I've had two sites compromised in the last 2 months.
Both were hosted with FastDomain/HostMonster - which is getting a lot of brute-force attacks.
Both sites had incredibly poor passwords - changed from my 15 char 'random keys' password, to an "easy to remember" password by the site/company owner. :-/
The only other recent exploit I've seen used is with Solmetra's SPAW editor and its upload.php file.
Admittedly, my mate's site was 1.4.3 but I had upgraded it to 1.4.9.1 when it had been hacked (actually, cleared it and reinstalled) and it kept getting hit.
The host has now come back with this:
"It looks like OpenCart has some exploit vulnerabilities, and the trouble with this is your site is more than likely posted on some hacker forums somewhere with the exact version of OpenCart in the post and exactly what needs done to exploit it:
http://www.exploit-db.com/exploits/15050/
http://packetstormsecurity.org/1003-exp ... rt-sql.txt
Unfortunately there's not much that can be done about this, I'm sure word has been spread to "hackers" that want to make a name for themselves that your site is here with an exploitable opencart installation. I'd recommend changing cart software to something that is not quite as exploitable."
Are they just talking rubbish?
Are those links referring to old exploits that have been fixed in recent build? Just weird it kept happening after cleaning down and re-installing latest version...
What I don't get is that one of these links refers to fckeditor in 1.4.9.1. And fckeditor isn't in 1.4.9.1. The other refers to v1.3.2.
When you say your mate's site is getting hit, gavin, what's happening...if you're able to say, I mean. What are the hackers trying to do?
They were dropping files into the Public_HTML of the site. So, when you visited the site, you were presented with a 'You've been hacked by blar' type message.
I actually moved the store to a sub folder called 'store' (actually, reinstalled 1.4.9.1) and locked it all down permissions wise and put a simple redirect into the Public_html with permissions of 444 on the file so they couldn't change it.
Other files kept appearing in the Public_HTML after this but the redirect seemed to work as the site wasn't taken down. Note, the site wasn't actually 'live' at this time, we were just testing what would happen as I doubted it was OC and more likely a compromised site on the server that the hackers were using to gain access to others through.
The files would appear, I would delete them, then about 7 to 10 hours later, another file would appear, all with different names (the last was called c99madshell.php)
Looks like the host is determined to slag off opencart, they have now sent this to him:
"I know it's not comforting, but it really only takes a small change in the google search to get everything needed for any version of OpenCart in existence:
http://www.google.com/search?hl=en&ie=I ... =&gs_rfai=
http://www.google.com/search?hl=en&ie=I ... =&gs_rfai="
Although, they seem to be ignoring the fact we told them it was 1.4.9.1 as all the results in that second link seem to be about installing it...
That is because the first thing a host reads is:
"hello my site has been hacked. I am running my opencart store there"
then they search "opencart exploit" and grab the first link they see without bothering to research.
But you can search:
wordpress exploit
oscommerce exploit
drupal exploit
xxxxxx exploit
and there will always be some sort of exploit listed, whether real or not.
These hosts are looking for the quick scapegoat
gavin m wrote:
"Oh, I totally agree.
It's fine though, my mate has moved to new host and told the others where to stick it."
Sounds like a good move; I would have done the same. Q's answer made a lot of sense regarding the slightly bizarre advice offered by the host.
Hi guys,
My client site was hacked three times now in a month! We did not face any problems for a year and now this :-( We had three different hackers uploading files under public_html and replacing the home page with files showing inappropriate images/text etc. I am using a much older version of OpenCart 1.2.9 which I have extended to add some new features to the website. I have checked whether there was any dompdf folder under system/helper but couldn't find any! How is the hacker able to upload such files? Is there anything else I need to check to prevent this from happening again in the time being until I manage to upgrade to the latest release?
Your help will be highly regarded.
Many thanks,
sabbosh
I think on versions that old there was also a bug with the fckeditor. You can search the forums for it. And of course they may be getting in in some way that doesn't involve opencart at all.
I think web hosting service provider would be responsible for it, because data lies there so you should approach it!