Post by billynoah » Wed Oct 29, 2014 2:41 am

Found the following php script on multiple servers I manage today. Was named "help.php", helper.php" and "config.php"
and generally in the /system/helper/ directory. In a couple sites it looks as though it made it onto the server by way of user upload.

Navigating to the page the title bar says "Daniel Kerr" and appears to attempt emailing password to opencart.com@gmail.com. Presumably this is just some idiot attempting to implicate Daniel. I found no evidence of server compromise but it's really hard to say. If anyone wants to study this and offer some feedback on what it might have done or where it came from would be helpful.

The original file comes in the form of a base64 encoded string which gets decoded and executed by eval(). Below I've attempted to attach the original code but it's being blocked.

Can one of the mods please assist in the attachment so we can make this public?

I'd encourage all of you to check your servers "helper" and "download" directories for this malware. You can probably find it regardless of name by going to your docroot in a shell and running:

Code: Select all

grep -Rl 'eval(base64_decode($a))' .
Which will search all files for the last line of the script.

Image


User avatar
Active Member

Posts

Joined
Tue Jan 15, 2013 12:46 pm

Post by Dhaupin » Wed Oct 29, 2014 7:08 am

+1 Thank you man for sharing this. Have you taken action to invalidate that gmail account? If not, see if G would be so kind as to tell us any forwarder/filter email addresses. This could help clarify the origin.

Not sure if its related, but recently we have ran into 3 separate instances where reseller hosts have been exploited via cross account (OS) dumps in whole shared servers. There is a shred of possibility that its related, at least in the method to drop the files. It only took 1 route in via upload to traverse their whole server(s).

If you are running a shared server for your clients, or even just a VPS for yourself, please make sure you have hardened using a filesystem "cage" or account "jail" of some sort. Not sure how they are pulling it off since the exploits weren't on our servers, but those cage tactics should stop it from spreading to your other hosted clients/platforms if 1 becomes compromised.

PS: If it matters, the string of cross account wtf we found (prob unrelated) was Japan origin.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by Johnathan » Wed Oct 29, 2014 8:00 am

Thanks for the warning. This is likely related to shared hosting being compromised, as Dhaupin mentions, or else they're older versions of OpenCart with file uploads enabled. (Usually this is demo stores where someone has access to the Catalog > Downloads area.) Older versions (I believe before 1.5.3) were susceptible to files being uploaded as images, and then accessed via the "download" folder. You can read more about this exploit here:

http://forum.opencart.com/viewtopic.php?t=98644

People should definitely check their /system/helper/ directory for any of the filenames billynoah mentioned, as well as make sure the permissions on their "download" folder are set to 444. If anyone has any other security suggestions, please post them here.

Image
Image Image Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by billynoah » Wed Oct 29, 2014 10:47 am

Thanks for the info & link Johnathan.

All servers in question VPS and fairly locked down in regards to user access. This is likely related to the download folder directory exploit mentioned above.

Image


User avatar
Active Member

Posts

Joined
Tue Jan 15, 2013 12:46 pm

Post by rph » Wed Oct 29, 2014 2:46 pm

billynoah wrote:Can one of the mods please assist in the attachment so we can make this public?
Have you tried putting it in a zip file? If that doesn't work you may want to try Pastebin or a Gist.

I'd be interested to find out what the vector for attack is. If it's a newer version of OpenCart they may be using the object injection issue published at https://github.com/opencart/opencart/issues/1534 .

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by billynoah » Wed Oct 29, 2014 3:17 pm

I tried zip and even encrypted zip to no avail. Here:

http://zuma-design.com/shared/help.php.malware.zip

It's password protected. Passwd is "malware".

Image


User avatar
Active Member

Posts

Joined
Tue Jan 15, 2013 12:46 pm

Post by Dhaupin » Thu Oct 30, 2014 2:01 am

Im sure you figured it out already but its PHPspy and the dude who has that email uses the handle "Makalot". He pirates a bunches of stuff from OC marketplace, themeforest, and envato then offers them to users in non official ways.

Mail: opencart.com@gmail.com
Yahoo: opcvn_mod
Mobile: 0943-405-833
Last edited by Dhaupin on Thu Oct 30, 2014 10:44 pm, edited 2 times in total.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by billynoah » Thu Oct 30, 2014 2:45 am

I'm pretty sure I'm not alone in my desire for him to implode.

Image


User avatar
Active Member

Posts

Joined
Tue Jan 15, 2013 12:46 pm

Post by Johnathan » Thu Oct 30, 2014 4:12 am

billynoah wrote:I'm pretty sure I'm not alone in my desire for him to implode.
:laugh: You are completely not alone. Maybe if we send enough implosion karma his way, it'll work.

Image
Image Image Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by Dhaupin » Thu Oct 30, 2014 4:50 am

Amen men. They should bring back tar and feathering. I guess technically that script is called "VBA Shell Forcer v2.1" and here are some other versions in the wild if you're curious:

Code: Select all

http://webcache.googleusercontent.com/search?q=cache:axJAIOfnhSoJ:www.er.uqam.ca/nobel/r21270/vocab617/upload/documents/asst_04___5May_1905.doc+&cd=2&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:dmbAPZB5Ir0J:cosovinhphuc.com/download/byg.php%253B.doc+&cd=6&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:oMgIPmHhReUJ:banhat.khonkaen.doae.go.th/jquery%25204.1.2.php%3Ffilesrc%3DL2hvbWUvdHJhdC5tdWVhbmcvVGhlbS9zeW0vcm9vdC9ob21lL21hZWhvbmdzb24ud3d3L2ltYWdlcy95YWIucGhw%26path%3DL2hvbWUvdHJhdC5tdWVhbmcvVGhlbS9zeW0vcm9vdC9ob21lL21hZWhvbmdzb24ud3d3L2ltYWdlcw%3D%3D+&cd=4&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:0GZ_8rFkJsUJ:sonchienblog.my3gb.com/shell/c99.php%3Fact%3Df%26f%3Dbyg.php%26ft%3Dnotepad%26d%3D%252Fwww%252Fmy3gb.com%252Fs%252Fo%252Fn%252Fsonchienblog%252Fhtdocs%252F+&cd=3&hl=en&ct=clnk&gl=us

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&uact=8&ved=0CDQQIDAF&url=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3AVilTVdkACbIJ%3Apursuitrecruitment.co.uk%2Fblog_post%2F22%2F.%2524self.%2B%26cd%3D6%26hl%3Den%26ct%3Dclnk%26gl%3Dus&ei=7FBRVIfzKNWHsQS4tYLYCA&usg=AFQjCNHhxGA3R8EwLlz3QaqbbUycCmalBw&sig2=nceer0gG-OeHshomaFKSHA

http://webcache.googleusercontent.com/search?q=cache:n1xufbqeaF4J:sonongnghiep.bacgiang.gov.vn/upload/fckeditor/tnd.doc+&cd=10&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:PzRUL8vlfcwJ:www.ukulizer.com/ukulizer.php%3Ffile%3D/songs/song+&cd=16&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:QzDLud2ZBN4J:eron-events.co.il/userfiles/file/spy.aspx+&cd=22&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:XvDVaAIPjYAJ:sagopatrack.tr.gg/Youtube.htm+&cd=25&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:H8oSCivsNNMJ:iscjnj.com/about-iscj/who-we-are/services/+&cd=24&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:sxd7RcTC8YwJ:thanhtri.hanoi.gov.vn/cgtdt/web/images/upload1/file/finalImage3_php.doc+&cd=19&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:UYvFLprO2TIJ:threesistersfarm.com/wp-content/themes/twentyten/404.php%3Fact%3Df%26f%3Dstyle.css%26ft%3Dhtml%26d%3D%252Fhome%252Fthreesis%252Fpublic_html%252Fwp-content%252Fthemes%252Ftwentyten%252F+&cd=54&hl=en&ct=clnk&gl=us

http://webcache.googleusercontent.com/search?q=cache:4jItIqAtRd0J:www.mbhsny.com/morgana-2+&cd=97&hl=en&ct=clnk&gl=us

http://ddecode.com/phpdecoder/?results=c79d20f3b45a989a8eed8d257cf2c8c2

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by rph » Thu Oct 30, 2014 6:59 pm

Figures.

I removed the links. I'd rather not give that board any more exposure than it's already gotten.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Dhaupin » Thu Oct 30, 2014 10:51 pm

rph wrote:I removed the links. I'd rather not give that board any more exposure than it's already gotten.
Ah my bad man, thanks. For any of ya'll poking around the pirated stuff in those places: we have noticed many of them have malscripts obfuscated or bundled....especially in the themes. Unless its some kinda downloader exer, your anti-virus prob wont detect since its made for servers. Just dont even visit those places, cant trust a thing about em.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by rph » Fri Oct 31, 2014 12:18 am

Dhaupin wrote:Ah my bad man, thanks.
No problem. The site has been posted before when the piracy issue comes up. I'd just rather not give them any more SEO boosts.
For any of ya'll poking around the pirated stuff in those places: we have noticed many of them have malscripts obfuscated or bundled....especially in the themes.
Ha. Good. ;D

Ya know, since they're primarily stealing mods from demo sites it might be fun to set up a little honeypot. It's not like it would matter if a demo site had orders randomly dropped...

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Dhaupin » Fri Oct 31, 2014 3:57 am

Hahah still turning over how that would work in the head, but it sounds promising...or at least a fun experiment. I doubt they are checking mods they steal for malware/tracers....unless they put it in themselves or get it from a fellow thief.

You can edit this out if its too risky to post here: Nothing serious just a little bit of sugar in their gas tank(s) right? Something simple like corrupting welcome_text serialization by capping 65k chars comes to mind...site will barely render, options will break, error is totally obscure until you crawl DB to find offending cell. Even replacing the cell from backup will leave it corrupted...must be wiped out. Bonus if you are the source of that 65k data, you can see what IP's are requesting it, hinting that they are running the .... "sugarMod".

PS: its valid to make your settings structure use MEDIUMTEXT for this reason. Any serialized setting that hits 65k of TEXT will make things very crazy with no hints from error. The error will says its at index().

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by rph » Fri Oct 31, 2014 8:44 am

Not that I'm, uh, advocating anything but there's something to be said for a more subtle effect. It sure would suck if a site suddenly had a noindex metatag or its most popular products had intermittent 404s.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Daniel » Fri Mar 20, 2015 2:28 pm

One veitnamese seller I know got his opencart.com account hacked after he got his site hacked. I imagine this is the same issue.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Daniel » Sun Feb 21, 2016 4:06 pm

more information about this sumbag here:

Scumbags details

Nguyen Thanh Son
interspire.vn@gmail.com

also works with

Hoang Dung
233 Bac Kinh
Ha Noi 17000

contact: Hoang Dung
address: 5 Pham Hung - Cau Giay
address: 17000 Ha Noi
address: HN
country: VN
phone: +84 1213219925
e-mail: vietzippo.com@gmail.com

Mail: opencart.com@gmail.com
Yahoo: opcvn_mod
Mobile: 0943-405-833

01/12/2014 07:37 Sent Hoang Trung Dung Processed -7.43 -743.35
Transaction ID: 1316028631
Recipient's email: mastercart.net@gmail.com
More details:

amaze admin@opencartz.net
interspire.com info@opencartdev.com
kangoc luuminhkhanh@hotmail.com
maslo maslo@maslo.com
matamko matamko.leo@gmail.com
max opencart info@bonsai.az
newbag sales@newbag.pro
novapro novathemepro@gmail.com
opencart2x admin@opencartx.net
opencart77 opencart77@gmail.com
opencartips admin@opencartips.com
opencartpm admin@opencart.pm
opencartznet info@opencartclub.net
openxcart admin@openxcart.com
opz cheryl.angelo@hotmail.com
vdc haihuyenpham@yahoo.com

some of the above emails are fake.

hes also listed here:

http://opencartvn.com/forum/Thread-modu ... -%E1%BA%A1

I actually have much more details

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Johnathan » Sun Feb 21, 2016 10:40 pm

Can we get a list of IP addresses that he's used? That would be useful for banning him on our own sites.

Image
Image Image Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by dmsims » Mon Feb 22, 2016 5:29 pm

Johnathan wrote:You can read more about this exploit here:

http://forum.opencart.com/viewtopic.php?t=98644
Does that fix apply to 1.5.5.1?

Active Member

Posts

Joined
Sat Apr 13, 2013 6:05 pm

Post by paulfeakins » Mon Feb 29, 2016 6:03 pm

Yep, it's good advice to search for "eval(base64_" etc.

If you don't have SSH access to the server you could use a PHP script like:
http://stackoverflow.com/questions/1504 ... or-strings

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom
Who is online

Users browsing this forum: No registered users and 7 guests