Add attack finding its way to catalog/controller/product/product.php on Linux in http://forum.opencart.com/viewtopic.php ... 62#p458962 . . . more than 18 months after 2012 April http://www.waraxe.us/content-84.html concerning Windows.
This one was attempted today using (I assume) a spoofed IP address 65.55.215.73 (Bingbot)
http://www.mysite.com/upload/7d98201587 ... 3fad6e.jpg
I assume this is the same sort of attack?
Yes, probably as a text file masquerading as .jpg instead (7d98201587a55a3e9f5bb6b50d3fad6e.jpg) even if the initial block of content is remnant graphical gibberish intended to trick the operating system, followed by what was meant to be executable text ending with the nominally invisible end of file mark. The link is now going 404, maybe you already deleted it. Just delete that and what will often be another three files with it, those work together to shift extensions and fire .php, and may be impotent or potent. Any *jpg* and any route* file should be deleted. Use MarketInSG's free vqmod posted above to secure the directory, works v. well. You can also upload a zero-byte (hollow) index.html in order to insert the default first-tried index that will prevent seeing directory content if .htaccess is gutted. You can check zero-byte index.html files by eye -- at zero they are still hollow; the ones that are 44 bytes require looking inside them to see that the correct 44 bytes are there, and that takes time to review.
I just discovered all of those route.php3.txt* files and aaaaaa.jpg and product.shtml.jpg.* files in my download directory and found this thread.
I'm using OpenCart 1.5.5. They were not executable. I just went into my Admin Settings for my site and added a 'z' in front of all the allowed upload extensions (so in case I do want uploads someday I can revert the change easily).
Thanks for the thread guys! Glad to know it was just an attempt but no harm done.
feelie75, go ahead and set normal allowed file extensions and mime types, use instead MarketInSG's file explained and downloadable above at http://forum.opencart.com/viewtopic.php ... 20#p403255 . . . it protects /download/ from external uploading.
Just found out I had 2 sites with these types of files in the download.
Running 1.5.5.1 and 1.5.6.
Encryption keys were long and difficult.
Protected my download now with a .htaccess.
What do they gain from having those files there?
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
What generally happens is an attacker will use a script to search for OpenCart stores and try a known exploit. In this case you aren't actually vulnerable to it but it does still leave a file on your site.
-Ryan
rph wrote: What generally happens is an attacker will use a script to search for OpenCart stores and try a known exploit. In this case you aren't actually vulnerable to it but it does still leave a file on your site.
OK, I see.
I removed the files, secured the folder with an .htaccess that will not allow any files there and on the sites running vqmod I also used the .xml found in this topic.
I will watch my sites the next few weeks.
Norman in 't Veldt
Moderator OpenCart Forums
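An added example, not part of the thread or any poster's code: a Python audit of a download directory for the file shapes described above (route.php3.txt*, product.shtml.jpg.*, text posing as .jpg, a non-empty index.html). The function names, the `<?php` marker heuristic and the sample files are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# File-name shapes reported in the thread: route.php3.txt*, product.shtml.jpg.*
SCRIPT_NAME = re.compile(r"^route\.|\.(php\d?|phtml|shtml)(\.|$)", re.I)
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
               "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def audit_file(path):
    """Return the reasons one file in the download directory needs review."""
    path = Path(path)
    name, data = path.name.lower(), path.read_bytes()
    if name == "index.html":
        # Zero bytes is verifiable at a glance; any content has to be read.
        return ["index.html is %d bytes, inspect it" % len(data)] if data else []
    reasons = []
    if SCRIPT_NAME.search(name):
        reasons.append("script-style name")
    # Stored names can carry a suffix after the extension, so test every part.
    magic = next((IMAGE_MAGIC[p] for p in name.split(".")[1:] if p in IMAGE_MAGIC), None)
    if magic and not data.startswith(magic):
        reasons.append("image extension without image header")
    if b"<?php" in data.lower():  # heuristic: script text after image bytes
        reasons.append("contains PHP open tag")
    return reasons

def audit_dir(root):
    """Map relative path -> reasons for every flagged file under root."""
    hits = ((p, audit_file(p)) for p in Path(root).rglob("*") if p.is_file())
    return {str(p.relative_to(root)): r for p, r in hits if r}

def demo():
    """Audit a constructed sample directory (placeholder content only)."""
    samples = {
        "route.php3.txt.1": b"constructed placeholder text",
        "aaaaaa.jpg": b"\xff\xd8\xff\xe0 filler <?php /* placeholder */ ?>",
        "product.shtml.jpg.9f": b"plain text posing as a picture",
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed benign image bytes",
        "index.html": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for fname, content in samples.items():
            Path(root, fname).write_bytes(content)
        return audit_dir(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Point `audit_dir` at the store's own download or upload directory to get the same report; a flagged file is a candidate for manual review, not proof of compromise.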