Hey guys,
I have had my open cart website hacked twice in a month.
Both times it has been an index.php hack.
Anyone have an idea how this can keep happening?
Running OC 1.5.5.1. Admin relocated, no ftp accounts, all passwords changed, good permissions, no crazy vqmods.
This is getting beyond frustrating.
You have 1.5.5.1 but which theme(s)? are loaded?
If you are NOT using the default theme, then you can shut off the problem by switching to the default theme until the problem is removed (for example, as next).
IF it has any of certain "free" themes whose own advertising springs from index.php, it is resident, it shipped in with the free theme(s). There are several threads on that but first which theme(s) are you using?
If you are NOT using the default theme, then you can shut off the problem by switching to the default theme until the problem is removed (for example, as next).
IF it has any of certain "free" themes whose own advertising springs from index.php, it is resident, it shipped in with the free theme(s). There are several threads on that but first which theme(s) are you using?
Okay, then it is not springing from ad language in Journal. By "good permissions" do you mean directories 755 and files 644 (with NO vulnerable 777)? You can still briefly test it by switching to default theme.
What is it doing (or not doing) that at least seems to have brought index.php hacking to light? Is there anything odd in your /download/ directory (if yes, delete those files).
What is it doing (or not doing) that at least seems to have brought index.php hacking to light? Is there anything odd in your /download/ directory (if yes, delete those files).
What are the file permissions for the index.php file? How do you know it's hacked? Is the site being taken down completely when you have an issue?barnone wrote:Hey guys,
I have had my open cart website hacked twice in a month.
Both times it has been an index.php hack.
Anyone have an idea how this can keep happening?
Running OC 1.5.5.1. Admin relocated, no ftp accounts, all passwords changed, good permissions, no crazy vqmods.
This is getting beyond frustrating.
DL
This account is inactive. Look for us under the name 'EvolveWebHosting' and contact us under that username.
Thanks!
Correct all permissions are 755, or 644. Mostly 644 every where.
Index file is 644.
Index.php hacking was recognized because it was the only file that was changed today, and when I deleted it and made another maintenance index.php the hack disappeared. No other changes were made to files today, ie nothing changed with todays date and around the time of the hack, except index.php.
The last hack was much worse as I said before, with file changes all over the place, and like 2 or three hacked files.
Basically I navigate to my domain and it pops up with a message about "you've been hacked by xxx, and some message about increasing security."
There are a few files in download. I will go ahead and delete those, as I don't recognize them and worst case I will go ahead and re upload my backup.
Appreciate the help a lot guys.
The last time this happened my site was down all day and tech support at my host, was not helpful at all. Spent all day on it and at the end of the day I just made the changes myself since they wouldn't listen about their backup being compromised.
Index file is 644.
Index.php hacking was recognized because it was the only file that was changed today, and when I deleted it and made another maintenance index.php the hack disappeared. No other changes were made to files today, ie nothing changed with todays date and around the time of the hack, except index.php.
The last hack was much worse as I said before, with file changes all over the place, and like 2 or three hacked files.
Basically I navigate to my domain and it pops up with a message about "you've been hacked by xxx, and some message about increasing security."
There are a few files in download. I will go ahead and delete those, as I don't recognize them and worst case I will go ahead and re upload my backup.
Appreciate the help a lot guys.
The last time this happened my site was down all day and tech support at my host, was not helpful at all. Spent all day on it and at the end of the day I just made the changes myself since they wouldn't listen about their backup being compromised.
I was going to ask what your host had to say. Usually they can pinpoint things for you but apparently not. Maybe their servers aren't hardened properly to be secure.
DL
DL
This account is inactive. Look for us under the name 'EvolveWebHosting' and contact us under that username.
Thanks!
Yeah that is exactly what I was thinking. I am tired of getting the "review these articles on security, and recovering after a hack."cwswebdesign wrote:I was going to ask what your host had to say. Usually they can pinpoint things for you but apparently not. Maybe their servers aren't hardened properly to be secure.
DL
After the first time it was such a hassle that I am pretty sure I am going to move.
I thought that they were big enough to be squared away but perhaps not.
Saw you were a web host will email you shortly.
Check whether you actually deleted /install/, you might have forgotten about it. There may be a hacking console already uploaded, and that would be accessible afterward via http in a browser addressed straight to it. Any odd or suspicious *.php names are red flags (default.php, grocery.php, [nonsense].php, etc.) and if they do not clearly match the fileset timestamps can be quarantined or deleted. If you move, use the fileset on your machine and a known good backup of the database.
Recommend moving. His servers do handle OC and security.
Recommend moving. His servers do handle OC and security.
Wanted to provide an update. I have since moved hosting services and I would highly suggest Evolve Hosting for your open cart needs!. Doug is very helpful, prompt on emails and answers them seemingly around the clock!
He made the process really simple and I hope this move will be the end of this hacking craziness.
Frustrating to do everything that I can find for site security and still have issues.
He made the process really simple and I hope this move will be the end of this hacking craziness.
Frustrating to do everything that I can find for site security and still have issues.
Who is online
Users browsing this forum: No registered users and 82 guests
