Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2 Rate Topic   - - - - -

 
  • TBOTECH
  • Member
  • Members
  • Join Date: 17-Oct 10
  • 165 posts

Posted 29 May 2014 - 08:05 PM #61

Found another .htaccess file located in the images folder with a a modified date of 25 May 2014.

It shows:

<IfModule mod_security.c>

SecFilterEngine Off

</IfModule>

Is that one fine?

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12158 posts

Posted 29 May 2014 - 08:10 PM #62

@tbirnseth - The Apache error logs pick up some of the commands that are run in PHP Command Line Mode.

Some yes, but certainly not all... My point was that much of the actual actions will be hidden from the logs.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • imac
  • CEO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2077 posts

Posted 29 May 2014 - 08:12 PM #63

This seems to be more serious than it is being made out to be. If they downloaded user data, that would mean they have customers login info.

Ilya: Please advise if we should be changing our MySQL DB passwords, re-setting customer passwords and any other things that the hackers may now have. This type of stuff is not a joke and can bring a business to it's knees if not handled correctly.


Unfortunately it is very serious.

My recommendations are:
1) Changes all FTP & SSH passwords on your server
2) Change MySQL DB password
3) Change all users passwords (admin & customers)

Changing server passwords like DB, FTP or SSH is a good practice even in case you are sure your site was not hacked.
The 3rd point is a complex task (I'm talking about customer password), so if you are going to do it, you should be sure that your users data has been stolen.
Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • imac
  • CEO
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2077 posts

Posted 29 May 2014 - 08:13 PM #64

Found another .htaccess file located in the images folder with a a modified date of 25 May 2014.

It shows:

<IfModule mod_security.c>

SecFilterEngine Off

</IfModule>

Is that one fine?


No, this one is uploaded by the hacker. You should replace it with the correct one.
Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12158 posts

Posted 29 May 2014 - 08:15 PM #65

Also suggest that cpanel user and any root passwords that you manage be changed on your server.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 29 May 2014 - 08:21 PM #66

One of my customers sites was hit today hard, when viewing only the order details page we got the store closed page, at first as I like what is going on store closed on admin side and only on order details page, had no idea. Viewed the page source of the store closed page and their were base64 encoded images being called just like this:

images folder was modified with this string of characters:

PElmTW9kdWxlIG1vZF9zZWN1cml0eS5jPg0KU2VjRmlsdGVyRW5naW5lIE9mZg0KPC9JZk1vZHVsZT4 | base64 -d


FYI the above decoded is:

<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>

Also take note I've been having customers call me saying the store is closed and they can't get in to check their order, when I investigated myself the store was obviously open so I was like well I have no idea. Out of no where the store closed page disappeared and we lost the page source in a spaztastic rush to shut it down and could never get it back to investigate. The offending files were not present on our server though we deleted the payments. We changed admin access filename and passwords but not sure what the next steps are to investigate where, what this hack has and is doing. FYI Imac this site was running v4.1.5 when this happened but it could have been infected before we updated to v4.1.5 from v4.1.4 - Sno
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12158 posts

Posted 29 May 2014 - 08:32 PM #67

@Sno

In V4, the old "Error Occured" (from a database error) has been replaced with the Store Closed page on the admin side.
The encoded data you see is the DB Error and if you have the "make cs-cart better" setting checked, then that data is sent to cs-cart.

I do not think that page is anything to worry about.
You might want to add a define into your config.local.php (for a while anyway) of
if( !defined('DEVELOPMENT') ) define('DEVELOPMENT', true);
This will then dump the DB error to the screen rather than encoding it into the store closed page for sending to cs-cart..

I've never decoded the page so can't be absolutely certain, but I do believe that my assessment is correct.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 5126 posts

Posted 29 May 2014 - 08:40 PM #68

I have never noticed these being exactly like this in my .htaccess before, is it normal

JOhn
<FilesMatch "\.(js|css)$">
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2015 20:00:00 GMT"
Header unset Last-Modified
</FilesMatch>

<Files 403.shtml>
order allow,deny
allow from all
</Files>

4 14.1


 
  • Fishpaste
  • Junior Member
  • Members
  • Join Date: 11-Feb 11
  • 85 posts

Posted 29 May 2014 - 08:47 PM #69

1) Changes all FTP & SSH passwords on your server

Sorry just to be clear - when you say FTP passwords do you mean just any specific FTP accounts you may have created - only as far as I know the main CPanel password can be used with FTP... would that need changing to, or would the main CPanel password not be available to any hacker through this attack?

 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 29 May 2014 - 09:05 PM #70

@tbirnseth, thanks Tony, I'll check, maybe I jumped the gun who knows, regardless what's going on here is a big deal - Sno
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 12158 posts

Posted 29 May 2014 - 09:15 PM #71

@sno - yes it is a big deal. And I'm certain everyone is on pins and needles.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 

Posted 29 May 2014 - 09:45 PM #72

Ugh... three client sites got hacked. Couple questions that might be on a lot of folks minds... if anyone could answer them, that would be helpful.

[1] Can I restore my site's physical files with cpanel's CS-cart backup restore to the file versions from before the hack attack to ensure no modified files remain on the server?
One of my sites got attacked May 25, 19:50h.... and I checked the log files for the last 3 months before then, no other attack. I removed thumbs.php and test.gif on May 26 - but I am not sure if there are modified files on the server. Should I restore my site with the files from May 20, then change passwords for cpanel, CS-cart admins, mysql database, FTP etc

[2] For folks that aren't comfortable with command line prompts to check for modified files... is there a solution that lay persons can use?

[3] I am sure everyone sees something similar in their access logs... can somebody provide a line by line explanation of below's snippet (I removed my domain at the beginning of each line):

173.236.23.161 - - [25/May/2014:14:23:07 +0000] "GET /ad-min.php?version HTTP/1.1" 200 4762 "-" "Mozilla/5.5 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/24.2.483.1265 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:08 +0000] "GET /ad-min.php?version HTTP/1.1" 200 4762 "-" "Mozilla/6.4 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/28.0.61.1350 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:09 +0000] "POST /ad-min.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 5013 "-" "Mozilla/1.1 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/28.3.263.422 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:09 +0000] "GET /ad-min.php?dispatch=orders.details&order_id= HTTP/1.1" 302 693 "-" "Mozilla/1.1 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/28.3.263.422 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:10 +0000] "GET /ad-min.php?dispatch=auth.login_form&return_url=ad-min.php%3Fdispatch%3Dorders.details%26order_id%3D HTTP/1.1" 200 8202 "-" "Mozilla/1.1 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/28.3.263.422 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:11 +0000] "GET /images/test.gif HTTP/1.1" 200 4666 "-" "Mozilla/3.3 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/25.5.323.523 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:11 +0000] "POST /ad-min.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 5013 "-" "Mozilla/6.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/16.9.258.848 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:12 +0000] "GET /ad-min.php?dispatch=orders.details&order_id= HTTP/1.1" 302 693 "-" "Mozilla/6.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/16.9.258.848 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:12 +0000] "GET /ad-min.php?dispatch=auth.login_form&return_url=ad-min.php%3Fdispatch%3Dorders.details%26order_id%3D HTTP/1.1" 200 8202 "-" "Mozilla/6.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/16.9.258.848 Safari/537.11"
173.236.23.161 - - [25/May/2014:14:23:13 +0000] "POST /js/thumbs.php HTTP/1.1" 200 4634 "-" "Mozilla/7.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/12.1.66.1163 Safari/537.11"
173.236.23.161 - - [27/May/2014:18:08:41 +0000] "POST /js/thumbs.php HTTP/1.1" 404 22637 "-" "Mozilla/6.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/26.1.186.1439 Safari/537.11"


[4] If I have "remove CC info" checked for all order statuses, then what can an attacker do with a customers address and last four credit card digits?

 
  • idg
  • Member
  • Members
  • Join Date: 22-Jul 09
  • 75 posts

Posted 29 May 2014 - 09:51 PM #73

Thanks Ilya. I changed the MySQL DB password, SSH and the admin passwords. How can I know if user data has been stolen? I am definitely seeing the bot in the logs.

Unfortunately it is very serious.

My recommendations are:
1) Changes all FTP & SSH passwords on your server
2) Change MySQL DB password
3) Change all users passwords (admin & customers)

Changing server passwords like DB, FTP or SSH is a good practice even in case you are sure your site was not hacked.
The 3rd point is a complex task (I'm talking about customer password), so if you are going to do it, you should be sure that your users data has been stolen.



 
  • kogi
  • Senior Member
  • Members
  • Join Date: 16-Aug 07
  • 652 posts

Posted 29 May 2014 - 10:03 PM #74

So, Why does cs-cart have my admin filename and why are they storing it?
find / -type f -name '*.base' -exec chown kogi.kogi {} \;

 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 29 May 2014 - 10:10 PM #75

I would recommend you to go through the access logs of your server. Look for 173.236.23.161.


Ilya I guess we should all be adding:

Order Deny,Allow
Deny from 173.236.23.161

to the root .htaccess until this is resolved, every little bit helps. If their are other IP's I guess we need to start getting a list together - Sno
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1

 
  • mrfoameruk
  • Senior Member
  • Members
  • Join Date: 03-Dec 09
  • 302 posts

Posted 29 May 2014 - 10:15 PM #76

this is my log

??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:26 +0100] "GET /admin??????.php?version HTTP/1.1" 200 21 "-" "Mozilla/8.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/20.4.692.558 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:27 +0100] "GET /admin??????.php?version HTTP/1.1" 200 21 "-" "Mozilla/5.6 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/19.2.158.894 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:27 +0100] "POST /admin??????.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 - "-" "Mozilla/5.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/17.1.653.1017 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:30 +0100] "GET /admin??????.php?dispatch=auth.login_form HTTP/1.1" 200 8016 "-" "Mozilla/5.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/17.1.653.1017 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:32 +0100] "GET /images/test.gif HTTP/1.1" 404 170913 "-" "Mozilla/9.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/24.3.234.202 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:34 +0100] "POST /admin??????.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 - "-" "Mozilla/6.7 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/15.3.684.1218 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:35 +0100] "GET /admin??????.php?dispatch=auth.login_form HTTP/1.1" 200 8016 "-" "Mozilla/6.7 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/15.3.684.1218 Safari/537.11"
??????.co.uk 173.236.23.161 - - [23/May/2014:23:19:36 +0100] "GET /images/test.gif HTTP/1.1" 404 170912 "-" "Mozilla/6.8 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/34.9.186.1185 Safari/537.11

Do I need to worry? I cant see any of the files talked about in this topic so far (i'm halfway through checking the website).
I take it "get" means look and post means upload (I'm not techy). There are a couple post lines?
I'm on 4.1.5 upgraded though all the updates.
http://UKBeading.co.uk.....one day I will get round to it and stop playing......

cs cart 4.1.4

 
  • Fishpaste
  • Junior Member
  • Members
  • Join Date: 11-Feb 11
  • 85 posts

Posted 29 May 2014 - 10:23 PM #77

mrfoameruk:
test.gif (one of the problem files) is mentioned a couple of time in your log

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 1059 posts

Posted 29 May 2014 - 10:32 PM #78

Bugger this. I twill take a guru to make sure their site isn't infected.
Removed data as per email with 5 minutes of getting email.
Attack has already occurred.
NOW the logs aren't even reliable.
I downloaded a copy of my site to my hard drive and scanned it for infections...All OK.
I would like a step by step re-installation procedure in a sub folder on the same server
and THEN a step by step on how to make number one.
And PLEASE don't provide a link to the installation manual. I have one and can install
my cart OK. It's just the deletion of the existing cart and how to make the new cart number
one that is hurting my head.

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 1059 posts

Posted 29 May 2014 - 10:35 PM #79

HANG ON. If all our admin names were being held by CS-Cart, HOW did they
get there ? Fair enough initially for the purposes of registration but why and how
every time there was an admin name change ?

 
  • nedd
  • Senior Member
  • Members
  • Join Date: 13-Jan 08
  • 125 posts

Posted 29 May 2014 - 11:02 PM #80

Here is my report:

I didn't found any of the mentioned files (js/thumbs.php and images/test.gif) after first warning from May 26, deleted Atos and HSBC files and folders per instruction, as of today can't locate any suspicious changes in other files and folders and site behavior, BUT access and error logs shows suspicious activity from May 23.

Please check and advise. Thx

***********


ACCESS LOG:

173.236.23.161 - - [23/May/2014:19:23:07 +0300] "GET /xxx.php?version HTTP/1.1" 200 42 "-" "Mozilla/5.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/27.0.568.596 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:08 +0300] "GET /xxx.php?version HTTP/1.1" 200 42 "-" "Mozilla/4.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/12.6.610.1115 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:08 +0300] "POST /index.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 0 "-" "Mozilla/6.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/39.0.572.1039 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:10 +0300] "GET /index.php?dispatch=checkout.checkout HTTP/1.1" 302 0 "-" "Mozilla/6.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/39.0.572.1039 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:10 +0300] "GET /index.php?dispatch=checkout.cart HTTP/1.1" 200 26570 "-" "Mozilla/6.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/39.0.572.1039 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:11 +0300] "GET /images/test.gif HTTP/1.1" 404 389 "-" "Mozilla/8.1 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/27.7.215.107 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:12 +0300] "POST /index.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 0 "-" "Mozilla/3.4 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/30.6.295.1202 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:13 +0300] "GET /index.php?dispatch=checkout.checkout HTTP/1.1" 302 0 "-" "Mozilla/3.4 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/30.6.295.1202 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:13 +0300] "GET /index.php?dispatch=checkout.cart HTTP/1.1" 200 26572 "-" "Mozilla/3.4 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/30.6.295.1202 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:23:14 +0300] "GET /images/test.gif HTTP/1.1" 404 389 "-" "Mozilla/1.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/38.6.681.1113 Safari/537.11"


173.236.23.161 - - [23/May/2014:19:54:09 +0300] "GET /xxx.php?version HTTP/1.1" 200 42 "-" "Mozilla/7.9 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/21.3.231.1244 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:10 +0300] "GET /xxx.php?version HTTP/1.1" 200 42 "-" "Mozilla/3.7 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/21.7.33.834 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:10 +0300] "POST /index.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 0 "-" "Mozilla/5.5 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/26.2.351.1273 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:11 +0300] "GET /index.php?dispatch=checkout.checkout HTTP/1.1" 302 0 "-" "Mozilla/5.5 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/26.2.351.1273 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:12 +0300] "GET /index.php?dispatch=checkout.cart HTTP/1.1" 200 26569 "-" "Mozilla/5.5 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/26.2.351.1273 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:13 +0300] "GET /images/test.gif HTTP/1.1" 404 389 "-" "Mozilla/6.1 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/20.7.57.1142 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:13 +0300] "POST /index.php?dispatch=payment_notification.results&payment=atos HTTP/1.1" 302 0 "-" "Mozilla/8.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/15.6.386.777 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:14 +0300] "GET /index.php?dispatch=checkout.checkout HTTP/1.1" 302 0 "-" "Mozilla/8.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/15.6.386.777 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:15 +0300] "GET /index.php?dispatch=checkout.cart HTTP/1.1" 200 26569 "-" "Mozilla/8.2 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/15.6.386.777 Safari/537.11"
173.236.23.161 - - [23/May/2014:19:54:16 +0300] "GET /images/test.gif HTTP/1.1" 404 389 "-" "Mozilla/1.3 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/24.4.467.1197 Safari/537.11"

ERROR LOG:

[23-May-2014 18:23:09 Europe/Berlin] PHP Warning: exec() has been disabled for security reasons in /home/xxx/public_html/payments/atos.php on line 218
[23-May-2014 18:23:09 Europe/Berlin] PHP Warning: Invalid argument supplied for foreach() in /home/xxx/public_html/core/fn.cart.php on line 1314
[23-May-2014 18:23:09 Europe/Berlin] PHP Warning: substr_count() [<a href='function.substr-count'>function.substr-count</a>]: Empty substring in /home/xxx/public_html/core/fn.cart.php on line 3016
[23-May-2014 18:23:12 Europe/Berlin] PHP Warning: exec() has been disabled for security reasons in /home/xxx/public_html/payments/atos.php on line 218
[23-May-2014 18:23:12 Europe/Berlin] PHP Warning: Invalid argument supplied for foreach() in /home/xxx/public_html/core/fn.cart.php on line 1314
[23-May-2014 18:23:12 Europe/Berlin] PHP Warning: substr_count() [<a href='function.substr-count'>function.substr-count</a>]: Empty substring in /home/xxx/public_html/core/fn.cart.php on line 3016
[23-May-2014 18:54:10 Europe/Berlin] PHP Warning: exec() has been disabled for security reasons in /home/xxx/public_html/payments/atos.php on line 218
[23-May-2014 18:54:10 Europe/Berlin] PHP Warning: Invalid argument supplied for foreach() in /home/xxx/public_html/core/fn.cart.php on line 1314
[23-May-2014 18:54:10 Europe/Berlin] PHP Warning: substr_count() [<a href='function.substr-count'>function.substr-count</a>]: Empty substring in /home/xxx/public_html/core/fn.cart.php on line 3016
[23-May-2014 18:54:14 Europe/Berlin] PHP Warning: exec() has been disabled for security reasons in /home/xxx/public_html/payments/atos.php on line 218
[23-May-2014 18:54:14 Europe/Berlin] PHP Warning: Invalid argument supplied for foreach() in /home/xxx/public_html/core/fn.cart.php on line 1314
[23-May-2014 18:54:14 Europe/Berlin] PHP Warning: substr_count() [<a href='function.substr-count'>function.substr-count</a>]: Empty substring in /home/xxx/public_html/core/fn.cart.php on line 3016