Minista
Hi everyone! My website gets hacked by someone who found a way to enter the admin panel of the store.
 
The hacker just replaces my PayPal email address with his own email address. We are trying to find where the security issue is. We changed all possible passwords and renamed the admin folder. We even deleted all the files and re-uploaded everything, but that didn't change anything.
 
We have already lost a lot of money and time. Now we have to monitor everything in our control panel. We put in place a solution and we are tracking everyone who gets into the server, and we are working with PayPal and our local Internet police on that issue.
 
Has anyone else experienced the same issue?
 
The hacker uses these 2 email addresses:
ideastack@mynet.com and sashasarapova@hotmail.com
 
Viart needs to put in place some plans against that kind of attack.
 
If anyone has any suggestions on how to fix that issue, please advise.
 
I'm using version 3.6 of the store.
 
The first attack was 26th January 2011. Since then, the hacker keeps trying. Just today he tried many times.
That hacker is really getting on my nerves.
 
Thank you
 
SajMalik
You must open a support ticket and get Viart to look at this urgently
 
Minista
I did open a ticket; they tried to give me some solutions like changing my passwords, scanning my computers for viruses and backdoors, and applying security on folders. But it was nothing that I didn't already know and do. My website has thousands of files, so it's really not easy to find out if the hacker uploaded a script on my server. I'm still doing my investigation.
 
 
Viart's customers should know about that issue.
 
SajMalik
Well, good luck with your search. I don't know.
 
Ned
One solution, as it seems they are getting in via Admin, is to change "templates/admin/admin_payment_system.html" to remove the parameter references in the table cells (but leave the <!--- begin <!--- end. references so the php still works).
This way there are no writeable fields to change.
 
Don't keep the original file on the site but in a safe place if you wish to change anything later.
 
If it is replaced and hacked again, the hacker possibly has FTP access or is getting into your SQL database.
 
Minista
I'm not sure I understand what you mean, Ned.
Do you want me to remove the parameter that is used to set the PayPal email address, "business"?
 
Which parameter should be removed in the html file?
If I remove a parameter, somehow my PayPal email address should be set somewhere as a static value.
 
I already changed all my FTP and MySQL accounts' passwords, but it seems that doesn't even slow the hacker.
 
Thank you for any suggestion.
 
Ned
Sorry for the delay.
 
If you have set all your values for all the parameters in Admin then they will be stored in the SQL tables, for example, setting the PayPal address as a static value.
 
Once you have done this then changing the html file and removing all the parameter fields stops you or anyone from changing the SQL values via the ViArt Admin.
However you need the "<!--- begin <!--- end" references in the html as these make the php work which "drives" the SQL and html template files.
 
If your FTP is compromised then the SQL server can be accessed and then the PayPal address can be changed _in the table_, which means my idea won't work.
 
Try setting everything back to the correct values and then removing FTP access completely!! You can restore it when you need it, but if the hacker gets in again it should show in your server provider admin logs.
 
outdoorswing
I am not an expert at all, so feel free to correct me if I'm wrong, but it could be a keylogger. You could try changing the login information from a computer other than your own and not accessing it from your computer for a few days. If the email doesn't get changed again, you may have a keylogger installed on your computer.
 
Ned
You may also want to see
http://www.viart.com/installation_hacking.html
for those finding additional malicious code on their sites.
HTH
 
Vera
Minista, I hope you don't have this problem anymore, but just in case, here is one more piece of advice.
 
In case of a serious and repeated attack we advise:
1) make sure the option "Allow to run PHP code" in Administration > System > Global Settings is not checked;
2) make a full re-installation of your shop using default files and a new database, without FTP access, or at least make it white-listed (by IPs);
3) scan your computer, and those of anyone who has access to your site, for viruses every day.
 
Regards,
ViArt Team
 
Minista
Thank you for the advice, everyone.
 
I've done all your suggestions. The hacker was still able to change the email address. We put in place some other checking method to prevent that kind of attack in the future.
 
Deleting all the files and re-uploading them was the first thing we did, along with changing all the passwords.
 
The hacker didn't try for a few weeks. I guess he got bored after 20 tries without any result (redirected sales).
 
But I think that PayPal should set some low-level settings that will stop that kind of attack once and for all.
We have a few ideas of what could be implemented.
 
Regards