OpenCart Community

A few weeks ago i saw a sun.html document in my site and deleted it.It reappeared again and i discovered some Turkish/Iranians had hacked my site.I didn't see anything malicious but notified my host who sorted it and advised me that 'We have checked on the server and found that this file has been uploaded via ftp. we have removed the malicious file.
Please ensure that you have set a strong password for your FTP also folders have set permissions as 755 and files 644.
yesterday my site disappeared and on checking with host, we discovered the hackers had left some codes & stuff and have been using my site to send spam emails bringing the server down.
Host said' There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).I also have the scripts in an tgz as evidence.
Now i have to start from scratch.I understand OC is secure but how did this guys manage to hack thru even after changing passwords? I am worried that i may start afresh with stronger passwords and somehow they may get thru again.
So what advice do you guys have.And Daniel?

you must have had a very old version of opencart. If you look at the stickies on the top of any forum there is a warning about a vulnerability in the dompdf library, but that library hasn't been included in quite some time now.

I had 1.4.8b.
It's weird because i have checked the version i downloaded and it does not have the dompdf stuff!!Did the hacker know this issue and injected it there to do his thing?

the dompdf hack only edited files to add some add scripts to the bottom. If your host said they used ftp to access it, then that is completely separate. There are no relationships from the ftp account on your domain to any scripts

My first question is did you install opencart previously and not delete the dompdf when you upgraded? That could explain why you have the dompdf. Like Q has said though, if they've got FTP access then obviously you need to change your FTP credentials straight away

chiefk wrote:A few weeks ago i saw a sun.html document in my site and deleted it.It reappeared again and i discovered some Turkish/Iranians had hacked my site.I didn't see anything malicious but notified my host who sorted it and advised me that 'We have checked on the server and found that this file has been uploaded via ftp. we have removed the malicious file.
Please ensure that you have set a strong password for your FTP also folders have set permissions as 755 and files 644.
yesterday my site disappeared and on checking with host, we discovered the hackers had left some codes & stuff and have been using my site to send spam emails bringing the server down.
Host said' There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).I also have the scripts in an tgz as evidence.
Now i have to start from scratch.I understand OC is secure but how did this guys manage to hack thru even after changing passwords? I am worried that i may start afresh with stronger passwords and somehow they may get thru again.
So what advice do you guys have.And Daniel?

most of the time hackers get thorugh via your host. i recommend checkoing your logs for when these files appeared on your server. then go through searchign for the ip that put the files there. if the files just appeared without and funny url stuff then they got in via your host.

I too have just been hacked.

There is now a picture of a Chinese lady on my website (http://www.easypyro.com) and the message
"Hacked By Ux0r { Turkish Hacker } Mavideniz e ve dostlara selamlar!"

Anyway I checked for the dompdf folder before (because I got the iframe attack a while ago) and I definitely deleted it.

I have since upgraded to OC version 1.4.7.

I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again.

I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.

Assuming my host gives me a list of files that were uploaded, and I delete them, will that bring my site back to normal? As far as I can see all the original files are still there.

Thanks.

For me they had, i think injected something to 'read' any password changes i did.First i saw a strange html doc i deleted it , came again and got my webhost to delete it but since they had uploaded hacking tools they could come in anytime.
I suggest you back up the database, delete everything on site and do clean install.Also use complex user names & passwords.I'll be changing mine every month!

Qphoria wrote:the dompdf hack only edited files to add some add scripts to the bottom. If your host said they used ftp to access it, then that is completely separate. There are no relationships from the ftp account on your domain to any scripts

If i did not have the dompdf file initially( when in installed 1.4.8b), how did it get there??

chiefk wrote:

Qphoria wrote:the dompdf hack only edited files to add some add scripts to the bottom. If your host said they used ftp to access it, then that is completely separate. There are no relationships from the ftp account on your domain to any scripts

If i did not have the dompdf file initially( when in installed 1.4.8b), how did it get there??

It could be that your shared server got hacked and thus access to your files/folders were taken.

whitecollar wrote:... I have since upgraded to OC version 1.4.7.

I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again...

The dompdf library was included in the 1.4.7 release. However, the vulnerable file (dompdf.php) was not included in that release. The dompdf library was not included in 1.4.8 or later releases of OpenCart.

It is more likely that the hacker got through by ftp due to a weak username/password combination, or:

i2Paq wrote:It could be that your shared server got hacked and thus access to your files/folders were taken.

i2Paq wrote:

chiefk wrote:

Qphoria wrote:the dompdf hack only edited files to add some add scripts to the bottom. If your host said they used ftp to access it, then that is completely separate. There are no relationships from the ftp account on your domain to any scripts

If i did not have the dompdf file initially( when in installed 1.4.8b), how did it get there??

It could be that your shared server got hacked and thus access to your files/folders were taken.

No, they told me clearly (after their server went down)that it was my site that was been used by the hackers.
Also my password had a mixture of numbers & letters.I have changed it and i ma hoping there will not be repeat.

whitecollar wrote:...
I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.

This is the second time in a couple of weeks I have heard of a JustHost site being hacked. Might be a coincidence, might not, though there are a quite a few stories around concerning JustHost anyway.
http://www.justhostreviews.org/justhost ... once-again
Just FYI

chiefk wrote: No, they told me clearly (after their server went down)that it was my site that was been used by the hackers.
Also my password had a mixture of numbers & letters.I have changed it and i ma hoping there will not be repeat.

As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.

Make it as difficult as possible for hackers.

And, they may have gotten into your PC and read your passwords if you have them stored there.

They obviously uploaded the dompdf file then used it for their dirty work.

Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security.

I usually use "12346" as my password. as most people stop at "12345"

peteVA wrote:

chiefk wrote: No, they told me clearly (after their server went down)that it was my site that was been used by the hackers.
Also my password had a mixture of numbers & letters.I have changed it and i ma hoping there will not be repeat.

As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.

Make it as difficult as possible for hackers.

And, they may have gotten into your PC and read your passwords if you have them stored there.

They obviously uploaded the dompdf file then used it for their dirty work.

Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security.

True.I've designed sites and used the same host and they are very good.Anyway after the incident, i've changed passwords and made them complex and i am now very vigilant.

chiefk wrote:No, they told me clearly (after their server went down)that it was my site that was been used by the hackers.
Also my password had a mixture of numbers & letters.I have changed it and i ma hoping there will not be repeat.

That is what I would say if I, as a hosting provider, would discover that my server was hacked and my customers had lost their websites......

Looks like it's all go on this front.

My mates site was hacked 2 days ago. Restored it and double checked everything. keep getting files appear in the public_html, the latest being c99madshell.php

So, we basically telling the host that if they don't find the cause (i suspect an insecure site on the same server) then he's moving hosts.

They don't seem too bothered about helping out. Just keep saying 'Make sure you have secure scripts on you site'....

i2Paq wrote:

chiefk wrote:No, they told me clearly (after their server went down)that it was my site that was been used by the hackers.
Also my password had a mixture of numbers & letters.I have changed it and i ma hoping there will not be repeat.

That is what I would say if I, as a hosting provider, would discover that my server was hacked and my customers had lost their websites......

Funny that, the host has just closed the ticket with the response:

Unfortunately, we do not have any other recommendations that we could do to help you with it. As long as you keep your scripts updated, make srue to maintain secure permissions (no 777 or 666), keep secure passwords (containing numbers, letters capital and lowercase, and special characters), and keep an eye on your server you should be less likely to have this problem.

outstanding. So, everything they can recommend is already being done.

Of course, the pessimistic side of me thinks they found an issue with another site on the server and shut it down and are now just bluffing.