The story: about a week ago, someone contacted my customer by WhatsApp and told him that he had security problems in the website, asking for $200 to repair the vulnerabilities; otherwise, he would damage the store. Then he sent several screenshots showing my customer's store admin panel, orders, users, etc.
My customer tried to get more info about the security problems, but the only thing the hacker said was that he was using the Hydra hacking tool (https://www.concise-courses.com/security/what-is-hydra/).
We contacted the host and immediately changed all passwords and usernames (store's, FTP's, control panel, database), and implemented other security measures like password-protecting the admin folder and blocking IPs by .htaccess.
However, the hacker still has access to the database; he recently set all product prices to 0, for example.
So the question now is: is OpenCart somehow vulnerable to Hydra brute-force password cracking, and how and where is the hacker using that tool? Or is it possible we have a problem with the custom template, extensions, etc.?
Website is here: http://www.floresdealtura.com/
Best Regards,
Marvin M
There should be a log for MySQL, or enable it in etc/my.cnf.
Now you can see when/how/what. Maybe he got root access somehow?
Also, I would bind SQL access to only localhost and rule out a remote user.
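The two measures in the reply above (log every statement, and stop the server from accepting remote TCP connections) both live in the `[mysqld]` section of my.cnf. The fragment below is an added example, not from the thread or from OpenCart; the log path and the assumption that the shop's PHP runs on the same box as MySQL are mine, and on shared hosting you cannot edit this file yourself and have to ask the host to do it.

```ini
# Added example: [mysqld] settings for /etc/my.cnf (or a drop-in under
# /etc/mysql/conf.d/). Paths are assumptions; restart mysqld after changing them.
[mysqld]
# Listen on the loopback interface only. Remote clients can then only reach the
# database through something running on the server itself (PHP, SSH tunnel).
bind-address = 127.0.0.1
# Stricter alternative: no TCP listener at all, Unix socket only.
# skip-networking

# General query log: every connection and every statement, tagged with the
# user@host that issued it. It grows fast, so enable it only while investigating.
general_log = 1
general_log_file = /var/log/mysql/general.log
log_output = FILE
```

With the log on, a price reset shows up as an `UPDATE ... oc_product SET price = 0` line preceded by a `Connect user@host` line; if that host is anything other than localhost, the attacker has a direct database path and the matching account should be dropped. To list which accounts are allowed in from remote hosts at all, run `SELECT user, host FROM mysql.user WHERE host <> 'localhost';` in phpMyAdmin; every row there should be one you can explain.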
We think we have been able to track the hacker, and we think this is the guy: https://www.facebook.com/ogunsanmi.akinwumi
From Nigeria, and if you Google him, you'll find several hack-related posts: https://www.google.com/search?q=ogunsan ... umi+hacker
We've blocked his IP, but I guess now he's using a VPS or a proxy, so he is still getting access.
The other thing: Arvixe support until now has been terrible; they have just provided generic copy-and-paste information.
Regards,
Marvin M
---
According to what I have been reading, he's not a newbie but earns his 'bread' on such things, and from what I found by checking on 'hot' mods, usually paid ones, it obviously seems to be a hobby of some to even add strange stuff into harmless-looking OpenCart add-ons, paid ones, offered for free!!!
---
Therefore, the only way to find out would be to download your entire website to a local PC and compare its entire content with the existing original, placed on the PC.
It's going to be some work,
and even more work if, possibly, no (updated) full software backup exists.
But this would only be a problem for those not operating on a professional level, I assume...
Good Luck
Ernie
hitline.info/shop/
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
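The comparison Ernie describes (pristine release on one side, downloaded live site on the other) is mechanical once both trees are on disk. The script below is an added example, not from the thread or from OpenCart: it lists files that exist only in the live copy, only in the release, or that differ byte for byte. The set of runtime directories it skips (`image`, `download`, `system/cache`, `system/logs`) is my assumption for a 1.5.x install; a `.php` file inside one of those directories is never expected, so those are still reported.

```bash
#!/usr/bin/env bash
# Added example (not code from the thread): compare a downloaded copy of the
# live shop against a pristine OpenCart release of the same version, unpacked
# locally, and report files that were added, removed or modified.
# Assumptions: both trees are local directories; paths are relative to each root.
set -u

# Directories OpenCart itself writes to at runtime. Ordinary files there are
# expected to differ, but a .php file inside them is still reported because
# upload and cache directories are a common place for dropped web shells.
RUNTIME_DIRS='(^|/)(image|download|system/cache|system/logs)(/|$)'

# Print the relative paths of regular files under $1, sorted, minus runtime data.
list_files() {
    ( cd "$1" && find . -type f | sed 's#^\./##' \
        | awk -v re="$RUNTIME_DIRS" '$0 !~ re || $0 ~ /\.php$/' \
        | LC_ALL=C sort )
}

# usage: compare_trees PRISTINE_DIR LIVE_DIR
# Output lines: "ADDED <path>", "MISSING <path>", "MODIFIED <path>".
compare_trees() {
    local pristine=$1 live=$2 tmp_p tmp_l
    tmp_p=$(mktemp) && tmp_l=$(mktemp) || return 1
    list_files "$pristine" > "$tmp_p"
    list_files "$live"     > "$tmp_l"
    # Only in the live copy: extensions, templates, or attacker-dropped files.
    LC_ALL=C comm -13 "$tmp_p" "$tmp_l" | sed 's/^/ADDED    /'
    # Only in the pristine release: deleted or renamed on the server.
    LC_ALL=C comm -23 "$tmp_p" "$tmp_l" | sed 's/^/MISSING  /'
    # Present in both: byte-for-byte comparison.
    LC_ALL=C comm -12 "$tmp_p" "$tmp_l" | while IFS= read -r f; do
        cmp -s "$pristine/$f" "$live/$f" || printf 'MODIFIED %s\n' "$f"
    done
    rm -f "$tmp_p" "$tmp_l"
}

# Example invocation (both paths are placeholders):
# compare_trees ~/opencart-1.5.6.4/upload ~/site-download
```

Read the MODIFIED list first, starting with `index.php`, `admin/index.php`, `system/startup.php` and the controller files, since a backdoor that survives a password change is usually a few lines spliced into a file that every request loads; ADDED `.php` files with odd names or under `image/` are the other usual finding. Anything that turns up should be compared against the same file in the oldest backup you have, which also answers the question of when it got there.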
This is also expected, as you did block IP addresses but he still has access.
Do a reverse WHOIS on the server IP and see which sites are on the same server; contact the owners and ask if they have the same problem.
If so, your host is compromised, and they should solve the matter.
If I were facing these problems, I would have moved my site the day before yesterday.
Refrigeration door gaskets, easily ordered online and made to measure.
All non-plug-in parts such as hinges, locks, edge heating and lighting for all types of coolers and freezers.
https://koelcel-onderdelen.com
Arvixe finally escalated the issue to a senior support agent; however, the support is still not efficient. It's been more than 4 hours since their last reply... their chat support is useless.
The site is running OC 1.5.6.4; would it be a good idea to upgrade to the latest OC version? Is there any easy way to do that (upgrade script)?
Regards,
Marvin M
dmsims wrote:
Rather than trying to block IP addresses, why not just allow yours?

...and so deny any other?
Ernie
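The allowlist dmsims and Ernie are talking about fits in the `.htaccess` of the admin directory (whatever it was renamed to). The fragment below is an added example, not from the thread or from OpenCart; the two addresses are placeholders from the documentation ranges and stand for the shop owner's office or VPN address. It covers both Apache 2.2, which most shared hosts of that era still ran, and 2.4.

```apache
# Added example: .htaccess for the OpenCart admin directory. Only the listed
# addresses may reach it; everyone else gets 403. 203.0.113.10 and
# 198.51.100.0/24 are placeholders; replace them with your real addresses.

# Apache 2.4 and later: several Require lines at this level are OR'ed.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>

# Apache 2.2: deny by default, then allow the known addresses.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

Two caveats before relying on it. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address for every visitor and the allowlist either blocks everyone or no one; and a home connection with a changing address will lock the owner out, so keep the HTTP password on the folder as well rather than replacing it. The rule also only protects the admin URL: it does nothing for an attacker who already has database credentials or a file planted elsewhere in the site, which is why the price reset in this thread kept happening after the IP blocks went in.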
When on shared hosting, there is nothing you can do to keep a hacker out of your sites.
The hoster is responsible for taking care of that.
Thanks for all your replies.
Marvin M
Go to your DB in phpMyAdmin, check the MySQL users table, delete all of them and create a new user there using the MD5 password syntax.
Finally, NEVER, but not least... NEVER use free modules from unknown devs for a live store, or give them access to your FTP, and even less if you have a VPS.
Hope this helps; there are tons of good articles on TemplateMonster on how to do all of this (if you didn't know this already).
Have a good one!
We think it was added by the hacker, so the scary thing is that this earlier backup already had it.
Regards,
Marvin M
The problem remains of how he got there in the first place, by use of a just 'lightly' filtered JavaScript line!?
Ernie
I would just like to make sure you are not having any more issues with your site.
Regards,
Noah
Arvixe Representative