
Suspicious Indexx.php File

 
  • Hungryweb
  • Senior Member
  • Authorized Reseller
  • Join Date: 10-Feb 12
  • 1223 posts

Posted 01 November 2018 - 07:35 AM #1

[attachment: indexx-php-29-10-2018.jpg]

Hello,
 
An indexx.php file appeared like magic on our server for a CS-Cart 4.4.1, with a phpinfo(); in it, and it looks like it also appeared for other CS-Cart developers.
 
Does anyone have any information about this issue?
 
After digging a little we found that on the same day the var/backups folder had been modified, and I also have a list of IPs that accessed it; the first IP is 77.111.245.167.
 
Thanks
 
Keep on smiling,
 
---
Valentin
part of hungryweb.net

 
  • CS-Market
  • Senior Member
  • Authorized Reseller
  • Join Date: 06-Mar 13
  • 648 posts

Posted 01 November 2018 - 10:12 AM #2

...An indexx.php file appeared like magic on our server for a CS-Cart 4.4.1, with a phpinfo(); in it... Does anyone have any information about this issue?...

 

 Hi, Valentin.
 
It is not magic, it means that your store has been hacked. One of our sites, 4.6.3 with all security patches from the CS-Cart Help Desk, has the same file from the same IP. According to the server logs this visitor successfully logged into the admin panel and did a lot of bad things. And since you have actions from the same IP, I am sure that he/she did not use the admin's password to log in to the admin panel. It seems that CS-Cart has a fresh unknown vulnerability.
 
What can you say, @cs-cart ?

GET A FREE QUOTE  │  CS-Cart add-ons   │   CS-Cart custom development   │  CS-Cart design integration  │  CS-Cart license

Certified developer for CS-Cart Russian Version. More than 5 years of experience in CS-Cart development.
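Both posts above lean on the access log: the list of IPs that requested indexx.php, and the fact that the same IP went on to log into the admin panel. The script below, an added example that is not part of this thread and not CS-Cart code, does that triage over Apache/Nginx combined-format log lines: it finds every client that requested the dropped file, lists that client's requests to the admin script and the backups directory, and tells you which IP hit the file first (the likely dropper, as opposed to later scanners). The log lines are constructed for illustration: 77.111.245.167 is the address named in the thread, while the timestamps, paths, status codes and the "watch" list are assumptions.

```python
"""Triage an access log around a dropped file such as indexx.php.

Added example for this forum thread; not CS-Cart code. Log lines below are
constructed: the IP is the one named in the thread, everything else is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one ordinary shopper plus the intruder's session.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2018:09:01:10 +0000] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
77.111.245.167 - - [29/Oct/2018:09:14:02 +0000] "GET /admin.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
77.111.245.167 - - [29/Oct/2018:09:14:09 +0000] "POST /admin.php?dispatch=auth.login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
77.111.245.167 - - [29/Oct/2018:09:15:30 +0000] "GET /var/backups/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"
77.111.245.167 - - [29/Oct/2018:09:16:41 +0000] "GET /indexx.php HTTP/1.1" 200 78000 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Oct/2018:11:20:00 +0000] "GET /indexx.php HTTP/1.1" 200 78000 "-" "curl/7.58.0"
garbage line that should be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a combined-format line, or None for anything else."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def triage(lines, marker="/indexx.php", watch=("/admin.php", "/var/backups")):
    """For every IP that requested `marker`, summarise its whole session.

    `watch` lists path prefixes worth showing next to the marker hit; the
    defaults are the admin script and the backups directory from the thread.
    """
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        marker_hits = [r for r in recs if r["path"] == marker]
        if not marker_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        report[ip] = {
            "first_seen": recs[0]["ts"],
            "first_marker_hit": min(r["ts"] for r in marker_hits),
            "marker_hits": len(marker_hits),
            "watch_hits": [(r["ts"], r["method"], r["path"], r["status"])
                           for r in recs
                           if any(r["path"].startswith(w) for w in watch)],
        }
    return report


def first_requester(report):
    """The IP that requested the marker earliest: the likely dropper."""
    return min(report, key=lambda ip: report[ip]["first_marker_hit"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("first requester:", first_requester(rep))
    for ip, info in rep.items():
        print(ip, info["first_seen"].isoformat(), "marker hits:", info["marker_hits"])
        for ts, method, path, status in info["watch_hits"]:
            print("   ", ts.isoformat(), method, path, status)
```

Feed it the real log with `triage(open("access.log"))` and widen `watch` to whatever else you want pulled out (the upload dispatchers, the renamed admin script). The point of keying on the first marker hit rather than on the first appearance in the log is that later requesters of indexx.php are often just scanners that found the file after the fact.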


 
  • mschekotov
  • Architect
  • CS-Cart Architects
  • Join Date: 06-Aug 15
  • 12 posts

Posted 01 November 2018 - 11:50 AM #3

Hello Hungryweb and CS-Market,

 

This problem requires additional investigation.

 

Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files. If possible, provide us with the access information to the compromised servers so we can investigate the issue directly.

 

When submitting a ticket, please specify "[indexx.php]" in the ticket title.


Michael Schekotov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 18358 posts

Posted 01 November 2018 - 01:13 PM #4

...An indexx.php file appeared like magic on our server for a CS-Cart 4.4.1, with a phpinfo(); in it... Does anyone have any information about this issue?...

 

Yes, your website has been hacked. Remove the file and install all security patches from the CS-Cart team.


GET A FREE QUOTE | CS-Cart Add-ons | CS-Cart Licenses | CS-Cart Development | CS-Cart Design | Server Configuration | UniTheme and YOUPI
CS-Cart USD 345 | Multi-Vendor USD 1250 | CS-Cart RU 24500 руб.
CS-Cart Ultimate USD 775 | CS-Cart + YOUPI USD 545 | CS-Cart RU + UniTheme 36000 руб.


 
  • CS-Market
  • Senior Member
  • Authorized Reseller
  • Join Date: 06-Mar 13
  • 648 posts

Posted 01 November 2018 - 01:25 PM #5

Yes, your website has been hacked. Remove the file and install all security patches from the CS-Cart team.

 

Ours has these security patches, as I mentioned in the previous post. They did not help!




 
  • CS-Market
  • Senior Member
  • Authorized Reseller
  • Join Date: 06-Mar 13
  • 648 posts

Posted 01 November 2018 - 01:26 PM #6

...Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files... When submitting a ticket, please specify "[indexx.php]" in the ticket title...

 

We have posted all info in HelpDesk. Hope it will help to find vulnerability.




 
  • Hungryweb
  • Senior Member
  • Authorized Reseller
  • Join Date: 10-Feb 12
  • 1223 posts

Posted 01 November 2018 - 01:36 PM #7

...Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files... When submitting a ticket, please specify "[indexx.php]" in the ticket title...


Done

 
  • Hungryweb
  • Senior Member
  • Authorized Reseller
  • Join Date: 10-Feb 12
  • 1223 posts

Posted 01 November 2018 - 01:39 PM #8

...It is not magic, it means that your store has been hacked...


I know it is not magic, but why not have some fun and enjoy life :D

...According to the server logs this visitor successfully logged into the admin panel and did a lot of bad things...


Can you please PM me the list of what they did, so we can track it as well. Thank you.

 

Posted 02 November 2018 - 04:03 PM #9

Here are our main recommendations on improving security (apart from the most obvious ones):

1. Make sure that the admin script is renamed, and rename it again once in a while (https://docs.cs-cart...l/security.html)

2. Make sure that you are using the current CS-Cart version or that all available security patches are installed.

3. Check your store admin accounts and make sure that API access is disabled for the accounts that should not have it.


Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • 12ka4
  • Advanced Member
  • Trial users
  • Join Date: 21-Feb 18
  • 94 posts

Posted 02 November 2018 - 09:57 PM #10

...1. Make sure that the admin script is renamed, and rename it again once in a while...

 

Here is a thought: why not create a security feature that once in a while (probably every 3 months) asks the admin if he wants to change the admin script name, and if the admin says yes, has him rename and confirm it (just like a password).

As you probably know, not all your customers understand the importance of security, and even if they do they might forget to do it. So why not make it automatic; that is what software is for.

But then you might ask me to post this in UserVoice..  :mrgreen:



 
  • mokeshop
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 980 posts

Posted 03 November 2018 - 07:35 PM #11

...why not create a security feature that once in a while (probably every 3 months) asks the admin if he wants to change the admin script name... So why not make it automatic; that is what software is for...


I don't think your idea is simple, but I also don't know of any system that has this. Here is a question: how did this breach happen? How did the visitor get an admin password? How did he create an indexx.php file on the server?

 
  • 12ka4
  • Advanced Member
  • Trial users
  • Join Date: 21-Feb 18
  • 94 posts

Posted 04 November 2018 - 04:04 PM #12

I don't think your idea is simple, but I also don't know of any system that has this. Here is a question: how did this breach happen? How did the visitor get an admin password? How did he create an indexx.php file on the server?

 

Two name changes can't be done by software? What's so difficult about it?

The other platforms don't need this capability because they have better ways to protect:

 

 https://pagely.com/b...ess-login-page/

 

The CS-Cart team is too busy creating more and more new features but makes no effort to make existing things better.



 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4385 posts

Posted 04 November 2018 - 04:20 PM #13

 

 

The CS-Cart team is too busy creating more and more new features but makes no effort to make existing things better.

:confused:  :confused:  :mrgreen:  :mrgreen:  :mrgreen:


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • 12ka4
  • Advanced Member
  • Trial users
  • Join Date: 21-Feb 18
  • 94 posts

Posted 04 November 2018 - 06:18 PM #14

:confused:  :confused:  :mrgreen:  :mrgreen:  :mrgreen:

 

You tell me, what kind of response is that: customers should rename the admin script once in a while...

What if the customer forgot? What if the customer is not reading these forums? He is out of luck, I guess.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10964 posts

Posted 04 November 2018 - 09:20 PM #15

We got the indexx.php file here too and it was detected by our EZ Admin Helper nightly file scanning. We noticed that another file was also created, then deleted. The indexx.php file did a phpinfo(). So someone is looking for vulnerabilities.

 

Not sure it's safe to assume that a file being added in a document root of a site is a cs-cart issue.  I would think that it is more likely a cPanel, FTP or hosting vulnerability.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
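The post above caught indexx.php with a nightly file scan, which is the control that actually noticed this intrusion on several stores. The script below, an added example that is not the EZ Admin Helper code and not CS-Cart's, shows the technique: record a SHA-256 baseline of every file under the document root, diff the next run against it, and grep any new or changed PHP file for markers a dropped probe or web shell usually carries (phpinfo(), eval(base64_decode(...)), command execution). The marker list and the skipped cache directories are assumptions; the document-root tree it runs against is constructed inline.

```python
"""Nightly file-integrity scan for a web document root.

Added example for this forum thread; not the EZ Admin Helper scanner and not
CS-Cart code. Markers and skipped directories are assumptions; demo tree is
constructed inline.
"""
import hashlib
import json
import os
import re
import tempfile

# Assumed markers: phpinfo() probes, encoded eval() droppers, command execution.
SHELL_MARKERS = re.compile(
    rb"phpinfo\s*\(|eval\s*\(\s*(base64_decode|gzinflate|str_rot13)|"
    rb"\b(system|passthru|shell_exec|proc_open)\s*\("
)
# Assumed: compiled templates and caches churn nightly, so they are not baselined.
SKIP_DIRS = ("var/cache", "var/compiled")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=SKIP_DIRS):
    """Map relative path -> sha256 for every regular file under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # prune volatile directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames
                       if (rel_dir + "/" + d if rel_dir else d) not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            snap[rel_dir + "/" + name if rel_dir else name] = sha256_file(full)
    return snap


def diff_snapshots(old, new):
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def flag_suspicious(root, rel_paths):
    """Among the given paths, return the PHP files that carry shell markers."""
    flagged = []
    for rel in rel_paths:
        if rel.lower().endswith(PHP_EXT):
            with open(os.path.join(root, rel), "rb") as f:
                if SHELL_MARKERS.search(f.read()):
                    flagged.append(rel)
    return flagged


def demo():
    """Constructed scenario: baseline a docroot, then an intruder drops
    indexx.php and edits config.local.php; the next scan must catch both."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "htdocs")
        baseline = os.path.join(work, "baseline.json")  # keep it outside the docroot

        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("index.php", b"<?php require 'init.php';\n")
        write("config.local.php", b"<?php $config['db_host'] = 'localhost';\n")
        write("images/logo.png", b"\x89PNG\r\n")
        write("var/cache/tpl.tmp", b"volatile")
        with open(baseline, "w") as f:              # the "nightly" persistence step
            json.dump(snapshot(root), f, indent=1, sort_keys=True)

        write("indexx.php", b"<?php phpinfo(); ?>")                             # dropped probe
        write("config.local.php", b"<?php $config['db_host'] = '10.9.8.7';\n")  # tampered
        write("var/cache/tpl.tmp", b"churn")                                    # ignored by design

        with open(baseline) as f:
            report = diff_snapshots(json.load(f), snapshot(root))
        report["suspicious"] = flag_suspicious(root, report["added"] + report["modified"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical points the demo encodes: the baseline lives outside the document root (otherwise the intruder can refresh it along with the drop), and the "removed" list matters as much as "added", since the file that was created and then deleted again leaves no trace on disk but does leave a baseline entry if the scan happened to run in between. Re-baseline only after a deliberate deploy, never on a schedule.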


 
  • 12ka4
  • Advanced Member
  • Trial users
  • Join Date: 21-Feb 18
  • 94 posts

Posted 05 November 2018 - 03:40 AM #16

...We got the indexx.php file here too and it was detected by our EZ Admin Helper nightly file scanning... Not sure it's safe to assume that a file being added in a document root of a site is a cs-cart issue...

 

What directory do you see this file in?



 
  • mokeshop
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 980 posts

Posted 05 November 2018 - 04:21 PM #17

...Two name changes can't be done by software? What's so difficult about it?... The CS-Cart team is too busy creating more and more new features but makes no effort to make existing things better...

 

Yes, we know they are always inventing something new and hoping the old bugs will cure themselves :)



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10964 posts

Posted 05 November 2018 - 06:36 PM #18

What directory do you see this file in?

Document root.




 
  • mokeshop
  • Senior Member
  • Members
  • Join Date: 27-Jul 12
  • 980 posts

Posted 05 November 2018 - 07:36 PM #19

...Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files... When submitting a ticket, please specify "[indexx.php]" in the ticket title...

Is this forwarded to the CS-Cart team?



 
  • poppedweb
  • Authorized Reseller
  • Members
  • Join Date: 02-Aug 16
  • 446 posts

Posted 05 November 2018 - 08:21 PM #20

...Not sure it's safe to assume that a file being added in a document root of a site is a cs-cart issue. I would think that it is more likely a cPanel, FTP or hosting vulnerability...

 

Hello,

 

Most likely this is the case. We haven't noticed such files in our hosting environments, but that is most likely a result of our strict permissions (we only allow www-data to write to the images directory and some others, but not to the root or the application). By doing this a lot of these issues can be avoided.

Also, we install all the add-ons for our clients: we check the code, temporarily lift the permissions and deploy the add-on, after which we reset the permissions.

 

Kind regards,


PoppedWeb | sales@poppedweb.com | https://poppedweb.com
TurnKey Website Design | Add-Ons | Performance Audits | Dedicated Server Management
24/7 Support | Response within an hour (during working hours).
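The permission model in the post above (code read-only for the web server, write access only where the shop needs it) is easy to state and easy to let drift after an add-on install. The script below, an added example that is neither CS-Cart's nor PoppedWeb's code, audits a document root against that model and applies it: it reports paths that are group- or world-writable outside an allow-list of writable directories, symlinks (a link pointing out of the docroot is a classic escape), and PHP files that have appeared inside a writable directory, which is exactly where a dropped indexx.php lands when the server can both write there and execute from there. The allow-list uses CS-Cart's conventional images/ and var/ names and is an assumption; chown to a deploy user and the web server's group is left out because it needs root; the tree it runs against is constructed inline.

```python
"""Audit and tighten write permissions under a shop's document root.

Added example for this forum thread; not CS-Cart's or PoppedWeb's code.
Allow-listed directory names are assumptions; demo tree is constructed inline.
"""
import os
import stat
import tempfile

WRITABLE_DIRS = ("images", "var")             # assumption: adjust to your layout
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def _allowed(rel):
    return any(rel == d or rel.startswith(d + "/") for d in WRITABLE_DIRS)


def _walk(root):
    """Yield (full_path, relative_path, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/"), name in dirnames


def audit(root):
    findings = []
    for full, rel, _ in _walk(root):
        mode = os.lstat(full).st_mode
        if stat.S_ISLNK(mode):
            findings.append(("symlink", rel))
            continue
        if mode & stat.S_IWOTH:
            findings.append(("world-writable", rel))
        elif mode & stat.S_IWGRP and not _allowed(rel):
            findings.append(("group-writable-outside-allowlist", rel))
        if _allowed(rel) and rel.lower().endswith(PHP_EXT):
            findings.append(("php-in-writable-dir", rel))
    return sorted(findings)


def lock_down(root):
    """755/644 for code and assets, 775/664 inside the writable directories.
    Deletes nothing: a PHP file in images/ still shows up in audit() afterwards."""
    os.chmod(root, 0o755)
    for full, rel, is_dir in _walk(root):
        if os.path.islink(full):
            continue
        if _allowed(rel):
            os.chmod(full, 0o775 if is_dir else 0o664)
        else:
            os.chmod(full, 0o755 if is_dir else 0o644)


def demo():
    """Constructed tree with the mistakes the audit is meant to catch."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, mode, data=b"<?php\n"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        put("index.php", 0o666)                         # world-writable code
        put("app/functions.php", 0o664)                 # group-writable outside allow-list
        put("images/logo.png", 0o664, b"\x89PNG\r\n")   # fine: images/ is allowed
        put("images/indexx.php", 0o664)                 # dropped into a writable dir
        os.chmod(os.path.join(root, "app"), 0o775)      # directory modes set explicitly
        os.chmod(os.path.join(root, "images"), 0o775)   # so the demo ignores the umask
        before = audit(root)
        lock_down(root)
        return before, audit(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Run `audit()` from the same nightly job as the file scan and after every add-on deploy, since "temporarily lift permissions, deploy, reset" is precisely the step that gets skipped under time pressure. Mode bits are only half the policy: pair `lock_down()` with `chown -R deploy:www-data` on the docroot, and deny PHP execution inside images/ and var/ at the web server so that a file dropped there cannot run even before the scan finds it.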