Hackers sending email with database screenshots

We've been tracing this pattern over the last couple of weeks where hackers send across an email to store owners with screenshots of their database. And then they offer to disclose the vulnerability (with a detailed report) in exchange of money ofcourse.

After dealing with a few such cases, we realized there seemed to be a pattern/common traits among the compromised stores. The two common patterns found

• Pro order module installed

• Journal theme

Technical details:

The hackers are exploiting the older versions of the PreOrder extension that had no validation implemented for the public function GetPreorderedProduct($product_id). This caused SQLi issues for the sites.

More details right here: https://www.getastra.com/blog/911/plugi ... ase-hacked (included the email hackers send)



On further inspection, turns out an older version of the Pre order module was the culprit. Version we've seen surface a couple of times was 2.9.3. We tried to check if the vulnerability exists in the latest version, thankfully it doesn't

Fix:

• Update the PreOrder module by iSenselabs to the latest version. It's always good to use the latest versions regardless

• Update Journal to the latest version.

• For Astra Security users, SQLi is prevented by default. Always good to use a firewall

Cheers and stay safe!

- Shikhil

Great catch of this! You guys do a great job of protecting websites.

Update Journal to the latest version.

Or better, use a proper web theme instead of the Journal extension, the latter doesn't comply to OpenCart standards and will therefore be of a higher security risk, with unnecessary core engine file modifications.

Well, while ASTRA may make a good job, we should all not forget that not only the extension from Isenselab can be the "evil".

Due some work for new clients (came to me because they had this problem too), I discovered that they had the script adminer installed.
adminer is a database tool - similiar to phpMyAdmin.
See: https://www.adminer.org/en/

And these clients did not install that tool - some stupid and lazy developers before have used it.
And did not remove it.
The more: the version they have used, had massive security holes - can be read here: https://github.com/vrana/adminer/blob/m ... hanges.txt

While this tool may help some developers to have a temporary access to the database - what for - it must be deleted afterwards.
So to all those users who are in the need of a developer:
1. argue that you want to have a full changelog what was done, was was repaired, what was used
2. developer must delete/ uninstall all used external tools
3. never give access (does no matter through which tool) to your database - these datas are yours, and nobody has to view them (see als the GDPR in such cases)
4. if the developer need access to the database, he must argue why. And the shopowner hast to verify that the data is NOT misused

If a shop is compromised because such scripts like adminer are still left on the server, these webshop owners are entitled for indemnification.

JNeuhoff wrote: ↑

Mon Sep 21, 2020 6:16 pm

Update Journal to the latest version.

Or better, use a proper web theme instead of the Journal extension, the latter doesn't comply to OpenCart standards and will therefore be of a higher security risk, with unnecessary core engine file modifications.

I personally agree but good luck stopping those that already have it and continue to use it. Since it's still being used, it's good that they caught this. Journal aside, Astra does great for all websites they protect.