Shopping carts hacked
Post #1, 11-02-2006 09:15, j52c

Hi.

Are there any users of the X-cart shopping cart system on here?

It would appear that over the last 4 to 6 weeks hackers are targeting them, as some have been rendered unusable by hackers exploiting a flaw in AWStats on web servers.

Some entries in web error logs look like this:

/blog/xmlsrv/xmlrpc.php 30 -
/blogs/xmlsrv/xmlrpc.php 30 -
/xmlrpc/xmlrpc.php 28 -
/xmlsrv/xmlrpc.php 27 -
//awstats.pl 2 -
//awstats/awstats.pl 2 -
//cgi-bin/awstats/awstats.pl 2 -
/mysqladmin/main.php 2 -
/dbadmin/main.php 2 -
__________________
Regards.

Jim.
www.freebits.co.uk
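An added example, not from the thread or from X-cart: a short Python script that takes Apache access-log lines, picks out the probe families listed above (xmlrpc.php, awstats.pl, database admin panels, FrontPage extensions) and separates the harmless 404s from the probes the server actually served, which are the only ones worth investigating. The log lines are constructed for the example. The `configdir` check is my assumption about which AWStats flaw the scanners are after (the 2005 awstats.pl command injection, CVE-2005-0116); the thread itself does not say which flaw was used.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2006:03:14:05 +0000] "GET /xmlrpc.php HTTP/1.0" 404 302 "-" "-"
203.0.113.7 - - [11/Feb/2006:03:14:06 +0000] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
203.0.113.7 - - [11/Feb/2006:03:14:07 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 302 "-" "-"
198.51.100.9 - - [11/Feb/2006:04:02:11 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;uname;echo| HTTP/1.0" 200 1450 "-" "Mozilla/4.0"
198.51.100.9 - - [11/Feb/2006:04:02:12 +0000] "GET /mysqladmin/main.php HTTP/1.0" 404 302 "-" "-"
192.0.2.44 - - [11/Feb/2006:09:15:00 +0000] "GET /skin1/images/logo.gif HTTP/1.1" 200 5120 "http://shop.example/home.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Probe families seen in the 404 reports posted in the thread, keyed by path pattern.
FAMILIES = {
    "xmlrpc":    re.compile(r"/xmlrpc\.php$"),
    "awstats":   re.compile(r"/awstats\.pl$"),
    "db-admin":  re.compile(r"/(?:mysqladmin|dbadmin|phpmyadmin)/", re.I),
    "frontpage": re.compile(r"/_vti_"),
}

# Shell metacharacters inside the configdir parameter are the tell for the
# awstats.pl command-injection bug (CVE-2005-0116); assumed, not stated in the thread.
INJECT_RE = re.compile(r"configdir=[^&]*[|;`]")


def parse_line(line):
    """Split one combined-format log line into ip, timestamp, method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    return rec


def classify(rec):
    """Probe family a request belongs to, or None for ordinary traffic."""
    for name, pattern in FAMILIES.items():
        if pattern.search(rec["path"]):
            return name
    return None


def triage(log_text):
    """Summarise scanner activity in a block of log text.

    Returns per-source counts of each probe family plus a list of 'hits':
    probes that did NOT get a 404, i.e. the script the scanner wanted exists.
    """
    by_source = defaultdict(Counter)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec)
        if family is None:
            continue
        by_source[rec["ip"]][family] += 1
        if rec["status"] != 404:
            reason = "served with status %d" % rec["status"]
            if INJECT_RE.search(rec["url"]):
                reason += ", configdir injection attempt"
            hits.append((rec["ip"], rec["url"], reason))
    return {"by_source": dict(by_source), "hits": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, families in result["by_source"].items():
        print(ip, dict(families))
    for ip, url, reason in result["hits"]:
        print("INVESTIGATE", ip, url, reason)
```

Run it over a real access log with `triage(open("access_log").read())`. A source that only collects 404s is background noise; a probe that came back 200 means the targeted script is installed and reachable, and that request (and what the same source did next) is where the incident investigation starts.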
Post #2, 11-02-2006 15:00, SMHarman
Re: Shopping carts hacked

AWStats is separate from X-cart; it would be an attack on that application, which runs on many servers, not just X-cart servers.

X-cart is vulnerable to hacking, as is any other shopping cart site. People's credit card information is stored in the database; it can cause financial hardship while your site is down, and reputational loss/risk as you are offline and known to have been hacked.

Did you change the SALT code when you first installed the cart? This will change the encryption keys and make it harder to hack. Of course, if your site is up and running, changing this key is difficult as it will trash all the passwords.

Have you set the permissions on all folders correctly?

What folder is your X-cart running in? Hopefully not blah.com/xcart/shop.php; the path gives a clear clue to which codebase the hacker is trying to get into. The best place to run the shop is actually the root public_html folder; it helps SEO too.

Have you password protected the provider and the admin folders? Better still, rename them and password protect them (using .htaccess, or simpler still, using cPanel to write the .htaccess).

Does your robots.txt exclude the folders mentioned above?

Have you disabled indexes in the other folders?

If you do all the above and back up your code base and database regularly, you have less to worry about. You should also patch your X-cart with the security fixes sent out.

URL (702) Error Hits Referers
/xmlrpc.php 14 -
/blogs/xmlsrv/xmlrpc.php 10 -
/xmlsrv/xmlrpc.php 8 -
/blog/xmlsrv/xmlrpc.php 8 -
/_vti_inf.html 8 -
/wordpress/xmlrpc.php 8 -
/blog/xmlrpc.php 8 -
/xmlrpc/xmlrpc.php 8 -
/_vti_bin/shtml.exe/_vti_rpc 8 -
/drupal/xmlrpc.php 8 -
/phpgroupware/xmlrpc.php 8 -
/scgi-bin/awstats/awstats.pl 7 -
/cgi-bin/awstats/awstats.pl 6 -
/cgi-bin/awstats.pl 5 -
/blogs/xmlrpc.php 5 -
/scgi-bin/stats/awstats.pl 4 -
/cgi/awstats/awstats.pl 4 -
/stats/awstats.pl 4 -
/scripts/awstats.pl 4 -
/cgi-bin/stats/awstats.pl 4 -
/scgi-bin/awstats.pl 4 -
/scgi/awstats/awstats.pl 4 -

My log is equally bad; these are 404s though, so not much can happen if they see a 404.

Oh, BTW, yes, I run X-cart.
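An added example, mine rather than anything from X-cart or the thread, that turns the checklist in the post above into a check you can run against a document root: it builds a constructed X-cart-style directory tree in a temporary folder, audits it, writes the .htaccess files and robots.txt entries the post asks for, and audits again. It also catches one mistake the post does not mention: pointing AuthUserFile at a password file inside the webroot. The directory names admin and provider, the AuthName text and the .htpasswd location are assumptions.

```python
import tempfile
from pathlib import Path

# Assumed default names of the X-cart back-office directories; the post
# recommends renaming them as well as protecting them.
PROTECTED_DIRS = ("admin", "provider")

# Per-directory .htaccess: HTTP Basic auth in front of the back office.
# harden() fills in the AuthUserFile path; it must sit outside the document
# root, otherwise the password file itself can be downloaded.
AUTH_HTACCESS = """\
AuthType Basic
AuthName "Shop administration"
AuthUserFile {passwd}
Require valid-user
"""

# Root .htaccess: no directory listings anywhere under the shop.
ROOT_HTACCESS = "Options -Indexes\n"


def read(path):
    """Contents of a file, or '' if it does not exist."""
    return path.read_text() if path.exists() else ""


def audit(webroot):
    """Check a document root against the checklist in the post.
    Returns a list of findings; an empty list means every check passed."""
    webroot = Path(webroot).resolve()
    findings = []
    if "-Indexes" not in read(webroot / ".htaccess"):
        findings.append("webroot: directory listings not disabled")
    robots = read(webroot / "robots.txt").lower()
    for d in PROTECTED_DIRS:
        p = webroot / d
        if not p.is_dir():
            continue  # renamed away from the default; nothing to audit under this name
        ht = read(p / ".htaccess")
        if "AuthUserFile" not in ht or "Require" not in ht:
            findings.append(f"{d}/: not password protected")
        else:
            for line in ht.splitlines():
                if line.startswith("AuthUserFile"):
                    pw = Path(line.split(None, 1)[1]).resolve()
                    if webroot in pw.parents:
                        findings.append(f"{d}/: password file is inside the webroot")
        if f"disallow: /{d}" not in robots:
            findings.append(f"{d}/: not excluded in robots.txt")
    return findings


def harden(webroot, passwd_file):
    """Write the .htaccess files and robots.txt entries the checklist asks for."""
    webroot = Path(webroot)
    (webroot / ".htaccess").write_text(ROOT_HTACCESS)
    present = [d for d in PROTECTED_DIRS if (webroot / d).is_dir()]
    for d in present:
        (webroot / d / ".htaccess").write_text(AUTH_HTACCESS.format(passwd=passwd_file))
    robots = ["User-agent: *"] + [f"Disallow: /{d}/" for d in present]
    (webroot / "robots.txt").write_text("\n".join(robots) + "\n")


def demo():
    """Constructed, unhardened X-cart-style tree: audit, harden wrongly, harden, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        for d in PROTECTED_DIRS + ("skin1", "include"):
            (site / d).mkdir(parents=True)
        before = audit(site)
        harden(site, site / ".htpasswd")        # the mistake the audit is for
        passwd_inside = audit(site)
        harden(site, Path(tmp) / ".htpasswd")   # one level above the webroot
        after = audit(site)
        return {"before": before, "passwd_inside": passwd_inside, "after": after}


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings or "ok")
```

Two caveats when applying this to a live host. `Options -Indexes` and the Auth directives only take effect in .htaccess if the server config has `AllowOverride Options AuthConfig` (or `All`) for that path; if the host does not allow them, Apache answers with a 500 for the whole directory, so test in a browser straight after writing the files. And robots.txt is a public file: a Disallow line keeps well-behaved crawlers out, but it also tells a scanner exactly which folder you renamed, so the password prompt is the control that matters, not the robots entry. The password file itself is created with `htpasswd -c` at the path you pass to `harden()`.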
Post #3, 11-02-2006 15:25, j52c
Re: Shopping carts hacked

Hi.

On this site, I am going to install the new version of X-cart and change the salt code once installed; as you say, trying to change it when live would be a pain. I have the products backed up, so not a problem.
Too many files were changed, mainly the skin folder, so it is easier to start from scratch.

Another site I operate is quite safe as I have already done most of the things you have suggested; I was in the process of doing it with this one, but it would appear I was a little late.

Here is an online tool to create .htaccess files for those who don't use cPanel:
http://www.htaccesstools.com/

We don't store credit card info on the server, orders are deleted once processed.

Thanks for the tips.
__________________
Regards.

Jim.
www.freebits.co.uk