New Hack

Just dealt with one of my client’s sites that was hacked (actually 2 of them were). I believe this was an inside job from an employee that was discharged but thought I’d give a heads-up in case it shows at anyone else’s site.



Two files are modified

init.php

and

core/fn.init.php (or on V4 app/functions/fn.init.php).



A function called fn_init_payment_info() was added to the latter and called from init.php.



It basically looked for the mode of ‘payment_info’ (the order management editing of an order) and then captured the ‘user_data’ from the current cart in the session and wrote it out in a serialized/base64 encoded format to a gif file in images/detailed/0/user_thumbs/CACHE_[md5 number].gif. Note that even on sites that do NOT store CC info, the customer is usually being asked over the phone for their CC info and input into this screen.



I believe we caught this before the data file could be retrieved so I don’t believe they were actually compromised.



But it’s an interesting way to capture data in small amounts so it would probably go unnoticed. But thanks to a coding issue and having ‘display_errors’ == true in the admin area, we were able to identify it quickly and remove it.



Very important to ensure that your php files are mode 644 (or even 444 and then set them to 644 before an upgrade). Same goes for *.tpl files.

Wow - sneaky way to keylog on the server. How are you confident that no other malicious code exists? Did you do a file comparison on the entire site?

We periodically look at files that have changed since the last time we looked (time frame varies). I.e. find files that have a mod time greater than some prior time. However, this was injected yesterday but the mod times of the files were nearly 2 months ago. I think FTP will preserve the m_time of a file when it is uploaded so we will have to revisit our strategy. Trying not to store md5 of all files since this is a pretty big server load to do regularly.

I have two websites and I believe each received hacking attempts this evening. I noticed images were not showing on both websites. I was getting 500 internal server errors for the images . So I checked the htaccess file inside the images folder and noticed it had been modified. It had this inside of it:



PElmTW9cml0eS5jPg0KU2VjRmlsdGVyRW5naW5lIE9mZg0KPC9JZk1vZHVsZT4 | base64 -d (I removed part of the base64 code here)



So I deleted it from the htaccess file and the images appeared again on the website.



And then around 10 minutes later this was back in the htaccess file:

```apache
Options -Indexes

order allow,deny
deny from all
```





I checked all the other files on the website and nothing else had been modified in months, so I think we are ok for now. I changed all of our ftp passwords, etc.

I just found the email in regards to the test.gif and js/thumbs.php issue. Found both of them in each of our websites and have deleted them.

That is a different insertion. I would immediately change your ftp and cpanel passwords. I would suggest you buy/install our monitoring tool from here also. This will allow you to monitor what files change on your site.

I didn't find fn_init_payment_info in core/fn.init.php.

Is that a good sign??

Yes

Thanks to the info in this post I think we have uncovered the source of our credit card info being hacked. As tbirnseth discovered, the init.php and core/fn.init.php files had been modified and a huge gif file was found in the images/detailed/0 folder. The malicious function had a different name however. Ours was called “fn_dispatch_payment_cache()”. Found the function call as the last line in the init.php file and the actual function code at the end of the fn.init.php file.



Will be monitoring the site and will post here with results.

Was a typo on my part. The function is named fn_dispatch_payment_cache() not fn_init_payment_info().

I also found this hack on one of my customers' sites, and you should also be looking at:

- js/application.php
- js/ul.php

The data has been saved to gif files in the folder `images/detailed/0/user_thumbs/CACHE_*.thumb.gif`.

With the help of the file js/ul.php I believe they delete the above file after they successfully save data; in this way the traces are deleted, so I also guess that all the data from the time that file was changed until you find out was already stolen :(

If anyone has more details in regards to this hack please share.

I hope that helps

---
Valentin
part of hungryweb.net

Can you provide any code snippet of what was added to the js files? Or are these new files added as a result of the hack?

Like to update a security checker I have that tries to detect some of these known vulnerabilities.

tbirnseth wrote:

> Can you provide any code snippet of what was added to the js files? Or are these new files added as a result of the hack?
>
> Like to update a security checker I have that tries to detect some of these known vulnerabilities.



Mail sent ;) Thank you

Doing some routine stuff - found:

/js/application.php

/js/ul.php

Have saved them locally for info and deleted them... Both had dates of 01/01/80 and perms of 644

No images/detailed/0/user_thumbs/CACHE_*.thumb.gif found

I will stress that we have NEVER stored Payment Card info since install in 2013 as use third party payment processor.

No functionality issues on front-end noticed...

Any thoughts?

Ah - and /js/jquery.placeholder.php! I have renamed this for the time being and added a .htaccess file to /js/:

```apache
Options -Indexes

deny from all
```

...actually, thinking of enabling ul.php but for it to simply redirect to https://www.fbi.gov/

But I suppose that might be viewed as an invitation / challenge for them to focus on! So I will resist the temptation...

What version of cs-cart are you running? Are the JS files human readable or are they encoded?

Hi tbirnseth

V 3.05 - the three php files in /js/ were all encoded

PS: /js/jquery.placeholder.php was not on Vali's list ^^^

PPS: Correction - ul.php is plain text php

Well, if you were running V4 and also running our EZ Admin Helper addon, a nightly scan of your server for known security issues would have picked up the following files in your js directory and thrown an alert:

  • js/forms.php
  • js/thumbs.php
  • js/application.php
  • js/ul.php

Unfortunately, we did not provide our security checks in the V2 or V3 versions of EZ Admin Helper. But V4 would have you covered!

BTW: the above are NOT new hacks. They've been around for a year or two.

If you have other files in your js directory that you don't think belong there (beyond the list above), can you please publish them?

Other files that shouldn't be on your system either are things like:

  • a function named fn_dispatch_payment_cache() in your fn.init.php file (version dependent location)
  • Inserted code with "images_cache" DB reference in fn.cart.php and controllers/customer/products.php
  • addons/statistics/statistics.php
  • images/test.gif
  • images/detailed/0/user_thumbs[big ugly number].jpg

And you should NOT have a cscart_images_cache table in your database.
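As an added defender-side example (not code from this thread, from CS-Cart or from the EZ Admin Helper addon), a Python scan for the indicators listed above: dropped files under js/, the fn_dispatch_payment_cache() / fn_init_payment_info() function defined in fn.init.php or called from init.php, images_cache references in fn.cart.php and products.php, and CACHE_* drop files under images/detailed/0/user_thumbs. The sample install tree and its file contents are constructed for the demo; the cscart_images_cache table check is a SQL query and is not covered here.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in this thread, relative to the CS-Cart root (constructed table).
KNOWN_FILES = {"js/forms.php", "js/thumbs.php", "js/application.php", "js/ul.php",
               "js/jquery.placeholder.php", "addons/statistics/statistics.php", "images/test.gif"}
BACKDOOR_FUNC = re.compile(r"\bfn_(dispatch_payment_cache|init_payment_info)\s*\(")
IMAGES_CACHE = re.compile(r"images_cache")

def _read(path):
    return Path(path).read_text(encoding="utf-8", errors="ignore")

def scan_cscart_root(root):
    """(rel_path, reason) per indicator found; the cscart_images_cache table needs a DB check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if rel in KNOWN_FILES:
                findings.append((rel, "known dropped file"))
            elif rel_dir == "js" and name.endswith(".php"):  # js/ should hold only JavaScript
                findings.append((rel, "PHP file in js/"))
            elif rel_dir == "images/detailed/0/user_thumbs" and name.startswith("CACHE_"):
                findings.append((rel, "harvested-data drop file"))
            elif name in ("init.php", "fn.init.php") and BACKDOOR_FUNC.search(_read(os.path.join(dirpath, name))):
                findings.append((rel, "payment-capture function defined or called"))
            elif name in ("fn.cart.php", "products.php") and IMAGES_CACHE.search(_read(os.path.join(dirpath, name))):
                findings.append((rel, "images_cache reference inserted"))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample install: clean files plus one hit per check (not a real site)."""
    root = tempfile.mkdtemp(prefix="cscart_demo_")
    sample = {
        "init.php": "<?php\nrequire 'core/fn.init.php';\nfn_dispatch_payment_cache();\n",
        "core/fn.init.php": "<?php\nfunction fn_dispatch_payment_cache() { /* writes user_data */ }\n",
        "controllers/customer/products.php": "<?php\ndb_query('SELECT 1 FROM ?:images_cache');\n",
        "js/jquery.min.js": "/* legitimate script */\n",
        "js/ul.php": "<?php /* dropped file */\n",
        "js/extra.php": "<?php /* unexpected PHP in js/ */\n",
        "images/detailed/0/user_thumbs/CACHE_0123abcd.thumb.gif": "GIF89a\n",
    }
    for rel, body in sample.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root
```

Run scan_cscart_root() against the real document root rather than the demo tree. Because FTP uploads can preserve mtimes, as noted earlier in the thread, a content scan like this complements mtime-based change monitoring rather than replacing it.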

Thanks tbirnseth, I have been away so...

I had: /js/jquery.placeholder.php do you want me to paste the full code here? I have removed the file when I came across this thread.

Other files that shouldn't be on your system either are things like:

  • a function named fn_dispatch_payment_cache() in your fn.init.php file (version dependent location) - PREVIOUSLY REMOVED
  • Inserted code with "images_cache" DB reference in fn.cart.php and controllers/customer/products.php - SUCH CODE NOT FOUND
  • addons/statistics/statistics.php - NOT PRESENT
  • images/test.gif - NOW DELETED
  • images/detailed/0/user_thumbs[big ugly number].jpg - NOT PRESENT (Probably deleted by 'them' using ul.php?)
  • And you should NOT have a cscart_images_cache table in your database - NOT PRESENT

Can you email me the jquery.placeholder.php file so I can review it please. You can send it to support AT ez-ms.com.

If it's valid, I'd like to include it in the security checks we do in ez admin helper addon.

All the rest are already handled in our addon.