Post by rhorne » Tue Apr 24, 2018 10:29 pm

Today our Opencart webshop 2.3.0.2 was infected with some form of Malware. Basically every time you loaded the site a fake Google popup would appear claiming that your version of Chrome or Internet Explorer was out-of-date and if you clicked the update button it took you to a random website and attempted to download an executable file.

I managed to find the spurious code that generated this and realised it was masquerading as Google Analytics code in the oc_setting table. Deleting these 8 or so records immediately fixed things.

I've since updated our template and changed FTP, user and database passwords.

Is that about as much as I can realistically hope to do?

My boss wants to know how this code got there and I honestly have no answers. My host doesn't keep a log apparently so I can't use that for evidence. How are these things added? Is it likely to be an SQL injection attack? Account details compromised? Or all of the above.

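As an added illustration of the check described in this post (example code, not from the thread or from OpenCart itself): a small scanner that walks rows in the shape of OpenCart 2.x's oc_setting table and flags values that look like injected script. The assumed column layout (setting_id, store_id, code, key, value, serialized), the allow-list of hosts a legitimate Google Analytics / Tag Manager snippet loads from, and the single setting key expected to hold HTML are my assumptions; the rows are constructed samples, including a placeholder tracking id.

```python
"""Flag script injected into OpenCart oc_setting rows (added example)."""
import re
from urllib.parse import urlparse

# Hosts a legitimate Google Analytics / Tag Manager snippet loads from.
# Assumption: extend this set if the shop uses other trusted tag vendors.
KNOWN_GOOD_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}

# Setting keys that are expected to contain HTML/JS at all. A <script> tag in
# any other key is suspicious on its own. (Assumed list; check your install.)
HTML_ALLOWED_KEYS = {"config_google_analytics"}

SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Primitives that legitimate analytics snippets do not need but injected
# loaders routinely use to hide their payload URL.
OBFUSCATION_RE = re.compile(
    r"\b(eval|unescape|atob|fromCharCode|document\.write)\s*\(", re.I
)

# Constructed sample rows (setting_id, store_id, code, key, value, serialized).
SAMPLE_ROWS = [
    (1, 0, "config", "config_google_analytics",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER-1"></script>', 0),
    (2, 0, "config", "config_name", "Example Shop", 0),
    (3, 0, "config", "config_google_analytics",
     '<script src="//cdn.browser-update.invalid/ga.js"></script>', 0),
    (4, 0, "config", "config_meta_description",
     "<script>document.write(unescape('%3Cdiv%3E'))</script>", 0),
]


def _host_of(url):
    """Return the hostname of a script URL; protocol-relative URLs are common."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or ""


def scan_settings(rows):
    """Return one finding per suspicious observation in the given rows."""
    findings = []
    for setting_id, _store_id, _code, key, value, _serialized in rows:
        if not isinstance(value, str):
            continue

        def report(reason):
            findings.append({"setting_id": setting_id, "key": key, "reason": reason})

        # 1. Script where no HTML is expected (e.g. shop name, meta description)
        if SCRIPT_TAG_RE.search(value) and key not in HTML_ALLOWED_KEYS:
            report("script tag in a key that should not hold HTML")
        # 2. External script loaded from a host outside the allow-list
        for url in SCRIPT_SRC_RE.findall(value):
            host = _host_of(url)
            if host not in KNOWN_GOOD_HOSTS:
                report(f"script loaded from unexpected host {host!r}")
        # 3. Obfuscation primitives inside the value
        match = OBFUSCATION_RE.search(value)
        if match:
            report(f"obfuscation primitive {match.group(1)}( present")
    return findings


if __name__ == "__main__":
    for finding in scan_settings(SAMPLE_ROWS):
        print(f"setting_id={finding['setting_id']} key={finding['key']}: {finding['reason']}")
```

On a live shop the rows would come from `SELECT setting_id, store_id, code, \`key\`, value, serialized FROM oc_setting` (the column name `key` needs backticks in MySQL); exporting the table first and scanning the dump keeps the evidence intact for whoever investigates later.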

Post by Johnathan » Wed Apr 25, 2018 1:36 am

If the code was in the database, it could have been either (1) compromised database info (allowing someone to write directly to the database) or (2) it could have been compromised admin info (allowing someone to log into your admin panel and change settings) or (3) it could have been compromised FTP info (allowing them to do pretty much anything). Changing all the passwords on those accounts is a good first step, to ensure that no one else can gain access.

Figuring out how it happened may be next to impossible without any access logs. Given that the code was in the database and not injected directly into a file, I would suspect compromised database or admin panel info, but it could still have been FTP info as well.

If you notice it happening again after this, then someone probably installed a backdoor to your website, or you're on a shared server that is being compromised through someone else's account. For the first problem you'd need to do a server scan (which some hosts will do) and for the second you'd want to make sure you move to a VPS. Shared servers are not great for ecommerce.

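For the "server scan" this reply recommends when the injection comes back, the simplest defensive control is a file-integrity baseline of the web root: hash every file from a clean copy, then diff against the live tree to surface dropped or altered files. The following is an added example (not code from the thread or from OpenCart); it builds a toy web root in a temporary directory as constructed input, and in practice the baseline would be taken from a pristine release archive or right after a clean reinstall.

```python
"""SHA-256 file-integrity baseline and diff for a web root (added example)."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a toy web root, then simulate one altered
    file and one newly dropped file, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "catalog"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'shop'; ?>\n")
        with open(os.path.join(root, "catalog", "view.php"), "w") as f:
            f.write("<?php echo 'view'; ?>\n")
        baseline = build_manifest(root)

        # Simulated changes after the baseline was taken (constructed)
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// appended line\n")
        with open(os.path.join(root, "catalog", "new_file.php"), "w") as f:
            f.write("<?php /* constructed new file */ ?>\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        for path in result[kind]:
            print(f"{kind}: {path}")
```

Store the baseline manifest somewhere the web server account cannot write (otherwise whoever altered the files can alter the baseline too), and treat every entry under "added" or "modified" that you did not deploy yourself as something to examine before the next scheduled run.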


Post by rhorne » Wed Apr 25, 2018 3:59 am

We are already supposed to be on a VPS so I'm thinking more likely to be the former than the latter. :)
