current hosting situation, I could tell you a lot more specifically your options and the best plan of action on this, whether that be code modifications, firewall, modules such as Suhosin or modsecurity, system or php upgrades, or any of about a hundred other items.

Every password has been changed (including database name).



I started logging the sessions and http/https requests via the shopping cart.

Hello Steve,



Per Spiral,

[QUOTE]you should also scan your home computer for viruses and trojans just to make certain that the compromise wasn’t done via your own connection being monitored and your passwords stolen as this is an increasingly popular method of attack these days![/QUOTE]



I would make sure you don’t overlook this statement!



Make certain you have the best antivirus scanner you can obtain, with current virus updates, installed on your local PCs. Then run a complete system scan! Personally, we now only use ESET Smart Security on our PCs & have for the last 2-3 years. However, prior to that we used Kaspersky for a few years and it was pretty decent as well. (Just not on the same playing field as ESET)



[url]http://www.eset.com/smartsecurity/[/url]

I ran the Microsoft Onecare on the 4 computers that access the site. Didn’t find anything.

[url]http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt[/url]

[quote name=‘Golfcart’]I ran the Microsoft Onecare on the 4 computers that access the site. Didn’t find anything.

[url]http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt[/url][/QUOTE]



Also check your computer and the other computers; they may also have a virus or key logger inside :frowning:



My idea: use Kaspersky, AVG, Norton, or McAfee to check



Hope this can help you



Regards

I have McAfee on my PC and have run that also. I also have Security Task Manager and I know my PC is not running a service that is infected.



It looks like the hacker is back. He did the changes without logging into the admin page. Somehow he has changed the settings in the database for the credit card (not to remove #) and has corrupted the PayPal Pro file and it will not process the cards.



I am going to have to drop CS-CART and look for another cart. I REALLY LIKE CS-CART AND DO NOT WANT TO SWITCH.



Somehow the hacker is able to upload something to be able to access my site. I just can’t find out how.

Why is this Cs-Cart’s fault? Install another cart and don’t improve your security and you’ll get hacked again. :confused:

I have all the security set for CS-CART and the hacker is still getting in.



Are there some other settings than what CS-CART requires for the folders?

/catalog 777

/images (and all subdirectories) 777

/skins 777

/var (and all subdirectories) 777



seems to leave it kind of open.
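Those 777 modes are what let a file dropped into /catalog run last time, so the two things worth checking on the server are: which paths are world-writable, and whether any PHP files have appeared inside directories that should only ever hold uploads. The audit script below is an added example, not code from this thread or from CS-Cart; the directory names are taken from the list in the post above, and the 755/644 target modes assume PHP runs as the site owner (suPHP/CGI/FastCGI rather than mod_php), which is an assumption you need to confirm with the host.

```shell
#!/bin/sh
# Added example, not code from the thread or from CS-Cart: audit a web root
# for the two things this thread keeps running into, world-writable (777)
# directories and PHP files sitting inside directories that only hold
# uploads, then tighten the modes. The directory names come from the
# permissions list above; everything else is an assumption.

# Directories the thread lists as 777; treat them as upload areas.
UPLOAD_DIRS="catalog images skins var"

# Print every directory or file under $1 that anyone on the server can write
# to (octal mode contains o+w, i.e. 0002). On shared hosting "anyone" means
# every other customer's scripts.
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) 2>/dev/null
}

# Print PHP-like files found under the upload directories of web root $1.
# A script dropped through an upload form lands exactly here, as the
# "file in the catalog directory" from the thread did.
find_php_in_uploads() {
    root="$1"
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    done
}

# Set directories to 755 and files to 644 under $1. This is the right target
# when PHP runs as the site owner (suPHP/CGI/FastCGI, i.e. not the Apache
# DSO module); under mod_php running as the shared Apache user the cart
# would need group write instead, so ask the host which one you have first.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count lines on stdin, trimmed (wc pads with spaces on some systems).
count_lines() {
    wc -l | tr -d ' '
}

# Stand-alone use: sh audit_webroot.sh /path/to/webroot [fix]
if [ -n "$1" ]; then
    echo "== world-writable entries under $1"
    find_world_writable "$1"
    echo "== PHP files inside upload directories"
    find_php_in_uploads "$1"
    if [ "$2" = "fix" ]; then
        harden_perms "$1"
        echo "== modes tightened; world-writable entries remaining: $(find_world_writable "$1" | count_lines)"
    fi
fi
```

Run it without `fix` first and keep the output: a PHP file under /images or /catalog that you did not put there is the evidence the server logs alone have not given you, and its timestamp narrows down which log lines to read. Only run `fix` once the host has confirmed how PHP executes, since tightening modes under mod_php can break image uploads and the cache in /var.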

I agree with Ogia on this one, it seems kind of unfair to blame CS-Cart since you are the only one having problems.



I don’t know squat about security so I really can’t help you, but you might try a couple of things.



First, take a look at your host and see if the problem lies there.



Then, if the host is secure, why not set up a new installation with a new database and then just export and import your products? I would think you would be able to move over your images folder with no problem, but like I said I’m not a security expert.



Once that is done you would hopefully have a new installation of CS-Cart with a new database with new passwords and be secure.



I don’t know if this helps, but maybe it will,



Brandon

It first started when I was running 1.3.5 (back in November).



My web host set me up a new area and I installed a fresh copy of 2.0.10 (and have now done the two upgrades as soon as they came out).



Earlier this week, I noticed that someone was able to inject users via a script (since I had some users with incomplete data and a bunch of junk in some of the fields).



The hacker is NOT getting into the site via the admin page since I have locked out every IP address (except for the one in my local area).



The hacker is turning off the (remove cc) and the e-mail to the admin. Now he has corrupted the PayPal Pro module so it does not process any cards.



My database does not allow remote access. I have been looking at every file on my site to find maybe a hacked page that allows him access.



Last time he uploaded a file to the catalog directory and was able to run a script that showed him every file on the site. I ran the php file and was able to browse to every file and read the config file.



My web host has been very helpful in trying to recover from this, but how can I monitor him and figure out what he is doing?



I have downloaded the server logs (including the SSL) and have been looking at every entry. Can’t see how someone is doing it (but I am not an IT guy). I know Visual Basic and ASP, and enough of CS-CART php and smarty to make changes, but what is the best way to lock down the site?

[QUOTE]I have all the security set for CS-CART and the hacker is still getting in.

Are there some other settings than what CS-CART requires for the folders?

/catalog 777

/images (and all subdirectories) 777

/skins 777

/var (and all subdirectories) 777

seems to leave it kind of open.[/QUOTE]



Steve, especially since this is the 2nd time this has happened, & on two different platforms of CS-Cart, you obviously now have a very serious issue. I would highly suggest that you directly request assistance from someone that has the knowledge to quickly locate where these vulnerabilities are in your current setup & quickly close them up for you. Let’s face it, you don’t have time to be the Lone Ranger & fix this in time on your own!



Spiral appeared to have offered assistance to you, you may want to consider taking him up on that even if there is a fee involved unless someone else jumps on & offers you some quick assistance.



Also, there have been loads of recent posts in the CS-Cart forums over the last several weeks related to folder & file permissions, and the settings you mentioned above are not what has been recently recommended…



And no, changing carts is not going to fix your problem, it may provide a temporary fix, but only until the same vulnerability you have is located and used again on the next cart you get running.



PS: I like your golf cart accessories, I need to get me one them custom carts one of these days! :wink:

Golfcart,



First, your situation sounds very frustrating and I wish you the best.



Next your folders are not set correctly for the most safety, even CS cart admits that their default suggestions are just that. So you need to change your settings.



Look at Zeke’s statements in the bug tracker threads on permissions



Then, consider a brief timeout and have all customers leave your website and visit PayPal to make their payments. This reduces your security problem to zero for now and allows you to fix things with less stress.



Finally, get help - in this case I would suggest CS Cart to start. Give them FTP access and ask them to do whatever needs to be done to lock down your site.



Wishing you all the best - keep smiling and keep going!

Golfcart-



have you reviewed this thread:

[url]http://forum.cs-cart.com/showthread.php?t=15083[/url]



Bob

I have sent an e-mail to my web host to see about non-DSO PHP. I don’t know what that is or if we are using it.



I have deleted all the skins I am not using (and all from the skins_repository - I have a copy of all).

I have deleted the other files I know I do not need.

I have blocked all IP addresses from the admin page (and renamed the page).

I have included the htaccess recommendations.

I have included the image verification.

I have changed the database username & password.

I have changed all the admin logins to the shopping cart.

I uninstalled all the addons that we are not using - and removed some that we were using.



I read all the postings (and bug tracker) info on permissions & security. Need some help in understanding it (sent a message to Spiral - yes I need help and know I do).



I was not trying to bad mouth CS-CART earlier (I really like it and don’t want to replace it) - there is not another cart out there that works as nice and has all the features… The owner is thinking about going to a managed software site and having them host it and maintain the software. I do this as a hobby and am not an IT person.



Now if someone wants to ship uranium anywhere in the world, I am the expert on that. I am a member of the ANSI N14.1 Nuclear Materials - Uranium Hexafluoride - Packaging for Transport committee, writer of USEC’s UF6 Handling Practices Manual (if you look at the cover to the manual on the url, I am the person in the lower right hand corner) and other things relating to shipment of radioactive material.



BUT THIS HACKING IS PI$$ING ME OFF



Had to vent again - sorry - going to drink a glass of homemade wine and go to bed.



Hopefully tomorrow after I get off work there will be some more posts for me to review and make more changes. My web hosting company is installing a backup from a few days back and I have made all these changes to that version.

I think you need to change to another host. The hosts that get the best reviews are hostgator.com, liquidweb.com, ehostpros.com



I recommend you use a VPS or dedicated server; it will be better for you



Regards

[quote name=‘Golfcart’]I read all the postings (and bug tracker) info on permissions & security. Need some help in understanding it (sent a message to Spiral - yes I need help and know I do).[/QUOTE]

Sorry about that. Texas Trophy (Tool Outfitters here) just paged me on your behalf and told me that you were needing to reach me and gave me the link to this thread just now.



I have been very busy the past few days and have not had much spare time to visit the forums here the past few days.



I will take a look at your private messages and see what I can do for you.

[quote name=‘Spiral’]Sorry about that. Texas Trophy just paged me on your behalf and told me that you were needing to reach me and gave me the link to this thread just now.



I have been very busy the past few days and have not had much spare time to visit the forums here the past few days.



I will take a look at your private messages and see what I can do for you.[/quote]



lol - “consider it fixed then”