Dear SunShop Customer,

Today we were made aware of a security issue that has affected all SunShop versions. After further investigation we have learned that our database from our old site had been compromised and some malicious javascript had been inserted into our SunShop news feed that is displayed in the admin area when you login. In turn, any SunShop admin who logged into their store between 11am PST on April 10th and 7pm PST April 12th, had a file placed on their server called eval.php automatically. If you did not login to your admin area between those times then your shop is secure. Otherwise, we suggest logging into your server via FTP and making sure the files is not present. For more details please see below.

Originating File:

The originating file is called eval.php and it is loaded into the themes/YOURTHEME/ folder where "YOURTHEME" is the actual active theme folder. The attackers who added the malicious code to our news feed somehow get notified that the eval.php is on your server, most likely from server logs, and they use that file to run their own PHP commands on your server. They usually add additional files in an attempt to gain access to your customers financial details, but if you are running SunShop 4.2.5 or later, they will find this task to be very challenging due to the encryption keys. Below if a list of files that have been found in the same folder and various folders in the SunShop directory.

These files have also been reported:

eval.php, dec4.php, term.php, tem.php, xp.php, xps.php, xz.php

If you notice these or any other php files that look out of place, you should delete them or contact us to look into the issue further for you. You can open a ticket at

Our Database & Our Customers Data:

Because our database was compromised, we are advising that all customers who submitted their FTP or login information to us at any time on the old site and system to update their information immediately and change any FTP control panel or admin login information that we may have had in the system.

It is important to note though that we DO NOT keep any financial information in our databases on our customers. Additionally as an added security measure, we are resetting all account passwords on the legacy system. If you need to request your password you can use the forgot password feature or contact us for assistance.

As we stated if you should have any questions or if you need additional assistance, please feel free to contact support. We simply need your FTP details if you would like us to login and check for these files and remove them. We apologize for any inconvenience this may have caused and we want to assure you we are working hard to correct the problem in any way possible.


*UPDATE - 4/13* Some users are reporting that an admin was created. If you notice this as well you should delete any admins that do not belong in your system.

*UPDATE #2 - 4/13* It is also advised that your mysql database password be changed as an extra precaution.

*UPDATE #3 - 4/13* We have noted the following attack IP addresses. & IP OWNER INFO

Thursday, April 12, 2012

« Back