Post by Ljubo » Wed Jun 04, 2014 5:33 am

Hi to all!
Running a heavily modded v.1.5.3.1 oc store.
This morning I have received an email from google with warning about suspicious phishing content was found on my site and that I should check it carefully with my host.
I did it and the hosting company just suspended me informing that my site is hacked and that there is a lot of malicious codes inside that are injected. They advised me to clean it, to solve vulnerability problems so after that they would check it again...
Luckily for me, I am not accepting credit cards online... store is based on COD sale.

Can anybody make some advise about what to do, how to clean the store, what to change to improve security issues...?
I asked my hosting provider to just publish backup of last clean version (they are doing automated daily backups), but they answered that is not the way to do it, that I should first solve vulnerability problems first...
But, from my point of view, I think that probably the best way to do it is to get backup of last clean version and then to improve security...
I am not sure whether they would accept it or not... Waiting for their reply now.
In the meantime, I would really appreciate some advise from you guys about proper way to do things in both cases (how to clean the site and what to do to improve security issues).
THANKS!

Active Member

Posts

Joined
Mon Jan 31, 2011 10:07 pm
Location - Serbia

Post by rph » Wed Jun 04, 2014 5:56 am

Technically you're both right. The proper procedure is to plug the vulnerability and roll back to the last known safe version of the website. The problem is websites can be compromised many different ways so until you know how the hack was achieved it's not safe to revert the site. Ask your host if they have any info on how the breach occurred.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by victorj » Wed Jun 04, 2014 5:58 am

Opencart is secure, it is hard to beleive that acces was made through opencart.
most likely your site was ahcked using ftp credentials.

i would recomend first to change all your log incredentials for your hosting ftp email adresses.

make sure your computer is clean and use a trusted ftp program from a reliable source.
also check all server logs to find when and who had access to your site ie ftp logs etc, if possible ask your host to supply them to you in order to indentify how your site was hacked.

restore your site and make sure all malicious code is gone.

Koeltechnische deurrubbers eenvoudig online op maat bestellen.
Alle niet stekplichtige onderdelen zoals scharnieren, sloten, randverwarming en verlichting voor alle typen koelingen en vriezers.
https://koelcel-onderdelen.com

Koeltechnische deurrubbers eenvoudig online op maat bestellen.
Eigen productie en snelle levering.
https://123-deurrubbers.com


User avatar
Expert Member

Posts

Joined
Sat Jun 25, 2011 4:09 am
Location - Alkmaar Holland

Post by IP_CAM » Wed Jun 04, 2014 8:33 am

In order to find out, I would download the entire Site-Content, as well as a copy of the DB, to my local Machine, then, I would FIRST check the DB, using my Notepad++, then, every file, not directly identified as beeing a part of OC source, for it's content, before proceeding with others. This would be a good Solution to 'locate' a potentially OPEN DOOR as well as the consequences of it. ( and telling others here, what it was...)

If the DB contains 'bad stuff', then, it is not nessessarely Your Site with the open door for the break-in, it could come as well from an attack against someone else or a general attack onto the Hosters Server-DB-Sections. But they would not tell you that anyway....!

If one has 'named/passworded' a Shop-DB with popular/simple Data, because one then was short on time, this could be the reason for time, one needs to invest later, to pay the price for doing so... ( just an advise for Newbie's)

keep us informed!

Ernie

For Sale: Turnkey URLs with Opencart installed
My latest Opencart LIGHT Testsite: http://www.bigmax.ch/
Attacker IP Blocks are denied from further access to my Sites!
Just contact me for more Information at: jti@jacob.ch
860+ FREE OC Extension-Repositories - from OC v.1.5.x up
on the largest Opencart-Mod Github Site: https://github.com/IP-CAM
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Dhaupin » Wed Jun 04, 2014 8:54 am

Well the thing about this is its public facing exploit, and if theyre talking about injected code it would imply its javascript and/or some platform running in a deep nested folder? Google cant see parse level nor DB level to catch a server side exploit per-say unless something makes itself known. First place to look? The CGI bin (hidden in plain view). Clear any caches. Look for weird folders in caches. Run ClamAV for the heck of it.

If you did things right, you didnt touch core files...upload a fresh store and over-write all the defaults. Check both configs, htaccess, and php.ini's even above store level. Then crawl the store files with the modified columns sorted so you can see freshest changed files which would be your defaults. Look at every added file that isnt your fresh date. If something looks fishy, note it for next step to see who made it.

Assuming youre using a linux server: you should make sure you or your host has APF and Cpanel Hulk enabled to prevent and autoban future brute force login attempts. SSH into server and check /var/log/messages for bans. In that log you should also be able to see who is logging in to ftp, whats being renamed/uploaded, IP they came from, etc. If you know times of the day you def werent working, wanna check a date modified you found above, or IP's that def werent yours (even if they used your account/pass) thats a start. Use this to track down file edits. There is also /var/log/secure which will expose your SSH log...look for same fishyness on those edit dates. If you wanna check mail/exim for zombiemailers, there are a few different places. Just google for linux mail logs. If its a prob, use WHM to turn off remote domain mail, (or possibly for "nobody" user) or add your domain to etc/remotedomains and this will lock em out from sending. Mind your "top" too for crazy amounts of httpd or resources beyond whats suppost to be currently online. Finally, check out the old school cpanel stats. It has alot of decent info about raw backlinks. If you see "shooters" or bad-webs junk pointing to your site, it implies something was/is running to intercept them or youre part of some kinda proxy forwarder.

Im not that firmilar with DB exploits nor OC schema, but you can also use PHPmyadmin to search for any strange/foreign/hax chars across the whole database. Use these views to look for strange tables, cols, or other databases too. Check your users to make sure there is 1 and only 1 who can use the DB. Change the DB user password to something cryptic using the PW creater in cpanel. Update store configs. Then with a start of chars, you can search /usr/local/apache/logs/access_log for possible link injection attempts for them, and the IP it came from.

Once you get yourself to a spot where you think you have a nice overview run it through avg, norton, mcafee, and google web scanners to see if there is anything you possibly missed. Thats a start to it!

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by ocaddons » Wed Jun 04, 2014 11:49 am

@Ljubo,

I feel that it is not a good idea to restore your website to an earlier state. Restoring your website without investigating or removing the malware could still leave your website in the vulnerable state. So the better approach is to find the vulnerability, restore your site and then fix the vulnerability.

The following tools could scan your web site to find the vulnerability:

-- http://sitecheck.sucuri.net/
-- http://www.websitedefender.com/

BEST PRACTICES TO PROTECT CORE FILES

-- Make sure that all your file permissions are set to 644.(Except the folds that should be writable for opencart)
-- Strong Shell, FTP, Database, OpenCart admin passwords.
-- Do not modify or replace core OpenCart files.

Security is the most important task for the store owner. It is necessary to backup files and database data frequently.

Image
Image

EMail: support@ocaddons.com


User avatar
New member

Posts

Joined
Fri Dec 27, 2013 10:21 am


Post by Ljubo » Sat Jun 14, 2014 10:23 pm

I thank you all for prompt reply and I am deeply sorry for not getting back with news earlier.

To cut the story short, the problem was with hacked shared server of the hosting company and not my opencart store.
Local resell company did not admit it, but all the facts before and after were suggesting that was what really happened.

Anyway, damage was only in inserted some new files and folders in the root folder of my account.
After deleting them all, changing some passwords and rechecking the functionality of the store, everything was just fine.

Thanks for support guys!

Active Member

Posts

Joined
Mon Jan 31, 2011 10:07 pm
Location - Serbia
Who is online

Users browsing this forum: Bing [Bot] and 73 guests