Post by daveydave » Wed Feb 06, 2019 9:37 pm

Hi everyone,
I have an opencart site (3.0.2.0) that was hacked via the authorize.aim hack a few months ago. I fixed it, but think something may have been left behind. I found this script that only appears at the checkout:

https://batbing.com/js/bat.min.js

Kapersky labels it as a hostile script.

I've searched all through the website files and the modifications for any reference to that javascript and have found nothing. I even did a file comparison between the original opencart 3.0.2.0 download and the modified site, and could not find anything that could be causing this.

Any idea where I should look to find where this script has been inserted? Its definitely not in the twig files and does not appear to be in the /catalog or /system folders.

Any help would be appreciated, as I'm sitting here scratching my head.

New member

Posts

Joined
Fri Aug 28, 2015 10:26 pm

Post by daveydave » Wed Feb 06, 2019 9:48 pm

Also, as this is relevant, the script does not appear in the website source code, but only when I use the element inspector in either Firefox or Chrome.

Would this suggest that it is being pulled in by another script?

New member

Posts

Joined
Fri Aug 28, 2015 10:26 pm

Post by daveydave » Wed Feb 06, 2019 10:43 pm

Fixed it.

They'd re-written my Google Analytics code to still work with Google but also to pull this script.

New member

Posts

Joined
Fri Aug 28, 2015 10:26 pm

Post by ADD Creative » Thu Feb 07, 2019 5:54 am

I they were able to rewrite your Google Analytics code in the database. They either have access to your database (or cPanel) or to your OpenCart admin. Don't forget to change all your passwords, if you haven't already.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by paulfeakins » Thu Feb 07, 2019 7:30 pm

We recommend these guys in cases of hacking:
https://www.getastra.com/

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


User avatar
Guru Member
Online

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom

Post by haderz98 » Tue Aug 13, 2019 3:37 am

daveydave wrote:
Wed Feb 06, 2019 10:43 pm
Fixed it.

They'd re-written my Google Analytics code to still work with Google but also to pull this script.
Hi, I think I have the same issue as you. Various scans have reported a malicious link to a javascript file hosted on a different website in the header of my site. Would you be able to provide more information on how you fixed this issue?
Thanks,
Joe

Newbie

Posts

Joined
Sun Aug 11, 2019 1:07 am

Post by letxobnav » Tue Aug 13, 2019 9:07 am

I they were able to rewrite your Google Analytics code in the database
why is that in your database?

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by ADD Creative » Wed Aug 14, 2019 2:33 am

haderz98 wrote:
Tue Aug 13, 2019 3:37 am
daveydave wrote:
Wed Feb 06, 2019 10:43 pm
Fixed it.

They'd re-written my Google Analytics code to still work with Google but also to pull this script.
Hi, I think I have the same issue as you. Various scans have reported a malicious link to a javascript file hosted on a different website in the header of my site. Would you be able to provide more information on how you fixed this issue?
Thanks,
Joe
You need to remove the code and fix your Google Analytics code in the analytics module. I would also recommend you check if your theme has and updates that may have security patches. Also change all your passwords, such as all OpenCart admin logins, all hosting control panel logins, all FTP account, etc.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
Who is online

Users browsing this forum: Bing [Bot] and 231 guests