Post by Khal » Wed Jul 12, 2017 8:06 pm

My website has been hacked. Whenever a link is clicked both on the front end and admin panel, several ad popups open up in another page. I have contacted my hosting and they are not very helpful. They restored my site file to an earlier version (from yesterday), but the issue is still there. Other than that, they cannot offer any assistance. I have been searching frantically on the forum for a solution but cannot find one.

I have checked my site on a malware scanning site and it shows that my site is in fact infected with malware: MW:JS:GEN2?rogueads.unwanted_ads.1

Would someone be willing to debug my website and remove the malware? I would of course be willing to pay. Details can be provided through pm.

Thank you

Active Member

Posts

Joined
Thu May 24, 2012 9:24 pm
Location - Teesside, UK

Post by cyclops12 » Wed Jul 12, 2017 8:22 pm

Why not download a fresh version the same as yours, then compare all your files to the fresh files.
That way you should be able to find which files have been changed by the hacker.

Expert Member

Posts

Joined
Sun Sep 27, 2015 1:10 am

Post by Khal » Wed Jul 12, 2017 8:28 pm

Thank you for the reply. I have also added lots of extensions to my site and I do not want to remove those by mistake. A fresh install will not have these files. Any idea where the hacked files will be for this type of hack? Basically, every time a page is navigated to on the front end, it opens up popup ads.

Post by cyclops12 » Thu Jul 13, 2017 1:43 am

Wouldn't know which files exactly, but I would look in the header files first and see if you can spot any EXTRA scripts.

Post by Khal » Thu Jul 13, 2017 2:12 am

Fortunately my hosting company managed to restore the database to a previous version and now the website seems to be ok. Previously they only restored the files.

I noticed in my control panel that a cron job had been added a few days ago and I think this was the issue. It was affecting the "sessions" folder. I have a sessions folder in my root directory which has code related to the currency. I have been having issues with cache errors related to the currency and switching the currency on the frontend from GBP to USD, so I think this might have something to do with it? Any idea what the sessions folder is for?

Thank you for your help

Post by ADD Creative » Thu Jul 13, 2017 7:07 pm

The session folder should not be publicly accessible as it will leave you open to several attacks. If it is, move it or ask your host to move it.

Make sure you change all your passwords for your hosting, FTP and Opencart.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Khal » Thu Jul 13, 2017 7:49 pm

My hosting company is absolutely useless. My site was restored to an earlier version but when I checked it on Sucuri, the malware was still there. So I figured out the date and time the malicious code was added and asked for a restore to this date. After going back and forth with them for a day, they finally restored my database to this date but not the files. I will probably have to wait another day or so for them to finally restore the files. But now my site seems to be completely taken over with the malware so I have had to take it offline. I don't know what has changed since the previous restore for it to do this.

I asked them regarding the sessions folder and they say it is not their job to clean up files - I will have to do this myself.

I just don't think they understand the issue at all, because it took the best part of a day going back and forth between several agents for them to suggest the site restore.

Yes, I changed all of the passwords. The sessions folder is in the root, so is this publicly accessible?

Post by ADD Creative » Thu Jul 13, 2017 10:10 pm

If it's the root of your account, above or at the same level as your web directory, then it will be fine. If it's under your hosting's web directory (for example /public_html/sessions/) then it should be moved.

Post by Khal » Thu Jul 13, 2017 10:31 pm

It is under the same level as my web directory so I guess it should be fine. Thanks

Post by openhwh » Mon Jul 17, 2017 12:51 pm

So I figured out the date and time the malicious code was added and asked for a restore to this date.

How did you figure it out? Then simply remove the breached code and reinstall the server + all plugins and get the db from a backup. Even if there is some crap in the db - with no code to call it, it can't be activated :)

Chat to talk about new and cool technologies, including OpenCart. GlobalChat


New member

Posts

Joined
Tue Oct 25, 2016 7:11 pm

Post by Khal » Mon Jul 17, 2017 4:43 pm

I also provided a date and time I thought the code was added, the site restore was made and the website was fine for a few hours. But then it became infected again. I seem to have a nasty bit of malware- sucuri.net cleaned it up and it has come back again twice now. It stays clean for a few hours, then it is infected again.

I think sucuri did not remove the initial infection because my site is now protected by their firewall, and they said a breach of their firewall is very unlikely. So this can only mean that the infection was still lurking somewhere on my site and it has again taken over the entire site. I have had to take it offline.
But this does not explain how the site was infected after a clean restore.

According to sucuri, they have cleaned many Opencart sites because the code is very vulnerable to attacks: https://www.exploit-db.com/exploits/39679/

They advised updating the software, but I am reluctant to do this because Opencart 3 is still new and it also might have issues. Also, most of my extensions are not compatible.

I just don't know what to do at this point. I may request another site restore from my hosts.

Post by ADD Creative » Mon Jul 17, 2017 5:53 pm

https://www.exploit-db.com/exploits/39679/ requires that the server does not have JSON installed. You can check this by checking phpinfo() that JSON is enabled. If JSON is enabled then it's not a problem.

One thing you can do is to check the files on your server against a fresh download of your version of OpenCart, to see if any have been added or changed. viewtopic.php?f=135&t=55091 may help you do this.

If you know when the attacks occurred you could look through your web server, FTP and OpenCart log files for anything suspicious.

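Putting the two suggestions in this thread together (compare the live files against a clean download of the same OpenCart version, then go through the web server log around the time of the attack for hits on the files that turned up), here is an added example; it is not code from the thread, from Sucuri or from OpenCart. The file paths, file contents, IP addresses and log lines are all constructed for the demo, and the log parser assumes the Apache/nginx combined log format.

```python
import hashlib, re, tempfile
from datetime import datetime
from pathlib import Path

def tree_hashes(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Added/changed/missing files in the live tree vs the clean download (extension files show as 'added': review them, don't bulk-delete)."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {"added": sorted(set(live) - set(clean)),
            "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
            "missing": sorted(set(clean) - set(live))}

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(log_lines, flagged_paths, start, end):
    """Requests in [start, end] that were POSTs or hit an added/modified file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format: skip rather than guess
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        if start <= when <= end and (method == "POST" or path.split("?")[0].lstrip("/") in flagged_paths):
            hits.append((ip, when.isoformat(), method, path, int(status)))
    return hits

def demo():
    """Constructed clean and live copies plus constructed log lines (no real site data)."""
    clean, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    good = {"index.php": b"<?php // clean\n", "catalog/view/theme/default/template/common/header.twig": b"<head></head>\n"}
    tampered = {**good, "catalog/view/theme/default/template/common/header.twig": b'<head><script src="//example.invalid/ads.js"></script></head>\n',
                "image/cache/x.php": b"<?php // unknown file\n",          # constructed: file that is not in the clean copy
                "vqmod/xml/myext.xml": b"<modification/>\n"}             # constructed: legitimate extension file, also 'added'
    for root, files in ((clean, good), (live, tampered)):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    report = compare_trees(clean, live)
    logs = ['203.0.113.9 - - [10/Jul/2017:03:14:07 +0000] "POST /image/cache/x.php HTTP/1.1" 200 12 "-" "curl/7.54"',
            '198.51.100.4 - - [10/Jul/2017:03:20:41 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5432 "-" "Mozilla/5.0"',
            '203.0.113.9 - - [12/Jul/2017:20:00:00 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "curl/7.54"']
    hits = suspicious_requests(logs, set(report["added"] + report["modified"]), datetime(2017, 7, 10), datetime(2017, 7, 11))
    return report, hits
```

Run `compare_trees` with the clean download on one side and the restored site on the other, then feed the real access log and the window your host's restore dates give you to `suspicious_requests`; anything under "added" that you did not install yourself, and any POST to such a file, is what to look at first.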