Please ensure that you have set a strong password for your FTP; also, folders should have permissions set to 755 and files 644.
Yesterday my site disappeared, and on checking with my host we discovered the hackers had left some code and other stuff and had been using my site to send spam emails, bringing the server down.
The host said: 'There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).' I also have the scripts in a tgz as evidence.
Now I have to start from scratch. I understand OC is secure, but how did these guys manage to hack through even after changing passwords? I am worried that I may start afresh with stronger passwords and somehow they may get through again.
So what advice do you guys have? And Daniel?
chiefk wrote: A few weeks ago I saw a sun.html document on my site and deleted it. It reappeared again and I discovered some Turkish/Iranians had hacked my site. I didn't see anything malicious but notified my host, who sorted it and advised me that: 'We have checked on the server and found that this file has been uploaded via FTP. We have removed the malicious file.
Please ensure that you have set a strong password for your FTP; also, folders should have permissions set to 755 and files 644.'
Yesterday my site disappeared, and on checking with my host we discovered the hackers had left some code and other stuff and had been using my site to send spam emails, bringing the server down.
The host said: 'There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).' I also have the scripts in a tgz as evidence.
Now I have to start from scratch. I understand OC is secure, but how did these guys manage to hack through even after changing passwords? I am worried that I may start afresh with stronger passwords and somehow they may get through again.
So what advice do you guys have? And Daniel?
Most of the time hackers get through via your host. I recommend checking your logs for when these files appeared on your server, then go through searching for the IP that put the files there. If the files just appeared without any funny URL stuff then they got in via your host.
OpenCart®
Project Owner & Developer.
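The log check Daniel describes above, as an added example that is not from this thread or from OpenCart: it correlates the host's FTP transfer log (wu-ftpd xferlog format, as written by pure-ftpd/proftpd) with the Apache access log, looks only for the filenames the host named, and reports which client IP uploaded a file over FTP and then requested it over HTTP. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Filenames the host named in this thread, plus the later c99madshell.php.
DROPPED = {"imagess.php", "pink.php", "pmp.php", "rod.php", "sun.html", "c99madshell.php"}

# Constructed sample logs (not real data): a wu-ftpd style xferlog and Apache
# combined-format access log lines.
XFERLOG = """\
Tue Jan 18 03:12:44 2011 1 203.0.113.45 2311 /home/wholelif/public_html/system/helper/dompdf/lib/fonts/pink.php b _ i r wholelif ftp 0 * c
Tue Jan 18 09:01:02 2011 1 198.51.100.7 5120 /home/wholelif/public_html/image/logo.png b _ o r wholelif ftp 0 * c
"""
ACCESS_LOG = """\
203.0.113.45 - - [18/Jan/2011:03:13:10 +0000] "GET /system/helper/dompdf/lib/fonts/pink.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2011:08:00:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.45 - - [18/Jan/2011:03:20:31 +0000] "POST /system/helper/dompdf/lib/fonts/pink.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# xferlog fields: time, seconds, remote host, bytes, filename, type, flag, direction (i/o) ...
XFER_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ (\S+) \d+ (\S+) \S \S ([io]) ")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def ftp_uploads(xferlog):
    """(timestamp, ip, path) for every inbound FTP transfer of a listed filename."""
    hits = []
    for line in xferlog.splitlines():
        m = XFER_RE.match(line)
        if m and m.group(4) == "i" and m.group(3).rsplit("/", 1)[-1] in DROPPED:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group(2), m.group(3)))
    return hits


def web_hits(access_log):
    """(timestamp, ip, method, path) for every HTTP request that reaches a listed filename."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4).split("?")[0].rsplit("/", 1)[-1] in DROPPED:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            hits.append((ts, m.group(1), m.group(3), m.group(4)))
    return hits


def suspect_ips(xferlog, access_log):
    """Group both views by client IP; an IP that uploaded a dropped file over FTP and then
    requested it over HTTP is the one to report to the host (upload time = start of window)."""
    by_ip = defaultdict(lambda: {"uploads": [], "requests": []})
    for ts, ip, path in ftp_uploads(xferlog):
        by_ip[ip]["uploads"].append((ts, path))
    for ts, ip, method, path in web_hits(access_log):
        by_ip[ip]["requests"].append((ts, method, path))
    return {ip: v for ip, v in by_ip.items() if v["uploads"] and v["requests"]}
```

If a dropped file shows up in the access log but in no FTP transfer, it arrived some other way (another account on the box, or a web upload path), which is the "got in via your host" case.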
There is now a picture of a Chinese lady on my website (http://www.easypyro.com) and the message
"Hacked By Ux0r { Turkish Hacker } Mavideniz e ve dostlara selamlar!"
Anyway I checked for the dompdf folder before (because I got the iframe attack a while ago) and I definitely deleted it.
I have since upgraded to OC version 1.4.7.
I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again.
I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.
Assuming my host gives me a list of files that were uploaded, and I delete them, will that bring my site back to normal? As far as I can see all the original files are still there.
Thanks.
I suggest you back up the database, delete everything on the site and do a clean install. Also use complex user names & passwords. I'll be changing mine every month!
Qphoria wrote: The dompdf hack only edited files to add some ad scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.

If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??
chiefk wrote:
Qphoria wrote: The dompdf hack only edited files to add some ad scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.
If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??

It could be that your shared server got hacked and thus access to your files/folders was taken.
Norman in 't Veldt
Moderator OpenCart Forums
whitecollar wrote: ... I have since upgraded to OC version 1.4.7.
I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again...

The dompdf library was included in the 1.4.7 release. However, the vulnerable file (dompdf.php) was not included in that release. The dompdf library was not included in 1.4.8 or later releases of OpenCart.

It is more likely that the hacker got through by FTP due to a weak username/password combination, or:

i2Paq wrote: It could be that your shared server got hacked and thus access to your files/folders was taken.
i2Paq wrote:
chiefk wrote:
Qphoria wrote: The dompdf hack only edited files to add some ad scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.
If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??
It could be that your shared server got hacked and thus access to your files/folders was taken.

No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
whitecollar wrote: ...
I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.

This is the second time in a couple of weeks I have heard of a JustHost site being hacked. Might be a coincidence, might not, though there are quite a few stories around concerning JustHost anyway.
http://www.justhostreviews.org/justhost ... once-again
Just FYI
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.

As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.
Make it as difficult as possible for hackers.
And, they may have gotten into your PC and read your passwords if you have them stored there.
They obviously uploaded the dompdf file then used it for their dirty work.
Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security.
peteVA wrote:
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.
Make it as difficult as possible for hackers.
And, they may have gotten into your PC and read your passwords if you have them stored there.
They obviously uploaded the dompdf file then used it for their dirty work.
Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security.

True. I've designed sites and used the same host and they are very good. Anyway, after the incident I've changed passwords and made them complex and I am now very vigilant.
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.

That is what I would say if I, as a hosting provider, discovered that my server was hacked and my customers had lost their websites......
My mate's site was hacked 2 days ago. Restored it and double checked everything. Keep getting files appearing in the public_html, the latest being c99madshell.php.
So, we're basically telling the host that if they don't find the cause (I suspect an insecure site on the same server) then he's moving hosts.
They don't seem too bothered about helping out. Just keep saying 'Make sure you have secure scripts on your site'....
i2Paq wrote:
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
That is what I would say if I, as a hosting provider, discovered that my server was hacked and my customers had lost their websites......

Funny that, the host has just closed the ticket with the response:
outstanding. So, everything they can recommend is already being done. Unfortunately, we do not have any other recommendations that we could do to help you with it. As long as you keep your scripts updated, make sure to maintain secure permissions (no 777 or 666), keep secure passwords (containing numbers, letters capital and lowercase, and special characters), and keep an eye on your server you should be less likely to have this problem.
Of course, the pessimistic side of me thinks they found an issue with another site on the server and shut it down and are now just bluffing.
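The permission rule the hosts keep repeating in this thread (directories 755, files 644) only catches part of what happened here: the dropped scripts in the fonts directory had perfectly ordinary modes. The audit below, an added example not taken from this thread or from OpenCart, walks a docroot and reports both mode deviations and scripts sitting in directories that should only hold static assets; the throwaway tree it builds mimics the path the host named and is constructed, not real.

```python
import os
import stat
import tempfile

# Directories under an OpenCart docroot that hold only static assets; a script in one of
# them is exactly the pattern in this thread (.../dompdf/lib/fonts/pink.php and friends).
STATIC_ONLY = {"fonts", "image", "images", "cache", "download"}
SCRIPT_EXT = (".php", ".phtml", ".pl", ".cgi", ".sh")


def audit_tree(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for anything that
    breaks the 755/644 rule or is a script living in a static-only directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode != 0o755:
            findings.append((rel_dir, f"dir mode {mode:o}, expected 755"))
        in_static = bool(STATIC_ONLY & set(rel_dir.split(os.sep)))
        for name in filenames:
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            mode = stat.S_IMODE(os.stat(os.path.join(dirpath, name)).st_mode)
            if mode != 0o644:
                findings.append((rel, f"file mode {mode:o}, expected 644"))
            if in_static and name.lower().endswith(SCRIPT_EXT):
                findings.append((rel, "script in static-only directory"))
    return sorted(findings)


def build_constructed_tree():
    """Create a throwaway docroot that mimics the thread's layout (constructed data)."""
    root = tempfile.mkdtemp(prefix="oc_audit_")
    fonts = os.path.join(root, "system", "helper", "dompdf", "lib", "fonts")
    os.makedirs(fonts)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    files = {
        os.path.join(root, "index.php"): 0o644,        # legitimate, correct mode
        os.path.join(root, "config.php"): 0o666,       # world-writable config
        os.path.join(fonts, "DejaVuSans.ttf"): 0o644,  # legitimate font file
        os.path.join(fonts, "pink.php"): 0o644,        # dropped script, mode looks fine
    }
    for path, mode in files.items():
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, reason in audit_tree(build_constructed_tree()):
        print(f"{reason:36s} {path}")
```

Run it against a known-clean copy first and diff the output over time; a file that "keeps reappearing" shows up as a new finding between runs even when its mode is correct.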