My antivirus software found a virus in my local backup of my website. So I surfed to the corresponding URL on my site, and I'm looking at a black page that shows all directories and files on the hosting space. At the top is some ASCII graphics that say "GNY.Shell". So I assume I've been hacked. Nobody's defaced the main page, but basically I need to know how to remove these files and prevent this type of thing from happening again.
Can anyone give me some pointers or a link to a tutorial about securing my site? It's running on ZenCart.
Thank you for any help! I'm going to go search on the zen cart site for some security tutorial posts.
Just remove the web-based shell and turn register_globals, allow_url_fopen, and allow_url_include off. The very least people could do is htaccess their cpanel-ish scripts.
And make sure you update the software (1.3.8 I believe is the latest version of ZenCart). GYNshell has been around for years, but the most recent update was the middle of last month.
Ok... I understand deleting the shell/php file, but the register_globals, allow_url_fopen and url_include ... where would I make those changes?
Originally Posted by The-Spec
This is hosted on a server that I don't have control over. Is that on their end or are these settings in ZC?
What OS is Zen Cart running on?
If Linux/OS X, I suggest you check the file permissions. Part of the Linux install of Zen Cart requires the installer to change the file permissions to 777. Then you are supposed to change it back (644 or 444) after the install (as well as change the name of the install script).
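Added example, not part of any post in this thread: a small shell audit covering the two checks suggested above, the three PHP settings and files left world-writable after install. It assumes shell access to the web root and a readable php.ini; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: post-compromise hygiene checks for a PHP web root.
# Function names and paths are hypothetical, not from Zen Cart itself.

# Print every regular file under $1 that is writable by "other"
# (for example files left at 777 or 666 after the installer ran).
list_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Reset those files to 644, one of the modes suggested in the thread.
# Files that should be read-only (444) still need a manual chmod.
tighten_files() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Print each of the three directives named in the thread that the
# php.ini file $1 explicitly enables. The last uncommented assignment
# wins. A directive that is absent is not reported: PHP's built-in
# default applies to it and has to be checked separately.
risky_php_flags() {
    for d in register_globals allow_url_fopen allow_url_include; do
        v=$(awk -F= -v d="$d" '
            /^[ \t]*;/ { next }                      # skip comment lines
            { k = $1; gsub(/[ \t]/, "", k) }         # normalise the key
            k == d {
                v = $2
                sub(/;.*/, "", v)                    # drop trailing comment
                gsub(/[ \t"\r]/, "", v)              # drop spaces and quotes
                last = tolower(v)
            }
            END { print last }' "$1")
        case "$v" in
            on|1|true|yes) echo "$d" ;;
        esac
    done
}

# Usage (placeholder paths):
#   list_world_writable /path/to/webroot
#   risky_php_flags /path/to/php.ini
```

Run `list_world_writable` before `tighten_files` and keep its output: a file that was world-writable while the shell was present is a candidate for comparison against a clean copy of the release.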