site hack. what is this file?

  • Posts: 7
  • Thank you received: 0
11 years 11 months ago #83475

Hello -
i noticed last week that when click into my shopping cart, the url changes to " www.theagileeffect.com " without redirecting the site anywhere suspicious. [Try that url maybe... will it redirect you to a jewelry site??]
RSfirewall told me the following file was changed by a user logging in as me but from a different IP address. this is the file. what does this mean?

administrator/index.php?option=com_hikashop&ctrl=update&task=install&update=1


this is the second time this site has been hacked. this is the first CC site ive done - its for my friend - and now im really sketched out because it seems like ive got to guard this site every day for the rest of my life or the consequences will be stolen money! theres got to be a reliable way to secure this site. please help :(

thank you. let me know if you need more info... ill be happy to fetch what you need or show screen shots etc.

happy holidays....
c

washedupjewelry.com



ps i just added screenshot of RS firewall dashboard with security breaches.

Attachments:
Last edit: 11 years 11 months ago by cfixy. Reason: added screenshot

Please Log in or Create an account to join the conversation.

  • Posts: 18
  • Thank you received: 13
11 years 11 months ago #83479

Hi cfixy! :)
This is your fault. HikaShop nothing to do with. :whistle:

First, you need to place your site on a reliable and secure web-hosting.
Secondly, well set security of your site.
Third, if you do not know all the details, then use the components for protection. I advise Admin Tools Pro . Create strong passwords. Password-protect Administrator. Master password access to each component and directory. Create access to IP. Create Two-Factor Authentication (Google Authenticator) and much more... :woohoo:

Close access to the installation of extensions and create a password to access it.

And do not forget to create backups with Akeeba Backup Pro B)

Do not use warez! Better to pay than to deal with the problems of the site. :)

Good luck.
Vio.

Last edit: 11 years 11 months ago by viocassel.
The following user(s) said Thank You: Mohamed Thelji

Please Log in or Create an account to join the conversation.

  • Posts: 7
  • Thank you received: 0
11 years 11 months ago #83580

Hi Vio!
Yep - totally my fault. i know. but i thought id post in this forum because everybody is familiar with the files.
well..... i was working with a seemingly extremely knowledgeable coder, he did a lot of that. but probably not all. hes not available to work anymore unfortunately so im stuck. i have a few questions if you dont mind.... (many thanks]

#1
i talked to greengeeks about their security on a shared server, and they insisted a million times over that their triple layered whatever is the best shared server technology - and its impossible that it could be a hack from their end. the alternative for a dedicated server is quite costly... like $20 per month or so i think. do you believe greengeeks?

#2
well. now i have to fix the site. easy fix? such as replacing the affected file with the original version from the zip? or is this thing deep in the script.

#3
are you aware of a definitive, itemized checklist for securing hikashop (or other shopping cart sites}? it seems sooooo vague to me. maybe i can secure it myself with such a list, but maybe i can hire someone to do it too (are you or someone you know interested?}

#4
how often will i have to be involved with monitoring this site once its completely secure?? is it going to be like a small child? cant leave it alone for more than 15 minutes?? this might be my first and final CC site. :/


thanks very much for your help!
c

Please Log in or Create an account to join the conversation.

  • Posts: 18
  • Thank you received: 13
11 years 10 months ago #83641

Hi cfixy!

#1.
I do not know who the Greengeeks. But the hack was on your side. :whistle:

#2.
Yes, the site is easy to restore, if you know which file has been changed. If the file to change in HikaShop, then reinstall the component on top of that there is.

#3.
Yes, you can configure the protection of its own site with Admin Tools Pro and Akeeba BackUp Pro. If there are any problems or questions - write on the forum. I'll try to help if I have free time. :)

#4.
No. No need to monitor it every 15 minutes. You will only need to go 1-2 times a month and update extensions if the update came out. Admin Tools Pro will send notification of updates on e-mail, attempts to enter the admin, who went to the admin panel and when entered. Akeeba BackUp Pro can be configured so that it created a backup of the site every day and would send it to you. Therefore, you are always and every day will have a backup site for restoration, if something happens. Restore a site in 30 seconds. B)

---

Good luck.
Vio.

The following user(s) said Thank You: cfixy

Please Log in or Create an account to join the conversation.

  • Posts: 7
  • Thank you received: 0
11 years 10 months ago #83798

Hi Vio.... many thanks for the advise. I think im in trouble now again - over the holidays looks like theagileeffect.com hijacked the whole site - 403 access forbidden on both the frontend and the secret admin access. ugh. this might be well beyond the scope of your generosity... but i think this bug is getting the best of me. ? :[ any thoughts... or direction in which to point me? sorry and thanks... c

Please Log in or Create an account to join the conversation.

  • Posts: 13201
  • Thank you received: 2322
11 years 10 months ago #84326

Hi,

I don't think that you problem is HikaShop related.

Regards.

Please Log in or Create an account to join the conversation.

  • Posts: 7
  • Thank you received: 0
11 years 9 months ago #90276

Hi Xavier and vio -

wondering if either of you hav eany thoughts.....


i still have problems with theagileeffect.com. the owner of the domain is in the UK and he is not aware of any of this, and the hacks are coming from the philippines. i went thru my cpanel and replaced every file (tons of hikashop files] that were changed the same exact date and time as the original hack. the site is still getting hijacked! i think im about to rebuild the site - just reinstall the database and the few custom css files. i have a few questions....



1 regarding your comment .... hikashop is not on the vulnerable extensions list for joomla. i only have joomlapack, admintools and DJ image slider module installed on the latest joomla 1.5. shouldnt be any security holes... ?



2. greengeeks insists its not a server issue - maybe not - but is their security enough for an ecommerce site? [do you trust this technology?] should i still get a dedicated server?


their response REgarding suPHP:
>>>>>Thank you for your inquiry, GreenGeeks has developed a service which is essentially the same as SiteGround with a few benefits with our development. SiteGround uses a service called suPHP which insures PHP and executable scripts can only read/write/delete content if owned by the user. This means if a hacker was to target cPanel user "abccom" it cannot effect cPanel user "defcom".

At GreenGeeks we take this process one step further, well GreenGeeks uses suPHP we have also created a complete Lightweight Tenant Isolation system. This essentially creates a Cloud/VPS environment for each cPanel user. Each user is provided with its own Virtual File System Structure insuring that no hacker can emulate or attack another user, but also allows us to provide specific resources limitations to each cPanel account. This insures no user can become abusive and slow down another user on the server.<<<


their response regarding open_basedir:

>>>>
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
;open_basedir =

Don't worry we are using the latest mod security rules and security plugin cageFS.

CageFS is a virtualized file system and a set of tools to contain each user in its own 'cage'. Each customer will have its own fully functional CageFS, with all the system files, tools, etc...
The benefits of CageFS are:
• Only safe binaries are available to user
• User will not see any other users, and would have no way to detect presence of other users & their user names on the server
• User will not be able to see server configuration files, such as Apache config files.
• User's will have limited view of /proc file system, and will not be able to see other' users processes
At the same time, user's environment will be fully functional, and user should not feel in any way restricted. No adjustments to user's scripts are needed. CageFS will cage any scripts execution done via:
• Apache (suexec, suPHP, mod_fcgid, mod_fastcgi)
• LiteSpeed Web Server
• Cron Jobs
• SSH
• Any other PAM enabled service





3. if i wipe the whole site and rebuild from scratch, do i have to do anything to my host account first before any first step to rebuild? like, "bleach" it ? could the hack be hidden as far back as my domain registrar or soemthing crazy like that?? can i rebuild on the same domain? or should i build it somewhere else and transfer it back once its secure. i would think the original domain is a vulnerable target now....



4. once root directory is wiped and disinfected, i probably should immediately upload special php files like open_basedir [green geeks wont let me do that though] or php.ini or something?



5. could the hack be in my database somewhere?


thank you very very much. im not a very good bug zapper :/

Please Log in or Create an account to join the conversation.

  • Posts: 82910
  • Thank you received: 13379
  • MODERATOR
11 years 9 months ago #90281

Hi,

The domain won't be a problem. But there could be a backdoor in any file of the website or even in the database. So you won't be sure that there is no way to get hacked again unless you remove every file and the database and start anew.

Joomla 1.5 is not supported anymore by the Joomla team. There could be potential holes in it which are not fixed in the latest version.

I would recommend to start directly on Joomla 2.5. Also, it can be good to use a security extension like RS firewall to protect your website against hacks in the future. Changing the hosting/hosting company won't magically fix everything unfortunately. And a normal server is enough regarding security as long as the payment happens on a payment gateway website and not directly on your website like it's the case with PayPal.

Please Log in or Create an account to join the conversation.

  • Posts: 7
  • Thank you received: 0
11 years 9 months ago #90286

ok great info. thank you.

should i adjust any server settings with the php.ini or basedir file etc after i wipe root clean and before i reinstall joomla?

Please Log in or Create an account to join the conversation.

  • Posts: 82910
  • Thank you received: 13379
  • MODERATOR
11 years 9 months ago #90287

The default settings should be fine.

The following user(s) said Thank You: cfixy

Please Log in or Create an account to join the conversation.

  • Posts: 206
  • Thank you received: 26
11 years 9 months ago #90294

Something that you may want to look at is "OSE Security Suite" they are the only other people who match the support of hikashop, it has stopped my site being hacked so many times + when my files were infected their software cleaned it up for me and told me what was modified.


I'm not an expert at this, if i post on your thread i'm doing so with the best of my knowledge and just trying to help :)
The following user(s) said Thank You: nicolas

Please Log in or Create an account to join the conversation.

Time to create page: 0.106 seconds
Powered by Kunena Forum