|
|
|||||||
| Latest News What's new? Find out in here! |
 |
|
|
Thread Tools | Display Modes |
|
#1
06-06-2011, 10:04 AM
|
|||
|
|||
Are Storesprite stores being hacked/hijacked?
This morning all 3 of my stores have been hacked/hijacked with malicious code inserted at the opening PHP tags.
whats odd about the attack is that ONLY storesprite php files have been changed, all of my custom scripts and pages are completely clean which leads me to believe this is an attack on Storesprite sites. so, has anyone else been attacked? anyone figured out how to resolve before i restore from backup? 
|
|
#2
06-06-2011, 10:44 AM
|
|||
|
|||
|
This appears to be the exploit:
http://forr.st/posts/Find_Blackhole_...clean_them-Dqf Not yet managed to get the site clean though even eith the supplied code..
|
|
#3
06-06-2011, 11:47 AM
|
|||
|
|||
|
What version of SS? Please PM details of your URLS also.
Nothing has been reported directly to us or on this forum, we are aware of one client who had issues at least a year ago (but not with this) and it appeared at the time to have been caused by security issues at the host. We will look into this as a precaution to see if there is anything we need to do.
|
|
#4
06-06-2011, 12:01 PM
|
|||
|
|||
|
I have PM'ed requested details.
I have also asked the Host to restore from backup so unsure how long the infected site will be visable for.
|
|
#5
06-06-2011, 12:56 PM
|
|||
|
|||
|
I've found some more infected code amoungst my google analytics javascript...
|
|
#6
06-06-2011, 05:01 PM
|
|||
|
|||
|
Quite a while ago we had a problem one one of our websites with some files being altered with malicious code and new files added but it was due to poor host FTP security at the time and not a storesprite security issue.
We changed the passwords, locked the FTP and checked all files and folders by hand for altered files/malicious code and new unknown folders. Google will sometimes spot files with malicious code. It seems a bit odd as 3 of your sites have had a problem, are they all with the same host?
|
|
#7
06-06-2011, 05:29 PM
|
|||
|
|||
|
An important note here:
If you believe this has happened to your store please save your server log files. If this is a storesprite vulnerability then hopefully we can check and see how access was gained. Also, it would be useful to see the code that has been added to your pages. Unfortunately in this instance we might not get to see the logs and code, however, we are looking into how this toolkit works. Though have found limited information thus far.
|
|
#8
06-06-2011, 05:40 PM
|
|||
|
|||
|
This thread is similar: http://forum.storesprite.com/showthread.php?t=1200
Important advice for everyone regardless: - Disable FTP if you can and use sftp/ssh instead - Ensure your passwords are secure and change them regularly - Perhaps consider vps rather than shared hosting
|
|
#9
06-06-2011, 06:29 PM
|
|||
|
|||
|
Just a few points in regards to our enviroment.
My sites are on a Semi-dedicated (share with 1 other) server that is PCI compliant. FTP is disabled, SFTP is used. Unfortunately as mentions as we were in a hurry to get the site back we have restored from an earlier backup and the server logs may not be retriveable.
|
|
#10
06-06-2011, 06:38 PM
|
|||
|
|||
|
Do you have access to bash_history (just in case server was compromised in another way?) might be worth taking a look at it.
|
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
