Recovering From Hacks
My Site Was Hacked - How Do I Recover?
If your website has been hacked, you need to plug the holes that were used to invade your site. Then you need to clean up the mess created. Then you need to go back to business as usual, and practice good security measures: Important Site Security Recommendations.
Report The Exploit To Your Hosting Company
FIRST, you need to let your hosting company know. They may be aware of other sites on the same server which have been hacked. They may also know more information about "how" your site was invaded, such as whether perhaps the exploit happened from someone ELSE's hosting account, and you were merely a victim of someone else's poor security measures.
Work with your hosting company to review the server access logs and error logs in order to determine HOW the exploit happened, so that proper corrective action can be taken.
Take The Site Offline
You might first want to take your website offline for maintenance. You could ask your host for ideal ways to do this. One aggressive way is to rename your public_html folder temporarily. But ASK YOUR HOST first before you do this. If you can't rename it back again, you'll be offline until your host's tech support can help you. You might want to try a modified .htaccess and index.html/index.php file instead.
(A very quick alternative to this would be to rename your main index.php file to index.php.OFF and make a copy of the nddbc.html file as index.php until you're done cleaning up. This will not be good as a long-term solution, but will prevent people (and search engines) from accessing your damaged store until you complete the cleanup.)
Even if you can't do this step, carry on to the next one:
Download a full copy of all your files from your server, and compare them to your master/backup copy. Here's the concept explained: Troubleshoot - Diagnosing Obscure Issues
(You might choose to TEMPORARILY skip the "images" folder initially, since it's often very large. Download all the rest first, and while comparing those files, do a separate download of just the "images" folder in the background... then inspect it once it's done.)
BUT REMEMBER: Many exploits, especially phishing hacks, will put their "back door" in files located in your "images" folder and/or subfolders, possibly even looking like image files. SO DO NOT SKIP THE IMAGES FOLDER ENTIRELY!!!! Be sure to do a THOROUGH inspection of EVERY file in all your images folders/subfolders!!!!
ADDITIONALLY, you should start FIRST with checking your main index.php file and your index.html file. For MOST Zen Cart sites, there is NO index.html file ... only index.php. If you have an unexpected index.html file, it may be prudent to rename or delete it. Then check the index.php for any unexpected changes, replacing the file as appropriate. Then proceed with your full site-audit.
When your comparison is done, be sure to upload any required fixes to your server.
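One way to do that comparison, added here as an example and not code from the Zen Cart project: a Python script that hashes every file in your downloaded copy and in your backup, lists what was added, modified or removed, and separately flags the two things the steps above single out (PHP code or executable extensions under images/, and an unexpected index.html at the site root). The sample trees it builds are constructed for illustration; point audit_site() at your own backup and download directories.

```python
# Added example (not Zen Cart's own code): diff a downloaded live copy against a clean backup.
import hashlib, os, re, tempfile

PHP_TAG = re.compile(rb"<\?php|<\?=")           # PHP open tags, anywhere in a file
EXEC_EXT = (".php", ".php5", ".phtml", ".pht")  # extensions a web server may execute

def _tree(root):
    # Map relative path -> sha256 for every regular file below root.
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def audit_site(backup_root, live_root):
    """Return added/modified/removed paths plus (path, reason) suspicious entries."""
    backup, live = _tree(backup_root), _tree(live_root)
    findings = {"added": sorted(set(live) - set(backup)),
                "removed": sorted(set(backup) - set(live)),
                "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
                "suspicious": []}
    if "index.html" in live and "index.html" not in backup:
        findings["suspicious"].append(("index.html", "unexpected index.html at site root"))
    for rel in sorted(p for p in live if p.startswith("images/")):
        if rel.lower().endswith(EXEC_EXT):
            findings["suspicious"].append((rel, "executable extension inside images/"))
            continue
        with open(os.path.join(live_root, rel), "rb") as f:
            if PHP_TAG.search(f.read()):
                findings["suspicious"].append((rel, "PHP code inside an image-named file"))
    return findings

def build_sample_trees():
    """Constructed fixture (not real site data): a clean backup and a tampered live copy."""
    root = tempfile.mkdtemp()
    files = {"backup/index.php": b"<?php require 'includes/application_top.php';",
             "backup/includes/configure.php": b"<?php define('DB_SERVER', 'localhost');",
             "backup/images/logo.gif": b"GIF89a....",
             "live/index.php": b"<?php /* tampered */ require 'includes/application_top.php';",
             "live/index.html": b"<html>defaced</html>",
             "live/images/logo.gif": b"GIF89a....",
             "live/images/pixel.gif": b"GIF89a<?php echo 'not an image'; ?>",
             "live/images/ads/banner.jpg.php": b"<?php // planted"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    return os.path.join(root, "backup"), os.path.join(root, "live")
```

Anything listed under "modified" or "added" is a file to inspect against your master copy before uploading fixes; the "suspicious" list is only a heuristic, so still review every file in images/ as the text above insists.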
Secure Your Site
Practice good safety measures. Follow these Important Site Security Recommendations.
Make sure you've applied all the security patches applicable to your site.
If you are using v1.3.8 or older, YOU REALLY NEED TO UPGRADE ASAP, as there are well-known security exploits in prior versions. v1.3.8 was released in 2007. There are many newer versions since then, which don't have those older security problems, because a large security overhaul was done on core code for 1.3.9 and newer.
Use SECURE access to your website
FTP access should NEVER be done over standard FTP on port 21.
You should ALWAYS use SFTP or FTP-with-implicit-SSL or some other secure method of FTP communication. Contact your hosting company to determine what options are available and for instructions on how to use more secure methods.
Ensure that any contractors you hire or give access to your FTP are instructed to also use SECURE methods of FTP access.
Use dedicated SSL or at least shared SSL to secure communications with your website.
1. Add SSL to your store's front-end, to protect your customers. Using SSL will ensure that their passwords and address info are transmitted securely, instead of in plain text which can be easily stolen by anybody snooping around an internet connection. The use of SSL is mandatory if you're also collecting credit card numbers directly on your site. But even if you're leaving all the credit card handling on the bank's site you should still protect your customers' data via SSL, even if it's at least shared SSL.
2. Admin side. Even if you've opted not to secure your store's front-end, you really ought to secure your store's admin with SSL, even if it's "shared SSL" and not a dedicated certificate. To secure all your admin pages, make a small edit in your admin-specific configure.php file so that your site's SSL address appears in both the HTTP_SERVER and HTTPS_SERVER fields. (This is different from how you'd do it on the storefront side.)
Change your Passwords
Since your passwords might have been obtained from your configure.php files, be sure to change your MySQL passwords, and use those new passwords in your configure.php files. Your webhost can help you change passwords if you require assistance.
If you have usernames, passwords, transaction keys, API credentials, etc. set up in any of your payment or shipping modules, you should do TWO THINGS: a) make sure they are YOUR details (and not changed and replaced by a hacker), and b) CHANGE any passwords or transaction keys or API credentials, just in case those details have been stolen and could be misused in the wrong hands.
If your Admin User accounts have been compromised, you should create new passwords for those as well.
There are many passwords which you should change:
- MySQL database user (described above), and put the new one in your configure.php files
- payment/shipping modules, if they have any passwords, transaction keys, API credentials, etc
- third-party services like google/froogle/(or whatever they call it these days), captcha addons, anything for which you've put a password into your store's admin settings
- your Zen Cart admin users
- your hosting account control panel (to access your webhosting from your hosting company)
- your FTP accounts -- make sure ALL ftp users in your account are supposed to be there, in case someone added more
If your FTP was compromised, then you might have been using insecure FTP over port 21 (mentioned earlier) and should be changing to secure FTP. See your hosting company for help with that.
Also, if your FTP or webhosting account password was compromised, then you might have a trojan/virus/keylogger on your computer that has been stealing your passwords and sending them to the hacker. Cleaning up your computer will be necessary. And then change all your passwords. Including any passwords you use for personal reasons outside Zen Cart (such as email, banking, etc).
Double-Check *ALL* your Email Addresses
In your Zen Cart Admin area there are several places where email addresses are entered, both for sending emails and directing where certain messages should be received. If your admin area has been compromised, you should double-check every email address to be sure that none of those addresses has been changed to some value you didn't put there. You don't want order confirmation emails going to someone besides the customer and yourself, for example.
Double-Check *ALL* your Admin Settings
If someone got into your Zen Cart Admin area, they might have changed various settings on you. You need to verify everything to ensure nothing has been compromised.
If you are using any modules/services that have passwords accessible in your admin area, change those passwords.
If any orders have been placed, double-check that they are legitimate before shipping (you should always do that anyway).
If you believe that any credit card information has been compromised, you need to notify the affected customers of that situation immediately.
Consider changing your MySQL database username/password too.
Get in the Practice of Doing REGULAR BACKUPS
Be sure to do regular backups of your MySQL database AND your website files (i.e. the public_html, htdocs or www folder, or whatever the proper folder name is on your server). Ask your host about ways to do this most effectively using controls in your hosting account's control panel.
Having regular backups will equip you with resources to use for recovery ... whether that's restoring the database or files, or comparing your infected live site against your uninfected backup. Having a healthy point of reference can be a life-saver for ensuring there are no leftovers lingering after cleanup.