Post by JEfromCanada » Thu Apr 30, 2020 3:50 pm

I'm not sure this is the right place to post, but I'll try anyway. A friend of mine has an OC 3.0.2.0 website using the Journal2 theme. Today, she received an "Enquiry" (i.e. an email from the Contact Us page) that contained an extortion demand. The demand may or may not be real. With her permission, I examined server logs and found the IP address that had left the message. I then checked the log for other accesses by the same IP address and found multiple attempts to probe various javascript files. But, other than various GET commands, the only POST that I found was to the Contact Us form.

Does anyone here know whether the Contact Us form is vulnerable to an SQL injection or any other attack that would allow an attacker to access the database? And can anyone suggest a way to determine whether a backdoor or other attack vector has been installed?

Thank you for your help.

New member, joined Thu May 23, 2013 1:49 am
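The second question in the post above, how to tell whether a backdoor has been planted, is not answered in the thread. An added Python example (not code from the thread or from OpenCart) of the usual defender approach: hash every file in the web root while the site is known-good, or from a clean copy of the same OpenCart/Journal2 release, store that manifest off the server, and later diff it, paying attention to new or changed PHP files and to PHP code in upload or cache directories that should only ever hold images. The directory names under `UPLOAD_DIRS` are an assumed OpenCart 3 layout and the files written in `demo()` are constructed for illustration.

```python
"""Baseline-and-compare integrity check for a PHP web root (added example)."""
import hashlib
import json
import os
import re
import tempfile

# PHP open tags; a file in an upload/cache tree that contains one is a finding.
PHP_OPEN = re.compile(rb"<\?php|<\?=")

# Directories that hold uploads or caches and should never contain PHP code.
# Assumed OpenCart 3 layout; adjust to the real tree of the site.
UPLOAD_DIRS = ("image/", "system/storage/cache/", "system/storage/upload/")

# Extensions whose appearance or modification always deserves a look.
CODE_EXT = (".php", ".phtml", ".htaccess")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    return {rel: sha256_of(full) for rel, full in walk_files(root)}


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifest(root, baseline):
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def php_in_upload_dirs(root):
    """Files under UPLOAD_DIRS whose first 4 KiB contain a PHP open tag."""
    hits = []
    for rel, full in walk_files(root):
        if rel.startswith(UPLOAD_DIRS):
            with open(full, "rb") as f:
                if PHP_OPEN.search(f.read(4096)):
                    hits.append(rel)
    return sorted(hits)


def suspicious_changes(root, baseline):
    diff = compare_manifest(root, baseline)
    changed_code = [p for p in diff["added"] + diff["modified"] if p.lower().endswith(CODE_EXT)]
    return {
        "new_or_changed_code": sorted(changed_code),
        "php_in_upload_dirs": php_in_upload_dirs(root),
        "diff": diff,
    }


def demo():
    """Constructed web root: take a baseline, then plant and alter files."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    put("index.php", b"<?php // front controller\n")
    put("catalog/controller/information/contact.php", b"<?php class ControllerInformationContact {}\n")
    put("image/logo.png", b"\x89PNG\r\n")
    baseline = build_manifest(root)
    # Later: a PHP file appears in the image tree and a controller is altered.
    put("image/cache/thumb.php", b"<?php echo 'planted'; ?>")
    put("catalog/controller/information/contact.php", b"<?php class ControllerInformationContact { /* altered */ }\n")
    return suspicious_changes(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice, `save_manifest(build_manifest("/home/site/public_html"), "manifest.json")` is run once on a clean state (or on a freshly unpacked copy of the same release) and `suspicious_changes(root, load_manifest("manifest.json"))` on a schedule; the manifest must live somewhere the web server's user cannot write, or an intruder can simply regenerate it.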

Post by JNeuhoff » Thu Apr 30, 2020 4:07 pm

The Contact Us page, along with the account/checkout registration pages, and the product returns page, will be vulnerable to spambot attacks, even with captchas enabled. We have anti-spambot software, but it's for OpenCart, not for Journal2.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus


Expert Member, joined Wed Dec 05, 2007 3:38 am


Post by JEfromCanada » Thu Apr 30, 2020 8:03 pm

Thanks for the reply. I'm not worried about spambot attacks. I'm worried about SQL Injections or any other vulnerability that would allow the site to be compromised. She gets spam all the time. This time, the message was a threat, and I want to be sure the threat is not real.


Post by JNeuhoff » Thu Apr 30, 2020 8:29 pm

As far as I know from experience, OpenCart is pretty safe as regards SQL injection attacks. We get SQL injection attempts on clients' websites all the time, and the server usually returns a 404 reply (Page not found). It might be a good idea to block the IP-address of that person. You should be able to find out whether that person is real, or a spambot, by examining the access.log. Spambots usually don't do complete page loads, and sometimes they use unusual user-agent strings. You can also check the sender's IP-address at e.g. https://whatismyipaddress.com/blacklist-check

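To make the access-log triage described in the reply above concrete (every request by one IP, GET versus POST, whether the client did a full page load or only probed individual files, a non-browser user-agent, and query strings that look like SQL injection attempts), here is an added Python example, not code from the thread or from OpenCart. It assumes the Apache combined log format that cPanel's raw access log download uses, that the OpenCart 3 Contact Us page is reached via `index.php?route=information/contact`, and the sample log lines are constructed with documentation IP ranges.

```python
"""Per-IP triage of an Apache/cPanel combined access log (added example)."""
import re
import sys
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assets a real browser pulls in while rendering a page. Scanners that probe
# specific .js or .php files rarely request these, so .js is deliberately
# left out of the list.
RENDER_ASSETS = (".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".ico")

# Fragments that commonly appear in SQL injection probes (used for flagging only).
SQLI_HINTS = re.compile(r"union\s+select|information_schema|sleep\s*\(|'\s*or\s+'?1'?\s*=\s*'?1", re.I)

# User-agents of scripting libraries and CLI tools rather than browsers.
TOOL_UA = re.compile(r"python-requests|curl/|wget/|libwww|go-http-client|^-$", re.I)

CONTACT_ROUTE = "route=information/contact"  # OpenCart 3 Contact Us page (assumed)

# Constructed sample: one browser visit that submits the form, one scripted
# client that probes files and submits the same form without rendering a page.
SAMPLE_LOG = """
203.0.113.10 - - [30/Apr/2020:14:02:11 +0000] "GET /index.php?route=information/contact HTTP/1.1" 200 18234 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0"
203.0.113.10 - - [30/Apr/2020:14:02:11 +0000] "GET /catalog/view/theme/journal2/stylesheet/journal2.css HTTP/1.1" 200 61234 "https://shop.example/index.php?route=information/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0"
203.0.113.10 - - [30/Apr/2020:14:02:12 +0000] "GET /catalog/view/javascript/jquery/jquery-2.1.1.min.js HTTP/1.1" 200 84245 "https://shop.example/index.php?route=information/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0"
203.0.113.10 - - [30/Apr/2020:14:03:40 +0000] "POST /index.php?route=information/contact HTTP/1.1" 200 18100 "https://shop.example/index.php?route=information/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/75.0"
198.51.100.7 - - [30/Apr/2020:15:10:01 +0000] "GET /catalog/view/javascript/common.js HTTP/1.1" 200 9123 "-" "python-requests/2.22.0"
198.51.100.7 - - [30/Apr/2020:15:10:02 +0000] "GET /admin/ HTTP/1.1" 404 1234 "-" "python-requests/2.22.0"
198.51.100.7 - - [30/Apr/2020:15:10:03 +0000] "GET /index.php?route=product/product&product_id=1%27%20union%20select%201 HTTP/1.1" 404 1234 "-" "python-requests/2.22.0"
198.51.100.7 - - [30/Apr/2020:15:10:05 +0000] "POST /index.php?route=information/contact HTTP/1.1" 200 18100 "-" "python-requests/2.22.0"
"""


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %27 etc. before pattern matching
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_ip(records, ip):
    mine = [r for r in records if r["ip"] == ip]
    paths = [r["path"] for r in mine]
    return {
        "ip": ip,
        "requests": len(mine),
        "methods": Counter(r["method"] for r in mine),
        "statuses": Counter(r["status"] for r in mine),
        "post_paths": [r["path"] for r in mine if r["method"] == "POST"],
        "contact_posts": sum(1 for r in mine if r["method"] == "POST" and CONTACT_ROUTE in r["path"]),
        "full_page_load": any(p.split("?")[0].lower().endswith(RENDER_ASSETS) for p in paths),
        "user_agents": sorted({r["ua"] for r in mine}),
        "tool_ua": any(TOOL_UA.search(r["ua"]) for r in mine),
        "sqli_like": [p for p in paths if SQLI_HINTS.search(p)],
    }


def triage(text):
    records = parse_log(text)
    return {ip: summarize_ip(records, ip) for ip in sorted({r["ip"] for r in records})}


def verdict(summary):
    """Coarse label from the heuristics in the thread; a person still reviews it."""
    if summary["sqli_like"] or (summary["tool_ua"] and not summary["full_page_load"]):
        return "scanner/bot"
    return "browser-like"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, s in triage(text).items():
        print(ip, verdict(s), dict(s["methods"]), "contact POSTs:", s["contact_posts"],
              "full page load:", s["full_page_load"], "SQLi-like:", len(s["sqli_like"]))
```

Run it as `python3 triage.py access.log` on the downloaded raw log; the 404s on injection-looking URLs match what the reply describes, and a POST to the contact route from a client that never fetched a stylesheet or image is the pattern to look for in the original question.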


Post by JEfromCanada » Thu Apr 30, 2020 9:50 pm

Thanks for the follow-up. When you say "access.log" is this an OpenCart file located somewhere within the OpenCart folder structure? Because I looked at the server's raw access log (from cPanel) to find the IP addresses (there were multiple scan/POST attempts from different people) and identified the regions where the most recent attacks originated.


Post by JNeuhoff » Thu Apr 30, 2020 10:09 pm

I was talking about the server's access.log which, as you stated correctly, can be seen via the cPanel's raw access log.

