Ok, so that’s a funny headline…. But it’s true. We have had several cases recently where a Zen Cart owner or other personnel with access infected their own site with a Trojan.
In both recent cases, a file called zcv.gif was inserted into the cart’s directories. A quick search on Google Groups reveals that not only Zen Carts were affected, but WordPress, Joomla and more. Although the Zen Carts seemed to hold up and no injection of scripting took place in the 2 I was involved with, apparently Joomla users were not so lucky as they had every single index file to clean up as well!
The issue kept reoccurring after users cleaned their websites up. When cleaning a hacked website we look for back doors which can provide future access to cause damage. In this case, the “back door” providing the access for reinfection resided on the website owners computers.
The infection, caused by a Trojan downloader threat JS-Downloader-X, infected from several different websites. The threat is listed as high, and unfortunately at the time it escaped many common virus software scanners. The virus essentially uses the hosting and/or FTP login info on the user’s computer to make its access. This is highly hard to track down and prevent, as normal hosting firewalls, security rules and even brute force detection are not triggered… You see the access is authorized.
Below is a list of things you can do to keep your own computer and other who access your website clean.
1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanning/online/?task=load
2. Download anti-virus and fully scan your PC for malicious files. Here are some free online scanners for Windows, which is typically the most vulnerable to infection. If you have a different OS, there are similar programs that can be located and run on your system to protect it in the same way:
MalwareBytes ( http://www.malwarebytes.org/ ) and
ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) have been reported to be able to clean a recent strain of malware that resists detection by almost all other anti-virus agents. It is highly suggested that you one or both of them and one of the following:
-http://housecall.trendmicro.com/
-http://www.bitdefender.com/scan8/ie.html
-http://www.kaspersky.com/virusscanner
-http://support.f-secure.com/enu/home/ols.shtml
-http://www.eset.com
3. Update all passwords for any account that you access/own that may not be up to standards. Any passwords that have been compromised will need to be changed as well. Standards for secure passwords are available: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
4. Keep your computer secure from malware infecting it. If your computer is compromised, your account can be compromised through your password being used to access it.
– Ensure you use the latest browser version; Ensure that said browser subscribes to Google’s blacklist API (Mozilla Firefox, Google Chrome, Safari)
– Disable javascript
– Use the firefox addon noscript
– Make sure your antivirus has a subscription to new database and version releases. This may cost some amount of money, but is well worth the expense.
– Use http://www.avg.com.au/index.cfm?section=avg&action=onlinescan to test suspicious links you are given in emails or find online.
6. Ensure that all database configurations for your account are using a custom generated user and password combination, and that this information is not stored in plain text if this is feasible. Using your cPanel username and password to access your databases for your site may be convenient, but it introduces an incredible security risk.
7. Audit your account for unnecessary scripts, such as file uploaders. Ensure that if they are necessary that they are password protected, or if that is not feasible that they check the file type before allowing upload, to prevent upload of certain types of files.
Most important, if you see the file zcv.gif in your file structure, know that removing it will not remove the threat and all with access will need to properly scan and clean up their computers.