Post by Dhaupin » Fri Dec 19, 2014 12:31 am

Seems as if there is some kinda download folder issue going on where folks are uploading junkware. In this case it's a mass upload of a game from http://gabrielecirulli.com/

To see infected sites:
https://www.google.com/search?q=downloa ... aaa.jpg%22

Nav to your store download folder, then look for these files (they will contain random strings after the filename):

1024.php.jpg.
license.php.jpg.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg.

Attachment: Source - note pulling assets from github


https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.



Post by IP_CAM » Fri Dec 19, 2014 12:58 am

Yep, got 'em on several Sites.
I did not touch some of those sites for a long time.

Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by granddaddy » Fri Dec 19, 2014 1:50 am

It happened to others. See this thread which contains some steps to protect yourself:
http://forum.opencart.com/viewtopic.php?f=20&t=98644
Basically you need to
1. Ensure you have a proper encryption key in your store settings (older versions had 12345 and some people forgot to change it). Setting a unique key prevents this hack from executing if it manages to upload the files.
2. To prevent the upload of the files, clear out the box in settings called "uploadable file types". That is unless you are actually selling products that require an upload.


Post by Dhaupin » Fri Dec 19, 2014 2:51 am

Aye, it comes from the file option, so if you have it on a product that's what I assume to look for. The filetypes are flawed too; they only look for 1 period, so things like file.php.jpg (which is actually a script) would still be allowed. Example:

Code:

if (!in_array(substr(strrchr($filename, '.'), 1), $allowed)) {
	$json['error'] = $this->language->get('error_filetype');
}
Also, like components of the OC site itself, as well as various store platform functions, this upload function should have an X-Robots header to avoid being indexed, snooped, and exposed for intra-domain/client tinkering (or OC data gathering): https://www.google.com/#q=%22product/pr ... 0&filter=0

Code:

X-Robots-Tag: noindex, nofollow, noimageindex, nosnippet, noodp, noarchive
The upload script isn't too complex either; the only validation it has is file name length and the first period of the file type (which fails validation in the example above):

Code:

new AjaxUpload('#button-option-1234', {
	action: 'index.php?route=product/product/upload',
..... script continued
It's true that they are "encrypted" with a string, but then we encounter another thought: many people somehow leave their download folder open... perhaps they deleted index.html, perhaps they allow file structure browsing. This means you can literally see the hash. Obviously this is not caused by OpenCart, but I assume that is why they attempted. There are enough open download folders being indexed by Google (like in the first post) to make it slightly worthwhile.

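The following is an added example, not OpenCart's code and not from any poster in this thread. It puts the single-extension check quoted above (only the text after the last dot is tested, so "1024.php.jpg" passes as "jpg") beside a stricter check that tests every dot-separated segment against the allowlist, rejects path characters, and enforces a length limit, and it emits the X-Robots-Tag header named in the post. The function names, the allowlist, and the sample filenames are assumptions constructed for the demonstration.

```php
<?php
// Added example (not OpenCart's own code): a stricter upload filename check,
// contrasted with the single-extension check quoted in the thread.

// The check as quoted in the post: only the text after the LAST dot is tested,
// so "file.php.jpg" is accepted because "jpg" is on the allowlist.
function lastExtensionAllowed(string $filename, array $allowed): bool
{
    return in_array(substr(strrchr($filename, '.'), 1), $allowed, true);
}

// Stricter check: every segment after the base name must be on the allowlist,
// the name must be within a length limit, and path characters are rejected.
function allSegmentsAllowed(string $filename, array $allowed, int $maxLen = 64): bool
{
    if (strlen($filename) < 3 || strlen($filename) > $maxLen) {
        return false;            // too short to have "x.y", or too long
    }
    if (preg_match('#[/\\\\]|\.\.#', $filename)) {
        return false;            // directory separators or ".." are never valid here
    }
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return false;            // no extension at all
    }
    array_shift($parts);         // drop the base name, keep every extension segment
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            return false;        // "1024.php.jpg" fails here on the "php" segment
        }
    }
    return true;
}

// Keeps the upload endpoint and its responses out of search indexes
// (the header from the post). header() is a no-op on the CLI.
function sendNoIndexHeader(): void
{
    header('X-Robots-Tag: noindex, nofollow, noimageindex, nosnippet, noodp, noarchive');
}

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];   // assumed allowlist

// Constructed sample filenames, including the patterns reported in the thread.
$samples = [
    'photo.jpg',
    '1024.php.jpg',
    'license.php.jpg',
    str_repeat('a', 60) . '.jpg',
    '../evil.jpg',
];

sendNoIndexHeader();
foreach ($samples as $name) {
    printf("%-66s last-ext: %-4s  all-segments: %s\n",
        $name,
        lastExtensionAllowed($name, $allowed) ? 'pass' : 'fail',
        allSegmentsAllowed($name, $allowed) ? 'pass' : 'fail');
}
```

Run it with `php example.php`: the two "*.php.jpg" names and the "../" name pass the last-extension check and fail the all-segments check, while "photo.jpg" passes both. The 60-character "aaaa...jpg" name passes both because nothing about it is wrong apart from being odd, which is why the extension-segment check, not the length check, is the one doing the work.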