My Store Was Hacked!

Hey all,

I was a victim of an attacker although my store is still in the development stage.

While I was trying to access my web store, a PHP parse error was displayed pointing to a file with a syntax error. It had been recently modified and I saw an iframe inside it. It is an init.php file belonging to one of the 3rd-party addons. Then I realized that all the PHP files of the 2 addons that I have are infected (btw, these addons belong to the same developer). This is the injected code:


Appended to the end of each PHP file of the 2 addons. In the same directory, I can see Photo.scr is there with admin as the owner (file size is around 2 MB).

I am using the latest version of Multivendor. Also, my web server is updated. The following security configurations are also applied:

Firewall

SSL/TLS

No password login allowed (only SSH).

Restricted IPs to some directories.

How do you think the attacker succeeded in uploading and changing PHP files?

What are the possible vulnerabilities that the attacker was able to exploit? I am sure this is not related to server login.

I always thought that a server with a good configuration and complex passwords would never be compromised. Is this not correct? Is it true that any store can be hacked by an experienced hacker regardless of the security procedures applied?

Thank you for your contribution to this so that all of us can enjoy secure CS-Cart/Multi-Vendor stores.
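The first thing a responder wants from a report like the one above is a repeatable way to enumerate what was touched: which PHP files carry an appended iframe, which files changed recently, and which files simply do not belong in a web tree (the Photo.scr). The script below is an added example, not code from CS-Cart or from the original poster; it assumes a Linux host with POSIX sh, find, grep and tail, and every path, file name and the placeholder host invalid.example in it is constructed for the demo.

```shell
#!/bin/sh
# Triage helpers for a PHP store tree, added to this thread as an example; they are
# not code from CS-Cart or from the original poster. Assumes a Linux host with
# POSIX sh, find, grep and tail. All paths and file contents below are constructed.

# Files a PHP web tree is not expected to contain (extension allow-list). The
# thread's Photo.scr, a Windows screensaver binary sitting in an addon directory,
# is exactly the kind of file this surfaces.
find_unexpected_files() {
    find "$1" -type f ! \( -name '*.php' -o -name '*.tpl' -o -name '*.js' \
        -o -name '*.css' -o -name '*.png' -o -name '*.jpg' -o -name '*.gif' \
        -o -name '*.svg' -o -name '*.json' -o -name '*.xml' -o -name '*.txt' \
        -o -name '*.html' -o -name '*.po' -o -name '.htaccess' \) | sort
}

# PHP files that contain an <iframe> tag. Store code almost never emits a raw
# iframe, and an iframe appended to every file is what the original post describes.
find_iframe_php() {
    find "$1" -type f -name '*.php' -exec grep -il '<iframe' {} + 2>/dev/null | sort
}

# PHP files modified within the last $2 minutes. On a store nobody is deploying
# to, every hit is suspect, and the timestamps narrow the window to search in
# web-server and FTP/SSH logs.
find_recent_php() {
    find "$1" -type f -name '*.php' -mmin "-$2" | sort
}

# For each path read from stdin, print its last line: that is where an appended
# payload lives, and it is what goes into the incident notes.
show_tails() {
    while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(tail -n 1 "$f")"
    done
}

# Build a constructed sample tree mimicking the thread: two addons from one
# developer, both injected, plus a dropped Photo.scr. Prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/addons/vendor_a" "$root/app/addons/vendor_b"
    printf '<?php\n// clean store code\n' > "$root/app/index.php"
    printf '<?php\n// clean addon\n' > "$root/app/addons/vendor_b/init.php"
    for f in init.php func.php; do
        printf '<?php\n// addon code\n?>\n' > "$root/app/addons/vendor_a/$f"
        # constructed stand-in for the injected line: a hidden iframe to a placeholder host
        printf '<?php echo "<iframe src=\\"http://invalid.example/\\" width=0 height=0></iframe>"; ?>\n' \
            >> "$root/app/addons/vendor_a/$f"
    done
    dd if=/dev/zero of="$root/app/addons/vendor_a/Photo.scr" bs=1024 count=2 2>/dev/null
    # date the untouched files well into the past so "recently modified" means something
    touch -t 202001010000 "$root/app/index.php" "$root/app/addons/vendor_b/init.php"
    echo "$root"
}

# Run as `sh triage.sh demo` to see the helpers against the constructed tree.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "== injected PHP files and their last line"; find_iframe_php "$root" | show_tails
    echo "== PHP files changed in the last day";       find_recent_php "$root" 1440
    echo "== files that do not belong in a web tree"; find_unexpected_files "$root"
    rm -rf "$root"
fi
```

Point the three find_* functions at the real document root instead of the sample tree; the modification times they report are what to line up against the web-server and FTP/SSH logs that later replies recommend reading, which is how the entry point gets identified before anything is reinstalled.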

You might need to find someone who knows what they are doing to check out your server.

Because in most cases you just have to look through log files to see how they got in.

Delete all files, re-upload the CS-Cart files to the server (or make a fresh installation), and check the database for suspicious entries. If that is ok, install and configure the OWASP ModSecurity Core Rule Set or the COMODO ModSecurity Apache Rule Set on the server. This will provide you with real-time protection against many common attack categories, including SQL injection, cross-site scripting (XSS) attacks, file inclusion, etc.

Hello!

It will also be wise to back up the hacked version of CS-Cart to be able to follow the trace during the investigation. If you just delete and reinstall, the problem will not be revealed and the store will be breached again in the future.

So, save the evidence first, then reinstall.

What Multi-Vendor version do you use?

Maybe it was not your site but your PC that was infected first, where you have an FTP client with stored passwords...

Delete all files, re-upload the CS-Cart files to the server (or make a fresh installation), and check the database for suspicious entries. If that is ok, install and configure the OWASP ModSecurity Core Rule Set or the COMODO ModSecurity Apache Rule Set on the server. This will provide you with real-time protection against many common attack categories, including SQL injection, cross-site scripting (XSS) attacks, file inclusion, etc.

Thank you Martfox, will read about your recommendations.

Hello!

It will also be wise to back up the hacked version of CS-Cart to be able to follow the trace during the investigation. If you just delete and reinstall, the problem will not be revealed and the store will be breached again in the future.

So, save the evidence first, then reinstall.

So I did, Maksim.

What Multi-Vendor version do you use?

I am using 4.7.3.

Maybe it was not your site but your PC that was infected first, where you have an FTP client with stored passwords...

I am thinking of this as well.

I will keep you updated if any vulnerability or server flaw was found.

This has happened to me; I was using the FileZilla FTP client.

I am thinking of this as well.

This has happened to me; I was using the FileZilla FTP client.

I never used FTP with a password to connect to my store. I used to use FileZilla as SFTP with SSH keys. Moreover, I disallowed password authentication. Only SSH key pair login is allowed.

But I store the private keys on my machine. Also, a copy of local.config.php is on my machine. So this scenario is worth investigating.

If the infection is in only one developer's addons, you might check the archive source to see if perchance it was distributed with the malicious code (i.e. the developer was hacked). I'm assuming you have privately contacted the developer to advise them of the issue just in case it's a problem on their end. Either way, the developer should be notified just in case there is some vulnerability in what they distributed (either the injected code itself or some other vulnerability).

Hi,

Just for your info... my server was compromised because of a bad server configuration related to our FTP accounts. We made a mistake during server setup. The reason why the files of certain addons were hacked is that those third-party addons' files were owned by the account which was hacked. This enabled the attacker to change only those files.

Thank you all for your input. Special thanks to Simtech DevOps team for their contribution.
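The root cause reported in the post above is an ownership problem: the addon files belonged to the FTP account, so whoever held that account's credentials could rewrite exactly those files and nothing else. The script below is an added example, not code from CS-Cart or from the original poster, for auditing a web root for that condition and resetting code to read-only; it assumes a Linux host with POSIX sh and find, and that one deploy account (neither the FTP account nor the web-server account) is meant to own the application code. The sample tree it builds is constructed.

```shell
#!/bin/sh
# Ownership and permission audit for a web root, added to this thread as an
# example; not code from CS-Cart or from the original poster. Assumes a Linux host
# with POSIX sh and find, and one deploy account (neither the FTP account nor
# the web-server account) that is meant to own the application code.

# Entries under $1 not owned by the expected owner $2. On the server in this
# thread, run with the deploy account as $2, this would have listed exactly the
# FTP-uploaded addon files that the compromised account could rewrite.
list_foreign_owned() {
    find "$1" ! -user "$2" | sort
}

# Entries under $1 writable by group or others. Code that any other local
# account, or the web server itself, can rewrite turns one weak account into
# a full application compromise.
list_group_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) | sort
}

# Make code read-only for everyone but the owner: 755 for directories, 644 for
# files. Directories the web server must write to (uploads, caches) should be
# handled separately with a dedicated group, not by leaving the code writable.
harden_code_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Give the tree ($1) to the deploy account ($2) and group ($3). Needs root;
# kept separate so the audit functions can run unprivileged.
assign_code_owner() {
    chown -R "$2:$3" "$1"
}

# Constructed sample: an FTP-uploaded addon left world-writable, a clean core
# file, and a 777 directory that "fixed" an upload error. Prints the path.
make_perm_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/addons/vendor_a" "$root/var"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/addons/vendor_a/init.php"
    chmod 755 "$root/addons" "$root/addons/vendor_a"
    chmod 644 "$root/index.php"
    chmod 666 "$root/addons/vendor_a/init.php"
    chmod 777 "$root/var"
    echo "$root"
}

# Run as `sh perms.sh demo` to see the audit before and after hardening.
if [ "${1:-}" = "demo" ]; then
    root=$(make_perm_sample)
    echo "== not owned by $(id -un)"; list_foreign_owned "$root" "$(id -un)"
    echo "== group/other writable";   list_group_other_writable "$root"
    harden_code_perms "$root"
    echo "== group/other writable after hardening"; list_group_other_writable "$root"
    rm -rf "$root"
fi
```

Run the two list_* functions against the real document root with the deploy account's name; anything they print is a file a second account could have modified. Installing addons through the admin panel, as the next reply suggests, keeps ownership consistent because the web application writes the files, rather than an FTP account with its own credentials.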

Addons must go through some kind of validation process before publication on the marketplace.

Addons must go through some kind of validation process before publication on the marketplace.

Why? This had nothing to do with the addons themselves. If the addon archives had been extracted/installed via the '+' icon in CS-Cart rather than being uploaded via FTP, none of those issues would have happened. Additionally, the description also implies that the practice used would create ownership issues on the site anyway which (depending on what the addon needs to do) could also break that addon.

Why? This had nothing to do with the addons themselves. If the addon archives had been extracted/installed via the '+' icon in CS-Cart rather than being uploaded via FTP, none of those issues would have happened. Additionally, the description also implies that the practice used would create ownership issues on the site anyway which (depending on what the addon needs to do) could also break that addon.

I was talking about a verification system for addons like they have on Presta... the module has to be tested and verified... here addons are distributed without verification. You can put anything inside an addon.

I was talking about a verification system for addons like they have on Presta... the module has to be tested and verified... here addons are distributed without verification. You can put anything inside an addon.

That's another story and has nothing to do with the OP's issue in this thread.