v1.3.? Hacked! All but .php database and images destroyed...

Hi there...

I am a business owner whose site was hacked last week by some cyber-terrorist bastards who pretty much destroyed my business. The administrator for my site had to delete the entire version of Open Cart we were running, which was v1.3. something. The ONLY files he has managed to salvage are my main database file (the .php file that usually resides in the "Home" directory) and all of my image files. We are unable to upgrade at the moment, since we are unable to determine what version of Open Cart we were running. My initial question therefore is this: Is there any way to determine which version we were using by looking at the code in the database file? Is it written in there anywhere? He has downloaded the most recent version, (1.4.9.1) and has tried like hell to get this new version to recognize and connect to the old database. It is just not working. I had spent HUNDREDS of hours uploading products, writing descriptions, etc., and this business is a secondary source of income for me and my family. My administrator accepts the responsibility for not upgrading as he should have been. What's done is done though and now we're looking for a solution. The .php file he has contains all of my former cart's information. We are having a connectivity issue with the latest version of Open Cart. Does ANYONE have any ideas as to how we can get my store up and running again? My idea was to determine which version of Open Cart we were using when we were hacked, install that same version and then obtain each and every upgrade from Daniel Kerr, then follow the upgrade instructions to the letter. We are willing to try anything. If I was aware that there were security issues in the version we were running, I would have certainly taken measures to insure the safety of my site.

Any suggestions from you brilliant database code writers will be greatly appreciated. This is not only an enormous blow to my company but it's making me severely depressed.

Just to reiterate, The ONLY files we saved from the hack are the main database .php file, and all of my images.


Thank you...

Jeff

Hey Jeff

That really sucks
The best thing I can suggest is to install on a local machine all the versions of 1.3.x and try one at a time to get them to connect with the database you salvaged, then export the data for all of your products using J Neuhoffs export module (I think it's compatible that far back). Then create a fresh new install of 1.4.9.1 with a new database, and import them into the latest version. If you've got your image files that will certainly reduce the grief you'll have with this

One question, do you have cPanel on the server you have the store on? if so, you could well have a backup of the site already, as it periodically makes backups of your data (daily, weekly and monthly). If you have those, it might be possible to get everything restored

DrummerBoy wrote:Hi there...
The ONLY files he has managed to salvage are my main database file (the .php file that usually resides in the "Home" directory) and all of my image files.

......The .php file he has contains all of my former cart's information.

......The ONLY files we saved from the hack are the main database .php file, and all of my images.

Not sure what file you saved but a database is not saved as as .php file that I am aware of. Databases are exported from phpmyadmin into .sql or .gz usually

I'm guessing he meant the db config rather than an actual db

Jay...

I have a feeling that the database, (which he did export as a .sql file and not a .php, I was mistaken), will connect with version 1.3.4. Are you saying that if/when we get that connected and working locally, this export module will modify the database to be compatible with version 1.4.9.1? Can you supply a link to the export module? We couldn't seem to locate it earlier. My administrator is running cPanel locally and his host did have a back-up but that was riddled with viruses too. He checked the e-mail folder again today and it was infested. I know these CSRF attacks often originate from an e-mail link someone clicks on. He has about (25) accounts he is hosting, which makes it difficult to prevent unless there is a filter we can place at the entrance to the mailboxes that won't allow infected mail to be delivered. Once we do get the store up and running again, the goal will be to prevent this from happening again. Is the latest version of Open Cart effective at doing so or do we need to purchase a program that will scan the server?

Qphoria--this is the same issue my administrator has been e-mail you about, (Mike from OhGoGosh).

Best way to stop getting hacked by these CSRF attacks is to upgrade

http://www.opencart.com/index.php?route ... sion_id=17 - IMPORT/EXPORT module. That is only for 1.4.7 - 1.4.9 but I'm sure there was one made for earlier versions. If you contact J Neuhoff I'm sure he'll send you the file for your version

Unfortunately any shopping system or website can be hacked today. Mine was hacked 2 times in just one week. First time by a turkish and second by an algerian. A kind of Holy war I guess...

This is what a network security administrator told me:

Hello,

Your site was hacked via a username/pasword combination used to access your "admin" area and upload a malicious file:

Note: Please feel free to remove this code if you think that can help other hackers.

A FCKEditor vulnerability?

Then I renamed the admin folder and changed the username and password.

In order to rename the admin just rename the admin folder to anything else, then edit config.php and /admin/config.php and replace all references to "admin" by the name of the new admin folder.

Also I highly recommend to install this open source software: http://www.crawlprotect.com/

Just download it, unzip it, rename the folder, upload to the root or directory where you have the shop installed, and point your browser to yoursite.com/thenameofthecrawlprotectfolder/ then choose a username and password, log in and click create .htaccess that's all. This will add a few lines on your .htaccess. Don't forget to tick OpenCart if the option is there.

DrummerBoy, do you have a database and files backup? If yes, you can restore your shop easily.

Jay... thanks for the link to the upgrade module. We're attempting to make changes to the code and connect the database now. We may need to utilize your expertise if our efforts fail Qphoria. Your rate is fair and you'd be able to upgrade my UPS module as well. If we need to hire you, do you accept half up front and half upon completion?

GoogleBot... thank you for the link to CrawlProtect! That's exactly what we were looking for. Something we can put on the server that would act as a guardian of sorts. None of the hosting companies offer free scans and some of the protection that is available is INSANELY priced, (we found one for over $12K per year!). I imagine those programs are for companies that are generating far more revenue than I am, (eBay, Target, Wal-mart, etc.). It really sucks that your site was hacked twice in one week. I can certainly empathize with you though, having my store hacked, fixed then hacked again the very next day! Thank God we have some decent, intelligent programmers, developers and code writers on our side too, like Qphoria and Jay!

Will any luck, I'll be back up and running this week. Going on week #2 of not being able to generate any income and it's getting frustrating!

DrummerBoy wrote:Jay...

I have a feeling that the database, (which he did export as a .sql file and not a .php, I was mistaken), will connect with version 1.3.4. Are you saying that if/when we get that connected and working locally, this export module will modify the database to be compatible with version 1.4.9.1? Can you supply a link to the export module? We couldn't seem to locate it earlier. My administrator is running cPanel locally and his host did have a back-up but that was riddled with viruses too. He checked the e-mail folder again today and it was infested. I know these CSRF attacks often originate from an e-mail link someone clicks on. He has about (25) accounts he is hosting, which makes it difficult to prevent unless there is a filter we can place at the entrance to the mailboxes that won't allow infected mail to be delivered. Once we do get the store up and running again, the goal will be to prevent this from happening again. Is the latest version of Open Cart effective at doing so or do we need to purchase a program that will scan the server?

Qphoria--this is the same issue my administrator has been e-mail you about, (Mike from OhGoGosh).

it wasn;t a csrf attack. if you are running 1.3.2 you need to delete the example directory in your fckeditor. this problem was found out 2 years ago and was fixed straght away.

GoogleBot wrote:Also I highly recommend to install this open source software: http://www.crawlprotect.com/

Has anyone else used this script? Opinions?

it wasn;t a csrf attack. if you are running 1.3.2 you need to delete the example directory in your fckeditor. this problem was found out 2 years ago and was fixed straght away.

Daniel... how do you know it was version 1.3.2 that we were using? My admin guy had to delete the entire program and related files, aside from the .sql database and the images that accompany my products. We were trying to figure out which version he was using. He had it already installed on his server when he mentioned it to me. I downloaded 1.3.4 which I happened to still have on my computer. I sent this to him last week to see if we can get the database to connect to it. If it was definitely 1.3.2, would you happen to have a .zip of it you can send him or me? I'm trying to figure out the easiest and best way to get up and running again. Thanks for the response!

Jeff

Jeff, you can find older versions of Opencart here:
http://code.google.com/p/opencart/downloads/list
- if it's any help..hope it is

Karen, we're trying it out on our server now and will post some feedback after we test it a bit.

Moggin, thank you for the link! We should be able to get things up and running again this week now that we have all the old versions!