Cs-Cart Hacked? :(

Today I was informed by my web host that my server seems to be compromised and little more digging points it towards cs-cart. Can anyone help me understand what is going on.


  1. Under /shop/ there is a file db1.php which seems to be # 1 cause for the issue. (/shop/ is where cs-cart is installed. The alert caused by db1.php is PHP.RSTBackdoor and information for it can be found at [url]http://www.symantec.com/security_response/writeup.jsp?docid=2005-071322-4217-99&tabid=1[/url]




  2. Under /shop/skins/ there seems to have been created a folder by the name /pro/ and under that the file xh seems to be another thing that is cauzing norton antivirus to cause the alert. The alert caused by this one is ‘hacktool’.



    Any one knows what is going on & how to fix this?



    Thank you for the help.

db1.php is NOT a cscart file. your server is comprimised. You should make a backup of your SKIN files if you made changes.



You should contact your host about this situation.

I have created a new template and have made backup of template and cs-cart database… Am just thinking of asking server admin to reformat the HD and do new start.



Any easier suggestion?

please before reformatting the HD, ask your provider if they can trace where that file came throught.



if it was trhought a CS-cart bug, it should be fixed asap!

Get a copy of your log files too and send them to CS helpdesk for analysis.

I do not have ‘all’ the logs and details in front of me, as I am working on my clients server. However server admin did specify that


was domainname.com your CS cart domain or no?

yes the domainname.com/shop/ is where cs-cart is installed.



P.S. domainname.com is just used to hide actual name, but I am sure you know what I mean.

Yea i do, i just wanted to verify that it was the cs domain that was hacked and now some other one, that had the exploit.

Do you have another software installed on this domain?