Post by butte » Sun Dec 01, 2013 12:07 pm

Add attack finding its way to catalog/controller/product/product.php on Linux in http://forum.opencart.com/viewtopic.php ... 62#p458962 . . . more than 18 months after 2012 April http://www.waraxe.us/content-84.html concerning Windows.


Post by Calcite » Sun Dec 01, 2013 7:17 pm

This one was attempted today using (I assume) a spoofed IP address 65.55.215.73 (Bingbot)
http://www.mysite.com/upload/7d98201587 ... 3fad6e.jpg

I assume this is the same sort of attack?


Post by butte » Sun Dec 01, 2013 11:51 pm

Yes, probably as a text file masquerading as .jpg instead (7d98201587a55a3e9f5bb6b50d3fad6e.jpg), even if the initial block of content is remnant graphical gibberish intended to trick the operating system, followed by what was meant to be executable text ending with the nominally invisible end-of-file mark. The link is now going 404; maybe you already deleted it.

Just delete that and what will often be another three files with it; those work together to shift extensions and fire .php, and may be impotent or potent. Any *jpg* and any route* file should be deleted. Use MarketInSG's free vqmod posted above to secure the directory; it works v. well.

You can also upload a zero-byte (hollow) index.html in order to insert the default first-tried index that will prevent seeing directory content if .htaccess is gutted. You can check zero-byte index.html files by eye -- at zero they are still hollow; the ones that are 44 bytes require looking inside them to see that the correct 44 bytes are there, and that takes time to review.

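The triage butte describes above (a .jpg that is really text, the route* companion files, and index.html placeholders that need checking) can be scripted rather than done by eye. The script below is an added example, not code from the thread or from OpenCart. It assumes a POSIX shell with `find`, `od` and `cmp`, a hypothetical `DOWNLOAD_DIR` pointing at the store's download folder, and an optional hypothetical `REFERENCE_INDEX` holding a trusted copy of the placeholder index.html to compare against; the dropper file names it matches are taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread or OpenCart): triage a download/ directory
# for the dropped files discussed above. Assumes POSIX sh, find, od and cmp.
# DOWNLOAD_DIR and REFERENCE_INDEX are hypothetical names for this example.

DOWNLOAD_DIR="${DOWNLOAD_DIR:-./download}"
REFERENCE_INDEX="${REFERENCE_INDEX:-}"

# First three bytes of a file as uppercase hex; a real JPEG starts FFD8FF (SOI marker).
magic3() {
    od -A n -t x1 -N 3 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# 0 when the name says .jpg/.jpeg but the content does not start with the JPEG
# marker: the "text masquerading as .jpg" case. Non-jpg names return 1.
is_fake_jpg() {
    case "$1" in
        *.jpg|*.jpeg|*.JPG|*.JPEG) ;;
        *) return 1 ;;
    esac
    [ "$(magic3 "$1")" != "FFD8FF" ]
}

# 0 when an index.html is neither empty (the hollow placeholder) nor identical
# to the trusted reference copy, so it needs to be opened and reviewed.
index_is_suspect() {
    f="$1"; ref="$2"
    if [ ! -s "$f" ]; then return 1; fi
    if [ -n "$ref" ] && cmp -s "$f" "$ref"; then return 1; fi
    return 0
}

# Walk DIR; print one finding per line as "<reason><TAB><path>".
# Name patterns come from the files reported in this thread (route.php3.txt*,
# product.shtml.jpg.*); content check catches the fake .jpg regardless of name.
scan_download_dir() {
    dir="$1"; ref="${2:-}"
    find "$dir" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        case "$base" in
            route*|*.php*|*.shtml*)
                printf 'dropper-name\t%s\n' "$f"; continue ;;
        esac
        if is_fake_jpg "$f"; then
            printf 'fake-jpeg\t%s\n' "$f"; continue
        fi
        if [ "$base" = "index.html" ] && index_is_suspect "$f" "$ref"; then
            printf 'index-modified\t%s\n' "$f"
        fi
    done
}

# Run against the configured directory when it exists; review the list, then delete.
if [ -d "$DOWNLOAD_DIR" ]; then
    scan_download_dir "$DOWNLOAD_DIR" "$REFERENCE_INDEX"
fi
```

Findings are printed, not deleted: a legitimate downloadable product can have almost any name, so the list should be read before anything is removed. A `.jpg` that fails the marker check is the one category that is safe to treat as hostile on sight.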

Post by feelie75 » Tue Mar 11, 2014 2:14 am

I just discovered all of those route.php3.txt* files and aaaaaa.jpg and product.shtml.jpg.* files in my download directory and found this thread.

I'm using OpenCart 1.5.5. They were not executable. I just went into my Admin Settings for my site and added a 'z' in front of all the allowed upload extensions (so in case I do want uploads someday I can revert the change easily).

Thanks for the thread guys! Glad to know it was just an attempt but no harm done.


Post by butte » Wed Mar 19, 2014 9:10 pm

feelie75, go ahead and set normal allowed file extensions and mime types, use instead MarketInSG's file explained and downloadable above at http://forum.opencart.com/viewtopic.php ... 20#p403255 . . . it protects /download/ from external uploading.


Post by i2Paq » Sat Apr 04, 2015 2:07 am

Just found out I had 2 sites with these type of files in the download.

Running 1.5.5.1 and 1.5.6.

Encryption keys were long and difficult.

Protected my download now with a .htaccess.

What do they gain from having those files there?

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by rph » Sat Apr 04, 2015 3:06 am

What generally happens is an attacker will use a script to search for OpenCart stores and try a known exploit. In this case you aren't actually vulnerable to it but it does still leave a file on your site.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by i2Paq » Sat Apr 04, 2015 4:41 am

rph wrote:What generally happens is an attacker will use a script to search for OpenCart stores and try a known exploit. In this case you aren't actually vulnerable to it but it does still leave a file on your site.
OK, I see.

I removed the files, secured the folder with an .htaccess that will not allow any files there and on the sites running vqmod I also used the .xml found in this topic.

I will watch my sites the next few weeks.

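For the ".htaccess that will not allow any files there" i2Paq mentions, the fragment below is an added example of what such a file can look like; it is not the file from this thread or anything shipped by OpenCart. It assumes Apache httpd 2.4 with `AllowOverride All` for the store's directory tree, and that the store hands downloads out through its own PHP code rather than by direct links into download/ (if direct links are in use, the blanket `Require all denied` must go, and only the second section applies).

```apache
# download/.htaccess  (added example, not OpenCart's own file)
# Assumes Apache 2.4 and AllowOverride All for this directory.

# Nothing in this directory is meant to be fetched directly by a browser.
Require all denied

# Kept in case the blanket deny above is ever relaxed:
# no directory listing even if index.html is missing ...
Options -Indexes

# ... and no access to anything with a script extension anywhere in its name.
# The pattern is deliberately not anchored at the end, so double-extension
# droppers such as route.php3.txt or product.shtml.jpg.1 are caught too.
<FilesMatch "\.(php[0-9]?|phtml|shtml|pl|cgi)">
    Require all denied
</FilesMatch>
```

On Apache 2.2 the 2.4 `Require all denied` lines become `Order deny,allow` followed by `Deny from all`. A denied file is still on disk and still a sign that the upload path was reachable, so the .htaccess is a backstop for the cleanup and the vqmod fix discussed above, not a replacement for them.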