
All times are UTC - 5 hours




 Post subject: Hacked site
PostPosted: Thu Mar 15, 2012 11:18 am 
CRE Newbie

Joined: Mon Aug 09, 2010 12:56 pm
Posts: 7
Our site is hosted at InMotion, which was recently hacked the other day, and 1000s of sites were defaced, including ours ( http://threatpost.com/en_us/blogs/hosting-provider-inmotion-hacked-thousands-sites-affed-092811 ). They have fixed the issue, but my concern is that the hacker may have left a back door for later entry or has modified some of the pages. According to the FTP logs, we know he was interested mainly in everything under the following directory:
cc_cvc_with_encrypt-decrypt/includes/

/1/sym/.htaccess b _ o r myusername ftp 1 * c

His IP address was 77.247.235.177, which was part of the Russian Federation, located I believe in Amsterdam.

I would appreciate advice. We are using B2B Version 6.41a. I am a newbie...
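
Added example (not part of the original post): the log fragment quoted above matches the trailing fields of the standard xferlog format, so a short parser can list what each address downloaded and uploaded. The sample lines are constructed; only the IP address, the `/1/sym/.htaccess` path and the `cc_cvc_with_encrypt-decrypt/includes/` directory come from the post, and the function names are illustrative.

```python
from collections import defaultdict

# Trailing xferlog(5) fields. The forum excerpt shows only the filename and
# these nine fields; the leading fields in SAMPLE_LOG are constructed.
TAIL = ("transfer_type", "special_action", "direction", "access_mode",
        "username", "service", "auth_method", "auth_user_id", "status")
ACTIONS = {"i": "upload", "o": "download", "d": "delete"}

# Constructed sample lines, not the poster's real log.
SAMPLE_LOG = """\
Tue Mar 13 02:14:07 2012 1 77.247.235.177 412 /1/sym/.htaccess b _ o r myusername ftp 1 * c
Tue Mar 13 02:14:09 2012 1 77.247.235.177 2048 /cc_cvc_with_encrypt-decrypt/includes/example.php b _ o r myusername ftp 1 * c
Tue Mar 13 02:15:30 2012 2 77.247.235.177 9312 /public_html/images/thumbs.php b _ i r myusername ftp 1 * c
Wed Mar 14 09:01:55 2012 1 203.0.113.25 15310 /public_html/images/banner.jpg b _ i r myusername ftp 1 * c
truncated line
"""

def parse_line(line):
    """Return one transfer as a dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 18:  # 5 timestamp tokens + 3 fields + filename + 9 tail fields
        return None
    rec = dict(zip(TAIL, parts[-9:]))
    # Anchor on both ends so a filename containing spaces is still recovered.
    rec.update(time=" ".join(parts[:5]), host=parts[6],
               filename=" ".join(parts[8:-9]),
               action=ACTIONS.get(rec["direction"], "unknown"))
    return rec

def transfers_by_host(log_text):
    """Group completed transfers as {host: {action: [filenames]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "c":
            out[rec["host"]][rec["action"]].append(rec["filename"])
    return {host: dict(acts) for host, acts in out.items()}

def uploads_from(log_text, host_prefix):
    """Files written by hosts starting with host_prefix: review these first."""
    return [f for host, acts in transfers_by_host(log_text).items()
            if host.startswith(host_prefix) for f in acts.get("upload", [])]

if __name__ == "__main__":
    for host, acts in transfers_by_host(SAMPLE_LOG).items():
        print(host, acts)
    print("uploaded by suspect range:", uploads_from(SAMPLE_LOG, "77.247.235."))
```

Downloads show what was read; uploads and deletes are the entries that tell you which files on the site can no longer be trusted.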


 Post subject: Re: Hacked site
PostPosted: Fri Mar 16, 2012 12:40 pm 
CRE Legend

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1521
Clean your site and restore from fresh files.

1. Back up your database.
2. Do not back up your files (you no longer trust them).
3. Ask yourself: do you have local copies of your logos, images, template art?
4. If you do and you can rebuild your site from fresh files, then proceed to step 5.
5. Set up a dev site in another folder with a fresh installation of Loaded Commerce B2B.
6. Upload your template files - do not copy from your hacked site.
7. Upload your image files (you can copy these, if you make sure to only copy .jpg/.png/.gif and do not copy sub folders).
8. Test your new site.
9. If all looks good, then zip up your hacked site and do a fresh DB backup.
10. Move your new dev site into your live site into your live folder and restore your live DB.

You may want to hire someone to execute this for you if you are comfortable with doing it yourself.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Evil Overlord
Loaded Commerce, LLC & The Reactor Works / Hosting
http://loadedcommerce.com | http://thereactorworks.com | http://thereactorhosting.com

JOIN THE LOADED SKYPE CHAT:
http://tinyurl.com/7mlvwot

follow me on TWITTER! http://www.twitter.com/saliozzia
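
Added example (not part of the post above, and not Loaded Commerce code): one way to carry out step 7 so that only top-level .jpg/.png/.gif files are copied and subfolders are ignored. The check of each file's leading bytes against its extension is an addition beyond the post; the function names and the demo files are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Leading bytes that identify each allowed image type.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def copy_trusted_images(src_dir, dst_dir):
    """Copy top-level .jpg/.png/.gif files whose content matches the extension.

    Returns (copied, skipped) lists of names. Subfolders, symlinks and every
    other file type are skipped, never copied.
    """
    src, dst = Path(src_dir), Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    copied, skipped = [], []
    for entry in sorted(src.iterdir()):
        sigs = MAGIC.get(entry.suffix.lower())
        if entry.is_symlink() or not entry.is_file() or sigs is None:
            skipped.append(entry.name)
            continue
        with entry.open("rb") as fh:
            head = fh.read(8)
        if head.startswith(sigs):
            shutil.copyfile(entry, dst / entry.name)
            copied.append(entry.name)
        else:
            skipped.append(entry.name)  # image extension, non-image content
    return copied, skipped

def demo():
    """Run the copy against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "old_images")
        old.mkdir()
        (old / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        (old / "banner.jpg").write_bytes(b"<?php /* not an image */ ?>")
        (old / "index.php").write_bytes(b"<?php ?>")
        (old / "thumbs").mkdir()
        (old / "thumbs" / "a.gif").write_bytes(b"GIF89a")
        return copy_trusted_images(old, Path(tmp, "new_images"))

if __name__ == "__main__":
    print(demo())
```

A matching header only shows the file starts like an image; anything in the skipped list should be re-created from your local originals instead.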


 Post subject: Re: Hacked site
PostPosted: Fri Mar 16, 2012 1:04 pm 
CRE Legend

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1521
Also, he was going for your credit card data.

I strongly recommend not using the old CC manual storage and encryption. It is not PCI Compliant or PA DSS compliant.

We created CRE Secure to solve this issue by moving your card data out of your application to our secure cloud solution. CRE Secure is integrated in 6.4 and up.

It works with Authorize.net CIM and gives you PCI Compliance faster and clean. www.cresecure.com or upgrade to B2B 6.5 with the 250 CRE Secure included.

http://www.loadedcommerce.com/loaded-co ... 87_214_283

_________________
Regards,

Salvatore Iozzia


 Post subject: Re: Hacked site
PostPosted: Tue Mar 20, 2012 4:16 pm 
CRE Newbie

Joined: Mon Aug 09, 2010 12:56 pm
Posts: 7
Thank you for getting back with us. We are using CRE secure and credit cards are encrypted. That said, my hope is that he/she was not able to get what they wanted. At this point it might be better for an upgrade.
Steve


 Post subject: Re: Hacked site
PostPosted: Tue Mar 20, 2012 4:24 pm 
CRE Freak

Joined: Sat Oct 11, 2008 10:02 pm
Posts: 97
Location: UK
If your host uses CPanel, you can block the IP to stop this hacker from getting in again. As most IPs are dynamic, your best bet is to block the entire range using a wildcard. Go to IP Deny, and enter the first 3 sets of numbers like this: 77.247.235.

The downside is that it will block every IP in that range, which may block innocent users. However, from past experience, if you just block their IP as logged in the attack, as soon as they re-boot they will be free to have another go from a fresh IP. So, it's up to you if it's better to possibly block a few innocents, or to be vulnerable to this hacker coming in again......

_________________
Fondly remembering the days when websites were made in html!


 Post subject: Re: Hacked site
PostPosted: Tue Mar 20, 2012 6:26 pm 
CRE Legend

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1521
It does not sound like you are using cre secure. It does not use encryption.

_________________
Regards,

Salvatore Iozzia


 Post subject: Re: Hacked site
PostPosted: Wed Mar 21, 2012 4:40 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3175
Location: New Zealand
Quote:
hacker may of left a back door for later entry or has modified some of the pages

This is either not true or the second time in 6 months Inmotion has been seriously hacked (this from Sept 2011):
http://savvyblogging.net/inmotion-servers-hacked/

So what has InMotion done to secure the server you're on, apart from saying 'everything is ok now' ?
Sure you can tighten up your site's security (a few basic suggestions here) but it'll mean zip if the server itself has been compromised and same old practices as before are in place.

Me? I'd change hosts.

Simon

_________________
www.codemehappy.com
No PMs thanks - link in signature below.
For Cre Loaded Commerce tips, quotes on coding work, free how-to articles


 Post subject: Re: Hacked site
PostPosted: Wed Mar 21, 2012 11:29 am 
CRE Newbie

Joined: Mon Aug 09, 2010 12:56 pm
Posts: 7
There have been no hacks for the last 6 months like that one. What I actually wanted to say but didn't was how possible is it that at that time someone created a back door. The site was backed up after the major defacement from a prior date. Everything was replaced. Now, six months later someone has found a way to get in. There have been no occurrences since I updated the control panel and ftp passwords with characters/upper/lowercase/numbers/symbols.
Thank you very much for the link to security enhancements.
Steve


 Post subject: Re: Hacked site
PostPosted: Wed Mar 21, 2012 11:55 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7328
Location: Baconton, GA USA
Sal wrote:
It does not sound like you are using cre secure. It does not use encryption.


In a mass attack of this sort the hacker may not know exactly what they are looking for to begin with and access logs can reflect all sorts of paths which have nothing to do with the application installed. In particular, there has never been a path like the one mentioned above in CRE Loaded....

_________________
My CRE Loaded FAQ List
CRE Loaded osCommerce Hosting
PCI Compliant Semi Dedicated Hosting Services


 Post subject: Re: Hacked site
PostPosted: Wed Mar 21, 2012 12:24 pm 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7328
Location: Baconton, GA USA
tvpro wrote:
There have been no hacks for the last 6 months like that one. What I actually wanted to say but didn't was how possible is it that at that time someone created a back door. The site was backed up after the major defacement from a prior date. Everything was replaced. Now, six months later someone has found a way to get in.
Steve


It is not at all unlikely. PHP based back doors are readily available and easily uploaded. We routinely locate these during clean up of cases like your own.

Crackers these days use a wide variety of file names. Best bet is to either use a merge / comparison tool to weed out any new files you didn't add and make sure no unauthorized file mods were inserted. Alternatively, if you have access to a site with an exploit scanner, you can upload it there and let it clean known hacks for you....

I should note that we have had no hacks like this on our own hosting services once we finish initial file cleanups on incoming clients since we started our PCI compliant hosting services...

The reads on Inmotion were rather interesting - thanks guys.

David

_________________
My CRE Loaded FAQ List
CRE Loaded osCommerce Hosting
PCI Compliant Semi Dedicated Hosting Services
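
Added example (not from the thread and not a Loaded Commerce tool): the comparison suggested in the post above, done by hashing every file in a fresh install and in the live site, then listing files that were added, modified or are missing, with symlinks reported separately. The function names and the demo directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> SHA-256 for regular files; list symlinks separately."""
    root, files, links = Path(root), {}, []
    for p in root.rglob("*"):          # rglob("*") also returns dotfiles
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            links.append(rel)          # never read through a link
        elif p.is_file():
            files[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return files, sorted(links)

def compare_trees(fresh_root, live_root):
    """Report what the live site has that a fresh install does not."""
    fresh, _ = snapshot(fresh_root)
    live, links = snapshot(live_root)
    return {
        "added": sorted(set(live) - set(fresh)),
        "modified": sorted(f for f in set(live) & set(fresh) if live[f] != fresh[f]),
        "missing": sorted(set(fresh) - set(live)),
        "symlinks": links,
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh_install"), Path(tmp, "live_site")
        for root in (fresh, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'includes/app.php';\n")
            (root / "includes" / "app.php").write_text("<?php // application\n")
        # Constructed differences: one edited file, two files nobody added.
        (live / "index.php").write_text("<?php require 'includes/app.php'; // changed\n")
        (live / "includes" / "x.php").write_text("<?php // unknown file\n")
        (live / ".htaccess").write_text("# unknown directives\n")
        return compare_trees(fresh, live)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Legitimately customised templates will also appear under `modified`, so that list is a set of files to read through, not a verdict.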


 Post subject: Re: Hacked site
PostPosted: Thu Mar 22, 2012 12:55 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3175
Location: New Zealand
tvpro wrote:
There have been no hacks for the last 6 months like that one. What I actually wanted to say but didn't was how possible is it that at that time someone created a back door. The site was backed up after the major defacement from a prior date. Everything was replaced. Now, six months later someone has found a way to get in. There have been no occurrences since I updated the control panel and ftp passwords with characters/upper/lowercase/numbers/symbols.
Thank you very much for the link to security enhancements.
Steve

Steve - there are as many different ways to hack the server as there are accounts on it. Why do you think the hacker is just targeting you? Server configuration (ie lack of security on it) is just as likely to cause issues for EVERYONE on the server and there are dozens of wordpress, oscommerce etc hacks around.

Best thing is not to consider it a personal attack - if the server gets done, you're just one of dozens (possibly hundreds) of victims.

The only question here is - how much do you trust InMotion to have sorted itself out and employed an actual linux admin tech rather than a bunch of support / call centre staff which many cheap shared hosting companies use in place of any real 'administrators.'

Here's a few other pointers - since getting hacked, has InMotion bothered to contact you outlining changes to their security with the idea that it will prevent this happening again - eg are they running the php extension suhosin for example? mod user_dir / chroot access? who gets shell access and what are the rules re that? is php running under any form of restriction? have they updated their lamp stacks to the latest stable versions? do they only allow sftp connections to a non typical port? do they regularly require you to change passwords? do all accounts require ssl connections?

These are a few very basic ideas that any proactive hosting company not looking at making a fast buck would have largely implemented. If their answers to that list = vague and lacklustre (ie signs of incompetence), then how confident are you it won't happen again tomorrow?

Simon

 Post subject: Re: Hacked site
PostPosted: Thu Mar 22, 2012 7:16 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7328
Location: Baconton, GA USA
We use either the measures Paul outlined, or equivalents - plus an aftermarket auto-installer for a restricted number of applications to limit the number of vulnerabilities due to poorly maintained blogs and forums. We're also pretty selective about who we take on as clients, setting a minimum version you must have on your store before you can go live. I hear a lot of complaints about paranoia - but our service provider comes to us for advice on keeping CRE Loaded and other oscommerce secure because we set the benchmark for security among their ecommerce hosting customers. I can live with that.

David

 Post subject: Re: Hacked site
PostPosted: Fri Mar 23, 2012 1:04 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3175
Location: New Zealand
Hi David - who's Paul ? Sounds like you run a secure hosting service then.

Simon

 Post subject: Re: Hacked site
PostPosted: Fri Jul 13, 2012 11:56 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7328
Location: Baconton, GA USA
Sorry Simon,

I mean you - but for some reason apparently had a flight of thought that had you sharing a name with a member of some other famous rock group.. :)

Yes, we do run secure hosting services. They're not just for payment data either...

David

 Post subject: Re: Hacked site
PostPosted: Fri Jul 13, 2012 8:57 pm 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3175
Location: New Zealand
Good to hear - some hosts only consider payment data as requiring 'security' ... clearly ID fraud has never been mentioned to them.

What's the link to the hosting you provide David? I'm always encouraging people to flee 'the big US hosting companies' as generally they're pretty bad all round, esp godaddy, although Bob makes some entertaining vids at times. Should just do that really.

Simon
