Post by IP_CAM » Mon May 13, 2019 8:25 am

Hello,
Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by head_dunce » Mon May 13, 2019 8:50 am

IP_CAM wrote:
Mon May 13, 2019 5:15 am
most of today's Badcode no longer hurts a well-done XP ;)
Too funny!

IP_CAM wrote:
Mon May 13, 2019 8:25 am
Hello,
Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---
So what does it do?!? Come on, this is just starting to get fun! Aw, I don't want to stare at Wireshark, but..

Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020



Post by IP_CAM » Mon May 13, 2019 9:49 am

What does it do ? It links your Server to something else, and
your Site might possibly be shut down by your Hoster soon,
because of that, like this one:
http://www.benadislifeline.com/admin/
Better, scrap your Code, and clean out your Server, in full, and then,
start again from Scratch. And check every single file first, by
comparing its content with a clean virgin Edition. By use of
my aged Win-Commander, such can be done in a minute ... :D
Good Luck!
Ernie

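Ernie's advice above, comparing every file against a clean copy of the same OpenCart release, as an added example that is not code from the thread or from OpenCart: hash both trees and report what was modified, added or is missing. The sample trees it builds are constructed, and the IGNORE set of per-install files is an assumption.

```python
"""Diff a live OpenCart tree against a clean copy of the same release.
Added example, not from the thread: hash every file in both trees and list what
was modified, added or is missing; per-install files (config.php) are set aside
so they don't mask real findings. Sample trees below are constructed."""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path

IGNORE = {"config.php", "admin/config.php"}  # legitimately differ per install

def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 of every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests

def compare_trees(clean: Path, live: Path) -> dict[str, list[str]]:
    """Classify every path seen in either tree; 'added' is where dropped files hide."""
    ref, cur = hash_tree(clean), hash_tree(live)
    report = {"modified": [], "added": [], "missing": [], "ignored": []}
    for rel in sorted(set(ref) | set(cur)):
        if rel in IGNORE:
            report["ignored"].append(rel)
        elif rel not in ref:
            report["added"].append(rel)
        elif rel not in cur:
            report["missing"].append(rel)
        elif ref[rel] != cur[rel]:
            report["modified"].append(rel)
    return report

def build_demo_trees() -> tuple[Path, Path]:
    """Constructed sample: clean release vs. a live copy with one edited file,
    one file never in the release and one release file that went missing."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "system").mkdir(parents=True)
        (root / "config.php").write_text("<?php // per-install settings\n")
        (root / "index.php").write_text("<?php require 'system/startup.php';\n")
    (clean / "system/startup.php").write_text("<?php // framework bootstrap\n")
    (live / "config.php").write_text("<?php define('DB_HOSTNAME', 'db');\n")
    (live / "index.php").write_text("<?php require 'system/startup.php'; // edited\n")
    (live / "system/.cache.php").write_text("<?php // not in the release\n")
    return clean, live
```

Anything under "added" or "modified" that you did not change yourself is what to inspect first; the clean reference must be the exact same OC version and the same extensions you installed on purpose.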


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by wrick0 » Mon May 13, 2019 5:56 pm

You need to do a complete reinstall of your server, you have been infected by a trojan. The attacker might have used a rootkit to infect your server and if you just reinstall OpenCart it won't solve anything, from what I've seen in the logs the OpenCart was just used to infect your server, it doesn't contain malicious code like miners/cc stealers. Lesson learned, next time don't use a simple password.

The used trojan is living somewhere on your server now and only a reinstall can remove it (you can try to use antivirus to remove it but you will never be sure it is gone!) After reinstall make sure you install a decent antivirus like Sentinel/Warden/ClamAV or some other premium antivirus.

Your security on the server must be very bad if you didn't have antivirus running (which should have stopped this virus from running)


Post by head_dunce » Mon May 13, 2019 6:32 pm

I already kicked up a whole new server on a different IP and installed OC on it many days ago. No worries there. And I had disabled SELinux on that server, didn't want to mess around configuring it since I am still unsure if I will move to OC anyway. It was all just a test server for me. I see now this OC extension thing is a huge hole.


Post by head_dunce » Mon May 13, 2019 8:04 pm

Is there any good reason for an extension to ever use base64_decode or gzinflate?
Because this could have been blocked at the front door if the extension installer stopped the install as soon as it saw these in the code.


Post by IP_CAM » Tue May 14, 2019 9:24 am

Well, base64_decode does exist, in a few Files at least,
probably also depending on the OC Version+Mods used! :D
Sample lines:


(base64_decode($product[1])
$encryption_key = base64_decode($value);
$tag = base64_encode($iv);
return base64_encode($encrypted . '::' . $iv);


Post by head_dunce » Tue May 14, 2019 10:37 am

Ok, doesn't seem like the normal case though.

My 2 cents would be that things like base64_decode or gzinflate or curl should be locked out by default for extensions. Someone should have to change a config file on the backend to enable some PHP functions for extensions to use, the majority of them don't need these types of tools. Although I don't like that the spreadsheet upload extension uses curl to phone home, I have also started another extension (posted in these forums) that uses curl to do real time order posting. I think there should be a config file that blocks / allows some of these PHP functions to help with security. That's pretty simple to employ.

On my new server with OC, I already see it getting slammed with brute force at /admin trying to get in again. So, I'll throw away this new server too. I'll kick up another one, install apache and config htpasswd at the base directory before I install OC. Then I'll change the /admin directory to another location, and put htpasswd on the admin directory before taking htpasswd off the base directory. That should avoid most of the static right at the gate. I'm all ears if there are other OC modifications anyone suggests.

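Jim's two proposals above (stopping an extension at install time when it uses base64_decode or gzinflate, and a config file that blocks or allows PHP functions for extensions), as one added example that is not OpenCart's installer code: a pre-install scan over an ocmod archive driven by a hypothetical DENIED policy. The sample archive is constructed; since Ernie's post shows base64_decode in legitimate OC files, the policy reports it for review rather than refusing the install outright.

```python
"""Flag denied PHP functions in an OpenCart extension archive before install.
Added example, not OpenCart's installer: an ocmod .zip holds an upload/ tree and
optionally install.xml whose <add> blocks embed PHP, so both are scanned. DENIED
stands in for the block/allow config proposed above; base64_decode has real uses
in OC, so it is reported for review and only 'block' functions refuse install."""
from __future__ import annotations
import io
import re
import zipfile

# Hypothetical policy: True = refuse the install, False = report for review.
DENIED = {"eval": True, "gzinflate": True, "base64_decode": False, "curl_exec": False}
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, DENIED)) + r")\s*\(")
SCANNED = (".php", ".xml", ".tpl", ".twig")

def scan_extension(zip_bytes: bytes) -> list[tuple[str, int, str]]:
    """Return (member, line number, function) for every hit in scanned members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(SCANNED):
                continue
            text = zf.read(member).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for m in PATTERN.finditer(line):
                    hits.append((member, lineno, m.group(1)))
    return hits

def install_allowed(hits: list[tuple[str, int, str]]) -> bool:
    """Refuse only when some hit is on a function the policy marks as blocking."""
    return not any(DENIED[func] for _, _, func in hits)

def build_sample_zip() -> bytes:
    """Constructed sample: one clean controller, one obfuscated model file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("upload/admin/controller/extension/module/demo.php",
                    "<?php\nclass ControllerExtensionModuleDemo extends Controller {}\n")
        zf.writestr("upload/catalog/model/extension/demo.php",
                    "<?php\n$c = base64_decode($cfg);\neval(gzinflate($c));\n")
        zf.writestr("install.xml", "<modification><name>demo</name></modification>\n")
    return buf.getvalue()

if __name__ == "__main__":
    found = scan_extension(build_sample_zip())
    for member, lineno, func in found:
        print(f"{member}:{lineno}: {func}()")
    print("install allowed:", install_allowed(found))
```

A name-based scan like this catches the plain pattern but not a call hidden behind string concatenation or a variable function name, so treat it as a gate that raises a flag, not as proof an extension is clean.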


Active Member

Posts

Joined
Thu Apr 04, 2019 11:50 pm
Who is online

Users browsing this forum: No registered users and 211 guests