Post by MattW » Sat Sep 25, 2010 12:06 pm

I'd be more inclined to suggest it's the host server that has been compromised, given these started ~17th September, and a major security flaw was discovered in the 64-bit kernel.

http://www.webhostingtalk.com/showthread.php?t=981925

New member

Joined
Sat Aug 28, 2010 11:37 am
Location - Sheffield

Post by Skyhigh » Thu Sep 30, 2010 2:14 am

I've had two sites compromised in the last 2 months.

Both were hosted with FastDomain/HostMonster - which is getting a lot of brute-force attacks.

Both sites had incredibly poor passwords - changed from my 15 char 'random keys' password, to an "easy to remember" password by the site/company owner. :-/

The only other recent exploit I've seen used is with Solmetra's SPAW editor and its upload.php file.

LoveMoissanite.com - Moissanite Rings - Proudly Powered by Opencart
[How To] Speed Up Page Content with Opencart - Opencart advocate since 2009


New member

Joined
Fri Sep 11, 2009 8:12 pm

Post by gavin m » Fri Oct 01, 2010 10:06 pm

Admittedly, my mate's site was 1.4.3 but I had upgraded it to 1.4.9.1 when it had been hacked (actually, cleared it and reinstalled) and it kept getting hit.

The host has now come back with this:
It looks like OpenCart has some exploit vulnerabilities, and the trouble with this is your site is more than likely posted on some hacker forums somewhere with the exact version of OpenCart in the post and exactly what needs done to exploit it:

http://www.exploit-db.com/exploits/15050/
http://packetstormsecurity.org/1003-exp ... rt-sql.txt

Unfortunately there's not much that can be done about this, I'm sure word has been spread to "hackers" that want to make a name for themselves that your site is here with an exploitable opencart installation. I'd recommend changing cart software to something that is not quite as exploitable.
Are those links referring to old exploits that have been fixed in recent builds? Just weird it kept happening after cleaning down and re-installing the latest version...

Are they just talking rubbish?

Active Member

Joined
Thu Jun 04, 2009 3:23 pm

Post by Moggin » Fri Oct 01, 2010 10:16 pm

What I don't get is that one of these links refers to fckeditor in 1.4.9.1. And fckeditor isn't in 1.4.9.1. The other refers to v1.3.2.

When you say your mate's site is getting hit, gavin, what's happening... if you're able to say, I mean. What are the hackers trying to do?

Active Member

Joined
Wed May 05, 2010 4:56 am

Post by gavin m » Fri Oct 01, 2010 10:47 pm

Moggin wrote:What I don't get is that one of these links refers to fckeditor in 1.4.9.1. And fckeditor isn't in 1.4.9.1. The other refers to v1.3.2.

When you say your mate's site is getting hit, gavin, what's happening... if you're able to say, I mean. What are the hackers trying to do?
They were dropping files into the Public_HTML of the site. So, when you visited the site, you were presented with a 'You've been hacked by blar' type message.

I actually moved the store to a sub folder called 'store' (actually, reinstalled 1.4.9.1) and locked it all down permissions-wise and put a simple redirect into the Public_html with permissions of 444 on the file so they couldn't change it.

Other files kept appearing in the Public_HTML after this but the redirect seemed to work as the site wasn't taken down. Note, the site wasn't actually 'live' at this time; we were just testing what would happen as I doubted it was OC and more likely a compromised site on the server that the hackers were using to gain access to others through.

The files would appear, I would delete them, then about 7 to 10 hours later, another file would appear, all with different names (the last was called c99madshell.php)

Active Member

Joined
Thu Jun 04, 2009 3:23 pm
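The pattern gavin m describes, files appearing in public_html every few hours with the last one named c99madshell.php, is the classic sign of a dropped web shell. As an added example (not from the thread and not OpenCart code), the Python triage script below walks a copy of the webroot and flags PHP files modified after a known-good deployment time, PHP code hidden in non-PHP files, world-writable directories, and content matching a few shell indicators. The indicator list, the PHP extension set, the script name and the one-day default baseline are assumptions for illustration, not an authoritative signature set.

```python
import os
import re
import stat
import sys
import time

# Indicators common to PHP web shells of the c99/r57 family and to obfuscated
# droppers. Illustrative assumption, not a complete or authoritative signature set.
SHELL_PATTERNS = [
    (re.compile(rb"c99(mad)?shell|r57shell", re.I), "known shell name"),
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(rb"\b(passthru|shell_exec|system|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
     "command execution from request input"),
    (re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
     "preg_replace with /e modifier"),
]

# Extensions the server is likely to execute as PHP (assumed; depends on host config).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def is_php_like(name):
    """True if any extension in the name is executable as PHP, so that double
    extensions such as shell.php.jpg are treated as PHP too."""
    return any(ext in PHP_EXTENSIONS for ext in name.lower().split(".")[1:])


def scan_webroot(root, baseline_mtime):
    """Walk `root` and return sorted (relative path, reason) findings.

    baseline_mtime is the epoch time of the last known-good deployment: any
    PHP-executable file changed after it is reported even without a content
    match, because a dropped file need not resemble a known shell.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((os.path.relpath(dirpath, root), "world-writable directory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            php_like = is_php_like(name)
            if php_like and os.stat(full).st_mtime > baseline_mtime:
                findings.append((rel, "php file modified after baseline"))
            with open(full, "rb") as fh:
                head = fh.read(1 << 20)  # first MiB is plenty for a shell; bounds the cost
            if not php_like and b"<?php" in head:
                findings.append((rel, "php code in non-php file"))
            # Match indicators against the filename as well as the content.
            haystack = name.encode("utf-8", "replace") + b"\n" + head
            for pattern, reason in SHELL_PATTERNS:
                if pattern.search(haystack):
                    findings.append((rel, reason))
                    break
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_webroot.py /path/to/public_html [baseline-age-days]
    # The one-day default baseline is an assumption; use your real deploy time.
    root = sys.argv[1] if len(sys.argv) > 1 else "public_html"
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 1.0
    for path, reason in scan_webroot(root, time.time() - days * 86400):
        print(f"{reason:38} {path}")
```

Run it against an offline copy of the account (or over SSH on the host) and compare the "modified after baseline" list with what you actually uploaded; anything you did not put there is evidence to keep, not just delete. One caveat on the 444 redirect file from the post: read-only mode only stops edits in place. A process running as the file's owner can chmod it back, and if the containing directory is writable the file can be renamed or replaced, which is why the scanner reports writable directories as well.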

Post by gavin m » Fri Oct 01, 2010 11:58 pm

Looks like the host is determined to slag off OpenCart, they have now sent this to him:

I know it's not comforting, but it really only takes a small change in the google search to get everything needed for any version of OpenCart in existence:

http://www.google.com/search?hl=en&ie=I ... =&gs_rfai=

http://www.google.com/search?hl=en&ie=I ... =&gs_rfai=
Although, they seem to be ignoring the fact we told them it was 1.4.9.1 as all the results in that second link seem to be about installing it......

Active Member

Joined
Thu Jun 04, 2009 3:23 pm

Post by Qphoria » Sat Oct 02, 2010 1:48 am

That is because the first thing a host reads is:

"hello my site has been hacked. I am running my opencart store there"

then they search "opencart exploit" and grab the first link they see without bothering to research.

But you can search:
wordpress exploit
oscommerce exploit
drupal exploit
xxxxxx exploit

and there will always be some sort of exploit listed, whether real or not.
These hosts are looking for the quick scapegoat

Administrator

Joined
Tue Jul 22, 2008 3:02 am

Post by gavin m » Sat Oct 02, 2010 2:23 am

Oh, I totally agree.

It's fine though, my mate has moved to new host and told the others where to stick it.

Active Member

Joined
Thu Jun 04, 2009 3:23 pm

Post by Moggin » Sat Oct 02, 2010 8:26 am

gavin m wrote:Oh, I totally agree.

It's fine though, my mate has moved to new host and told the others where to stick it.
sounds like a good move; I would have done the same. Q's answer made a lot of sense regarding the slightly bizarre advice offered by the host.

Active Member

Joined
Wed May 05, 2010 4:56 am

Post by sabbosh » Sat Oct 23, 2010 6:42 pm

Hi guys,

My client's site has been hacked three times now in a month! We did not face any problems for a year and now this :-( We had three different hackers uploading files under public_html and replacing the home page with files showing inappropriate images/text etc. I am using a much older version of OpenCart, 1.2.9, which I have extended to add some new features to the website. I have checked whether there was any dompdf folder under system/helper but couldn't find one! How is the hacker able to upload such files? Is there anything else I need to check to prevent this from happening again in the meantime until I manage to upgrade to the latest release?

Your help will be highly regarded.

Many thanks,
sabbosh

Newbie

Joined
Sat Oct 23, 2010 5:48 pm

Post by Xsecrets » Sat Oct 23, 2010 9:17 pm

sabbosh wrote:Hi guys,

My client's site has been hacked three times now in a month! We did not face any problems for a year and now this :-( We had three different hackers uploading files under public_html and replacing the home page with files showing inappropriate images/text etc. I am using a much older version of OpenCart, 1.2.9, which I have extended to add some new features to the website. I have checked whether there was any dompdf folder under system/helper but couldn't find one! How is the hacker able to upload such files? Is there anything else I need to check to prevent this from happening again in the meantime until I manage to upgrade to the latest release?

Your help will be highly regarded.

Many thanks,
sabbosh
I think on versions that old there was also a bug with the fckeditor. You can search the forums for it. And of course they may be getting in in some way that doesn't involve opencart at all.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US
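Two posts in this thread point at editor upload handlers: Solmetra's SPAW upload.php earlier, and the fckeditor bug Xsecrets mentions for old OpenCart versions. As an added example, not code from the thread, from OpenCart or from either editor, here is the weak filename check such handlers commonly used, shown in Python beside a hardened replacement. The extension sets, the magic-bytes table, and the sample filenames are assumptions and constructed input; the specific bugs in those editors are not reproduced here.

```python
import os
import re

# Extensions a typical shared-host Apache/PHP setup hands to an interpreter.
# Illustrative assumption; the real set depends on the host's handler config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "cgi", "pl", "shtml", "htaccess"}

# What an image uploader legitimately needs (assumption), with the magic
# bytes each format starts with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_safe(filename):
    """The check behind many editor upload bugs: a denylist applied to the
    last extension only. It lets through shell.php5, shell.phtml and
    shell.php.jpg (executed as PHP by servers that consult every extension)."""
    return not filename.lower().endswith(".php")


def hardened_filename(filename):
    """Derive a safe stored name from a client-supplied one, or raise ValueError.

    Strips directory components (path traversal), rejects NUL bytes (C-string
    truncation tricks), rejects an executable extension anywhere in the name
    (double extensions), and allows exactly one extension from the allowlist.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise ValueError("empty or hidden filename")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise ValueError("no extension")
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise ValueError("executable extension in name")
    if len(exts) != 1 or exts[0] not in IMAGE_MAGIC:
        raise ValueError("extension not allowed")
    # Never store under the client's literal name; normalise the stem ourselves.
    stem = re.sub(r"[^a-z0-9_-]", "_", parts[0])[:64] or "upload"
    return f"{stem}.{exts[0]}"


def validate_upload(filename, data):
    """Return the name to store the upload under, or raise ValueError.

    The magic-byte check rules out plain PHP source saved as .jpg; it does not
    rule out a polyglot with a valid image header followed by PHP, which is why
    the extension rules above and a no-execute upload directory still matter.
    """
    name = hardened_filename(filename)
    ext = name.rsplit(".", 1)[1]
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        raise ValueError("content does not match extension")
    return name


def triage(filename, data):
    """(accepted, stored name or rejection reason) for a candidate upload."""
    try:
        return True, validate_upload(filename, data)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples, including the double-extension and traversal names
    # typical of editor upload exploits.
    samples = [
        ("logo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php.jpg", b"\xff\xd8\xff" + b"<?php system($_GET['c']); ?>"),
        ("shell.php5", b"<?php eval($_POST['x']); ?>"),
        ("../../public_html/c99madshell.php", b"<?php ?>"),
        ("logo.jpg", b"<?php passthru($_GET['c']); ?>"),
    ]
    for name, data in samples:
        print(f"{name:40} weak={weak_is_safe(name)!s:5} hardened={triage(name, data)}")
```

The design point is to decide what the stored name will be rather than to look for bad things in the client's name, and to treat the extension list as an allowlist of what the feature needs rather than a denylist of what is known to be dangerous; the denylist in weak_is_safe fails precisely because the server's idea of "executable" is wider than ".php".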

Post by sabbosh » Sun Oct 24, 2010 8:39 pm

Thank you so much for your feedback! I will look into the bug on fckeditor then and see if I can fix this issue temporarily until I manage to do the upgrade...

Cheers!
sabbosh

Newbie

Joined
Sat Oct 23, 2010 5:48 pm

Post by PaulSmith1 » Mon Nov 01, 2010 2:28 am

I think the web hosting service provider would be responsible for it, because the data lies there, so you should approach them!

Member of Como Ganhar Dinheiro na Internet Club. Also fan of Monbusho Research Scholarship.


Newbie

Joined
Mon Nov 01, 2010 2:21 am