Post by mrniss99 » Tue Mar 06, 2018 11:42 pm

Hello,
I am sharing hosting space with a friend of mine. We both use Opencart 2.0.1.1. Last week I had some strange pop-up whenever I went to use my admin panel asking for billing information (see attached image). Last night it was brought to my attention that his site is getting the same pop-up when a user goes to view a category. I have done some discovery with Fiddler but cannot really come up with anything substantial. If anyone has any ideas, we both would greatly appreciate the input.

Thanks in advance!

Image


Post by sarthakinfotech » Wed Mar 07, 2018 1:30 am

Hi,
would you please send me the URL of the site?

Good Day,
Hiren

Post by paulfeakins » Wed Mar 07, 2018 7:49 pm

Suggest you employ a developer from Commercial Support to fix this ASAP as it could be a hacking attempt to get your customer details.


Post by rgbrewer » Sat Mar 10, 2018 3:57 am

I did some digging through the site --

It's being dumped in after the OpenCart footer, so my guess is it is a standalone PHP file that someone snuck onto your server.

It is a <form> element and it's not calling any external site, so when you fill it out, the form is being submitted to a script that is on your server.

You may have some luck searching your site's files for the following:

<form class="magent_form">

Someone definitely got into your site; who knows what other havoc they have caused. Your first instinct should be to shut it down, reload from a clean backup, and change all your passwords.


Post by ADYX2000 » Tue Mar 27, 2018 11:11 pm

Hi, I would be interested to know if you have managed to resolve this issue, and/or found any further details.
I know someone who has had the same thing happen, and to me it would appear to be more of an exploit, rather than a breach of your admin login or FTP access etc.

I suspect it could be via a module that has some current weakness.
I noticed that vqcache had some updated files,
e.g. vq2-system_modification_catalog_controller_product_product.php


Post by ADYX2000 » Thu Mar 29, 2018 12:12 am

Narrowed this down to it being a hacked/exploited version of jquery-2.1.1.min.js.
Question is, how did they manage to get at the file? (It's not via FTP or admin breach directly.)

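One way to carry out the two checks raised in this thread (searching the site's files for the injected form marker, and spotting a tampered stock file such as jquery-2.1.1.min.js), as an added example that is not code from any poster. It assumes a clean copy of the same OpenCart release is unpacked locally; the function names and the skip list are hypothetical.

```python
import hashlib
import os
import sys

# Marker quoted in the thread; any file containing it deserves inspection.
MARKER = b'<form class="magent_form">'
# Directories whose contents legitimately differ from a clean release
# (assumed names; adjust to the install). They are still marker-scanned.
SKIP_DIRS = ("image", "vqmod/vqcache", "system/cache", "system/logs")


def inspect(path):
    """Return (sha256 hex digest, marker present?) for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.sha256(data).hexdigest(), MARKER in data


def walk(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def audit(site_root, clean_root):
    """Compare a live site tree against a clean copy of the same release."""
    clean = {rel: inspect(full)[0] for rel, full in walk(clean_root)}
    report = {"marker": [], "modified": [], "unexpected": []}
    for rel, full in walk(site_root):
        digest, has_marker = inspect(full)
        if has_marker:
            report["marker"].append(rel)
        if any(rel.startswith(d + "/") for d in SKIP_DIRS):
            continue  # cache/upload dirs: hash comparison is meaningless
        if rel not in clean:
            report["unexpected"].append(rel)   # file not shipped in release
        elif clean[rel] != digest:
            report["modified"].append(rel)     # stock file was altered
    return {kind: sorted(paths) for kind, paths in report.items()}


if __name__ == "__main__":
    # usage: python audit.py <site_root> <clean_release_root>
    for kind, paths in audit(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Expect `config.php` and installed extensions to be reported as modified or unexpected; those entries need manual review rather than automatic trust.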