OLD Super Orders 2.0 (See v3.0 thread instead)

[HimalayanWeb]

I'm getting the following error in my website http://www.maternitystar.com.au


Fatal error: Call to undefined function zen_href_link() in /home/matern/public_html/includes/languages/english.php on line 539

What could be causing this? Thanks for any help on the matter. Please help me i am in big problem....

[carlvt88]

The function is defined in includes/functions/html_output.php. Do you know if that file is OK? Was your site working before you made a change somewhere? Do you have extra files in that directory that don't belong? Let us know how you make out...

[philip_clarke]

In all likelihood they have been hacked and then the script kiddie has run riot since their admin folder is in the default place. Going to the admin folder results in problems with SEO too in the auto_load functions so I am guessing that it's a hack and then break the server to stop anyone else. A quick scan before my ip got blocked (that was ME not a bad guy) showed an odd port open on 2222 which is listed as a rootkit shell port but then it could just be SSH bein forwarded to a non obvious port.

http://www.google.co.uk/search?hl=en...t+2222+rootkit

lists quite a few rootkits there. I think they need professional help, and probably shouldn't be posting here either, more int he security section.

Philip.

[dw08gm]

In all likelihood they have been hacked and then the script kiddie has run riot since their admin folder is in the default place. Going to the admin folder results in problems with SEO too in the auto_load functions so I am guessing that it's a hack and then break the server to stop anyone else. A quick scan before my ip got blocked (that was ME not a bad guy) showed an odd port open on 2222 which is listed as a rootkit shell port but then it could just be SSH bein forwarded to a non obvious port.

http://www.google.co.uk/search?hl=en...t+2222+rootkit

lists quite a few rootkits there. I think they need professional help, and probably shouldn't be posting here either, more int he security section.

Philip.

Philip, you absolutely amaze me with the things you uncover. I love it.

What was the scan you did that showed the open port 2222?

[philip_clarke]

Standard nmap scan, there seems to be some snort-like feature enabled on that server or a router further down the chain, as after the scan it then ceased communication with the ip address it was scanned from (not my web browser address) so I investigated further and found that the site is/ was a 1.3.7 as listed conveniently here:

http://www.maternitystar.com.au/docs/

a little more investigation now that the block has cleared show that port 2222 is a forwarded SSH port that you can try and log in on. It's also a Red Hat Enterprise Linux Server because helpfully it says so in the browser headers (you can read them in firefox)

HTTP/1.1 200 OK
Date: Fri, 07 Aug 2009 14:57:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

Please note that at no point have I attempted to gain access to this machine or it's data. I am just giving a considered opinion that the server has been wrecked, in all likelihood by a script kiddie covering his/ her tracks by doing rm *.php after they've done their business. I saw this a lot about 3/ 4 weeks ago when a proof of concept exploit was published. Also it appears that modifications to morfeus and santy have already been done since requests for zen cart shops are now appearing much higher up the rank in some honey traps I have laid out.

With any luck that site could be restores quite easily depending on the damage the kiddie has done naturally. I'd start by sweeping for backdoors though. The wrecking was probably to cover tracks, professional hackers tend to go quietly in and leave things untouched to the outside eye, (hence the port scan to see if there was any indication of an IRC controlled bot). The more skilled professional hacker tends to be of the opinion that there is no point in hacking a server to reap credit cards, join a bot net, send out spam, store illegal files etc... if the website's owner is going to take down the website because it's been trashed.

I reckon one of two causes. a) big hard drive failure leading to large sections of the drive being unreadable (but not "that" likely as the main directory structure of the site looks intact.
b) script kiddie

Naturally I have only looked from the outside bit like shining a torch on a car wreck, as going in would be covered by the "computer misuse act" in the UK and I haven't been invited.

Philip.

[dw08gm]

It is always good to know your enemy. I did the search as per your previous post and started reading the madirish blog (IIRC) and a few others. Amazing stuff. While I don't ever expect to catch up, I can only hope my site is interesting enough not to be hacked. Otherwise I will erect a sign saying "This site is protected by extreme poverty". Thanks for the heads up.

[philip_clarke]

http://news.bbc.co.uk/1/hi/world/eur...es/8123450.stm

is an interesting article about "quiet" hackers as I call them, note that they aim was not money when they took over the website, also the Swiss police did not arrest the website owner which is unusual.

[rpain]

OK - question related to the mod. I have got a set of customers (about 200) who have bought some particular item. I'd like to send an email to just those customers - is this possible within the interface (or with a simple mod) or do I need to start fiddling around generating huge sql queries and extracting emails that way? I'm using the latest version.

Thanks,
Richard

[philip_clarke]

Zen Cart has the newsletter feature built in, not this, that kind of email would also fall foul of the USA spam (and probably our) rules if they were given the chance to opt into a newletter and you just went an ignored it even if it were limited to one item, and apart from that it's fiddling time.

Philip.

[carlvt88]

Check out the query factory. This uses the zencart newsletter feature and allows you to build in a custom list for distribution. So, you can specify a query that will select the users who bought that particular item.