My Zen Cart was hacked – now what?

Reconcile yourself to a weekend of hard work.  It is nothing exotic: you can do it yourself, and you don’t need to hire me.  But it is work, and I recommend against taking shortcuts that might leave holes in your system.

You will need to delete what’s on your site and restore from a known good backup.  And when I say “delete what’s on your site,” I mean everything.  The infections I have seen touch files in unrelated directories, and every PHP file on the site gets modified, so cleaning only the files you happen to know about is not enough.

If you don’t have a good backup, you should install the latest Zen Cart and then re-apply your mods and template by hand.

Before you upload your backup (or a fresh download), here is what you need to do to the files locally.  The result becomes your new known-good backup.

  1. Install all of the security patches.
  2. One of these patches had as a substep, “rename your admin directory.”  Have you done this?  YOU MUST DO THIS.  Here are step-by-step changes for renaming your Zen Cart Admin Page.
  3. Check the permissions on all files and directories.  My SysCheck utility for Zen Cart will help you do this.  It’s a free download from my site.

Once you’re ready to install, check your PC for viruses.  You may have a trojan or a keylogger running on your PC that is capturing passwords, and changing passwords from an infected machine simply hands the attacker the new ones.  Then (and only then!) do these things:

  1. Change your CPanel password.
  2. Change your database password (from your hosting control panel – cPanel or some similar system).  Then put this new password in includes/configure.php and YOUR-ADMIN/includes/configure.php.
  3. Change your FTP password.
  4. Install your files.
  5. Add .htaccess protection to your new admin directory from your control panel.
  6. Go into your admin panel, and go to Tools > Admin Settings.  Make sure there aren’t any extra admin accounts.  Change the passwords on all admin accounts.
  7. Re-run SysCheck (you installed it, right?) to double-check your installation.
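
Here is an added example, not the SysCheck utility mentioned above or any other code from this site, of the kind of post-restore audit steps 3, 5 and 7 call for: a bash script that flags PHP files in the images tree, world-writable files and directories outside images/ and cache/, the obfuscated eval() injections that these attacks leave behind, and an admin directory with no .htaccess, and that can write the Basic-auth .htaccess for step 5.  It assumes the standard images/ and cache/ directories under the document root, takes the renamed admin directory as an argument (myadmin in the sample), and the .htpasswd path it writes into the .htaccess is a placeholder you must replace with a file outside your web root.  The sample site it builds in a temp directory is constructed for the demonstration, not taken from a real compromise.

```bash
#!/usr/bin/env bash
# Post-restore audit for a Zen Cart document root.
# Added example for this post, not the SysCheck utility it mentions.
# Assumed layout: images/ and cache/ under the docroot; admin dir is $2.
# Each check prints one finding per line and prints nothing when clean.

# 1. PHP files hiding in the images tree.  A Zen Cart images directory holds
#    pictures only, so any .php there was almost certainly dropped by an attacker.
php_in_images() {
  find "${1%/}/images" -type f -iname '*.php*' 2>/dev/null | sort
}

# 2. World-writable files and directories outside images/ and cache/, which
#    are the only places a mod_php host legitimately needs 777.
world_writable() {
  local root=${1%/}
  find "$root" -path "$root/images" -prune -o -path "$root/cache" -prune -o \
       -perm -0002 \( -type f -o -type d \) -print 2>/dev/null | sort
}

# 3. Obfuscated eval() payloads: the classic injection wraps a base64 or
#    gzinflate blob in eval(), usually on the first line of every PHP file.
suspicious_eval() {
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
       --include='*.php' "${1%/}" 2>/dev/null | sort
}

# 4. The renamed admin directory must carry an .htaccess (step 5 above).
admin_unprotected() {
  local f="${1%/}/$2/.htaccess"
  [ -f "$f" ] || echo "$f missing"
}

# 5. Basic-auth protection for the admin directory.  $3 is the htpasswd file,
#    which belongs outside the web root; create it with
#    htpasswd -c /home/USER/.htpasswd-admin USERNAME  (path is a placeholder).
write_admin_htaccess() {
  cat > "${1%/}/$2/.htaccess" <<EOF
AuthType Basic
AuthName "Zen Cart Admin"
AuthUserFile $3
Require valid-user
EOF
}

# Run every check; exit status 1 means at least one finding.
audit_zencart() {
  local root=$1 admin=${2:-admin} rc=0 check out
  for check in php_in_images world_writable suspicious_eval admin_unprotected; do
    out=$("$check" "$root" "$admin")
    if [ -n "$out" ]; then
      printf '[%s]\n%s\n' "$check" "$out"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample site for demonstration (not real infected files):
# one injected file, one dropped file in images/, one 666 configure.php,
# and a renamed admin directory with no .htaccess.
make_sample_site() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/cache" "$root/includes" "$root/myadmin"
  chmod 755 "$root/includes" "$root/myadmin"
  printf '<?php\n$x = 1;\n' > "$root/includes/clean.php"
  printf '<?php eval(base64_decode("aGVsbG8="));\n$x = 1;\n' > "$root/includes/application_top.php"
  printf '<?php /* constructed placeholder for an attacker-dropped file */\n' > "$root/images/shell.php"
  printf '<?php\ndefine("DB_SERVER_PASSWORD", "x");\n' > "$root/includes/configure.php"
  chmod 644 "$root/includes/clean.php" "$root/includes/application_top.php"
  chmod 777 "$root/images" "$root/cache"
  chmod 666 "$root/includes/configure.php"
  echo "$root"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  site=$(make_sample_site)
  audit_zencart "$site" myadmin || echo "audit found problems"
  rm -rf "$site"
fi
```

Run it against your real document root as `audit_zencart /home/USER/public_html myadmin` after uploading the restored files; a clean site prints nothing and exits 0.  The eval() pattern is deliberately narrow so it does not flag legitimate code, which is why re-uploading known-good files matters more than any scanner: a scanner only finds what it knows to look for.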

The question of whether running phpSuExec is better is often asked.  I do have a preference for phpSuExec because it means you don’t have to leave your images directory world-writable (permissions 777).  But I prefer PHP as an Apache module with all the fixes above over phpSuExec without them.  The real issue is generally whether you have applied the patches and security recommendations and kept up to date, not whether you are using mod_php or phpSuExec; I have seen both types of servers attacked.

If you are running osCommerce instead of Zen Cart, the steps and recommendations are similar.  There is also a SysCheck for osCommerce.

4 thoughts on “My Zen Cart was hacked – now what?”

  1. I have been asked, for my sins as an experienced LAMP developer/support engineer, to resolve a client’s website and Zen Cart that has been hacked.

    I found a backdoor trojan in pure PHP; it did all sorts of horrendous stuff you would expect, was secreted in the images directory and spawned sixty-odd PHP files in the same directory.

    I am following your suggestions, but I am unsure about a reported EVAL in ../admin/products_with_attributes_stock.php, a PHP file that seems to be completely missing in 1.3.9h.

    So I am suggesting rebuilding the Zen Cart completely, i.e. a clean install with the best security suggestions I have read.  Do I need to clear the database, or is this also compromised?  In other words, if I have the DB data, can I reuse it so we don’t have to rebuild the whole Zen Cart?  The data was in 1.3.8a and will be upgraded to 1.3.9h.

  2. My concern about not re-uploading is that there may be something still there that SysCheck doesn’t know about. I would take a weekend and reload from backup just to be sure.

  3. Hi,

    Thanks so much for all your contributions to Zen Cart. I recently helped a friend recover from a hacked cart where they pretty much did all the things that your Syscheck utility searches out. I removed everything that your utility found and added all updates for the current Zen Cart.

    My question, though, is if our site is now secure again after I followed all the steps in your walk-through. Mind you, I did not reinstall the entire site. I merely overwrote all the files that had the eval injection and removed the eval line manually from any of my customized files that were affected. Now, when I use the Syscheck utility, there are no rogue files. The only two that come up are from the add-on FAQ module, but they seem like they use it legitly. (If that’s a word)

    P.S. There is no way I could have helped him sort his site out without your utility. Thanks very much! I will recommend he contribute to your cause.
