My Zen Cart was hacked – now what?

Reconcile yourself to a weekend of hard work.  It is nothing you can’t do yourself – you don’t need to hire me – but it is work, and I recommend not taking shortcuts that might leave holes in your system.

You will need to delete what’s on your site and restore from a known-good backup, one taken before the compromise.  And when I say “delete what’s on your site,” I mean everything.  The exploits I have seen are infecting files in unrelated directories; every PHP file is getting damaged.

If you don’t have a good backup, install a fresh copy of the latest Zen Cart and re-apply your mods and template by hand.

Before you upload your backup (or the fresh download), here is what you need to do locally to those files.  The result will become your new, clean backup of the site.

  1. Install all of the security patches.
  2. One of these patches has, as a sub-step, “rename your admin directory.”  Have you done this?  YOU MUST DO THIS.  Here are step-by-step instructions for renaming your Zen Cart admin directory.
  3. Check the permissions on all files and directories.  My SysCheck utility for Zen Cart will help you do this.  It’s a free download from my site.

Once you’re ready to install, check your PC for viruses.  You may have a trojan or a keylogger running on your PC that is capturing your passwords, and changing passwords from an infected machine simply hands the attacker the new ones.  Then (and only then!) do these things:

  1. Change your cPanel password.
  2. Change your database password (from your hosting control panel – cPanel or some similar system).  Then put the new password in includes/configure.php and YOUR-ADMIN/includes/configure.php.
  3. Change your FTP password.
  4. Install your files.
  5. Add .htaccess password protection to your new admin directory from your control panel.
  6. Go into your admin panel, Tools > Admin Settings.  Make sure there aren’t any extra admin accounts; delete any you don’t recognise.  Change the passwords on all admin accounts.
  7. Re-run SysCheck (you installed it, right?) to double-check your installation.
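As an added example of the kind of permission check step 3 (and step 7) asks for, here is a small POSIX shell audit of a Zen Cart document root.  It is not SysCheck and is not code from the original post; it assumes the store lives in the directory passed as the first argument, that the renamed admin directory is passed as the second, and it builds its own throw-away sample tree (constructed here, not a real store) so it can be run offline.  It lists everything world-writable, then narrows that to the real hazard under mod_php: PHP files that are world-writable or that sit inside a world-writable directory such as images, and it flags a configure.php that is still writable.

```shell
#!/bin/sh
# Added example, not part of the original post or of SysCheck.
# Usage: sh zc_permcheck.sh /path/to/store myadmin
# Assumptions (not from the post): $1 is the Zen Cart docroot and $2 the
# renamed admin directory name.

# Every world-writable file or directory under the docroot (symlinks skipped).
world_writable() {
    find "$1" -perm -0002 ! -type l 2>/dev/null | sort
    return 0
}

# PHP files the web server could rewrite and then execute on the next request:
# world-writable PHP files, plus any PHP file living directly inside a
# world-writable directory (an images directory left at 777 is the classic case).
risky_php() {
    {
        find "$1" -type f -name '*.php' -perm -0002 2>/dev/null
        find "$1" -type d -perm -0002 \
            -exec find {} -maxdepth 1 -type f -name '*.php' \; 2>/dev/null
    } | sort -u
    return 0
}

count_risky_php() {
    risky_php "$1" | wc -l | tr -d ' '
}

# Both configure.php files hold the database password and should be read-only
# once the install is finished; print any that is writable by owner, group or other.
configure_writable() {
    for f in "$1/includes/configure.php" "$1/$2/includes/configure.php"; do
        if [ -f "$f" ]; then
            find "$f" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) 2>/dev/null
        else
            printf 'MISSING: %s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample tree for demonstration: one 777 images directory with a
# stray PHP file in it, one 666 PHP file, one writable configure.php.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/myadmin/includes" "$d/images" "$d/cache"
    printf '<?php\n' > "$d/includes/configure.php"
    printf '<?php\n' > "$d/myadmin/includes/configure.php"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/images/x.php"
    : > "$d/images/logo.gif"
    chmod 644 "$d/includes/configure.php"          # still writable by owner
    chmod 444 "$d/myadmin/includes/configure.php"  # the way it should be
    chmod 777 "$d/images" "$d/cache"
    chmod 666 "$d/index.php"
    chmod 644 "$d/images/x.php"
    printf '%s\n' "$d"
}

audit() {
    echo "== world-writable entries under $1"; world_writable "$1"
    echo "== PHP files at risk"; risky_php "$1"
    echo "== writable configure.php files"; configure_writable "$1" "$2"
}

# Run against a real docroot when arguments are given; otherwise demonstrate
# on the constructed sample and clean it up.
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
elif [ "$#" -eq 0 ] && [ -z "$ZC_NO_DEMO" ]; then
    s=$(make_sample_site); audit "$s" myadmin; rm -rf "$s"
fi
```

On the sample tree the audit reports images, cache and index.php as world-writable, index.php and images/x.php as PHP files at risk, and includes/configure.php as still writable.  Anything it prints on a live store is something to fix before you put the site back online; on a phpSuExec host the images directory should not need 777 at all.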

The question of whether running phpSuExec is better is often asked.  I do have a preference for phpSuExec because it means you don’t have to leave your images directory open (permissions 777).  But I prefer PHP as an Apache module with all the fixes above to phpSuExec without them.   The real issue is generally whether you have applied patches and security recommendations and kept up to date, not whether you are using mod_php or phpSuExec; I have seen both types of servers attacked.

If you are running osCommerce instead of Zen Cart, the steps and recommendations are similar.  There is also a SysCheck for osCommerce.