Been Hacked

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 01 November 2007 - 01:57 PM #1

Someone has hacked into our server (shared hosting) and cart - seemed to spend a lot of time looking at skins. As far as we know all permissions were set correctly. Not sure which was breached first!! At this point in time we have posted a ticket with the host to check it out.

Hacker has been locked out and we have isolated cart for time being.

We don't want to re-open cart until we get the all-clear from the host.

Our question is, once we have the go-ahead from host that "hackings" have been cleared from server, is it recommended that we start afresh with CS, ie delete everything and re-install?

We have offsite backup of everything (thankfully).

Any suggestions/help much appreciated.

Regards

BarryH

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 01 November 2007 - 02:16 PM #2

I would certainly edit all Admin passwords for your cart before going back live.
Pimpin' skins since v1.0

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 01 November 2007 - 03:06 PM #3

Thanks, think we have changed passwords for just about everything that we use them for!!!
This waiting around for the all clear is a pain, but better safe than sorry eh.
BarryH



 

Posted 01 November 2007 - 04:08 PM #4

Are you aware of any "cs-cart" hacks themselves or rather just someone poking at files within the repository?
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 01 November 2007 - 04:39 PM #5

Hi Jesse
We aren't knowledgeable enough to know for certain, he has added several things to our cpanel, new database etc. We have/are removing anything we find. Not sure if we should just bin everything and start again or not?
When we looked in our latest visitors we could see lots of poking around, and at what point he/she got in we don't know yet! We don't know how or why we were hacked at all! DOH!

Regards

Barryh



 

Posted 01 November 2007 - 09:58 PM #6

Hi Jesse
We aren't knowledgeable enough to know for certain, he has added several things to our cpanel, new database etc. We have/are removing anything we find. Not sure if we should just bin everything and start again or not?
When we looked in our latest visitors we could see lots of poking around, and at what point he/she got in we don't know yet! We don't know how or why we were hacked at all! DOH!

Regards

Barryh


I would suggest that you remove all the skins from the /var/skins_repository/ that you don't use. 70% of CS-Cart's weight is more or less within those directories, making it the best place to hide exploits (my host told me). If you'd want to review the security permissions suggested, have a look at the sticky in "security" where this was posted.

What host are you with at this time, for the sake of security of anyone else hosted by them?

Jesse
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 02 November 2007 - 03:27 AM #7

BarryH, look through my posts and, if you trust me well enough, send me ftp login to your account (ssh would be much better if you have that ability). I am very familiar with most shell types and could possibly help remove any copies that the hacker has most likely created in other directories.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 November 2007 - 05:19 PM #8

Hi
We have been rather radical and deleted everything off our host (siteground) leaving only host folders and files. We asked them to check and do clean install if required, they came back and said everything appeared ok. We will be doing fresh install and then running restores etc.

New question on subject of installation/host: Originally when CScart was installed for us by our host, it was put in the root in a public folder! What we are concerned about is that we set all permissions as required but we still got hacked. So are we better to install in a non-public folder and only have a file pointing to this folder from the public folder, ie mydomain.com/public_html/admin.php etc or mydomain.com/cscart/admin.php
We are just concerned how easy it is to see/access files in a public folder.
Hope this makes sense.

BarryH



 
  • argentice
  • Senior Member
  • Members
  • Join Date: 11-May 07
  • 383 posts

Posted 04 November 2007 - 05:53 PM #9

Barry,

You're better off not using a shared server in the first place. Using PHP you can access any file on the server, whether or not it is in your section.
Rob

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 04 November 2007 - 06:36 PM #10

Barry, you have to have your site in public_html or your website won't be published.

Did you ask your host if other sites on the server were hacked?
Pimpin' skins since v1.0

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 November 2007 - 08:24 PM #11

Hi argentice/ETInteractive
Thanks for that, we did ask the host if they could tell us where we were hacked, we never really got an answer, we assumed they couldn't tell. We are new to this and keep reading lots of conflicting information.

If all files on a server can be read as suggested how is it possible to ever make a site secure? If we are putting files in public_html then by definition aren't we making these sensitive files available to every Tom, **** and Hacker??? So is Shared/Dedicated relevant?
We had ALL permissions set correctly, depending on which set of permissions you choose to believe!
At this point our confidence level has dropped considerably, we are very nervous about putting our website back on line, even though it's not finished.
Would uploading into another folder that is NOT public and continuing our development behind closed doors as it were be the best way forward?
And does this create problems when moving to a public folder???

BarryH



 

Posted 04 November 2007 - 08:29 PM #12

Would uploading into another folder that is NOT public and continuing our development behind closed doors as it were be the best way forward?
And does this create problems when moving to a public folder???

BarryH


This would make no difference as the original hacking method is still available to exploit. What version were you using at the time of the hack?
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 04 November 2007 - 08:45 PM #13

BarryH, argentice could be correct depending on how the security is configured on that server but it is doubtful that it's coming from another account. Quality hosts know to at least enable php open_basedir protection which prevents the ability to view the files of other accounts on the server. If your host doesn't have this protection enabled then you should get away from them asap.

It is most likely that someone did manage to get a shell included into your account somewhere and it still exists within your files. Once these hackers are able to get a shell on your account, they will usually create copies of it within other writable directories just in case the original is found. It is very difficult sometimes to locate these files because they are often encoded to avoid being discovered by anti-virus applications.

Regardless of the open_base protection, it is obvious that server has minimal if any additional security installed because it is possible to prevent most of these shells from working at all by using a good mod_security ruleset and disabling some dangerous PHP functions they require.

I specialize in this area so get with me if you would like further info or help.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]
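
An added example, not posted by anyone in this thread: a scanner for the situation described in post #13, where an encoded shell is copied into several writable directories. It flags files in which a decoder feeds straight into eval/assert, notes whether the containing directory is world-writable, and groups byte-identical hits so copies show up together. The regex heuristic, the directory names and the harmless marker file are all constructed assumptions.

```python
import hashlib
import os
import re
import stat
import tempfile
from collections import defaultdict

# Assumed heuristic: eval/assert fed directly by a decoder, as encoded PHP shells do.
ENCODED_EXEC = re.compile(rb"(?:eval|assert)\s*\(\s*(?:@?\w+\s*\(\s*)*"
                          rb"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def scan(root, max_bytes=2 * 1024 * 1024):
    """Return (findings, copies): flagged (path, dir_world_writable) and identical groups."""
    findings, by_hash = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        world_writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        for name in files:  # every file, since a shell need not end in .php
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file or dangling symlink
            if ENCODED_EXEC.search(data):
                rel = os.path.relpath(path, root)
                findings.append((rel, world_writable))
                by_hash[hashlib.sha256(data).hexdigest()].append(rel)
    copies = [sorted(paths) for paths in by_hash.values() if len(paths) > 1]
    return sorted(findings), copies

def build_sample(root):
    """Constructed tree: a harmless marker file, a copy of it, and a clean file."""
    marker = b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>"  # decodes to: echo 1;
    clean = b"<?php $n = base64_decode($_GET['n']); echo htmlspecialchars($n);"
    layout = {
        ("var", "skins_repository", "unused_skin", "footer.php"): (marker, 0o755),
        ("images", "thumbnails", "cache.gif"): (marker, 0o777),
        ("skins", "basic", "index.php"): (clean, 0o755),
    }
    for parts, (body, mode) in layout.items():
        directory = os.path.join(root, *parts[:-1])
        os.makedirs(directory, exist_ok=True)
        os.chmod(directory, mode)
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

A hit is a lead for manual review rather than proof, and a clean result does not show the account is clean, since a shell can be obfuscated in ways this pattern does not cover.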

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 04 November 2007 - 09:58 PM #14

Hi Jesse

Using 1.3.5sp1 at time of hack.

Hi S-Combs
Thanks for that info. Just to clarify the situation (because we are stupid), you are saying that there's a good possibility, although Siteground say not, that this hacker may have left a "bug"?
If you've read many of our previous posts you will have realised that we are as far from being experts as is possible, and due to this hacking, we are now being extremely cautious, although we had no sensitive materials on the website at that stage.
Re your offer to check out our domain files, we thank you very much for this offer, but as previously mentioned we are being extremely cautious of giving out this info to anybody - we previously gave this info to CS in order to fix a bug and this was the only occasion such info has been revealed to a.n.other - was it intercepted in some way???
Because of advice/comments received I am going back to Siteground and ask them to re-check as per above.
BarryH



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 05 November 2007 - 11:11 AM #15

Hi
Just to keep everyone informed, we have had our domain re-installed as though new, there is nothing in any of the folders, so in the words of Siteground we can "start from scratch". Hopefully this will resolve the Hacking issue!!!!!!

If anyone has any advice to offer regarding the way forward, we would greatly appreciate it!
Am still very suspicious of anything to do with this subject, confidence very dented.

BarryH



 

Posted 22 November 2007 - 08:06 AM #16

I got hacked not 3 weeks ago. I was using SiteGround. Complete bull****. I think siteground has some problems.

:evil:

 

Posted 22 November 2007 - 08:22 AM #17

I got hacked not 3 weeks ago. I was using SiteGround. Complete bull****. I think siteground has some problems.

:evil:


I guess you know where to go for hosting from here then don't you?
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.