Hi, my OpenCart 3.0.2 was hacked about 3 times in the last few weeks. Specifically, a binary file of size about 3MB was uploaded to the OpenCart installation under the /admin folder. The binary filename is 3.03_config and it performs DDoS attacks on remote servers, specifically WordPress sites. The server is a CentOS 6.10 with Plesk.
The process shows from the console when running `top` but does not show with `ps aux` for some reason. In addition, if I kill the process, it starts again immediately. To permanently stop the process I have to delete it first and then kill it. I can't figure out whether it is executed remotely with an HTTP request or not.
After the first attack a few weeks ago, I went ahead and renamed the admin folder and also added htpasswd protection to the folder. In addition, I have changed the FTP password. Today, the very same file was placed in the /catalog/view/ folder, which I again deleted and killed.
Have any of you had the same or a similar experience? Any advice is really appreciated.
Compare your OpenCart install to a clean download, in case any files have been modified. Go through your server logs (web access, FTP access, etc.) for any clue as to how the upload was done.
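The file comparison suggested in the reply above can be scripted. This is an added example, not part of the thread: the function names and the demo directory layout are hypothetical, and treating the dropped binary as a Linux ELF executable is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # assumption: the dropped binary is a Linux ELF executable

def hash_tree(root):
    """Map each regular file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare_install(clean_root, live_root):
    """Report live files that differ from, or are absent in, the clean download."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    added = sorted(p for p in live if p not in clean)
    # Added files starting with the ELF magic are executables, not shop code.
    added_elf = []
    for rel in added:
        with open(Path(live_root) / rel, "rb") as fh:
            if fh.read(4) == ELF_MAGIC:
                added_elf.append(rel)
    return {"modified": modified, "added": added, "added_elf": added_elf}

def demo():
    """Build two small constructed trees (not real OpenCart files) and compare."""
    files = {
        "clean/index.php": b"<?php // stock\n",
        "clean/admin/index.php": b"<?php // stock admin\n",
        "live/index.php": b"<?php // stock\n",
        "live/admin/index.php": b"<?php // stock admin\n// changed\n",
        "live/catalog/view/3.03_config": ELF_MAGIC + b"\x00" * 12,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return compare_install(Path(tmp) / "clean", Path(tmp) / "live")

if __name__ == "__main__":
    print(demo())
```

On a real install, expect legitimately added files (config.php, uploaded images, cache, extensions) in the `added` list; the `modified` and `added_elf` lists are the ones to review first.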
Although it's old and not supported any more, I still use Crawlprotect on my OC sites. It's a must-have for me.
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk