NEW HACKING into /download/ . . . This time there is a hacking console, German, not as fully and viciously featured as a certain Russian one but able to change directories and permissions, see all files, drop below public directory, download and upload files, and create files. Equipped with "shift" php to fiddle with double-extensions. This one with some support files along with it is an example of shifting filespecs to execute the php in a double-extension or even, as here, a multiple-extension (above, http://forum.opencart.com/viewtopic.php ... 60#p431729). THIS is the sort of thing we were waiting not to see, and now we are seeing it.
(A) SPECS . . .
46,663 Merch Aslum price list-1.xlsx.89fa80a366e6288f338cc13b34fa9103
(B) "OBNOXIOSITY" . . .
MALICIOUS, INJECTION, IMPOTENT, 5.3 KB:
MALICIOUS, INJECTION, 0.6 KB:
MALICIOUS, COMPILED/MINIFIED, 46.7 KB:
Merch Aslum price list-1.xlsx.89fa80a366e6288f338cc13b34fa9103
HIGHLY MALICIOUS, PROUD OF HIMSELF PLUS INJECTION AND EXTENSION-SHIFTING WITH SUPPORT FILES FOR THAT, HACKING CONSOLE ITSELF, 70.1 KB:
(C) The latter three are identical except in name, and as [anything].php execute. When such files are found, delete them; they are addressable in /download/ via http. If you use vqmod, install MarketInSG's utility (above, http://forum.opencart.com/viewtopic.php ... 20#p403255, his http://forum.opencart.com/download/file.php?id=16828), otherwise rename /download/. If one is a console, immediately check integrity of .htaccess (or rename .htaccess.txt to .htaccess -- with basedir / properly set), change database password, rename /download/ if not using the utility, change both config.php files to match those changes. LEARN your tree, you are the foremost scanner for whatever does not belong, and for wrong permissions (yet, again, directories 755, files 644 -- or better, IF you know what you are doing ON your own server, Linux distributions have their own idiosyncrasies). THIS VERSION of THIS CONSOLE file is 70 kb; variants of the vicious Russian one range 29 kb to 43 kb.
(D) This is not a fault in OC itself. ALL web software has some directories and files with basic names that are readily guessed and tested. It is not practical (not sane, either) to avoid using any word in any dictionary. You can rename /download/ and make the corresponding changes in both config.php files as soon as you install OC, just as you can rename and make those changes for /admin/. Be certain to activate .htaccess (rename .htaccess.txt -- with basedir / properly set), as well as to remove /install/, when installation or upgrade is done.
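The post tells the administrator to be the scanner of the /download/ tree: look for PHP hiding behind a document name or a shifted extension, and for permissions other than 755/644. The script below is an added example of that check, written for this thread and not code from OpenCart, vqmod or the poster. It assumes a Unix host where file modes are meaningful, that OpenCart appends a hex mask as the final extension of stored downloads (as in the listed file name), and it uses a constructed sample tree with an invented mask value; it judges each file by its leading bytes as well as by its name, so a "spreadsheet" that begins with a PHP open tag is flagged even when its name looks harmless.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a PHP-enabled Apache may execute when they appear anywhere in a
# multi-extension name (the "extension shifting" the post describes).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")
# Magic bytes for a few document types typically sold as downloads (assumed sample set).
MAGIC = {"xlsx": b"PK\x03\x04", "docx": b"PK\x03\x04", "zip": b"PK\x03\x04", "pdf": b"%PDF"}
DIR_MODE, FILE_MODE = 0o755, 0o644   # the permissions the post recommends
# Stand-in for OpenCart's hash suffix on stored downloads (constructed, not a real mask).
SAMPLE_MASK = "0123456789abcdef0123456789abcdef"


def declared_extensions(name: str) -> list[str]:
    """Every extension segment: 'a.xlsx.php.<mask>' -> ['xlsx', 'php', '<mask>']."""
    return name.lower().split(".")[1:]


def name_findings(name: str) -> list[str]:
    """A script extension anywhere in the chain, not only at the end, is suspect."""
    shifted = [e for e in declared_extensions(name) if e in SCRIPT_EXTENSIONS]
    return [f"script extension in name: .{'.'.join(shifted)}"] if shifted else []


def content_findings(path: Path) -> list[str]:
    """Judge by bytes, not by name: nothing in /download/ should be PHP, and a
    file claiming .xlsx or .pdf must start with that format's magic bytes."""
    head = path.read_bytes()[:512]
    findings = []
    if any(tag in head for tag in PHP_OPEN_TAGS):
        findings.append("PHP open tag in content")
    for ext in declared_extensions(path.name):
        expected = MAGIC.get(ext)
        if expected is not None and not head.startswith(expected):
            findings.append(f"claims .{ext} but magic bytes do not match")
            break
    return findings


def mode_findings(path: Path) -> list[str]:
    """Directories other than 755 and files other than 644 are reported."""
    mode = stat.S_IMODE(path.stat().st_mode)
    want = DIR_MODE if path.is_dir() else FILE_MODE
    return [f"mode {mode:o}, expected {want:o}"] if mode != want else []


def scan_download_dir(root) -> dict[str, list[str]]:
    """Walk the tree; return {path relative to root: [findings]} for whatever does not belong."""
    root = Path(root)
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for p in [d] + [d / fn for fn in filenames]:
            findings = mode_findings(p)
            if p.is_file():
                findings += name_findings(p.name) + content_findings(p)
            if findings:
                report[p.relative_to(root).as_posix()] = findings
    return report


def build_sample_tree(base: Path) -> None:
    """Constructed sample /download/ contents for the demo (not files from the thread)."""
    base.mkdir(parents=True, exist_ok=True)
    base.chmod(DIR_MODE)
    samples = {
        f"price list.xlsx.{SAMPLE_MASK}": b"PK\x03\x04" + b"\x00" * 64,   # genuine spreadsheet
        f"price list-1.xlsx.{SAMPLE_MASK}": b"<?php echo 'console'; ?>",  # PHP dressed as .xlsx
        f"invoice.pdf.php.{SAMPLE_MASK}": b"%PDF-1.4\n",                  # shifted extension
        "index.html": b"<html></html>",
    }
    for name, data in samples.items():
        p = base / name
        p.write_bytes(data)
        p.chmod(FILE_MODE)
    (base / "index.html").chmod(0o666)   # wrong permissions on purpose


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "download"
        build_sample_tree(base)
        return scan_download_dir(base)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings))
```

Point `scan_download_dir` at the real /download/ (or its renamed equivalent) instead of the sample tree; an empty report is the expected state, and anything listed is a candidate for deletion after the checks in (C) above. The content check is the one that matters most, since the name is entirely under the uploader's control.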