Remaining alert to exact names and extensions will be important for all of us to look for. The "cacne.language" (MarketInSG) calls to mind customary attacks in Windows using "explore" and even "explorer" for commonly expected "explorer" plus an extension that is .exe, .dll, etc., in the wrong directory setting.
For what it's worth, the code (over there) may be relatively impotent, cached or not (http://forum.opencart.com/viewtopic.php ... 62#p411723
I am satisfied that OC itself and properly set up Apache (not necessarily IIS), php, mysql, supportive Linux (even Windows), etc., are secure in their own right (per rph's short list). There are still ways in, and ways to find those, even if we change default encryption keys and default dir names (even without converting admin/ or download/ to gibberish).
A long known avenue in is whereami.cgi, which allows throughput commands, and which if found should be expunged on the spot (some blogs still use it, for example). With an installed hacker console (a sight to behold), manipulating filespecs to lop .trailers in order to launch an executable extension is easy, along with playing havoc with dir and file permissions by resetting them to favor the malicious access; all via http, and all within literally two seconds per connection. Those are both part of a now aborted globally operated instance I'll shortly summarize in a post. It's one of two noted at (3) and (4) at http://forum.opencart.com/viewtopic.php ... 95#p408895