There seems to be a problem connecting to our database. (after being hacked)

[greengreetings]

In PhpMyAdmin of a MySQL console you should do a

Code:

SHOW CREATE TABLE db_cache;

(db_cache may be zen_db_cache or some other prefix you have chosen) and the column cache_data should show up as a mediumblob the code in the Zen Cart install sql is

Code:

DROP TABLE IF EXISTS db_cache;
CREATE TABLE db_cache (
  cache_entry_name varchar(64) NOT NULL default '',
  cache_data mediumblob,
  cache_entry_created int(15) default NULL,
  PRIMARY KEY  (cache_entry_name)
) TYPE=MyISAM;

so there's no reason why it should be a BLOB and not a mediumblob if it has been a fresh install then you may have some issue with your version of MySQL or your host may have done something to the configuration. (though I have no idea if it is possible to compile MySQL without large BLOB support). If it is a MySQL configuration problem then you shouldn't be able to change it using the ALTER TABLE sql above.

Philip.

I'm using v1.3.8 and I ran the SQL code above and I'm still getting the message: Sorry!
There seems to be a problem connecting to our database. Please give us a few minutes to remedy the problem. Thank you. I recently deleted record_company.php because my host sent me an e-mail saying that someone tried to execute a malicious code from that file. Would that have anything to do with it?

[philip_clarke]

No a non-connection to your database is between you and your host, (and nothing to do with this thread) although if you did not install the security patches, and you host has detected an attempt to use record_company.php then it is probable that your server has been compromised already and that could be responsible for using up your hosts database resource.

Philip.

[greengreetings]

No a non-connection to your database is between you and your host, (and nothing to do with this thread) although if you did not install the security patches, and you host has detected an attempt to use record_company.php then it is probable that your server has been compromised already and that could be responsible for using up your hosts database resource.

Philip.

Then, what steps should I take, or what should I tell/ask my host to remedy the issue?

[philip_clarke]

Apply the security patchs first, then ask your host to reset your mysql password, because if you were compromised (and it looks like it) they've probably taken your password from your includes/configure.php or wrecked it, and then you'll need someone to take the server to pieces and try and salvage what you have (I do this) but your host may be able to, a restore from back up will almost certainly not get rid of any backdoors they have eft nor memory resident programs and depending on your hosting the miscreants may have been able to penetrate into other people's websites on the same machine.

Sorry for the bad news

Philip.

[greengreetings]

Wow, quick reply. It doesn't seem too bad what you told me. Maybe I'm too optimistic. I've been making many backups just like everyone at Zen Cart tells us to.

I just sent my host a message before I saw your reply, but when they reply, I'll give them your suggestion and see what we can do about it. I will post the results soon. Maybe this thread can help some others who are having the problem I am. Thanks a lot Philip. I appreciate it.

Janay

[greengreetings]

My host said:
"Unfortunately, your installations of Zen Cart have a significant security vulnerability, and need to be patched in order to be used again. You will need to install the most recent version of Zen Cart, if you do not already have it. Even if you have the most recent version, you may still need to apply the patch documented here:

http://www.zen-cart.com/forum/showthread.php?t=130161

Note that the disabled files have had their permissions removed, but are still owned by your account. You can change the permissions to have read/write access for "owner," and no
other permissions enabled, while you make the required changes."

My solution: Fresh install.

One question, this may be off topic. How and why do people hack and compromise our sites and databases?

[philip_clarke]

A fresh install will not patch the database, or remove any backdoors

Why do they do it ? kids do it for fun, (and I've had a lot of people recently where the kids went in and just vandalised everything), the adults plant programs that let your server send out spam, infect visitors, sell fake anti-virus software (reckoned to be worth $34 million a month in business), hide things like stolen credit cards details and other websites sending out illegal software, the list is endless. Oh and changing your forms so that they can steal your customers details before they get sent to paypal or whomever so they can reap the details for months.

So basically your host audited your account, found you were running a old version of ZC and suspended it by changing your files. Who was the host ? they had reason to suspect that you site was being compromised probably from queries to record_company.php but do they know if it was sucessful ?

Philip.

[greengreetings]

A fresh install will not patch the database, or remove any backdoors
[...]
So basically your host audited your account, found you were running a old version of ZC and suspended it by changing your files. Who was the host ? they had reason to suspect that you site was being compromised probably from queries to record_company.php but do they know if it was sucessful ?

Philip.

My host is pairNetworks (http://www.pair.com). What will patch the database? Should I create a new one? Also, can I manually transfer customer details from the old database to a new one? How will customers still be able to log in? Will their passwords transfer over?

This is what they said about record_company.php:
We regret to inform you that we needed to disable the following script located in your account because a security vulnerability within it was exploited by a malicious user to run commands on the server:

/usr/www/users/USERNAME/DIRECTORY/ADMIN/record_company.php

They also got into my includes, and the record_company.php to a Zen Cart site that I hadn't fully built yet.

[philip_clarke]

You really need professional help, because there are almost certainly aspects that you don't have enough knowledge abuot, like scripts on a timer and cron jobs that can re-install back doors onto the system. The limits of what you could do would be to install your backup into a new folder with a .htaccess file with the words

Code:

deny from all

in it, then you put your backup there (you will not be able to get it to yet) and re-edit your configuration files to point to that folder (put a deny from all in the old folder too, but they could have put an allow from all so it's also best to change the other folder's name entirely so that nothing in it ever works again. Do a google seach for a zen cart shop and if you go down the bottom, quite a few display what is callled your ip address in your .htaccess file you the put

Code:

allow from IP_ADDRESS

and that will mena only you will see that site. Make sure the site is patched, and the admin folder moved before you even consider putting the database passwords into the configuration files. The trouble is that even this is not safe. It depends on how thorough a job they have done about putting in backdoors, that other site is contaiminated too, as mentioned they may have things on a timer and if you are on shared hosting it is perfectly possible to backdoor someone else's website when they got into yours and then pop back into your and do the same thing.

You data could be corrupt, the sale invoice for Mrs Miggins could contina links to ######## or javascrript so that when viewed it triggers another backdoor, the royal mail modules that I created, they always display their title on the page in html, so if one of the configuration keys was booby trapped, then they could come back.

This is why you need professional help. Whether they come back depends on how valuable your system is to them, what they stored on it, or what they were using it for. It takes a very long time for even a professional to be through, I removed countless back doors from a system recently and timers and then discovered that among the 65 Gbytes of data on the computer, they'd left their ftp passwords so the hackers could waltz in any time they pleased. They already have your mysql passwords just by reading the config file.

[greengreetings]

So Phillip, when you say I need professional help does that mean I need to pay someone to help me or I need to talk to my host?