
Cs-Cart Hacked? :(

 
  • Vishal
  • Junior Member
  • Members
  • Join Date: 06-Jul 06
  • 16 posts

Posted 19 October 2006 - 07:23 PM #1

Today I was informed by my web host that my server seems to be compromised, and a little more digging points it towards cs-cart. Can anyone help me understand what is going on?

1) Under /shop/ there is a file db1.php which seems to be the #1 cause of the issue. (/shop/ is where cs-cart is installed.) The alert caused by db1.php is PHP.RSTBackdoor and information for it can be found at http://www.symantec....4217-99&tabid=1


2) Under /shop/skins/ a folder by the name /pro/ seems to have been created, and under that the file xh seems to be another thing that is causing Norton AntiVirus to raise an alert. The alert caused by this one is 'hacktool'.

Does anyone know what is going on & how to fix this?

Thank you for the help.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 19 October 2006 - 07:39 PM #2

db1.php is NOT a cscart file. Your server is compromised. You should make a backup of your SKIN files if you made changes.

You should contact your host about this situation.
Pimpin' skins since v1.0

 
  • Vishal
  • Junior Member
  • Members
  • Join Date: 06-Jul 06
  • 16 posts

Posted 19 October 2006 - 07:41 PM #3

I have created a new template and have made a backup of the template and cs-cart database. I am just thinking of asking the server admin to reformat the HD and do a new start.

Any easier suggestion?

 
  • krur
  • Senior Member
  • Members
  • Join Date: 07-Jun 06
  • 114 posts

Posted 19 October 2006 - 08:35 PM #4

Please, before reformatting the HD, ask your provider if they can trace where that file came through.

If it was through a CS-Cart bug, it should be fixed ASAP!
stefano cecere
krur.com - multimedia company
CS-Cart v2.0.12 - italian mods (full translations and data + Banca Sella + Invoices / Fatture)

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 19 October 2006 - 08:37 PM #5

Get a copy of your log files too and send them to CS helpdesk for analysis.
Pimpin' skins since v1.0

 
  • Vishal
  • Junior Member
  • Members
  • Join Date: 06-Jul 06
  • 16 posts

Posted 19 October 2006 - 08:46 PM #6

I do not have 'all' the logs and details in front of me, as I am working on my client's server. However, the server admin did specify that

Also data was uploaded to /home/httpd/vhosts/domainname.com/httpdocs/shop/images , which indicates that the domainname.com domain in particular has website code which enabled this exploit to occur.
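
The checks raised in the thread so far (db1.php is not a CS-Cart file, and data was uploaded under /shop/images), written as an added example that is not from any poster or from CS-Cart: it compares an installed tree against a clean unpacked copy of the same release. `SCRIPT_EXTS`, `DATA_DIRS` and the `images/up.php` sample name are assumptions, and the demo trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi", ".sh"}   # assumption: server-executable types
DATA_DIRS = ("images",)  # assumption: top-level dirs meant to hold uploads/static files only

def tree(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(installed_root, clean_root):
    """Compare an installed cart tree with a clean copy of the same release."""
    installed, clean = tree(installed_root), tree(clean_root)
    findings = []
    for rel in sorted(installed):
        parts = rel.split("/")
        in_data = len(parts) > 1 and parts[0] in DATA_DIRS
        if in_data and Path(rel).suffix.lower() in SCRIPT_EXTS:
            # Upload directories legitimately gain new files, but never scripts.
            findings.append(("SCRIPT_IN_DATA_DIR", rel))
        elif rel not in clean and not in_data:
            # Anything outside the data dirs that the release does not ship.
            findings.append(("UNKNOWN_FILE", rel))
        elif rel in clean and installed[rel] != clean[rel]:
            # Shipped file whose content changed (custom skin edit or tampering).
            findings.append(("MODIFIED", rel))
    return findings

def demo():
    """Constructed trees using paths named in the thread; file contents are placeholders."""
    clean = {"index.php": "cart", "skins/basic/main.tpl": "v1"}
    shop = {**clean, "skins/basic/main.tpl": "v1 edited", "db1.php": "x",
            "skins/pro/xh": "x", "images/product.jpg": "x", "images/up.php": "x"}
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in (("clean", clean), ("shop", shop)):
            for rel, body in files.items():
                path = Path(tmp, root, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return audit(Path(tmp, "shop"), Path(tmp, "clean"))

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:20} {rel}")
```

Run it against a read-only copy or image of the site so file timestamps stay intact for the host's log analysis; `MODIFIED` entries under skins/ need manual review because legitimate skin edits appear there too.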



 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 19 October 2006 - 08:53 PM #7

Was domainname.com your CS cart domain or no?
Pimpin' skins since v1.0

 
  • Vishal
  • Junior Member
  • Members
  • Join Date: 06-Jul 06
  • 16 posts

Posted 19 October 2006 - 09:01 PM #8

Yes, domainname.com/shop/ is where cs-cart is installed.

P.S. domainname.com is just used to hide actual name, but I am sure you know what I mean.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 19 October 2006 - 09:02 PM #9

Yeah, I do. I just wanted to verify that it was the CS domain that was hacked and not some other one that had the exploit.
Pimpin' skins since v1.0

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 20 October 2006 - 12:11 PM #10

Do you have any other software installed on this domain?