Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Too funny!
So what does it do?!? Come on, this is just starting to get fun! Awe, I don't want to stare at Wireshark, but..
IP_CAM wrote: ↑Mon May 13, 2019 8:25 am
Hello,
Detection is correct:
HEUR:Trojan.Linux.Agent.go
Best regards,
Alexander Al. Kolesnikov, Malware Analyst, Kaspersky Lab
---
https://www.google.com/search?q=HEUR%3A ... 8&oe=utf-8
---
Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
your Site might possibly be shut down by your Hoster soon,
because of that, like this one:
http://www.benadislifeline.com/admin/
Better, scrap your Code, and clean out your Server, in full, and then,
start again from Scratch. And check every single file first, by
comparing its content with a clean virgin Edition. By use of
my aged Win-Commander, such can be done in a minute ...
Good Luck!
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
The used trojan is living somewhere on your server now and only a reinstall can remove it (you can try to use antivirus to remove it but you will never be sure it is gone!). After reinstall make sure you install a decent antivirus like Sentinel/Warden/ClamAV or some other premium antivirus.
Your security on the server must be very bad if you didn't have antivirus running (which should have stopped this virus from running).
Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
Because this could have been blocked at the front door if the extension installer stopped the install as soon as it saw these in the code.
Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
probably also depending on the OC Version+Mods used!
Sample Lines:
(base64_decode($product[1])
$encryption_key = base64_decode($value);
$tag = base64_encode($iv);
return base64_encode($encrypted . '::' . $iv);
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
My 2 cents would be that things like base64_decode or gzinflate or curl should be locked out by default for extensions. Someone should have to change a config file on the backend to enable some PHP functions for extensions to use; the majority of them don't need these types of tools. Although I don't like that the spreadsheet upload extension uses curl to phone home, I have also started another extension (posted in these forums) that uses curl to do real time order posting. I think there should be a config file that blocks / allows some of these PHP functions to help with security. That's pretty simple to employ.
On my new server with OC, I already see it getting slammed with brute force at /admin trying to get in again. So, I'll throw away this new server too. I'll kick up another one, install apache and config htpasswd at the base directory before I install OC. Then I'll change the /admin directory to another location, and put htpasswd on the admin directory before taking htpasswd off the base directory. That should avoid most of the static right at the gate. I'm all ears if there are other OC modifications anyone suggests.
Jim
https://www.carguygarage.com
Yahoo Store since 2006 moved to OpenCart on January 24, 2020
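The "stop the install at the front door" idea from the two posts above (flagging extension code that calls base64_decode, gzinflate, curl and friends against an admin-editable deny-list) can be sketched as a pre-install scanner. The code below is an added example, not OpenCart's installer and not code from anyone in this thread. It assumes an in-script constant stands in for the proposed config file, and the sample source it scans is constructed to resemble the "Sample Lines" quoted earlier.

```php
<?php
// Added example (not OpenCart code): scan an extension's PHP source against a
// configurable deny-list of functions before the extension is installed.
declare(strict_types=1);

// Assumed config-file contents: functions an extension may not call unless the
// site admin explicitly allows them. A real installer would load this from disk.
const DENIED_FUNCTIONS = [
    'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13',
    'eval', 'assert', 'create_function', 'system', 'exec', 'shell_exec', 'passthru',
    'curl_init', 'curl_exec', 'file_get_contents', 'fsockopen',
];

/**
 * Tokenize one PHP source string and return every call to a denied function as
 * ['line' => int, 'function' => string]. token_get_all (rather than a regex) means
 * comments, string literals and method calls such as $obj->exec() are not reported.
 */
function scanSource(string $source, array $denied = DENIED_FUNCTIONS): array
{
    $deniedSet = array_flip(array_map('strtolower', $denied));
    $tokens    = token_get_all($source);
    $count     = count($tokens);
    $findings  = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;                      // single-character tokens: ( ) ; etc.
        }
        [$id, $text, $line] = $tok;

        if ($id === T_EVAL) {              // eval is a language construct, not a T_STRING
            $findings[] = ['line' => $line, 'function' => 'eval'];
            continue;
        }
        // PHP 8 tokenizes a leading-backslash call (\base64_decode) as T_NAME_FULLY_QUALIFIED
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !isset($deniedSet[$name])) {
            continue;
        }
        // Only a call if the next non-whitespace token is "("
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }
        // Skip method/static calls and declarations: $x->exec(), Foo::exec(), function exec()
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        if ($k >= 0 && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true)) {
            continue;
        }
        $findings[] = ['line' => $line, 'function' => $name];
    }
    return $findings;
}

/** Scan every .php file under $dir (e.g. an unpacked upload); returns path => findings. */
function scanExtensionDir(string $dir, array $denied = DENIED_FUNCTIONS): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = scanSource((string) file_get_contents($file->getPathname()), $denied);
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample in the spirit of the "Sample Lines" quoted in this thread.
$sample = <<<'PHP'
<?php
$data = base64_decode($product[1]);
$encryption_key = base64_decode($value);
$tag = base64_encode($iv);                 // encode only: not on the deny-list
$obj->base64_decode($x);                   // method call: ignored
// eval("inside a comment");               // comment: ignored
eval(gzinflate(base64_decode($payload)));  // nested loader pattern: three hits
PHP;

foreach (scanSource($sample) as $hit) {
    printf("line %d: %s()\n", $hit['line'], $hit['function']);
}
```

An installer would call scanExtensionDir() on the unpacked upload and refuse to proceed (or require an admin override) when the report is non-empty. Legitimate extensions that genuinely need curl, like the order-posting one mentioned above, would then be enabled by editing the deny-list rather than by trusting every upload by default. A token scan of this kind catches the plain calls shown in the thread but not code that builds function names at runtime, so it is a front-door check, not a substitute for reviewing the extension.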