Post by dmsims » Sun Feb 28, 2016 10:35 pm

A new admin user has been created, the IP address is all zeros and the salt is missing


I have Crawl protect running (no log entries for that date)

I have a hash check running against all Opencart files (none have been modified)

The http log show nothing

Login is restricted by IP

Active Member, joined Sat Apr 13, 2013 6:05 pm

Post by IP_CAM » Mon Feb 29, 2016 2:55 am

But why are you telling us about this? No one has the slightest idea about a fully unknown system and setup in a fully unknown environment. It could be anything, possibly being a (hidden) part of something, possibly obtained with some extensions and/or themes placed to serve some purpose.

A good range of online 'source' exists containing 'stuff' placed either by 'regular' devs, just trying to make sure they know if someone unauthorized is using their software, or by those offering paid OC extensions and themes for free but hiding their 'own' gizmos in the source, to at least make some money later when it comes to breaking into such stores and grabbing what is available but not in their own 'inventory' yet, to keep in business. ;D

Just to give you some Ideas, on such, and how it's been done, sometimes.
Under 'normal' Circumstances, and with VISITOR UPLOADS disabled, it would/could not have been the case... ;)
Good Luck
Ernie
openshop.li

For Sale: Turnkey URLs with Opencart installed
My present Opencart Testsite: http://www.velomech.ch/shop/
Attacker IP Blocks are denied from further access to my Sites!
Just contact me for more Information at: jti@jacob.ch
690 FREE OC Extension-Repositories - from OC v.1.5.x up
on the largest Opencart-Mod Github Site: https://github.com/IP-CAM


Legendary Member, joined Tue Mar 04, 2014 1:37 am, Location: Switzerland

Post by dmsims » Mon Feb 29, 2016 3:24 am

It was not created by any extension or theme - there have been no changes for many months and as I said I have a hash check running

I was just trying to see if anyone had any suggestion or had seen anything like it before


Post by ADD Creative » Mon Feb 29, 2016 6:52 am

What version are you running? Maybe check your server access logs for any URL containing admin/index.php?route=user/user/insert&token=

www.add-creative.co.uk


Active Member, joined Sat Jan 14, 2012 1:02 am, Location: United Kingdom

Post by dmsims » Mon Feb 29, 2016 7:29 am

Version is 1.5.5.1

I will recheck the logs again

thanks for that


Post by dmsims » Wed Mar 02, 2016 6:28 am

ADD Creative wrote: What version are you running? Maybe check your server access logs for any URL containing admin/index.php?route=user/user/insert&token=
Nothing

Not even any sort of access to the admin


Post by ADD Creative » Wed Mar 02, 2016 8:01 am

Thinking about it if the user was added this way there should be a salt.

Another way I have seen something like this done is through extensions that had SQL injection weaknesses. You might notice something in your server logs containing the data added, if it was done by a GET rather than a POST.

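The two log checks ADD Creative suggests (a request to the admin user-insert route, and an SQL injection payload carried in a GET query string) can be automated over a combined-format access log. The script below is an added example, not code from the original thread or from OpenCart; the log format, the route string, the injection patterns and the sample log lines are all assumptions or constructed data. As ADD Creative notes, a POST body never appears in the access log, so an injection delivered by POST leaves only the request line.

```python
"""Scan an Apache/nginx combined-format access log for (a) requests to the
OpenCart admin user-insert route and (b) GET requests whose query string
carries common SQL-injection payloads. Added example; all inputs constructed."""
import re
from urllib.parse import unquote_plus

# Assumption: Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Route string quoted by ADD Creative (OpenCart 1.5.x admin user insert).
ADMIN_INSERT = "route=user/user/insert"

# Patterns typical of SQLi probes against PHP/MySQL applications (heuristic, not exhaustive).
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|insert\s+into|\binto\s+outfile|"
    r"sleep\s*\(|benchmark\s*\(|information_schema|0x[0-9a-f]{8,}|"
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|--\s|/\*.*\*/|;\s*(insert|update|drop))",
    re.IGNORECASE,
)


def parse(line):
    """Split one log line into its fields, or return None if it is not a log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a parsed request is interesting ([] if none)."""
    reasons = []
    url = unquote_plus(rec["url"])          # decode %27, %20, '+' before matching
    path, _, query = url.partition("?")
    if "/admin/" in path and ADMIN_INSERT in query:
        reasons.append("admin user insert route")
    if rec["method"] == "GET" and query and SQLI_RE.search(query):
        reasons.append("SQL injection pattern in GET query")
    return reasons


def scan(lines):
    """Return one hit dict per interesting request, in log order."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "url": rec["url"], "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic from the store in the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2016:00:00:12 +0000] "GET /index.php?route=product/product&product_id=40 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Feb/2016:00:01:03 +0000] "GET /index.php?route=module/somefilter&filter_id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 777',
    '198.51.100.7 - - [10/Feb/2016:00:02:44 +0000] "GET /index.php?route=product/category&path=20%27;INSERT%20INTO%20oc_user%20(user_id,username)%20VALUES%20(9999,%27x%27)--%20 HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Feb/2016:09:15:00 +0000] "GET /admin/index.php?route=user/user/insert&token=abc123 HTTP/1.1" 200 9000',
    '192.0.2.9 - - [10/Feb/2016:09:15:10 +0000] "POST /admin/index.php?route=user/user/insert&token=abc123 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['url']}")
        print("    -> " + ", ".join(hit["reasons"]))
```

Run it against the real log with `scan(open("access.log"))`. An empty result, as dmsims reports, is itself evidence: it points away from the admin UI and from GET-based injection and toward a POST-based injection, a direct database write, or a log that was not intact.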

Post by Dhaupin » Sat Mar 05, 2016 1:03 am

What does it say for date_added for that row? Do you have Drupal or WordPress also running on the server? What kind of host/server is it? Do they have proper jailing/cages/bash levels for the accounts?

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


Active Member, joined Tue May 13, 2014 3:45 am, Location: PA

Post by dmsims » Sat Mar 05, 2016 5:47 am

Hi Dhaupin

Date added 10/02/2016 00:00
ip 0.0.0.0
user_id 9999 (weird??)

Nothing else runs on the account but Opencart (but on the server lots of other things may be running - see below)

as far as the server goes this is a Cloud server running at Tsohost

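The row dmsims describes has four properties that a user created through the application would not normally have together: an empty salt (ADD Creative's point), an IP of 0.0.0.0, a date_added with a zero time component, and a user_id (9999) far outside the auto-increment sequence. The script below is an added example, not part of the thread or of OpenCart: it runs those checks over an in-memory SQLite copy of a simplified `oc_user` table. The schema is a cut-down assumption (the real 1.5.x table is MySQL and has more columns), the rows are constructed, and the thresholds are heuristics; against a live store the same checks would be run over the real table.

```python
"""Triage rows in an OpenCart-style user table for signs they were written
directly to the database rather than through the admin code path.
Added example with a simplified, assumed schema and constructed rows."""
import sqlite3

# Assumption: simplified subset of the OpenCart 1.5.x oc_user table.
SCHEMA = """
CREATE TABLE oc_user (
    user_id       INTEGER PRIMARY KEY,
    user_group_id INTEGER NOT NULL,
    username      TEXT    NOT NULL,
    password      TEXT    NOT NULL,
    salt          TEXT    NOT NULL,
    email         TEXT    NOT NULL,
    ip            TEXT    NOT NULL,
    status        INTEGER NOT NULL,
    date_added    TEXT    NOT NULL
);
"""

# Constructed rows: two ordinary admins plus one shaped like the row in the thread.
ROWS = [
    (1, 1, "admin", "<hash>", "Kq3aZ9pX", "owner@example.com", "198.51.100.7", 1, "2013-04-13 18:05:00"),
    (2, 1, "staff", "<hash>", "mN7vB2qL", "staff@example.com", "198.51.100.7", 1, "2015-06-01 09:12:41"),
    (9999, 1, "support", "<hash>", "", "x@example.net", "0.0.0.0", 1, "2016-02-10 00:00:00"),
]


def triage(conn, max_id_jump=100):
    """Return {user_id: [reasons]} for rows that look hand-inserted.

    max_id_jump is a heuristic: a user_id more than this far past the
    previous one was not handed out by a normal auto-increment sequence.
    """
    cur = conn.execute(
        "SELECT user_id, username, salt, ip, date_added FROM oc_user ORDER BY user_id"
    )
    findings = {}
    prev_id = None
    for user_id, username, salt, ip, date_added in cur:
        reasons = []
        if not salt:
            reasons.append("empty salt (a user added via the admin UI gets one)")
        if ip in ("", "0.0.0.0"):
            reasons.append("ip is unset/0.0.0.0")
        if date_added.endswith(" 00:00:00"):
            reasons.append("date_added has a zero time component")
        if prev_id is not None and user_id - prev_id > max_id_jump:
            reasons.append(f"user_id jumps {user_id - prev_id} past previous id {prev_id}")
        prev_id = user_id
        if reasons:
            findings[user_id] = reasons
    return findings


def run():
    """Build the in-memory table from the constructed rows and triage it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO oc_user VALUES (?,?,?,?,?,?,?,?,?)", ROWS)
    return triage(conn)


if __name__ == "__main__":
    for user_id, reasons in run().items():
        print(f"user_id {user_id}:")
        for r in reasons:
            print(f"    - {r}")
```

Each flag on its own is weak (a legitimately imported account can have a midnight timestamp), but a row that trips all four, with no matching request in the access log, is consistent with a direct INSERT from something with database access: an injectable extension, a shared-hosting neighbour, or a leaked database credential.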