New Malicious Hack, very hard to find

Author	« Topic »
Marshall Ecommerce Template Guru USA 1874 Posts	Posted - 12/08/2019 : 08:07:07 A client was recently hacked. After doing the usual file searches, upload new files, and so on. the problem was not fixed. Turns out the hack was in the database, cleverly hidden. As you know, the input field for the Admin category name is about 30 spaces wide. The hacker put 45 spaces between the category name and the malicious script so you could not see it when viewing the category in the Admin. Even with downloading the categoryinventory page, it was not readily visible as Excel defaults to column widths of about an inch and, with text in the 'sectionWorkingName' column, the additional text in the 'sectionName' column is hidden. If you suspect a hack or are getting security warnings (mentioning google-smart) when you open a page, download your category inventory and product inventory files and search for <script> before you drive yourself crazy going through every page and ECT file. As a side note, the hack is from China and the actual malicious script is on another server. The script in the hack is a document.write script. And I say "New Malicious Hack" as I have not seen this spacing trick before. Marshall CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
Vince Administrator 42462 Posts	Posted - 12/08/2019 : 08:33:19 Hi Marshall I'm sorry to hear that your client got hacked and I'm glad you found the offending script. But did you find out how they put the script there in the first place? I'm assuming it's not an ECT vulnerability or you would have mentioned, but just to be sure etc. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Marshall Ecommerce Template Guru USA 1874 Posts	Posted - 12/08/2019 : 08:48:24 How it got hacked is being looked into. If I find out, I will let you know. All I can say for now is it happened around 12/5 or 12/6. I checked other ECT sites I manage, both ASP and PHP, and could not find any others hacked. Marshall CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
Vince Administrator 42462 Posts	Posted - 12/08/2019 : 09:08:16 Ok, good luck with finding the cause and thanks for the heads-up about the hack. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Marshall Ecommerce Template Guru USA 1874 Posts	Posted - 12/10/2019 : 13:38:22 Just to follow up, seems this was an SQL injection. Two suspicious IP addresses were found: 111.90.141.195 out of Malaysia and 188.213.49.212 out of Romania, the later is a known for spam and brute force attacks. Marshall CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
Vince Administrator 42462 Posts	Posted - 12/10/2019 : 13:50:47 Hi Marshall Do you know how they managed to do this though? Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Marshall Ecommerce Template Guru USA 1874 Posts	Posted - 12/10/2019 : 17:19:17 Not sure yet. Marshall CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
	« Topic »