Recovering From Hacks
From Zen Cart(tm) Wiki
My Site Was Hacked - How Do I Recover?
If your website has been hacked, you need to plug the holes that were used to invade your site. Then you need to clean up the mess created. Then you need to go back to business as usual, and practice good security measures.
Report The Exploit To Your Hosting Company
FIRST, you need to let your hosting company know. They may be aware of other sites on the same server which have been hacked. They may also know more information about "how" your site was invaded, such as whether perhaps the exploit happened from someone ELSE's hosting account, and you were merely a victim of someone else's poor security measures.
Take The Site Offline
You might first want to take your website offline for maintenance. You could ask your host for ideal ways to do this. One brute-force way is to rename your public_html folder temporarily. But ASK YOUR HOST first before you do this. If you can't rename it back again, you'll be offline until your host's tech support can help you. You might want to try a modified .htaccess and index.html/index.php file instead.
If you can't do this step, carry on to the next one:
Check ALL your files for unauthorized changes
Download a full copy of all your files from your server, and compare them to your master/backup copy. Here's the concept explained: Troubleshoot - Diagnosing Obscure Issues
(You might choose to skip the "images" folder initially, since it's often very large. Download all the rest first, and while comparing those files, do a separate download of just the "images" folder in the background... then inspect it once it's done.)
ADDITIONALLY, you should start FIRST with checking your main index.php file and your index.html file. For MOST Zen Cart sites, there is NO index.html file ... only index.php. If you have an unexpected index.html file, it may be prudent to rename or delete it. Then check the index.php for any unexpected changes, replacing the file as appropriate. Then proceed with your full site-audit.
When your comparison is done, be sure to upload any required fixes to your server.
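The comparison described above can be scripted. The following is an added example, not part of the original wiki page or of Zen Cart itself: it hashes every file in the clean master copy and in the downloaded live copy, then lists what was added, removed or changed, optionally skipping the top-level "images" folder for a first pass. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root, skip=()):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped top-level folders (e.g. "images") in place.
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(master_dir, live_dir, skip=()):
    """Compare a downloaded live copy against the clean master copy."""
    master = hash_tree(master_dir, skip)
    live = hash_tree(live_dir, skip)
    return {
        "added": sorted(set(live) - set(master)),    # not in master: inspect first
        "missing": sorted(set(master) - set(live)),  # deleted from the live site
        "modified": sorted(p for p in master.keys() & live.keys() if master[p] != live[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Run the audit on two small constructed trees (not real site files)."""
    with tempfile.TemporaryDirectory() as tmp:
        master, live = os.path.join(tmp, "master"), os.path.join(tmp, "live")
        for root in (master, live):
            _write(root, "index.php", "<?php // storefront entry point\n")
            _write(root, "includes/configure.php", "<?php // settings\n")
            _write(root, "images/logo.txt", "logo\n")
        _write(live, "index.php", "<?php // storefront entry point\n// unexpected line\n")
        _write(live, "index.html", "<html>unexpected page</html>\n")
        os.remove(os.path.join(live, "includes/configure.php"))
        return audit(master, live, skip=("images",))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Review anything listed under "added" first (an unexpected index.html would appear there), then index.php if it shows up under "modified".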
Secure Your Site
Practice good safety measures. Follow these Important Site Security Recommendations.
If you are using v1.3.x, you should probably also implement this tip: http://tutorials.zen-cart.com/index.php?article=320
Change your Passwords
Since your passwords might have been obtained from your configure.php files, be sure to change your MySQL passwords, and use those new passwords in your configure.php files. Your webhost can help you change passwords if you require assistance.
If your Admin accounts have been compromised, you should create new passwords for those as well.
Get in the Practice of Doing REGULAR BACKUPS
Be sure to do regular backups of your MySQL database and your website files (i.e., the public_html or htdocs etc folder). Ask your host about ways to do this most effectively using controls in your hosting account's control-panel.
Having regular backups will equip you with resources to use for recovery ... whether that's restoring database or files, or comparing your infected live site vs your uninfected backup. Having a healthy point of reference can be a life-saver for ensuring there are no leftovers lingering after cleanup.
