New Hack

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 20 May 2014 - 11:12 PM #1

Just dealt with one of my clients' sites that was hacked (actually two of them were). I believe this was an inside job by an employee who was discharged, but I thought I'd give a heads-up in case it shows up at anyone else's site.

Two files are modified:
  • init.php
  • core/fn.init.php (or on V4, app/functions/fn.init.php)

A function called fn_init_payment_info() was added to the latter and called from init.php.

It basically looked for the mode of 'payment_info' (the order management editing of an order), then captured the 'user_data' from the current cart in the session and wrote it out, serialized and base64-encoded, to a gif file at images/detailed/0/user_thumbs/CACHE_[md5 number].gif. Note that even on sites that do NOT store CC info, the customer is usually asked for their CC info over the phone and it is input into this screen.

I believe we caught this before the data file could be retrieved, so I don't believe they were actually compromised.

But it's an interesting way to capture data in small amounts so it would probably go unnoticed. Thanks to a coding issue, and having 'display_errors' == true in the admin area, we were able to identify it quickly and remove it.

It is very important to ensure that your PHP files are mode 644 (or even 444, and then set them to 644 before an upgrade). The same goes for *.tpl files.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


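The drop file described in the post above is easy to spot once you know what to look for: the hook writes base64 text that decodes to a PHP serialized array, while a genuine GIF starts with the magic bytes GIF87a or GIF89a. The scanner below is an added example, not the poster's code or anything from CS-Cart. It constructs its own images/ tree with a real GIF and a fake CACHE_<md5>.gif (the php_serialize_flat helper is a minimal stand-in for PHP's serialize(), and the card data is a test number), then flags every .gif whose content is not a GIF and recovers the captured payload.

```python
"""Spot the exfil drop file: a .gif that is really base64 of PHP serialize() output."""
import base64
import hashlib
import os
import re
import tempfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# PHP serialize() of an array starts with a:<count>:{ ; matching that prefix is
# enough to separate a dumped session array from random binary.
PHP_ARRAY = re.compile(rb"^a:\d+:\{")


def php_serialize_flat(data):
    """serialize() output for a flat dict of str -> str (assumption: that is all
    the sample needs; real user_data also carries ints and nested arrays)."""
    out = b"a:%d:{" % len(data)
    for k, v in data.items():
        kb, vb = k.encode(), v.encode()
        out += b's:%d:"%s";s:%d:"%s";' % (len(kb), kb, len(vb), vb)
    return out + b"}"


def decode_drop_file(path):
    """Return the serialized PHP payload hidden in a drop file, or None."""
    with open(path, "rb") as fh:
        body = fh.read()
    if body.startswith(GIF_MAGIC):
        return None
    try:
        decoded = base64.b64decode(body.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return decoded if PHP_ARRAY.match(decoded) else None


def classify_image(path):
    """'ok' for a real GIF, 'exfil' for a base64/serialized dump, else 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(6)
    if head.startswith(GIF_MAGIC):
        return "ok"
    return "exfil" if decode_drop_file(path) is not None else "unknown"


def scan_images(root):
    """Every .gif under root whose content is not a GIF, as (relpath, verdict)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".gif"):
                path = os.path.join(dirpath, name)
                verdict = classify_image(path)
                if verdict != "ok":
                    findings.append((os.path.relpath(path, root), verdict))
    return sorted(findings)


def build_sample_tree():
    """Constructed images/ tree: one real GIF plus one drop file (sample data only)."""
    root = tempfile.mkdtemp(prefix="cscart-images-")
    thumbs = os.path.join(root, "detailed", "0", "user_thumbs")
    os.makedirs(thumbs)
    logo = os.path.join(root, "logo.gif")
    with open(logo, "wb") as fh:
        fh.write(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")   # minimal 1x1 GIF
    # Fake capture of what the payment_info screen collects; test card number.
    user_data = {"firstname": "Test", "card_number": "4111111111111111", "cvv2": "123"}
    drop_rel = os.path.join("detailed", "0", "user_thumbs",
                            "CACHE_%s.gif" % hashlib.md5(b"sample").hexdigest())
    with open(os.path.join(root, drop_rel), "wb") as fh:
        fh.write(base64.b64encode(php_serialize_flat(user_data)))
    return {"root": root, "logo": logo, "drop_rel": drop_rel,
            "drop": os.path.join(root, drop_rel)}


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, verdict in scan_images(sample["root"]):
        print(verdict, rel)
        if verdict == "exfil":
            print("  payload:", decode_drop_file(os.path.join(sample["root"], rel)))
```

Point it at the real images/ directory and treat every 'exfil' hit as evidence to preserve before deleting: the decoded payload tells you which orders' card data was captured, which matters for the breach notification.
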
  • 2020
  • Senior Member
  • Members
  • Join Date: 11-Feb 07
  • 509 posts

Posted 21 May 2014 - 02:39 PM #2

Wow - sneaky way to keylog on the server. How are you confident that no other malicious code exists? Did you do a file comparison on the entire site?

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 21 May 2014 - 05:15 PM #3

We periodically look at files that have changed since the last time we looked (the time frame varies), i.e., find files that have a mod time greater than some prior time. However, this was injected yesterday but the mod times of the files were nearly two months ago. I think FTP will preserve the mtime of a file when it is uploaded, so we will have to revisit our strategy. We're trying not to store MD5 hashes of all files since this is a pretty big server load to do regularly.



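The mtime problem in the post above has a cheap answer that needs no hash database: the inode change time (ctime). An FTP upload typically keeps the file's original mtime, and an attacker can set any mtime at all (the 01/01/80 stamps reported later in this thread), but ctime is set by the kernel on every write, rename, chmod or utime() call and cannot be chosen from userland. A scan keyed on ctime still sees the back-dated upload, and a file whose ctime is after the last audit while its mtime is before it has had its timestamp restored. The script below is an added example, not the poster's tooling; it assumes a Linux/Unix host (on Windows st_ctime is the creation time) and builds its own sample tree with one normal edit and one timestamp-restored implant.

```python
"""Change detection on ctime instead of the attacker-controlled mtime."""
import os
import tempfile
import time

CODE_EXT = (".php", ".tpl")


def changed_files(root, since, key="st_ctime"):
    """Code files whose chosen stat field (st_ctime or st_mtime) is newer than since."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(CODE_EXT):
                path = os.path.join(dirpath, name)
                if getattr(os.stat(path), key) > since:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def audit(root, since):
    """ctime-based report {relpath: {"ctime", "mtime", "backdated"}} for every code
    file touched after since; backdated means the visible mtime still predates the
    audit although the inode changed after it."""
    report = {}
    for rel in changed_files(root, since, "st_ctime"):
        st = os.stat(os.path.join(root, rel))
        report[rel] = {"ctime": st.st_ctime, "mtime": st.st_mtime,
                       "backdated": st.st_mtime <= since}
    return report


def build_sample_tree():
    """Constructed store tree: a legitimate edit and a timestamp-restored implant."""
    root = tempfile.mkdtemp(prefix="cscart-")
    os.makedirs(os.path.join(root, "core"))
    paths = {rel: os.path.join(root, rel)
             for rel in ("init.php", "core/fn.init.php", "core/fn.cart.php")}
    for path in paths.values():
        with open(path, "w") as fh:
            fh.write("<?php // shipped code\n")
    since = max(os.stat(p).st_ctime for p in paths.values())   # "last audit"
    time.sleep(1.1)   # later changes must sort after since even with 1s timestamps
    # Developer edits fn.cart.php normally: mtime and ctime both move.
    with open(paths["core/fn.cart.php"], "a") as fh:
        fh.write("// legitimate change\n")
    # Attacker appends the hook to fn.init.php, then puts the old mtime back
    # (what a timestamp-preserving FTP upload does); ctime still moves.
    old_mtime = os.stat(paths["core/fn.init.php"]).st_mtime
    with open(paths["core/fn.init.php"], "a") as fh:
        fh.write("function fn_dispatch_payment_cache() { /* constructed stand-in */ }\n")
    os.utime(paths["core/fn.init.php"], (old_mtime, old_mtime))
    return root, since


if __name__ == "__main__":
    root, since = build_sample_tree()
    print("mtime scan:", changed_files(root, since, "st_mtime"))
    for rel, info in audit(root, since).items():
        print("ctime scan:", rel, "BACKDATED" if info["backdated"] else "")
```

Two caveats for production use: a recursive chmod or a full FTP re-upload bumps every ctime, so persist the audit timestamp and review the list rather than alerting on its length; and ctime only resists unprivileged attackers, since root can change the clock or write the inode directly, which is why the thread's advice about file modes still matters.
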
  • dysartwebs
  • Junior Member
  • Members
  • Join Date: 23-Oct 10
  • 13 posts

Posted 27 May 2014 - 05:46 AM #4

I have two websites and I believe each received hacking attempts this evening. I noticed images were not showing on both websites; I was getting 500 internal server errors for the images. So I checked the .htaccess file inside the images folder and noticed it had been modified. It had this inside of it:

PElmTW9cml0eS5jPg0KU2VjRmlsdGVyRW5naW5lIE9mZg0KPC9JZk1vZHVsZT4 | base64 -d (I removed part of the base64 code here)

So I deleted it from the .htaccess file and the images appeared again on the website.

And then around 10 minutes later this was back in the .htaccess file:
Options -Indexes
<Files ~ "\.php$">
order allow,deny
deny from all
</Files>

I checked all the other files on the website and nothing else had been modified in months, so I think we are OK for now. I changed all of our FTP passwords, etc.

  • dysartwebs
  • Junior Member
  • Members
  • Join Date: 23-Oct 10
  • 13 posts

Posted 27 May 2014 - 06:57 AM #5

I just found the email regarding the test.gif and js/thumbs.php issue. Found both of them on each of our websites and have deleted them.

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 27 May 2014 - 06:38 PM #6

That is a different insertion. I would immediately change your FTP and cPanel passwords. I would also suggest you buy/install our monitoring tool from here. This will allow you to monitor what files change on your site.

  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 931 posts

Posted 04 June 2014 - 10:03 AM #7

I didn't find fn_init_payment_info in core/fn.init.php.
Is that a good sign?

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 04 June 2014 - 06:38 PM #8

Yes


Posted 22 January 2015 - 11:52 AM #9

Thanks to the info in this post, I think we have uncovered the source of our credit card info being hacked. As tbirnseth discovered, the init.php and core/fn.init.php files had been modified, and a huge gif file was found in the images/detailed/0 folder. The malicious function had a different name, however: ours was called "fn_dispatch_payment_cache()". Found the function call as the last line in the init.php file and the actual function code at the end of the fn.init.php file.

Will be monitoring the site and will post here with results.
Henry
CS-Cart v2.2.4 PRO

The road to success is always under construction!

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 22 January 2015 - 11:18 PM #10

Was a typo on my part. The function is named fn_dispatch_payment_cache() not fn_init_payment_info().

  • Hungryweb
  • Senior Member
  • Authorized Reseller
  • Join Date: 10-Feb 12
  • 1197 posts

Posted 08 April 2015 - 01:06 PM #11

I also found this hack on one of my customers' sites, and you should also be looking at:
  • js/application.php
  • js/ul.php
The data has been saved to gif files in the folder
images/detailed/0/user_thumbs/CACHE_*.thumb.gif

With the help of the file js/ul.php I believe they delete the above file after they successfully save the data; in this way the traces are deleted, so I also guess that all the data from the time that file was changed until you find out was already stolen :(

If anyone has more details in regards to this hack, please share


I hope that helps

---
Valentin
part of hungryweb.net

  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 08 April 2015 - 08:32 PM #12

Can you provide any code snippet of what was added to the JS files? Or are these new files added as a result of the hack?
I'd like to update a security checker I have that tries to detect some of these known vulnerabilities.

  • Hungryweb
  • Senior Member
  • Authorized Reseller
  • Join Date: 10-Feb 12
  • 1197 posts

Posted 09 April 2015 - 12:52 PM #13

Can you provide any code snippet of what was added to the js files? Or are these new files added as a result of the hack?
Like to update a security checker I have that tries to detect some of these known vulnerabilities.


Mail sent ;) Thank you

  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 14 October 2015 - 10:57 AM #14

Doing some routine stuff - found:

/js/application.php
/js/ul.php

Have saved them locally for info and deleted them... Both had dates of 01/01/80 and perms of 644.

No images/detailed/0/user_thumbs/CACHE_*.thumb.gif found.

I will stress that we have NEVER stored payment card info since install in 2013, as we use a third-party payment processor.

No functionality issues on the front end noticed...

Any thoughts?

Ah, and /js/jquery.placeholder.php! I have renamed this for the time being and added an .htaccess file to /js/:

Options -Indexes

<Files ~ "\.([pP][hH][pP].?)$">
  deny from all
</Files>


Edited by Wilko, 14 October 2015 - 11:09 AM.


  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 14 October 2015 - 11:27 AM #15

...actually, thinking of enabling ul.php but for it to simply redirect to https://www.fbi.gov/

But I suppose that might be viewed as an invitation/challenge for them to focus on! So I will resist the temptation...



  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 14 October 2015 - 06:35 PM #16

What version of cs-cart are you running? Are the JS files human-readable or are they encoded?


  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 15 October 2015 - 08:49 AM #17

Hi tbirnseth

V 3.05 - the three PHP files in /js/ were all encoded.

PS: /js/jquery.placeholder.php was not on Vali's list ^^^

PPS: Correction - ul.php is plain-text PHP.


Edited by Wilko, 15 October 2015 - 08:55 AM.


  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 15 October 2015 - 08:24 PM #18

Well, if you were running V4 and also running our EZ Admin Helper addon, a nightly scan of your server for known security issues would have picked up the following files in your js directory and thrown an alert:

  • js/forms.php
  • js/thumbs.php
  • js/application.php
  • js/ul.php

Unfortunately, we did not provide our security checks in the V2 or V3 versions of EZ Admin Helper. But V4 would have you covered!

BTW: the above are NOT new hacks. They've been around for a year or two.

If you have other files in your js directory that you don't think belong there (beyond the list above), can you please publish them?

Other files that shouldn't be on your system either are things like:

  • a function named fn_dispatch_payment_cache() in your fn.init.php file (version-dependent location)
  • inserted code with an "images_cache" DB reference in fn.cart.php and controllers/customer/products.php
  • addons/statistics/statistics.php
  • images/test.gif
  • images/detailed/0/user_thumbs[big ugly number].jpg

And you should NOT have a cscart_images_cache table in your database.




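The indicator list in the post above is concrete enough to turn into a check you can run on any install, and it also covers the earlier question about what else belongs in js/. The scanner below is an added example, not the EZ Admin Helper addon. Its assumptions: `root` is the store root; both the V2/V3 location core/fn.init.php and the V4 location app/functions/fn.init.php are tried for the rogue function; any .php under js/ is reported as foreign on the assumption that a stock js/ directory holds only JavaScript (which is how a file like the jquery.placeholder.php mentioned in this thread would surface even though it is not on the list); the user_thumbs pattern in the post is ambiguous, so both a directory and a file-prefix form are matched; and the table check takes the names from SHOW TABLES as a plain list so it needs no database connection. The planted sample tree is constructed inline.

```python
"""Walk a CS-Cart install for the rogue files, code and table named in the thread."""
import fnmatch
import glob
import os
import tempfile

ROGUE_FILES = (
    "js/forms.php", "js/thumbs.php", "js/application.php", "js/ul.php",
    "addons/statistics/statistics.php", "images/test.gif",
)
ROGUE_CODE = (                       # (file, byte string that must not be there)
    ("init.php", b"fn_dispatch_payment_cache"),
    ("core/fn.init.php", b"fn_dispatch_payment_cache"),
    ("app/functions/fn.init.php", b"fn_dispatch_payment_cache"),  # V4 location
    ("core/fn.cart.php", b"images_cache"),
    ("controllers/customer/products.php", b"images_cache"),
)
# Assumption: the post's "user_thumbs[big ugly number].jpg" could be either form.
DROP_GLOBS = ("images/detailed/0/user_thumbs/*", "images/detailed/0/user_thumbs*.jpg")
ROGUE_TABLES = ("cscart_images_cache",)


def scan_install(root):
    """Sorted list of (indicator, detail) findings for the tree under root."""
    findings = set()
    for rel in ROGUE_FILES:
        if os.path.exists(os.path.join(root, rel)):
            findings.add(("rogue_file", rel))
    for rel, needle in ROGUE_CODE:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                if needle in fh.read():
                    findings.add(("rogue_code", "%s: %s" % (rel, needle.decode())))
    # Assumption: nothing server-side belongs under js/, so any .php variant is foreign.
    for dirpath, _, names in os.walk(os.path.join(root, "js")):
        for name in fnmatch.filter(names, "*.php*"):
            findings.add(("php_in_js", os.path.relpath(os.path.join(dirpath, name), root)))
    for pattern in DROP_GLOBS:
        for path in glob.glob(os.path.join(root, pattern)):
            findings.add(("drop_file", os.path.relpath(path, root)))
    return sorted(findings)


def check_tables(table_names):
    """Names from SHOW TABLES that belong to the implant rather than to CS-Cart."""
    return sorted(t for t in table_names if t in ROGUE_TABLES)


def build_sample_tree():
    """Constructed install: clean files alongside several planted indicators."""
    root = tempfile.mkdtemp(prefix="cscart-")
    files = {
        "core/fn.cart.php": b"<?php // clean\n",
        "core/fn.init.php": b"<?php\nfunction fn_dispatch_payment_cache() { /* stand-in */ }\n",
        "js/ul.php": b"<?php // stand-in for the cleanup script\n",
        "js/jquery.placeholder.php": b"<?php // encoded junk in the real case\n",
        "js/jquery.placeholder.js": b"// legitimate plugin\n",
        "images/detailed/0/user_thumbs/CACHE_abc.thumb.gif": b"c2FtcGxl",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for indicator, detail in scan_install(build_sample_tree()):
        print(indicator, detail)
    print(check_tables(["cscart_users", "cscart_images_cache"]))
```

Run it from cron against the live store root and diff the output against the previous run; a new 'php_in_js' hit is worth a look even when the filename is not on anyone's list yet, since the js/ directory is reachable by URL and is exactly where these kits drop their cleanup scripts.
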
  • Wilko
  • Advanced Member
  • Members
  • Join Date: 14-Feb 13
  • 102 posts

Posted 29 October 2015 - 12:57 PM #19

Thanks tbirnseth, I have been away so...

I had /js/jquery.placeholder.php; do you want me to paste the full code here? I removed the file when I came across this thread.

Other files that shouldn't be on your system either are things like:
  • a function named fn_dispatch_payment_cache() in your fn.init.php file (version-dependent location) - PREVIOUSLY REMOVED
  • inserted code with an "images_cache" DB reference in fn.cart.php and controllers/customer/products.php - SUCH CODE NOT FOUND
  • addons/statistics/statistics.php - NOT PRESENT
  • images/test.gif - NOW DELETED
  • images/detailed/0/user_thumbs[big ugly number].jpg - NOT PRESENT (probably deleted by 'them' using ul.php?)
  • And you should NOT have a cscart_images_cache table in your database - NOT PRESENT


  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10607 posts

Posted 29 October 2015 - 06:48 PM #20

Can you email me the jquery.placeholder.php file so I can review it, please? You can send it to support AT ez-ms.com.

If it's valid, I'd like to include it in the security checks we do in the EZ Admin Helper addon.

All the rest are already handled in our addon.

