Post by daveydave » Mon Nov 19, 2018 6:20 pm

I found a site of mine had the modified version of the hacked authorize.net payment plugin as well as the replacement login.php and payments.php page in the admin folder.

I was able to correct the problem by finding the date files were modified and replacing them from a backup.

How was the hacker able to get in? How can I patch this up? I remember deleting the uploads folder on 1.5.6 to sort this but can't think how the hacker is getting in on version 3.0.2.0


Post by ADD Creative » Mon Nov 19, 2018 10:29 pm

You could check for FTP access logs from around the time the files were added / changed. You may have to ask your host for them. You could also check your web access logs for anything that looks suspicious.

Also check for things like suspicious files in the storage/upload directory (which shouldn't be publicly accessible), admin accounts you didn't add, FTP accounts that aren't used anymore that may have weak passwords, etc.

Of course, if you haven't already, change all your passwords.

www.add-creative.co.uk
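
One way to carry out the file checks discussed above (an added example, not code from the forum posters or from OpenCart): compare the live tree with a known-clean backup by content hash instead of modification date, since dates can be reset, and flag scripts sitting in the upload directory. The directory names, extension list and sample files are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumptions: upload locations and script extensions to flag; adjust to the install.
UPLOAD_DIRS = ("storage/upload/", "system/storage/upload/")
SCRIPT_EXTS = (".php", ".phtml", ".phar")

def tree_hashes(root):
    """Map each file path (relative to root, '/' separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:  # shop source files are small enough to read whole
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def audit(live_root, backup_root):
    """Report files that differ from, are absent from, or are missing versus the backup."""
    live, clean = tree_hashes(live_root), tree_hashes(backup_root)
    in_upload = [p for p in live if p.startswith(UPLOAD_DIRS)]
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
        "scripts_in_upload": sorted(p for p in in_upload if p.lower().endswith(SCRIPT_EXTS)),
    }

def build_demo(base):
    """Constructed sample trees: a clean backup and a tampered live copy."""
    trees = {
        "backup": {"admin/login.php": b"<?php // original", "index.php": b"<?php // shop"},
        "live": {"admin/login.php": b"<?php // changed", "index.php": b"<?php // shop",
                 "admin/payments.php": b"<?php // not in backup",
                 "storage/upload/invoice.php": b"<?php // script in uploads"},
    }
    for tree, entries in trees.items():
        for rel, data in entries.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    return os.path.join(base, "live"), os.path.join(base, "backup")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in audit(*build_demo(tmp)).items():
            print(kind, paths)
```

Files reported as "added" include legitimate extensions installed after the backup was taken, so each entry needs reviewing before anything is deleted.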



Post by ADD Creative » Mon Nov 19, 2018 11:19 pm

Some recent posts about the same issue that may be helpful to you.
viewtopic.php?f=202&t=207977
viewtopic.php?f=202&t=208006
viewtopic.php?f=202&t=207894

Was it a clean install of OpenCart 3 or did you upgrade from a previous version? Also what theme are you using?


Post by johnp » Mon Nov 19, 2018 11:49 pm

Try using Crawlprotect. That will block hack attempts and log the IP addresses.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by IP_CAM » Wed Nov 21, 2018 3:30 am

@paulfeakins: Very informative Information! ;)
---
@johnp: -Try using Crawlprotect- would not help much, after someone already
placed some BadCode into a Software, because it automatically reroutes Payments to
other Addresses, after an order has been made, without the need to be 'called' from
somewhere else. ::)

But if one really wants to make sure, better remove all NOT USED payments 'physically'
from OC Software, as well as all 'internal' linkings and 'variables', related to such Code.
But it's not as easy, as it might sound, one should therefore better not try, to achieve such,
if one is not familiar with OpenCart Source, and its way of doing things.

I removed Amazon, Authorizenet, Openbay, eBay, as well as some PP Payment Methods,
especially under the aspect, that some of the fundamental Initialisation is being
done by OC-Default during startup already, and so possibly ALLOWS BadCode to execute,
without the need, to add some startup-routines somewhere in the first place, and where
they could be found as well ... :'(

Who knows ?! I will never understand, how someone can use a Shop Site for anything else
anyway, but getting a free box full of tools does not 'make' a 'certified' Mechanic either...
Technically and security-wise, it's as unprofessional as something can be done. :laugh:
But I am no Coder, so, I just don't know. And on my Test Sites, there is no Wordpress,
and/or other potentially 'dangerous' Code, when it comes to find a hole. And I get
bombarded with that WP Crab Hack Code, on a regular Schedule.

But strictly technically, and from a Swiss Point of View, it makes no sense anyway,
to have bunches of files, placed on a Server, for not one single good reason. It's like
driving around in a Car with a trunk full of empty bottles ... :laugh: :crazy:

And one so never gets to the GTMetrix OC Top Scorers either :D
Ernie
---
OC startup.php Content, the last few lines:

require_once(DIR_SYSTEM . 'library/template.php');
require_once(DIR_SYSTEM . 'library/openbay.php');
require_once(DIR_SYSTEM . 'library/ebay.php');
require_once(DIR_SYSTEM . 'library/amazon.php');
require_once(DIR_SYSTEM . 'library/amazonus.php');

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by johnp » Wed Nov 21, 2018 6:19 pm

I should have said upload clean files before installing Crawlprotect. As always Ernie you have given a great answer. :)
