Post by theone » Mon Mar 13, 2017 7:05 pm

Hello,
Today I found my site has been hacked by DeadlyCrew.İNFO/Deadly-Warrior.
Just the front end has been hacked, I guess. So what should I do now: should I just restore my backup, or is there any way to find out where the weak point is?

My site: www.unlocksolution.com

Waiting for your advice.

Thank you

New member

Posts

Joined
Sat Oct 30, 2010 9:09 am

Post by theone » Mon Mar 13, 2017 7:20 pm

I'm hosting with a2hosting.com on their shared hosting. I already asked them about this hack and am waiting for their reply.

Post by theone » Mon Mar 13, 2017 8:59 pm

From a2hosting I got this reply:
"Hello,
Thank you for contacting A2 Hosting!

It was not due to the server. There are any number of ways a site can be hacked. A2 hosting cannot provide forensic details on every site that is hacked unfortunately. We can provide you with methods to clean the hack however."

Post by theone » Mon Mar 13, 2017 10:04 pm

I think it was done through the Google Analytics module. I found this code in the Google Analytics module:

Code: Select all

<html>
<head>
<link rel=”icon” type=”image/png” href=”http://img.webme.com/pic/i/iconvar/turk-b-2.png” />
<title>DeadlyCrew.İNFO/Deadly-Warrior</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<body bgcolor="black">
<center><img src="http://i.hizliresim.com/W09o88.png" width="700" height="400" alt="Hacked!" /></center>
<h2><center><font face="arial" size="5" color="white">Biz Ancak<font color="red"> rükuda eğiliriz</font></center></h2>
<br>
<center><font face="arial" size="3" color="white">DeadlyCrew dont forget 18 March!<br>We dont forget anyone!<br> We are Turk!
<br>We are celebrating 18th March Canakkale Victory
<br>Canakkale is impassable<font color="red"></font></center><br><center><font face="arial" size="3" color="white">DeadlyCrew.İNFO | <font face="arial" size="3" color="RED">  DELİLER TİM</FONT></center>
<embed src="https://www.youtube.com/v/eltPkGySVYQ&autoplay=1" type="application/x-shockwave-flash" height="0" width="0"></embed>
</body>
</html>

Post by ADD Creative » Fri Mar 17, 2017 10:56 pm

I would check your server logs for access to anything under /admin/. Look for IP addresses that aren't yours.

Also check your FTP logs.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by theone » Mon Mar 20, 2017 9:53 pm

Well, if I search "DeadlyCrew dont forget 18 March" on Google I can see many other websites powered by OpenCart were hacked, including mine. And I already confirmed with my hosting, which is a2hosting; they confirmed it was not due to shared hosting.

However, I have disabled the Google Analytics module for now, just to be on the safe side.

Post by ADD Creative » Tue Mar 21, 2017 11:23 pm

I can't see that disabling the Google Analytics extension will prevent further attacks. If they could modify its contents then they can re-enable it.

If you want to check for any weak points, look for access to admin/index.php?route=extension/analytics/google_analytics (or any other suspicious activity) in your server logs. Look at the IP address and then see what the first entry point from that IP address was.

www.add-creative.co.uk


Post by angela » Sun Mar 26, 2017 10:10 am

theone wrote (Mon Mar 13, 2017 10:04 pm):
"i think it was done through google analytic module . i found this code in google analytic module"

Which module are you using? The one that comes with OpenCart, or a 3rd party extension?

How did your host suggest to 'clean' it up? Detailed cleaning instructions can point you toward the method of entry.

New member

Posts

Joined
Fri Dec 02, 2016 2:14 am

Post by pretrator » Tue Feb 12, 2019 6:32 pm

Hi,
I am new to the OpenCart community.
Today I found my website hacked.
Well, there was the same Google Analytics edited.
I have a strong password on the admin panel also.
Any ideas, anyone?

Newbie

Posts

Joined
Sat Jul 07, 2018 12:24 pm

Post by ADD Creative » Thu Feb 14, 2019 11:33 pm

What version of OpenCart? Was the code that you entered into the Google Analytics module changed or the PHP files themselves? Have you clicked on any links that have taken you to your admin login?

Check your FTP logs. Check your web access logs for access to admin/index.php?route=extension/analytics/google_analytics or anything else that looks suspicious.

Change all your passwords.

www.add-creative.co.uk
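
The log check ADD Creative describes in the posts of Mar 21, 2017 and Feb 14, 2019 (find IP addresses that are not yours touching admin/, then look at the first request from each), as an added example that is not part of the original thread. It assumes Combined Log Format; the sample log lines, the IP addresses and the `triage` helper are constructed for illustration.

```python
import re
from datetime import datetime

# Assumes Apache/nginx Combined Log Format; adjust the pattern if your host logs differently.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ROUTE = "route=extension/analytics/google_analytics"  # route named in the thread

# Constructed sample log (documentation-range IPs), not taken from any real site.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2017:09:14:02 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [13/Mar/2017:03:10:11 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "curl/7.50"
203.0.113.45 - - [13/Mar/2017:03:10:40 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "curl/7.50"
203.0.113.45 - - [13/Mar/2017:03:12:05 +0000] "POST /admin/index.php?route=extension/analytics/google_analytics HTTP/1.1" 200 310 "-" "curl/7.50"
192.0.2.9 - - [13/Mar/2017:08:00:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield (timestamp, ip, method, path, status) for each line that matches."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["path"], int(m["status"])

def triage(lines, my_ips):
    """For each IP not in my_ips that requested admin/, report its first request."""
    by_ip = {}
    for rec in sorted(parse(lines)):          # chronological order
        by_ip.setdefault(rec[1], []).append(rec)
    report = {}
    for ip, recs in by_ip.items():
        if ip in my_ips:
            continue
        admin = [r for r in recs if r[3].lstrip("/").startswith("admin/")]
        if admin:
            report[ip] = {
                "first_seen": recs[0][0],
                "first_entry": recs[0][3],    # where this IP first arrived
                "admin_hits": len(admin),
                "analytics_post": any(ROUTE in r[3] and r[2] == "POST" for r in admin),
            }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines(), {"198.51.100.7"}).items():
        print(ip, info)
```

Pass your own admin IP addresses as `my_ips`; every address left in the report is one whose first request is worth reading in the raw log alongside the FTP log for the same time window.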


Post by procheck » Wed Mar 27, 2019 5:54 am

You might want to try and add this firewall. It's only $40 USD/year
https://nintechnet.com/ninjafirewall/pro-edition/ (get the Pro+ Edition).

You can identify and block problem IPs. While nothing is perfect, it at least gives you another level of security.

New member

Posts

Joined
Tue Jul 23, 2013 9:42 am

Post by victorj » Wed Mar 27, 2019 6:12 am

Every host has access to the root level of a shared server and therefore can deliver all access logs for any site on that server.
There are raw access logs, FTP access logs, MySQL logs; in fact almost anything is logged.
So when a host tells you he can't give you any logs, most of the time it just means their server is compromised and more sites are hacked.
They just won't admit it and like to keep it quiet, leaving you in the dark.
When infected, it's simple to check if you are on shared hosting.
You know your site's IP address; if not, check your domain name's DNS.
Use this site to find out which sites are on shared hosting:
https://www.yougetsignal.com/tools/web- ... eb-server/
Check all those sites.
If you find more compromised sites, you know it happened at server level.

Order made-to-measure refrigeration door gaskets easily online.
All parts not subject to STEK certification, such as hinges, locks, frame heaters and lighting, for all types of coolers and freezers.
https://koelcel-onderdelen.com

Order made-to-measure refrigeration door gaskets easily online.
In-house production and fast delivery.
https://123-deurrubbers.com


Expert Member

Posts

Joined
Sat Jun 25, 2011 4:09 am
Location - Alkmaar Holland

Post by Specimen » Tue May 21, 2019 5:51 am

This can be rather tricky. I hope that here you'll find some tips.

Newbie

Posts

Joined
Mon May 20, 2019 4:58 pm

Post by EvolveWebHosting » Fri Jun 14, 2019 1:35 am

Here's a free solution for anyone no matter who your hosting provider is. Try it for 30 days and if you don't like it, you don't have to pay for a monthly / annual license thereafter. Comodo will scan and remove any malware and you are protected by a Firewall and connected to a CDN for faster content delivery. If you've got any questions about it, use our live chat. If you don't want to pay for the service after 30 days, Comodo will still scan for malware and clean it up 2x / month for no charge.

Simple, 'hands off' website security

https://www.evolvewebhost.com/account/c ... add&pid=47

https://www.evolvewebhost.com
$10.49 .com Registration and $9.99 .com Transfers in now
Guaranteed top level opencart performance and support. Risk free 30 day money back guarantee & free transfers.


Active Member

Posts

Joined
Fri Mar 27, 2015 11:13 pm
Location - Denver, Colorado, USA