Post by Einherj » Thu Jan 18, 2018 7:02 pm

I am running Opencart 3.0.2.0. My admin password keeps getting hacked somehow. I'm suspecting some SQL injection bot or similar, since it only affects the oc_user table in the database. My admin account username and password gets changed. Then I change it back manually from phpMyAdmin to get access again. Then they get changed to the same thing every time a couple of hours after I change them.

Does anybody have any ideas how I could fix this?

I have these modifications:
Custom Image Titles: https://www.opencart.com/index.php?rout ... on_id=1243
Option Combination Stock Management: https://www.opencart.com/index.php?rout ... =47&page=8

Here is my store root .htaccess

Code: Select all

# 1.To use URL Alias you need to be running apache with mod_rewrite enabled.

# 2. In your opencart directory rename htaccess.txt to .htaccess.

# For any support issues please visit: http://www.opencart.com

Options +FollowSymlinks

# Prevent access to .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Prevent Directoy listing
Options -Indexes

# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|.twig|\.ini|\.log|(?<!robots)\.txt))">
 Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>

# SEO URL Settings
RewriteEngine On
# If your opencart installation does not run on the main web folder make sure you folder it does run in ie. / becomes /shop/

RewriteBase /
RewriteRule ^sitemap.xml$ index.php?route=extension/feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=extension/feed/google_base [L]
RewriteRule ^system/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]

### Additional Settings that may need to be enabled for some servers
### Uncomment the commands by removing the # sign in front of it.
### If you get an "Internal Server Error 500" after enabling any of the following settings, restore the # as this means your host doesn't allow that.

# 1. If your cart only allows you to add one item at a time, it is possible register_globals is on. This may work to disable it:
# php_flag register_globals off

# 2. If your cart has magic quotes enabled, This may work to disable it:
# php_flag magic_quotes_gpc Off

# 3. Set max upload file size. Most hosts will limit this and not allow it to be overridden but you can try
# php_value upload_max_filesize 999M

# 4. set max post size. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value post_max_size 999M

# 5. set max time script can take. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_execution_time 200

# 6. set max time for input to be recieved. Uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_input_time 200

# 7. disable open_basedir limitations
# php_admin_value open_basedir none

Newbie

Posts

Joined
Tue Oct 10, 2017 4:35 pm

Post by ADD Creative » Fri Jan 19, 2018 11:57 pm

A few things you could to do if you haven't already.
Change your hosting passwords including all FTP accounts that may have been created.
Change the OpenCart database user password (remember to update the two config.php files with the new password).
Check the files or your server have not been modified or new files added by comparing against a clean download of your version of OpenCart and any modifications.
Check your database for any injected code.
Lookup through your servers web access log for anything suspicious that may help you find where they are getting in.
Check the OpenCart error logs for anything suspicious.
Change the admin account name from the default of "admin" (better still create a new admin account and give full permission and then delete the default account).
Check your database can only be accessed from the relevant IP addresses.
Switch off displaying of errors in OpenCart (this has to be done in the admin and the config files in version 3).

I've seen site attacked through week or stolen FTP passwords, vulnerabilities in extensions, ect.

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am

Post by Einherj » Thu Jan 25, 2018 4:56 pm

Thank you for the reply. Great checklist!

I had changed the username and password of the default admin account but this time I deleted the whole entry from the database and created a new admin account.

I also deleted the FTP account and created a new one with a very secure password (and updated the config files). We've been without a hack for a week now.

Seems like no code injection has been made to the database or any files have been modified.

Newbie

Posts

Joined
Tue Oct 10, 2017 4:35 pm

Post by Elevate » Sun Jul 08, 2018 3:04 am

Also check your file and folder CHMOD permisisons and consider a service like Sucuri or Comodo cWatch to scan and repair any ongoing issues.

Elevate
Custom Website Developers
https://www.elev8your.com


New member

Posts

Joined
Fri Jul 06, 2018 12:40 am
Location - Denver, Colorado, USA
Who is online

Users browsing this forum: No registered users and 11 guests