Post by marvmen21 » Sun Jul 26, 2015 11:17 am

Hi everyone, I am helping a customer find out how to prevent a hacker from accessing his website database. We're working together with the arvixe guys, but we haven't been able to find out how the hacker continues to get access to the database.
The story: about a week ago, someone contacted my customer by whatsapp, and told him that he had security problems in the website, and asked for $200 bucks to repair the vulnerabilities, or otherwise he would damage the store. Then he sent several screenshots showing my customer's store admin panel, orders, users, etc.
My customer tried to get more info about the security problems, but the only thing the hacker said was that he was using the hydra hacking tool (https://www.concise-courses.com/security/what-is-hydra/)

We contacted the host, and immediately changed all passwords and usernames (store's, ftp's, control panel, database), and implemented other security measures like password protecting the admin folder, and blocking IPs by .htaccess.
However, the hacker still has access to the database, he recently set all products prices to 0, for example.

So the question now is: is opencart somehow vulnerable to hydra brute force password cracking, and if so, how and where is the hacker using that tool? Or is it possible we have a problem with the custom template, extensions, etc.?

Website is here: http://www.floresdealtura.com/

Best Regards,

Marvin M

Post by artcore » Sun Jul 26, 2015 3:26 pm

Amazing story!

There should be a log for MySQL or enable it in etc/my.cnf
Now you can see when/how/what. Maybe he got root access somehow?
Also I would bind sql access to only the localhost and rule out a remote user.

Attn: I no longer provide OpenCart extensions, nor future support - this includes forum posts.
Reason: OpenCart version 3+ ;D

Thanks!
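Following artcore's suggestion to enable the MySQL log and check who is connecting, here is an added example (not code from the thread) that parses MySQL's general query log, flags connections from hosts other than localhost, the data-changing queries those sessions run, and failed logins. The log lines, user names, database name and IP addresses are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of a MySQL general query log (enabled with general_log=1
# in my.cnf); it is not a log from the thread. Binding MySQL to localhost
# (bind-address=127.0.0.1) would have refused the second connection outright.
SAMPLE_LOG = """\
150727  2:07:11\t    7 Connect\tstore_user@localhost on floresdb
\t\t    7 Query\tSELECT * FROM oc_product WHERE product_id = 42
\t\t    7 Quit\t
150727  2:09:30\t    8 Connect\tstore_user@203.0.113.77 on floresdb
\t\t    8 Query\tUPDATE oc_product SET price = 0
\t\t    8 Quit\t
150727  2:10:02\t    9 Connect\tAccess denied for user 'root'@'198.51.100.9' (using password: YES)
"""

# <timestamp>? <thread id> <command> <argument>; the timestamp is only printed
# when it changes, so it is carried over from the previous line.
LINE_RE = re.compile(r"^(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(\d+)\s+(\w+)\t?(.*)$")
CONNECT_RE = re.compile(r"^(\S+)@(\S+) on (\S+)")
WRITE_RE = re.compile(r"^\s*(UPDATE|DELETE|INSERT|REPLACE|ALTER|DROP|TRUNCATE)\b", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

Finding = namedtuple("Finding", "when thread kind detail")

def audit_general_log(text):
    """Flag remote connections, the data-changing queries they run, and failed logins."""
    findings, remote, last_ts = [], {}, None   # remote: thread id -> user@host
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, cmd, arg = m.groups()
        last_ts = ts or last_ts
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c is None:                        # "Access denied for user ..."
                findings.append(Finding(last_ts, thread, "failed_login", arg.strip()))
            elif c.group(2) not in LOCAL_HOSTS:
                remote[thread] = f"{c.group(1)}@{c.group(2)}"
                findings.append(Finding(last_ts, thread, "remote_connect", remote[thread]))
        elif cmd == "Query" and thread in remote and WRITE_RE.match(arg):
            findings.append(Finding(last_ts, thread, "remote_write", arg.strip()))
        elif cmd == "Quit":
            remote.pop(thread, None)
    return findings

if __name__ == "__main__":
    for f in audit_general_log(SAMPLE_LOG):
        print(f)
```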



Post by marvmen21 » Mon Jul 27, 2015 2:07 am

Thanks for your reply. We're really frustrated. We've changed all passwords and usernames, and the hacker is still accessing the database somehow. Today, he sent screenshots of the config info!, so this sounds to me like arvixe has got a hole somewhere allowing the hacker to access cPanel no matter how many times we change passwords and users.
We think we been able to track the hacker, and we think this is the guy: https://www.facebook.com/ogunsanmi.akinwumi
From Nigeria, and if you google him, you'll find several hack related posts https://www.google.com/search?q=ogunsan ... umi+hacker

We've blocked his ip, but I guess now he's using a vps or a proxy, so he is still getting access.
The other thing.... arvixe support until now has been terrible, they have just provided generic copy and paste information.

Regards,
Marvin M


Post by IP_CAM » Mon Jul 27, 2015 5:08 am

Regardless of what the Hacker may have told you, if he ever had access to your Admin Section, he probably made sure, to keep it. If so, you have no chance, to ever stop it, one single File, or just File-Content, hidden someplace, free downloadable from the OC Extension Board, will allow anyone, to access your Site, as ADMIN, regardless of your Password-Settings, you should know that...
---
According to what I have been reading, he's not a Newbie, but earns his 'bread' on such, and from what I FOUND, by 'finding/checking' on 'HOT' Mod's, usually paid One's, it obviously seems to be a hobby, of some, to even ADD strange Stuff into 'harmless' looking Opencart Add-On's, paid One's, offered for FREE!!! :D
---
Therefore, the only way, to find out, would be, to entirely download your Website, to a local PC, and compare its entire content with the existing ORIGINAL, placed on the PC.

It's gonna be some work :'(
and even more Work, if, possibly, no (updated) FULL Software backup exists. :-\
But this would only be a problem for those, not operating on a professional Level, I assume... ;)

Good Luck
Ernie
hitline.info/shop/

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by victorj » Mon Jul 27, 2015 5:49 am

If even after changing passwords on cpanel a hacker still has access, he probably has access on a higher level like whm from where you can go to all accounts, or ssh access where they can access the entire server.
This is also expected, as you did block IP addresses, but he still has access.

Do a reverse whois on the server IP and see which sites are on the same server, contact the owners and ask if they have the same problem.

if so your host is compromised, and they should solve the matter.

If i would face these problems, i would have moved my site day before yesterday

Order cold-room door gaskets easily online, made to measure.
All parts not requiring STEK certification, such as hinges, locks, edge heating and lighting for all types of coolers and freezers.
https://koelcel-onderdelen.com



Post by marvmen21 » Mon Jul 27, 2015 11:24 am

Thanks all for your replies. Yeah, I'll run a file compare tool with my local backup, haven't done that yet ::) (I should've done that first ;D )
Arvixe finally escalated the issue to a senior support agent, however, the support is still not efficient, it's been more than 4 hours since their last reply... their chat support is useless

The site is running oc 1.5.6.4, would it be a good idea to upgrade to the latest oc version? Is there any easy way to do that (upgrade script)?

Regards,

Marvin M


Post by artcore » Mon Jul 27, 2015 2:26 pm

The boat has a giant hole, a new sail won't do any good!


Post by dmsims » Mon Jul 27, 2015 11:30 pm

Rather than trying to Block Ip addresses why not just allow yours?


Post by IP_CAM » Tue Jul 28, 2015 12:37 am

dmsims wrote:Rather than trying to Block Ip addresses why not just allow yours?
and so deny any other? ???
Ernie


Post by dmsims » Tue Jul 28, 2015 4:58 am

IP_CAM wrote:
dmsims wrote:Rather than trying to Block Ip addresses why not just allow yours?
and so deny any other? ???
Ernie
Just for the admin :)


Post by victorj » Tue Jul 28, 2015 5:05 am

As explained by the original poster, the hack had been on a higher server level.
When on shared hosting there is nothing you can do to disallow a hacker from your sites.

The hoster is responsible to take care of that.


Post by marvmen21 » Tue Jul 28, 2015 11:17 am

Yeah, that's what I think, the hacker must have got access on a higher level. After restoring everything from an older backup, we haven't received any new attack, however, we will probably move to a new host anyways. Arvixe proved to be inefficient, and really slow.

Thanks for all your replies.
Marvin M


Post by haxcop » Wed Jul 29, 2015 2:12 pm

Following the simple security steps from the beginning this would never happen to you my friend... anyhow tell them to restore your store completely from the earliest point where you know it was fine... then do the local comparison and please do the .htaccess on admin, catalog, system, and the .htpasswd to admin; also rename admin from the beginning before doing all of this. Then use the path replaces on vqmod (if you use it) and add the renamed folder and theme you use...
Go to your db phpmyadmin and check the mysql users table and delete all of them and create a new user there using a password syntax MD5.
Finally NEVER BUT NOT LAST... NEVER! use for a live store free modules from unknown dev's or give them access to your ftp, and even less if you have a vps.
Hope this helps, there's tons of good articles on templatemonster on how to do all of this (if you didn't know this already).
Have a good one!.


Post by marvmen21 » Thu Jul 30, 2015 8:09 am

Hi everyone! The store was restored from an earlier backup, and secured with all possible options ;D and it seems that the hacker doesn't have access anymore. However, there's something we noticed in one of the products' name and meta tag when checking it directly in the database: there's a script inserted with a url. Upon checking other products, it looks like only two products had it. See attached screenshot:
Image

We think it was added by the hacker, so the scary thing is that this earlier backup already had it.

Regards,

Marvin M


Post by IP_CAM » Thu Jul 30, 2015 8:46 am

so, at least, you know what to check for, when going through your DB, by use of Notepad++ ;D
The Problem remains, on how he got there, by use of a just 'lightly' filtered 'Jscript'-line, in the first place!?
Ernie

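marvmen21 found a script tag with a url inserted into a product name and meta tag, and Ernie suggests going through the DB dump for more of the same. As an added example (not code from the thread), this scans a mysqldump of OpenCart's product description table for active markup in any column, instead of eyeballing it in an editor. The dump excerpt, product names and the injected tags are constructed; the table and column names match OpenCart 1.5's schema.

```python
import re

# Constructed excerpt of a mysqldump of OpenCart's oc_product_description
# table; the two injected tags are made-up examples, not the poster's data.
SAMPLE_DUMP = r"""
INSERT INTO `oc_product_description` (`product_id`, `language_id`, `name`, `description`, `meta_description`) VALUES
(28,1,'Rosas rojas','<p>Docena de rosas</p>','Rosas rojas a domicilio'),
(30,1,'Lirios <script src=\"http://example.invalid/x.js\"></script>','<p>Lirios</p>','Lirios'),
(31,1,'Tulipanes','<p>Tulipanes</p>','<meta http-equiv=\"refresh\" content=\"0;url=http://example.invalid\">');
"""

# One SQL literal: NULL, a number, or a single-quoted string with backslash escapes.
LIT = r"(?:NULL|-?\d+(?:\.\d+)?|'(?:[^'\\]|\\.)*')"
LIT_RE = re.compile(LIT)
ROW_RE = re.compile(r"\((" + LIT + r"(?:\s*,\s*" + LIT + r")*)\)")
INSERT_RE = re.compile(r"INSERT INTO `(\w+)` \(([^)]*)\) VALUES")
# description legitimately holds HTML, so look for active content, not any tag.
SUSPICIOUS = re.compile(r"<\s*(script|iframe|meta|object|embed)\b|javascript:|\bon\w+\s*=", re.I)
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}

def unquote(lit):
    """Turn a SQL literal into the stored string (numbers stay as text)."""
    if not lit.startswith("'"):
        return lit
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), lit[1:-1])

def scan_dump(sql, tables=("oc_product_description",), keys=("product_id", "language_id")):
    """Return every column value in the named tables that looks like injected markup."""
    hits, heads = [], list(INSERT_RE.finditer(sql))
    for idx, head in enumerate(heads):
        table = head.group(1)
        if table not in tables:
            continue
        names = [c.strip("` ") for c in head.group(2).split(",")]
        end = heads[idx + 1].start() if idx + 1 < len(heads) else len(sql)
        for row in ROW_RE.findall(sql[head.end():end]):
            fields = dict(zip(names, (unquote(l) for l in LIT_RE.findall(row))))
            for col, val in fields.items():
                m = SUSPICIOUS.search(val)
                if m:
                    hits.append({"table": table, "column": col, "match": m.group(0),
                                 "key": {k: fields[k] for k in keys if k in fields}})
    return hits

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP):
        print(h)
```

Run it over the full dump with more tables in `tables` (category, information and option descriptions are edited through the same admin forms) and compare the hits against the older backup to see how far back the tampering goes.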

Post by noahatarvixe » Fri Jul 31, 2015 4:13 am

Hi marvmen21,

I would just like to make sure you are not having anymore issues with your site.

Regards,

Noah
Arvixe Representative

T: 1-888-278-4939
F: 805-293-8885

Arvixe, LLC - http://www.arvixe.com
Freedom of the web at your fingertips.


Newbie

Posts

Joined
Wed Apr 06, 2011 11:40 pm

Who is online

Users browsing this forum: No registered users and 186 guests