Post by Evilonion » Wed Jul 05, 2017 4:12 pm

Hi,

We have just been hacked with a URL injection.
They have placed a ton of folders and files on the server linking to porn and all sorts.

Google have listed the site as hacked; this was all done 2 days ago and Google emailed me today.

All folders are 755, files are 644 and config files are 444.
Opencart version 1.5.6.4.
We run the theme journal bought from theme forest.

Any ideas how this could have happened and how I can remedy the situation?
All help and advice appreciated, thank you.

Newbie

Posts

Joined
Sun Oct 30, 2016 8:07 pm

Post by Evilonion » Wed Jul 05, 2017 4:35 pm

To update.

I have removed all the folders I have found from the main root directory, but I am finding loads of PHP files that I do not recognise.
When I open them they are all messages to hackers such as 'lido was here' etc.
I have removed some of them, but how will I find them all? And how will I stop this happening again?

The only thought I have is to buy protection from Astra?


Post by Evilonion » Wed Jul 05, 2017 6:16 pm

Host has advised config.php is infected.
It's locked on the server so I've opened it in FTP and they have added a load of code to the file.
I'm going to upload the standard file from OpenCart, permission 444.
I'll change all FTP passwords and I'll have to change the database and admin passwords.

Looking to upload crawl protect to the root folder.

Anything else I can look to do?


Post by ADD Creative » Wed Jul 05, 2017 8:13 pm

As you say, change all your passwords for your hosting, database, FTP and all OpenCart admins. Change all accounts, for example any FTP account you may have created in your hosting control panel. Remove any accounts that are not needed anymore.

Compare your files against a fresh download of OpenCart, to see if any have been modified.

Update your theme and any extensions. There was an issue reported with the Journal theme. viewtopic.php?f=179&t=183812

Look through your web and FTP log files for anything suspicious that might tell you how they managed it. If you can work out what IP address, you could deny that IP in your htaccess.

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
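
The comparison against a fresh OpenCart download suggested in the post above can be scripted. This is an added example, not part of the original thread; `SITE_SPECIFIC`, `compare_trees` and the two small trees built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

SITE_SPECIFIC = ("config.php", "admin/config.php")  # assumption: per-site files, read by hand

def index_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                index[rel] = hashlib.sha256(fh.read()).hexdigest()
    return index

def compare_trees(clean_root, live_root):
    """Classify every live file against the clean reference copy."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    report = {"modified": [], "unknown": [], "review": []}
    for rel in sorted(live):
        if rel in SITE_SPECIFIC:
            report["review"].append(rel)    # no reference copy to hash against
        elif rel not in clean:
            report["unknown"].append(rel)   # not shipped: upload, cache or planted file
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)  # shipped file whose content changed
    report["missing"] = sorted(set(clean) - set(live))
    return report

def demo():
    """Run the comparison on two small constructed trees (sample data)."""
    def write(root, rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "index.php", "<?php // front controller\n")
            write(root, "system/startup.php", "<?php // bootstrap\n")
        write(live, "index.php", "<?php // front controller\n// appended lines\n")
        write(live, "config.php", "<?php // site settings\n")
        write(live, "image/x1.php", "<?php // unrecognised file\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```

On a real site the clean tree also needs fresh copies of the theme and extensions, otherwise their files are listed as unknown; uploaded images and cache files will appear there too.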

Post by Evilonion » Wed Jul 05, 2017 10:10 pm

Thank you for that link, I have updated the Journal theme.
I've also installed crawl protect and changed the admin password.
It's not possible for me to change the admin folder as it throws up a ton of errors with the Journal theme etc.
