[recedo]

Hi,

I've just checked my site to find the homepage "hacked". I have an index.php file in my site root which is just a 301 re-direct to a sub dir (not using CS Cart at the moment). This file has been replaced with the following text;

Update CS-Cart! Saved by UK-Hacker!

Every other part of the site, including my cs-cart test area, is fine.

Anyone else had this? Any ideas on who/why this may be happening? I have had this page "hacked" before, but no other part of my site - it's literally a 301 redirect, nothing else in the script.

Simon

[Trailhunter]

I've noticed in my web stats that people are searching for sites with cs-cart by looking for the text Powered by CS-Cart or the like. Do they know of some vulnerability that they're trying to exploit on other sites? I have removed that text from my site, but Google and others already indexed it with that line included so people are finding their way to my store by searching for that. So far everything is safe. I have a tough alpha-numeric password. It may be that they're looking for cs-cart powered sites as sort of a pre-sales kinda thing, but I'm paranoid about security.

[Gregh]

Yes mate the same sort of thing happened today the people searched through MSN not for powered through cs cart though some other way. I saw in our logs on a sertain thing ive gave cs-cart team a email about it.
ill wait to see what they say.

[recedo]

It's strange... I have removed the powered by text but it may have been indexed already. I also have a decent password. The strange thing is that none of the files in my cscart dir, or any other files for that fact, were touched - only the index.php in my site root (public_html).

It worries me a bit to see cs-cart mentioned though!
Simon

[TonyK]

See if you can get ahold of your server logs on that day....Give them to cs ca rt, there maybe a security hole? This is important to all.

[recedo]

I've contacted CS regarding this and will get hold of the logs.

Simon

[ryan]

I actually started to search for powered by cs-cart for other stores and came accross this hacked site:

http://onetopshop.com/

ryan

[ryan]

http://www.a2zgiftou...s.com/index.php

[ryan]

http://www.security-gizmos.com/

[TonyK]

http://www.dangeloin...al.com/catalog/
http://www.techdubai.com/

others.

i would recommend changing admin.php to something else, like admin_xyz.php

and also change your admin/admin account AS THE FIRST STEP after installing it.

[baballuci]

Maybe CS-Cart is getting too popular.

Someone must not like that.

[recedo]

This is a little worrying... Still find it odd that nothing in my cs cart folder was touched.

I've got my logs but not sure what to do with them/look for. Any ideas? I did notice "admin.php?version" in there a few times.

Simon

[Gregh]

our index.php they deleted it all and put got to catch all the pokiemon so our site is down not good.They didnt go for the the admin just index.

[Trailhunter]

So has anyone heard back from the cs team? I've been getting a fair amount of traffic from people searching on that term. I just googled it and I'm on the bottom of page one...

I would be sure everyone has their install.php deleted or renamed and that they use https to access their admin panel. Fingers crossed here

[kloptops]

This morning i was woken abruptly by another business member querying about why the shops website was "suspended", upon investigation my webhost had suspeneded my account because i had violated my TOS, for Phishing.

I put in a request ticket and they said they found phishing files in the directory "/shop/classes/jpgraph/Customers-Paypal-Scam-2006/customers/Secured/Service/mysql/ssl/connection/__/login/". Once i get access to my site, i'll see what has gone on. Get the logs and from the httpd, and cs-cart...

Altho i have to say im not discouraged from using cs-cart, im just slightly miffed that this has happened.

[zeke]

Yes, we confirm that CS-Cart has security vulnerability. If PHP "register_globals" setting is enabled on the server (although, this is not recommended for security reasons), an unauthenticated attacker may be able to exploit this flaw to remote code execution for obtaining sensitive information from the CS-Cart installation.

It's HIGHLY recommended to download and apply security patch from your file area in Help Desk.

[Gregh]

Following the email you guys got i found some extra files that you should look out for that we found witch i dont rember being there is

Info.txt
and just a file called install
Now we are looked out of admin will have to try and fix it

Greg

[zeke]

Info.txt
and just a file called install

"Info.txt" doesn't belong to CS-Cart installation, but "INSTALL" - is our file.

[Trailhunter]

Thanks for the quick release of the fix! I don't have register globals turned on so that's why I wasn't affected, but I updated anyway. Thanks again!

[zeke]

I don't have register globals turned on so that's why I wasn't affected, but I updated anyway.

Glad to hear that you have secure hosting