
Hacked?? Any ideas?

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 04 June 2006 - 02:43 AM #1

Hi,

I've just checked my site to find the homepage "hacked". I have an index.php file in my site root which is just a 301 redirect to a sub dir (not using CS Cart at the moment). This file has been replaced with the following text:

Update CS-Cart! Saved by UK-Hacker!


Every other part of the site, including my cs-cart test area, is fine.

Anyone else had this? Any ideas on who/why this may be happening? I have had this page "hacked" before, but no other part of my site - it's literally a 301 redirect, nothing else in the script.

Simon

 
  • Trailhunter
  • Junior Member
  • Members
  • Join Date: 20-Mar 06
  • 22 posts

Posted 04 June 2006 - 05:14 AM #2

I've noticed in my web stats that people are searching for sites with cs-cart by looking for the text Powered by CS-Cart or the like. Do they know of some vulnerability that they're trying to exploit on other sites? I have removed that text from my site, but Google and others already indexed it with that line included so people are finding their way to my store by searching for that. So far everything is safe. I have a tough alpha-numeric password. It may be that they're looking for cs-cart powered sites as sort of a pre-sales kinda thing, but I'm paranoid about security.

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 04 June 2006 - 10:11 AM #3

Yes mate, the same sort of thing happened today. The people searched through MSN, not for powered through cs cart though, some other way. I saw in our logs a certain thing; I've given the cs-cart team an email about it.
I'll wait to see what they say.
Greg
1.3.5 sp4

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 04 June 2006 - 03:10 PM #4

It's strange... I have removed the powered by text but it may have been indexed already. I also have a decent password. The strange thing is that none of the files in my cscart dir, or any other files for that fact, were touched - only the index.php in my site root (public_html).

It worries me a bit to see cs-cart mentioned though!
Simon

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 04 June 2006 - 03:32 PM #5

See if you can get ahold of your server logs on that day... Give them to cs cart, there may be a security hole? This is important to all.
Pimpin' skins since v1.0

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 04 June 2006 - 03:47 PM #6

I've contacted CS regarding this and will get hold of the logs.

Simon

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 04 June 2006 - 07:30 PM #7

I actually started to search for powered by cs-cart for other stores and came across this hacked site:

http://onetopshop.com/

ryan

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 04 June 2006 - 07:34 PM #8

http://www.a2zgiftou...s.com/index.php

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 04 June 2006 - 07:37 PM #9

http://www.security-gizmos.com/

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 04 June 2006 - 08:37 PM #10

http://www.dangeloin...al.com/catalog/
http://www.techdubai.com/

others.

I would recommend changing admin.php to something else, like admin_xyz.php

and also change your admin/admin account AS THE FIRST STEP after installing it.
Pimpin' skins since v1.0

 
  • baballuci
  • Senior Member
  • Members
  • Join Date: 02-Mar 06
  • 969 posts

Posted 04 June 2006 - 10:35 PM #11

Maybe CS-Cart is getting too popular.

Someone must not like that.
Charlie

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 05 June 2006 - 05:48 AM #12

This is a little worrying... Still find it odd that nothing in my cs cart folder was touched.

I've got my logs but not sure what to do with them/look for. Any ideas? I did notice "admin.php?version" in there a few times.

Simon
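
A log-triage sketch for the two indicators reported in this thread, the "Powered by CS-Cart" search referrals and the "admin.php?version" requests (an added example, not part of the original posts and not CS-Cart code). It assumes Apache combined log format; the sample lines, IP addresses, paths and flag names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2006:01:58:10 +0000] "GET /shop/index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22Powered+by+CS-Cart%22" "Mozilla/4.0"
203.0.113.7 - - [04/Jun/2006:01:58:31 +0000] "GET /shop/admin.php?version HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.20 - - [04/Jun/2006:02:10:02 +0000] "GET /shop/index.php?target=products HTTP/1.1" 200 8044 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2006:02:41:55 +0000] "POST /shop/index.php HTTP/1.1" 200 97 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def flags_for(entry):
    """Return the thread's indicators that one parsed log entry matches."""
    flags = []
    url = urlsplit(entry["url"])
    # Indicator from post #12: requests for admin.php?version
    # (assumes admin.php has not been renamed).
    if url.path.endswith("/admin.php") and url.query.startswith("version"):
        flags.append("admin-version-probe")
    # Indicator from post #2: visitor arrived from a search for the footer text.
    ref_query = parse_qs(urlsplit(entry["referer"]).query)
    terms = " ".join(v for values in ref_query.values() for v in values)
    if "powered by cs-cart" in terms.lower():
        flags.append("search-referral")
    return flags

def triage(log_text):
    """Map each flagged client IP to its flags and its full request history."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        entry = m.groupdict()
        by_ip[entry["ip"]].append((entry, flags_for(entry)))
    report = {}
    for ip, rows in by_ip.items():
        seen = sorted({f for _, fl in rows for f in fl})
        if seen:  # keep every request from a flagged IP, not only the hits
            reqs = [f'{e["ts"]} {e["method"]} {e["url"]}' for e, _ in rows]
            report[ip] = {"flags": seen, "requests": reqs}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["flags"], *info["requests"], sep="\n  ")
```

Listing every request from a flagged address, rather than only the matching lines, gives the timeline to hand to the vendor or host along with the raw logs.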

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 05 June 2006 - 06:23 AM #13

Our index.php: they deleted it all and put "got to catch all the pokiemon", so our site is down, not good. They didn't go for the admin, just index.
Greg
1.3.5 sp4

 
  • Trailhunter
  • Junior Member
  • Members
  • Join Date: 20-Mar 06
  • 22 posts

Posted 05 June 2006 - 06:23 AM #14

So has anyone heard back from the cs team? I've been getting a fair amount of traffic from people searching on that term. I just googled it and I'm on the bottom of page one...

I would be sure everyone has their install.php deleted or renamed and that they use https to access their admin panel. Fingers crossed here :D

 
  • kloptops
  • Junior Member
  • Members
  • Join Date: 07-Mar 06
  • 5 posts

Posted 05 June 2006 - 07:18 AM #15

This morning I was woken abruptly by another business member querying why the shop's website was "suspended". Upon investigation, my webhost had suspended my account because I had violated my TOS, for phishing.

I put in a request ticket and they said they found phishing files in the directory "/shop/classes/jpgraph/Customers-Paypal-Scam-2006/customers/Secured/Service/mysql/ssl/connection/__/login/". Once I get access to my site, I'll see what has gone on. Get the logs from the httpd, and cs-cart...

Although I have to say I'm not discouraged from using cs-cart, I'm just slightly miffed that this has happened.

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 05 June 2006 - 07:41 AM #16

Yes, we confirm that CS-Cart has a security vulnerability. If the PHP "register_globals" setting is enabled on the server (although this is not recommended for security reasons), an unauthenticated attacker may be able to exploit this flaw for remote code execution to obtain sensitive information from the CS-Cart installation.

It's HIGHLY recommended to download and apply the security patch from your file area in Help Desk.

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 05 June 2006 - 10:30 AM #17

Following the email you guys got, I found some extra files that you should look out for that we found, which I don't remember being there:

Info.txt
and just a file called install
Now we are locked out of admin, will have to try and fix it.

Greg
Greg
1.3.5 sp4

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 05 June 2006 - 12:07 PM #18

Info.txt
and just a file called install


"Info.txt" doesn't belong to the CS-Cart installation, but "INSTALL" is our file.

 
  • Trailhunter
  • Junior Member
  • Members
  • Join Date: 20-Mar 06
  • 22 posts

Posted 05 June 2006 - 03:55 PM #19

Thanks for the quick release of the fix! I don't have register globals turned on so that's why I wasn't affected, but I updated anyway. Thanks again!

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 05 June 2006 - 04:02 PM #20

I don't have register globals turned on so that's why I wasn't affected, but I updated anyway.


Glad to hear that you have secure hosting :)