Post by IP_CAM » Mon May 13, 2019 8:25 am

Hello,
Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---

I am no longer active at the OC Forum, to reach me, contact: jti@jacob.ch
My latest free Opencart LIGHT 1.5.6.5 Source is available on demand: http://www.ebikes.li/shop/
900+ FREE OC Extension-Repositories - from OC v.1.5.x up, on the
world's largest OC-related Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by head_dunce » Mon May 13, 2019 8:50 am

IP_CAM wrote:
Mon May 13, 2019 5:15 am
mostof todays Badcode no longer hurts a well-done XP ;)
Too funny!

IP_CAM wrote:
Mon May 13, 2019 8:25 am
Hello,
Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---
So what does it do?!? Come on, this is just starting to get fun! Awe, I don't want to stare at Wireshark, but..

Jim
Middle Caicos, Turks and Caicos Islands


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm

Post by IP_CAM » Mon May 13, 2019 9:49 am

What does it do ? It links your Server to something else, and
your Site might possibly be shut down by your Hoster soon,
because of that, like this one:
http://www.benadislifeline.com/admin/
Better, scrap your Code, and clean out your Server, in full, and then,
start again from Scratch. And check every single file first, by
comparing it's content with a clean virgin Edition. By use of
my aged Win-Commander, such can done in a minute ... :D
Good Luck!
Ernie

I am no longer active at the OC Forum, to reach me, contact: jti@jacob.ch
My latest free Opencart LIGHT 1.5.6.5 Source is available on demand: http://www.ebikes.li/shop/
900+ FREE OC Extension-Repositories - from OC v.1.5.x up, on the
world's largest OC-related Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by wrick0 » Mon May 13, 2019 5:56 pm

You need to do a complete reinstall of your server, you have been infected by a trojan. The attacker might have used a rootkit to infect your server and if you just reinstall opencart it wont solve anything, from what ive seen in the logs the opencart was just used to infect your server, it doesnt contain malicious code like miners/cc stealers. Lesson learned, next time dont use a simple password.

The used trojan is living somewhere on your server now and only a reinstall can remove it(you can try to use antivirus to remove it but you will never be sure it is gone!) After reinstall make sure you install an decent antivirus like Sentinel/Warden/ClamAV or some other premium antivirus.

Your security on the server must be very bad if you didnt have antivirus running (which should have stopped this virus from running)

New member

Posts

Joined
Fri Jan 18, 2019 10:00 pm

Post by head_dunce » Mon May 13, 2019 6:32 pm

I already kicked up a whole new server on a different IP and installed OC on it many days ago. No worries there. And I had disabled SELinux on that server, didn't want to mess around configuring it since I am still unsure if I will move to OC anyway. It was all just a test server for me. I see now this OC extension thing is a huge hole.

Jim
Middle Caicos, Turks and Caicos Islands


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm

Post by head_dunce » Mon May 13, 2019 8:04 pm

Is there any good reason for an extension to ever use : base64_decode or gzinflate
Because this could have been blocked at the front door if the extension installer stopped the install as soon as it saw these in the code.

Jim
Middle Caicos, Turks and Caicos Islands


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm

Post by IP_CAM » Tue May 14, 2019 9:24 am

Well, base64_decode does exist, in a few Files at least,
probably also depending on the OC Version+Mods used. ! :D
Samples Lines:

Code: Select all

(base64_decode($product[1])
$encryption_key = base64_decode($value);
$tag = base64_encode($iv);
return base64_encode($encrypted . '::' . $iv);

I am no longer active at the OC Forum, to reach me, contact: jti@jacob.ch
My latest free Opencart LIGHT 1.5.6.5 Source is available on demand: http://www.ebikes.li/shop/
900+ FREE OC Extension-Repositories - from OC v.1.5.x up, on the
world's largest OC-related Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by head_dunce » Tue May 14, 2019 10:37 am

Ok, doesn't seem like the normal case though.

My 2 cents would be that things like base64_decode or gzinflate or curl should be locked out by default for extensions. Someone should have to change a config file on the backend to enable some PHP functions for extensions to use, majority of them don't need these types of tools. Although I don't like that the spreadsheet upload extension uses curl to phone home, I have also started another extension (posted in these forums) that uses curl to do real time order posting. I think there should be a config file that blocks / allows some of these PHP functions to help with security. That's pretty simple to employ.

On my new server with OC, I already see it getting slammed with brute force at /admin trying to get in again. So, I'll throw away this new server too. I'll kick up another one, install apache and config htpasswd at the base directory before I install OC. Then I'll change the /admin directory to another location, and put htpasswd on the admin directory before taking htpasswd off the base directory. That should avoid most of the static right at the gate. I'm all ears if there are other OC modifications anyone suggests.

Jim
Middle Caicos, Turks and Caicos Islands


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm
Who is online

Users browsing this forum: No registered users and 6 guests