Suspicious Indexx.php File



Hello,

An indexx.php file appeared like magic on our server for a CS-Cart 4.4.1 with a phpinfo(); and it looks to appear also for other cs-cart developers.

Does anyone have any information about this issue?

After digging a little we found that on the same day the var/backups folder was modified, and I also have a list with IPs that accessed it; the first IP is 77.111.245.167

Thanks

Keep on smiling,


Valentin
part of hungryweb.net




Hi, Valentin.
It is not magic, it means that your store has been hacked. One of our sites, 4.6.3 with all security patches from the cs-cart helpdesk, has the same file from the same IP. According to server logs this visitor successfully logged into the admin panel and did a lot of bad things. And as far as you have the same IP actions, I am sure that he/she has not used the admin's password in order to log in to the admin panel. It seems that CS-Cart has a fresh unknown vulnerability.
What can you say, @cs-cart ?

Hello Hungryweb and CS-Market,

This problem requires additional investigation.

Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files. If possible, provide us with the access information to the compromised servers so we can investigate the issue directly.

When submitting a ticket, please specify "[indexx.php]" in the ticket title.




Yes, your website has been hacked. Remove the file and install all security patches from the CS-Cart team.

Ours has these security patches, as I have mentioned in a previous post. They did not help!

We have posted all info in HelpDesk. Hope it will help to find vulnerability.

...Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files...

Done

...It is not magic, it means that your store has been hacked...


I know it is not magic, but why not make fun and enjoy life :D

... According to server logs this visitor has successfully logged into admin panel and make a lot of bad things...


Can you please PM me the list of what they did so we can track it as well, thank you

Here are our main recommendations on improving the security (except the most obvious ones):

1. Make sure that admin script is renamed and rename it once in a while (https://docs.cs-cart.com/4.9.x/install/security.html)

2. Make sure that you are using current CS-Cart version or that all available security patches are installed.

3. Check your store admin accounts and make sure that API access is disabled for the accounts that should not have it.

Here is the thought: why not create a security feature that once in a while (prolly every 3 months) asks the admin if he wants to change the admin script name, and if the admin says yes, has him rename and confirm it (just like a password).

As you prolly know, not all your customers understand the importance of security, and even if they do they might forget to do it. So why not make it automatic, that is what software is for.

But then you might ask me to post this in uservoice.. :mrgreen:

I don't think your idea is simple, and also I don't know of any system having this... Here is a question: how did this breach happen, how did the visitor get an admin password??? How did he create an index.php file on the server???

Two name changes can't be done by software? What's so difficult about it?

The reason other platforms don't need this capability is that they have better ways to protect:

https://pagely.com/blog/hiding-wordpress-login-page/

Cs-cart team is too busy creating more and more new features but makes no effort to make existing things better.

:confused: :confused: :mrgreen: :mrgreen: :mrgreen:

You tell me what kind of response that is: customers should once in a while rename the admin script...

What if the customer forgot? What if the customer is not reading these forums? He is out of luck, I guess.

We got the indexx.php file here too and it was detected by our EZ Admin Helper nightly file scanning. We noticed that another file was also created, then deleted. The indexx.php file did a phpinfo(). So someone is looking for vulnerabilities.

Not sure it's safe to assume that a file being added in a document root of a site is a cs-cart issue. I would think that it is more likely a cPanel, FTP or hosting vulnerability.
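
As an added illustration (not code from the thread or from EZ Admin Helper), a minimal nightly integrity check of the kind described in this post: it hashes the document root, diffs it against the previous run, and flags newly added PHP files that call phpinfo(). The function names and the sample docroot are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic for reconnaissance droppers such as the indexx.php described in this thread.
RECON_RE = re.compile(rb"phpinfo\s*\(", re.IGNORECASE)


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths since the baseline run."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def flag_recon_scripts(root, paths):
    """Among the given paths, return PHP files whose contents call phpinfo()."""
    return [rel for rel in paths
            if rel.lower().endswith(".php")
            and RECON_RE.search((Path(root) / rel).read_bytes())]


def demo():
    """Constructed docroot: take a baseline, drop an indexx.php, run the nightly diff."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'shop'; ?>")
    baseline = build_manifest(root)
    # Constructed sample modelled on the file reported in the thread.
    (root / "indexx.php").write_text("<?php phpinfo(); ?>")
    added, modified, removed = diff_manifest(baseline, build_manifest(root))
    return added, modified, removed, flag_recon_scripts(root, added)


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest would be persisted between runs and the diff sent as the nightly report, with any flagged file treated as an incident rather than just deleted.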

What directory do you see this file in?

Yes, we know they are always inventing something new and hoping the old bugs will cure themselves :)

What directory do you see this file in?

Document root.

...Please contact us via the Customer Help Desk and provide us with the server logs that relate to the breach and all the found suspicious files...

Is this forwarded to the cs team?

...I would think that it is more likely a cPanel, FTP or hosting vulnerability...

Hello,

Most likely this is the case. We haven't noticed such files in our hosting environments, but that most likely is a result of our strict permissions (we only allow www-data to write to the images directory and some others, but not to the root or the application); by doing this a lot of these issues can be avoided.

Also, we install all the add-ons for our clients: we check the code, temporarily lift permissions and deploy the add-on, after which we reset the permissions.

Kind regards,
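
As an added example (not code from this host or from CS-Cart), a small audit of the permission model described in this post: it walks the document root and lists every path the web server user could write to outside an allowlist such as the images directory. The uid used for the web user and the sample tree are constructed; on a real host you would pass the uid and groups of www-data.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st, uid, gids):
    """True if a user with this uid and group set can write to a path with stat result st."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_writable(root, uid, gids, allowed):
    """List paths under root that the web user could write to, outside the allowed prefixes."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if any(rel == a or rel.startswith(a + "/") for a in allowed):
            continue  # images/ and friends are meant to be writable
        if writable_by(p.lstat(), uid, gids):
            findings.append(rel)
    return sorted(findings)


def demo():
    """Constructed docroot: images/ is meant to be writable, app/ is not."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "app").mkdir()
    (root / "app" / "config.php").write_text("<?php ?>")
    os.chmod(root / "images", 0o777)              # intended: uploads land here
    os.chmod(root / "app", 0o755)                 # intended: read-only for the web user
    os.chmod(root / "app" / "config.php", 0o666)  # the misconfiguration the audit should catch
    web_uid, web_gids = os.getuid() + 1, set()    # constructed stand-in for www-data
    return audit_writable(root, web_uid, web_gids, allowed=["images"])


if __name__ == "__main__":
    print(demo())
```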