V4 : Security Issue ? (Urgent Help Needed)


my website have been under attack and malware has been injected.

So my website is not trusted anymore by google.

As my version is the last one, with last updates, I think there must be real security failure…

Adwords told me the following link are corupted :


I restored my shop between the attack and clear teh cache. This file is not present anymore on my ftp server


[url=“brawler.corp.google.com - Google Single Sign On: Sign into corp”]http://www.MYSHOP.com/js/tygh/exceptions.js?ver=4.1.4[/url]

About this one, when I go in the “tygh” REP, I see a file called exception.js (I renamed it exeption.js.old)

Is there a trouble with this file ?

What is thios file made for ?

how can I be sure that the file is now not corrupted ?

Thanks in advance fore your help


Check and remove if needed the files Google says are malware.

but also check the date of the files and directories by sorting the files via ftp in date modified and check any others possibly altered on that same date and if you or anyone on your behalf didnt alter or put them there then get rid of them.

After that change all passwords for any web access you may have, ftp, cpanel etc etc. Then get checked for other instances on same server.

Report to google via the link that the malware has been cleaned.


Thanks John.

I just had a look at my FTP logs.

I found IP's that are not mine (I have a static IP).

I could ban the IPs in my .htaccess, BUT, I wonder if this will affect automatic update from CSCART ???

How can I recognize IP used for updates ?


WOW…. It seems that my FTP have been hacked.

Is there a way for me to be sure that all the files on my server are safe ? (original ones)

I'd like to keep the database but have a new (clean) install of last cscart version (my license number is lifetime).

Is it possible ?

I learned that first of all never check “save password” in your FTP program.

Souds kinda weird it is only on yours and no one else is haveing the same issue maybe if you are on a shared server with 10 or more others which most are nowdays that someone on that server is hacking into yours as well, just a thought

I use Go Daddy and they take a snap shot every day of all my files automatically.

This way I can restore any or all my files from an earlier date. This does not, however erase any new files that may have been placed.

Your breach has nothing to do with cs-cart itself. Either your passwords for your site (I.e. cPanel or FTP passwords) have been compromised or you do not have the proper ownerships/permissions set for your particular hosting environment. Work with your host to set ownerships/permissions and change your passwords for your site access regularly.

1 - Many thanks to all of you for your kind help

2 - “[color=#000000]blessing in disguise”…[/color]. I’m going to search for tools that will help me to survey my FTP space, also re uploaded files, and also tools to restore my website. (any ideas from you are welcome)

3 - I just changed all my passwords and will have a look to FTP logs, just to see if other IP than mine still appears.

4 - Would it help if I delete all the cscart files on my FTP and process a clean CSCART install ? (I think some files could be corrupted. I saw on my FTP logs that “index.php” have been uploaded….

5 - flasher, I just saw your picture and I’m in love with you :shock: (and thing you’re right. My hosting is a shared one…).


[color=#ff0000]6 - Does anyone ever heard of “ftpchk3.php”. I saw that this file have been uploaded on my FTP space then deleted…[/color]

[quote name='leofromfrance' timestamp='1400923886' post='184176']


[color=#ff0000]6 - Does anyone ever heard of “ftpchk3.php”. I saw that this file have been uploaded on my FTP space then deleted…[/color]


That is malicious and password copying your details, then it deletes itself!

Change everything you can, scan all pcs you use to access your webserver for trojans/malware etc etc. They have taken your credentials and will be passing them round to all the other hackers like free sweeties.

NEVER save your ftp passwords to a local pc, always keep em somewhere else


Given the events over the past week with various clients/merchants getting hacked, we are in the process of extending our EZ Admin Helper addon to do file scanning for files in your site. It does not detect signatures. I.e. it is not a malware detector or a virus detector, but it will tell you what files are new to your site and what files in your site have been modified since the last time it ran.

Documentation for EZ Admin Helper can be found here. Note that this new functionality is only available in V4.

It runs fairly quickly on the demo store (maybe 15 seconds) and I'm sure larger stores may take a lot longer, especially if you generate a lot of different thumbnail sizes.

But we feel it will be a valuable addition to the administrative toolbox. Combined with regular site and database backups, and some diligence on the merchant's part, any introduced changes to your site should now be able to be easily detected.

The goal is to tell you what's new or changed and let you decide what to do with that information.

We will publish in the 3rd party forum when the new version is complete.


I use the ithemes security for Wordpress and it does something similar. I get a report whenever any files are changed on my Wordpress installs. It works awesome and I love it. If your addon will do something similar to that, it would be an awesome thing to have installed.



Not familiar with the WP tool. Essentially, when run, it will report any new files, and changed files or any removed files on your site (excluding certain directories like var/cache, var/database, etc… It is part of the larger addon that provides many different admin-type functions such as backing up the DB, backing up your site, clearing the various caches, updating currency rates, etc. Kind of an all in one admin toolkit.

We have created a new version for our EZ Admin Helper for V3 and V4 sites. You can view the announcement at: Security Extension To Ez Admin Helper Addon - Third-Party Add-ons - CS-Cart Community Forums

Having it in place would have identified today's security breach if you were monitoring new and changed file activity.