Post by theone » Mon Mar 13, 2017 7:05 pm

Hello,
Today I found my site has been hacked by DeadlyCrew.İNFO/Deadly-Warrior.
Just the front end has been hacked, I guess. So what should I do now? Should I just restore my backup, or is there any way to find out where the weak point is?

My site: www.unlocksolution.com

Waiting for your advice.

Thank you

New member

Posts

Joined
Sat Oct 30, 2010 9:09 am

Post by theone » Mon Mar 13, 2017 7:20 pm

I'm hosting with a2hosting.com on their shared hosting. I already asked them about this hack and am waiting for their reply.


Post by theone » Mon Mar 13, 2017 8:59 pm

From a2hosting I got this reply:
"Hello,
Thank you for contacting A2 Hosting!

It was not due to the server. There are any number of ways a site can be hacked. A2 hosting cannot provide forensic details on every site that is hacked unfortunately. We can provide you with methods to clean the hack however."


Post by theone » Mon Mar 13, 2017 10:04 pm

I think it was done through the Google Analytics module. I found this code in the Google Analytics module:

Code:

<html>
<head>
<link rel=”icon” type=”image/png” href=”http://img.webme.com/pic/i/iconvar/turk-b-2.png” />
<title>DeadlyCrew.İNFO/Deadly-Warrior</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<body bgcolor="black">
<center><img src="http://i.hizliresim.com/W09o88.png" width="700" height="400" alt="Hacked!" /></center>
<h2><center><font face="arial" size="5" color="white">Biz Ancak<font color="red"> rükuda eğiliriz</font></center></h2>
<br>
<center><font face="arial" size="3" color="white">DeadlyCrew dont forget 18 March!<br>We dont forget anyone!<br> We are Turk!
<br>We are celebrating 18th March Canakkale Victory
<br>Canakkale is impassable<font color="red"></font></center><br><center><font face="arial" size="3" color="white">DeadlyCrew.İNFO | <font face="arial" size="3" color="RED">  DELİLER TİM</FONT></center>
<embed src="https://www.youtube.com/v/eltPkGySVYQ&autoplay=1" type="application/x-shockwave-flash" height="0" width="0"></embed>
</body>
</html>


Post by ADD Creative » Fri Mar 17, 2017 10:56 pm

I would check your server logs for access to anything under /admin/. Look for IP addresses that aren't yours.

Also check your FTP logs.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by theone » Mon Mar 20, 2017 9:53 pm

Well, if I search "DeadlyCrew dont forget 18 March" on Google I can see many other websites powered by OpenCart were hacked, including mine. And I already confirmed with my hosting, which is a2hosting; they confirmed it was not due to shared hosting.

However, I have disabled the Google Analytics module for now just to be on the safe side.


Post by ADD Creative » Tue Mar 21, 2017 11:23 pm

I can't see that disabling the Google Analytics extension will prevent further attacks. If they could modify its contents then they can re-enable it.

If you want to check for any weak points, look for access to admin/index.php?route=extension/analytics/google_analytics (or any other suspicious activity) in your server logs. Look at the IP address and then see what the first entry point from that IP address was.

www.add-creative.co.uk



Post by angela » Sun Mar 26, 2017 10:10 am

theone wrote (Mon Mar 13, 2017 10:04 pm):
"I think it was done through the Google Analytics module. I found this code in the Google Analytics module"

Which module are you using? The one that comes with OpenCart, or a 3rd party extension?

How did your host suggest to 'clean' it up? Detailed cleaning instructions can point you toward the method of entry.

New member

Posts

Joined
Fri Dec 02, 2016 2:14 am

Post by pretrator » Tue Feb 12, 2019 6:32 pm

Hi,
I am new to the OpenCart community.
Today I found my website hacked.
Well, the same Google Analytics was edited.
I have a strong password on the admin panel also.
Any ideas, anyone?

Newbie

Posts

Joined
Sat Jul 07, 2018 12:24 pm

Post by ADD Creative » Thu Feb 14, 2019 11:33 pm

What version of OpenCart? Was the code that you entered into the Google Analytics module changed or the PHP files themselves? Have you clicked on any links that have taken you to your admin login?

Check your FTP logs. Check your web access logs for access to admin/index.php?route=extension/analytics/google_analytics or anything else that looks suspicious.

Change all your passwords.

www.add-creative.co.uk
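
The access-log check suggested in the replies above (find foreign IPs that reached admin/index.php?route=extension/analytics/google_analytics, then look at each one's first request), as an added example that is not code from the thread or from OpenCart. It assumes the Apache/nginx "combined" log format; the function name `triage` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WATCHED = "route=extension/analytics/google_analytics"  # route named in the thread

# Constructed sample lines (documentation-range IPs, placeholder token).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2017:09:01:11 +0000] "GET /admin/index.php?route=common/dashboard&token=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2017:22:14:02 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2017:22:15:40 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2017:22:16:05 +0000] "POST /admin/index.php?route=extension%2Fanalytics%2Fgoogle_analytics&token=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2017:08:30:00 +0000] "GET /admin/index.php?route=extension/analytics/google_analytics&token=x HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
""".splitlines()

def triage(lines, own_ips):
    """Map each foreign IP that hit the watched admin route to its first
    request in the log (the entry point) and its hits on that route."""
    first_seen, hits = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path = unquote(m["path"])  # also catches route=extension%2Fanalytics%2F...
        rec = (m["ts"], m["method"], path, int(m["status"]))
        first_seen.setdefault(m["ip"], rec)  # access logs are chronological
        if m["ip"] not in own_ips and "/admin/" in path and WATCHED in path:
            hits.setdefault(m["ip"], []).append(rec)
    return {ip: {"first": first_seen[ip], "hits": h} for ip, h in hits.items()}

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, own_ips={"198.51.100.7"}).items():
        print(ip, "first seen:", info["first"])
        for hit in info["hits"]:
            print("   admin route hit:", hit)
```

Pass your own IP addresses in `own_ips` so that only unfamiliar addresses are reported; the same pass over FTP logs needs a parser for that log's format.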

