Demo site hacked

Post Reply

4 posts Page 1 of 1

spikeachu

Active Member

Posts

175

Joined

Fri Mar 12, 2010 6:31 am

Post by spikeachu » Sun Nov 17, 2013 4:37 pm

Hi,

I've had my demo site hacked and forwarded to another site. I've sorted it out, it was a case of removing an iframe from index.php.

I'm curious as to how it happened. Files were placed in the download folder, despite this function being disabled to the demo user.

There are other OC sites on this server, so I don't think it's the server that was compromised, just getting access to the admin area makes the demo install compromisable.

I've posted server logs below;

Code: Select all

115.135.122.150 - - [04/Jan/2013:13:18:08 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:09 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:10 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:18:14 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:15 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:16 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:19 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:18:20 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
180.76.5.163 - - [04/Jan/2013:13:35:35 +0000] "GET /index.php?route=product/category&path=33&sort=p.model&order=ASC HTTP/1.1" 200 28781 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:52 +0000] "GET /index.php?route=information/information&information_id=3//index.php?route=product/product/upload HTTP/1.1" 200 13143 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:54 +0000] "GET /index.php?route=information//index.php?route=product/product/upload HTTP/1.1" 404 13161 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:55 +0000] "POST /index.php?route=product/product/upload HTTP/1.1" 200 148 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:36:58 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+) HTTP/1.1" 404 325 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 333 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:36:59 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 341 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:00 +0000] "GET /download/readme.jpg.(.+)(.+)(.+)(.+).+)(.+)(.+)(.+)(.+)(.+) HTTP/1.1" 404 348 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:03 +0000] "GET //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Gigabot/3.0 (http://www.gigablast.com/spider.html)"
115.135.122.150 - - [04/Jan/2013:13:37:04 +0000] "POST //index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "libwww-perl/5.834"
115.135.122.150 - - [04/Jan/2013:13:38:18 +0000] "GET /index.php?route=product/product/upload HTTP/1.1" 200 28 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:19 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:20 +0000] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
115.135.122.150 - - [04/Jan/2013:13:38:29 +0000] "GET /download/readme.jpg.82d88ed2038c94b2c47c9a1a671c2822 HTTP/1.1" 404 341 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"

Wedding Invitations and Stationery by Love2print

Commercial Mods
Product Colours on Category Page
Cardsave Direct Gateway
Clear Cache
Promotional Watermarks on Images
Multiple Category / Product Templates ** Popular **
Log Failed Login Attempts
Display Eligible Coupons with Products
Twitter Feeds

Have I helped you out or saved you some time? Please donate

spikeachu

Active Member

Posts

175

Joined

Fri Mar 12, 2010 6:31 am

Re: Demo site hacked

Johnathan

Administrator

Posts

8942

Joined

Fri Dec 18, 2009 3:08 am

Post by Johnathan » Sun Nov 17, 2013 11:18 pm

1. Demo admin users can upload files via the "Downloads" area, or using the file manager. Make sure both things are disabled for a demo store.

2. Make sure your "download" folder's permissions are set to 644

3. Add this to your .htaccess file:

Code: Select all

RewriteRule ^download/(.*) /index.php?route=error/not_found [L]

Johnathan

Administrator

Posts

8942

Joined

Fri Dec 18, 2009 3:08 am

Re: Demo site hacked

MarketInSG

Guru Member

Posts

6443

Joined

Wed Nov 16, 2011 11:53 am

Location

Singapore

Post by MarketInSG » Mon Nov 18, 2013 12:40 am

if you look at the logs clearly, the person uploaded through the front end upload function....as usual. Then, I believe he manage to get your encryption key from the admin area. From there, he easily find the name of his uploaded file and there you go...he gotten himself to run any script he uploaded.

Main Website | OpenCart Extensions | Contact Us | Web Hosting | SMS API
Logic Invoice - Open Source Accounting & Invoicing Solution

See our current extensions on OpenCart

MarketInSG

Guru Member

Posts

6443

Joined

Wed Nov 16, 2011 11:53 am

Location - Singapore

Re: Demo site hacked

spikeachu

Active Member

Posts

175

Joined

Fri Mar 12, 2010 6:31 am

Post by spikeachu » Mon Nov 18, 2013 4:11 am

Thanks guys. I'd completely forgotten about the front end upload option. I'm blaming a baby and too many nights of broken sleep ... haha

Still amazes me the lengths that people will go to to steal a $15 mod.