Recovering From Hacks
My Site Was Hacked - How Do I Recover?
If your website has been hacked, you need to plug the holes that were used to invade your site. Then you need to clean up the mess created. Then you need to go back to business as usual, and practice good security measures.
Report The Exploit To Your Hosting Company
FIRST, you need to let your hosting company know. They may be aware of other sites on the same server which have been hacked. They may also know more information about "how" your site was invaded, such as whether perhaps the exploit happened from someone ELSE's hosting account, and you were merely a victim of someone else's poor security measures.
Take The Site Offline
You might first want to take your website offline for maintenance. You could ask your host for ideal ways to do this. One brute-force way is to rename your public_html folder temporarily. But ASK YOUR HOST first before you do this. If you can't rename it back again, you'll be offline until your host's tech support can help you. You might want to try a modified .htaccess and index.html/index.php file instead.
If you can't do this step, carry on to the next one:
Download a full copy of all your files from your server, and compare them to your master/backup copy. Here's the concept explained: Troubleshoot - Diagnosing Obscure Issues
(You might choose to skip the "images" folder initially, since it's often very large. Download all the rest first, and while comparing those files, do a separate download of just the "images" folder in the background... then inspect it once it's done.)
ADDITIONALLY, you should start FIRST with checking your main index.php file and your index.html file. For MOST Zen Cart sites, there is NO index.html file ... only index.php. If you have an unexpected index.html file, it may be prudent to rename or delete it. Then check the index.php for any unexpected changes, replacing the file as appropriate. Then proceed with your full site-audit.
When your comparison is done, be sure to upload any required fixes to your server.
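One way to do the comparison step described above, as an added example that is not part of the original article: hash every file in the clean backup and in the downloaded live copy, report what was added, removed or modified, skip the "images" folder for a separate pass, and flag an index.html that the backup never had. The directory layout, file contents and the "tampered" live copy are all constructed sample data.

```python
# Added example (not from the Zen Cart article): audit a downloaded copy of the
# live site against a clean backup, skipping "images" for a separate pass and
# flagging an index.html that the backup never had.
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root: Path, skip_dirs=()) -> dict:
    """Map relative path -> SHA-256 for every file under root, skipping named top-level dirs."""
    result = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in skip_dirs:
            result[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def compare_trees(clean_root: Path, live_root: Path, skip_dirs=("images",)) -> dict:
    """Diff the live download against the backup; anything 'added' or 'modified' needs inspection."""
    clean, live = hash_tree(clean_root, skip_dirs), hash_tree(live_root, skip_dirs)
    common = clean.keys() & live.keys()
    return {
        "added": sorted(live.keys() - clean.keys()),      # dropped-in files: suspicious
        "removed": sorted(clean.keys() - live.keys()),
        "modified": sorted(p for p in common if clean[p] != live[p]),
        # Most Zen Cart sites have only index.php; an index.html the backup lacks is a red flag
        "unexpected_index_html": "index.html" in live and "index.html" not in clean,
    }

def demo() -> dict:
    """Constructed sample data: a clean backup and a tampered live copy in temp dirs."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "backup", base / "live"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "images").mkdir()
        (root / "includes" / "configure.php").write_text("<?php define('DB_SERVER', 'localhost');\n")
        (root / "index.php").write_text("<?php require('includes/application_top.php');\n")
    (clean / "images" / "logo.gif").write_bytes(b"GIF89a")
    # Constructed tampering on the live copy: edited index.php, a new index.html,
    # and a changed image (not reported because "images" is skipped in this pass)
    (live / "index.php").write_text("<?php require('includes/application_top.php'); // tampered\n")
    (live / "index.html").write_text("<html>unexpected</html>\n")
    (live / "images" / "logo.gif").write_bytes(b"GIF89a-changed")
    return compare_trees(clean, live)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run a second pass with skip_dirs=() once the images download finishes, so the large folder is audited too.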
Secure Your Site
Make sure you've applied all the security patches applicable to your site: http://www.zen-cart.com/forum/showthread.php?t=131115
Practice good safety measures. Follow these Important Site Security Recommendations.
If you are using v1.3.8 or older, you should probably also implement this tip: http://tutorials.zen-cart.com/index.php?article=320
Change your Passwords
Since your passwords might have been obtained from your configure.php files, be sure to change your MySQL passwords, and use those new passwords in your configure.php files. Your webhost can help you change passwords if you require assistance.
If you have usernames, passwords, transaction keys, API credentials, etc. set up in any of your payment or shipping modules, you should do TWO THINGS: a) make sure they are YOUR details (and not changed and replaced by a hacker), and b) CHANGE any passwords or transaction keys or API credentials just in case the details of those have been stolen and could be misused if in the wrong hands.
If your Admin User accounts have been compromised, you should create new passwords for those as well.
Double-Check *ALL* your Email Addresses
In your Admin area there are several places where email addresses are entered, both for sending emails and directing where certain messages should be received. If your admin area has been compromised, you should double-check every email address to be sure that none of those addresses has been changed to some value you didn't put there. You don't want order confirmation emails going to someone besides the customer and yourself, for example.
Double-Check *ALL* your Admin Settings
If someone got into your Admin area, they might have changed various settings on you. You need to verify everything to ensure nothing has been compromised.
If you are using any modules/services that have passwords accessible in your admin area, change those passwords.
If any orders have been placed, double-check that they are legitimate before shipping (you should always do that anyway).
If you believe that any credit card information has been compromised, you need to notify the affected customers of that situation immediately.
Consider changing your MySQL database username/password too.
Get in the Practice of Doing REGULAR BACKUPS
Be sure to do regular backups of your MySQL database and your website files (i.e. the public_html, htdocs, or similar folder). Ask your host about ways to do this most effectively using controls in your hosting account's control-panel.
Having regular backups will equip you with resources to use for recovery ... whether that's restoring the database or files, or comparing your infected live site against your uninfected backup. Having a healthy point of reference can be a life-saver for ensuring there are no leftovers lingering after cleanup.