Jump to content



Member Since 27 May 2014
Offline Last Active Jun 03 2014 02:10 PM

Posts I've Made

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

03 June 2014 - 02:08 PM

It's been a few days now, since the incident and I am updating our situation, so that people get more information.

We experienced two VERY HIGH LOAD incidents on the server. On Monday, May 12th and on Monday, May 26th. The server was hitting loads of 100-300 and was unresponsive and "heavy" for the most part of the day. Neither me, nor our datacenter technicians were able to determine what caused this high load values. It appeared to be MySQl and I/O related.
In both occasions the load went away by itself...

- As soon as the announcement of the vulnerability was public we checked our 25+ CS-Cart installations and we found that almost all (about 21 out of 25) of them were affected. We found both files (test.gif & thumbs.php) in our installations. Both files were modified on Sunday the 25th of May.

- Checking our Apache access logs showed NO access to those files at all!!! Furthermore, we did not find the attacking IP (the one most of you here mentioned) and any trace of access to hsbc & atos files in any of our logs (access and error)... So, the attackers has either cleaned up his tracks or something more sinister is going on.

- We have checked our server using ClamAV several times and we found no other known threat.

- We have changed all Admin, MySQL & FTP passwords and we also changed the admin panel path.

- What I do not completely understand is why people need to change MySQL passwords? If the installation is now clean and remote MySQL access is not allowed, how could someone connect to MySQL even if he has the correct credentials? Is this necessary only as a precaution in case there is any other malicious file left that reads the db and logs and/or sends data to the attackers?

In any case, the inconvenience, the damage and the frustration that this incident caused is GREAT!

In Topic: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

27 May 2014 - 08:06 AM


We host about 25 cs-cart installations on our server. About 20 of them were affected and we applied the suggested fix about 20-30 minutes after we received the announcement.

Our server was facing extremely HIGH load during the whole day yestrerday.
We faced the same HIGH LOAD issues on Monday the 12th of May.

On both the above occassions our techs and our datacenter were unable to explain the extremely high load.
Apache was hit hard, opening 300-900 threads, were it normally has 80-120 max, MySQl was heavily overloaded and suspending our most active sites (not cs-cart) did not have any positive effect.

We have never experienced such high load issues in the past.
We are not certain whether this cs-cart problem is related with the high load issue, but we have no other explaination or indication up to now.

Did any of you notice any similar server behaviour?