Post by pixelhaus » Thu Jun 27, 2024 5:24 pm

I've had 3 OpenCart 3 sites hacked this week with the same exploit (identified by our malware detector as php.hex.hex.hex.hex.hex.hex.and exploit). It manifested as code appended to the end of the config file. Using server rules I've blocked all traffic from high-risk countries, but what I'm concerned about is that, although the file had been modified, the last modified date had not altered. Does anyone have any guidance on blocking this type of incursion?

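An unchanged modification time on a file whose bytes changed is exactly what you see when the writer resets mtime afterwards (touch -r, utime()). The script below is an added example, not code from this thread or from OpenCart: it baselines the two OpenCart config files by SHA-256 and by inode change time (ctime), then re-checks them. It assumes a Linux/macOS filesystem, where ctime is set by the kernel on every write or metadata change and cannot be rewritten from user space, so "content changed, mtime unchanged, ctime advanced" is the fingerprint of a timestomped edit. The directory layout and file contents in demo() are constructed for the demonstration.

```python
"""Integrity check for OpenCart config files that does not trust mtime.

Added example, not from the forum thread or the OpenCart project. Assumes a
Linux/macOS filesystem: os.utime() (or `touch -r`) can rewrite mtime, but the
inode change time (ctime) is updated by the kernel on every write or metadata
change and cannot be set from user space.  File names and contents are
constructed for the demo.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# OpenCart's two configuration files, relative to the web root.
WATCHED = ("config.php", "admin/config.php")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, mtime and ctime of each watched file on a known-clean tree."""
    baseline = {}
    for rel in WATCHED:
        p = root / rel
        if p.is_file():
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_of(p),
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return baseline


def check_tree(root: Path, baseline: dict) -> list:
    """Compare the tree against the baseline; return (file, finding) pairs."""
    findings = []
    for rel, rec in baseline.items():
        p = root / rel
        if not p.is_file():
            findings.append((rel, "missing"))
            continue
        st = p.stat()
        if sha256_of(p) != rec["sha256"]:
            findings.append((rel, "content changed"))
            if st.st_mtime_ns == rec["mtime_ns"]:
                # exactly the symptom in the thread: new bytes, old timestamp
                findings.append((rel, "mtime unchanged despite new content"))
        if st.st_ctime_ns > rec["ctime_ns"]:
            # only the kernel writes ctime; it moves even if mtime was put back
            findings.append((rel, "ctime advanced (file was rewritten or re-stamped)"))
    return findings


def demo() -> list:
    """Reproduce the incident in a temp dir: append code, reset mtime, check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "admin").mkdir()
        old = time.time() - 30 * 86400          # pretend the files are a month old
        for rel in WATCHED:
            (root / rel).write_text("<?php\ndefine('DB_HOSTNAME', 'localhost');\n")
            os.utime(root / rel, (old, old))
        baseline = build_baseline(root)

        time.sleep(1.1)  # cross coarse timestamp granularity on some filesystems
        target = root / "config.php"
        with target.open("a") as f:             # attacker appends a payload ...
            f.write("\n/* constructed placeholder for an appended payload */\n")
        os.utime(target, (old, old))            # ... and puts the old mtime back
        return check_tree(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Store the baseline somewhere the web user cannot write (or off-box) and run the check from cron; a hash mismatch is the reliable signal, the ctime rule is corroboration, and neither depends on the timestamp the attacker controls.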

Post by johnp » Thu Jun 27, 2024 6:34 pm

pixelhaus wrote:
Thu Jun 27, 2024 5:24 pm
I've had 3 OpenCart 3 sites hacked this week with the same exploit (identified by our malware detector as php.hex.hex.hex.hex.hex.hex.and exploit). It manifested as code appended to the end of the config file. Using server rules I've blocked all traffic from high-risk countries, but what I'm concerned about is that, although the file had been modified, the last modified date had not altered. Does anyone have any guidance on blocking this type of incursion?
These are my two go-to add-ons for problems like yours:

Ninja Firewall
https://nintechnet.com/ninjafirewall/pro-edition

The free version of Ninja Firewall is fine.

Cidram
https://github.com/CIDRAM/CIDRAM

Plus an admin security extension. Not perfect but pretty good. :)

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk

Post by paulfeakins » Thu Jun 27, 2024 6:45 pm

pixelhaus wrote:
Thu Jun 27, 2024 5:24 pm
Does anyone have any guidance on blocking this type of incursion ?
Yeah, blocking countries is very weak; they could easily use VPNs.

You need to find out exactly how they got in. It's most likely to be weak FTP or admin passwords IMO.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk

Post by nonnedelectari » Thu Jun 27, 2024 7:27 pm

johnp wrote:
Thu Jun 27, 2024 6:34 pm
pixelhaus wrote:
Thu Jun 27, 2024 5:24 pm
I've had 3 OpenCart 3 sites hacked this week with the same exploit (identified by our malware detector as php.hex.hex.hex.hex.hex.hex.and exploit). It manifested as code appended to the end of the config file. Using server rules I've blocked all traffic from high-risk countries, but what I'm concerned about is that, although the file had been modified, the last modified date had not altered. Does anyone have any guidance on blocking this type of incursion?
These are my two go-to add-ons for problems like yours:

Ninja Firewall
https://nintechnet.com/ninjafirewall/pro-edition

The free version of Ninja Firewall is fine.

Cidram
https://github.com/CIDRAM/CIDRAM

Plus an admin security extension. Not perfect but pretty good. :)
In the age of VPN and cloud services, all countries are high risk countries.

Post by johnp » Thu Jun 27, 2024 7:30 pm

nonnedelectari wrote:
Thu Jun 27, 2024 7:27 pm
In the age of VPN and cloud services, all countries are high risk countries.
Cidram blocks cloud services etc.

Post by nonnedelectari » Thu Jun 27, 2024 9:13 pm

johnp wrote:
Thu Jun 27, 2024 7:30 pm
nonnedelectari wrote:
Thu Jun 27, 2024 7:27 pm
In the age of VPN and cloud services, all countries are high risk countries.
Cidram blocks cloud services etc.
It's not about blocking cloud services, as many legitimate bots use them as well; it is about blocking malicious attempts.
The point is that professional hackers no longer use their own IP addresses. They use a VPN or rent a server from Amazon or Rackspace in your very own country, which will have IPs belonging to your very own country. Therefore, blocking IPs from the old "high risk" countries like Ukraine, PRC, Nigeria, etc. is only giving you a false sense of security.

Blocking IPs is a futile strategy unless it is to counter an ongoing (D)DoS attack.

Post by johnp » Thu Jun 27, 2024 10:08 pm

nonnedelectari wrote:
Thu Jun 27, 2024 9:13 pm
johnp wrote:
Thu Jun 27, 2024 7:30 pm
nonnedelectari wrote:
Thu Jun 27, 2024 7:27 pm
In the age of VPN and cloud services, all countries are high risk countries.
Cidram blocks cloud services etc.
It's not about blocking cloud services, as many legitimate bots use them as well; it is about blocking malicious attempts.
The point is that professional hackers no longer use their own IP addresses. They use a VPN or rent a server from Amazon or Rackspace in your very own country, which will have IPs belonging to your very own country. Therefore, blocking IPs from the old "high risk" countries like Ukraine, PRC, Nigeria, etc. is only giving you a false sense of security.

Blocking IPs is a futile strategy unless it is to counter an ongoing (D)DoS attack.
Ninja Firewall blocks hack attempts and code injections plus lots more.

Post by ADD Creative » Fri Jun 28, 2024 3:24 am

It's likely that the modified time was changed back to the original time to cover up the change. To block the exploit you need to know what exploit was used. Your malware detector may just be reporting where it found malicious code, not how it was injected.

The most common issue is weak or stolen passwords, so make sure you identify and change all passwords related to your hosting. Any other applications on the same hosting could also be an issue. There are also poor-quality third-party extensions.

Going through your log files can sometimes help if you know when it happened.

www.add-creative.co.uk
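Going through the access log is much easier with a narrow time window and a short list of things that should never happen on an OpenCart box. The script below is an added example, not code from this thread or from OpenCart: it parses combined-format log lines, keeps only the window before the incident time, flags requests for PHP scripts outside the two stock entry points, use of the extension installer, traversal/injection strings in the request, and any IP hammering the admin login. The log lines are constructed, and the OpenCart 3 route names used in the rules (route=common/login for the admin login, route=marketplace/installer for extension upload) are an assumption from memory, so adjust them to what your own logs show.

```python
"""Triage an Apache/nginx combined access log around an incident time.

Added example, not from the forum thread or the OpenCart project.  The log
lines are constructed; the OpenCart 3 route names in the rules are an
assumption.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The only PHP scripts a stock OpenCart 3 install should serve directly.
KNOWN_ENTRY = {"/index.php", "/admin/index.php"}
INSTALLER_RE = re.compile(r"route=(marketplace|extension)/installer", re.I)  # assumption
INJECT_RE = re.compile(r"(\.\./|%2e%2e|base64_decode|eval\(|php://|<\?php)", re.I)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def reasons_for(rec: dict) -> list:
    reasons = []
    if rec["path"].endswith(".php") and rec["path"] not in KNOWN_ENTRY:
        reasons.append("php script outside known entry points")
    if rec["method"] == "POST" and INSTALLER_RE.search(rec["query"]):
        reasons.append("extension installer used")
    if INJECT_RE.search(rec["target"]):
        reasons.append("traversal/injection pattern in request")
    return reasons


def triage(lines, incident_time: datetime, window_hours: int = 24,
           login_threshold: int = 5) -> dict:
    """Suspicious requests inside the window, plus IPs hammering the admin login."""
    start = incident_time - timedelta(hours=window_hours)
    hits, logins = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= incident_time):
            continue
        if (rec["method"] == "POST" and rec["path"] == "/admin/index.php"
                and "route=common/login" in rec["query"]):
            logins[rec["ip"]] += 1
        reasons = reasons_for(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(),
                         "target": rec["target"], "status": rec["status"],
                         "reasons": reasons})
    return {"hits": hits,
            "bruteforce": {ip: n for ip, n in logins.items() if n >= login_threshold}}


# Constructed sample log (TEST-NET addresses); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2024:02:01:11 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2024:02:10:01 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:10:02 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:10:03 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:10:04 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:10:05 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:12:40 +0000] "POST /admin/index.php?route=marketplace/installer/upload&user_token=abc123 HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jun/2024:02:13:02 +0000] "GET /system/storage/upload/tmp-1/cache.php?c=id HTTP/1.1" 200 211 "-" "python-requests/2.31"
192.0.2.5 - - [22/Jun/2024:14:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""
INCIDENT = datetime(2024, 6, 25, 3, 0, tzinfo=timezone.utc)


def demo() -> dict:
    return triage(SAMPLE_LOG.splitlines(), INCIDENT)


if __name__ == "__main__":
    for hit in demo()["hits"]:
        print(hit)
    print("brute force:", demo()["bruteforce"])
```

In the sample the story reads off the output: repeated admin login POSTs from one address, a 302 on the last attempt, the extension installer two minutes later, then a PHP file being fetched from the upload directory. That sequence is the "how they got in" that a country block would never show you.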

Post by OSWorX » Fri Jun 28, 2024 3:27 pm

pixelhaus wrote:
Thu Jun 27, 2024 5:24 pm
i've had 3 Opencart 3 sites hacked this week with the same exploit ..
Tired of writing this again and again: OpenCart itself is stable and secure enough not to be hacked.

When it comes to a "hacked" OpenCart instance, our experience shows these scenarios are the open door for hackers, script kiddies and bots:

1. WordPress
2. obfuscated OpenCart extensions (while forbidden, still available)
3. stolen templates and extensions (from obscure download sites)
4. access to the store for untrusted so-called "developers"
5. tools left behind by "developers" and "maintainers" like adminer, phpinfo etc. (under different names, but with the same functionality)
6. forgotten login data (store, FTP, database, server)
7. wrong/missing server settings (cPanel, Plesk, WHM)

All of these are the responsibility of the store owner and/or server admin.

Why WordPress?
I have seen a few clients having both (OpenCart & WordPress) on the same server.
While WordPress has its audience, when it comes to security WordPress is one of the most open systems!
Even more so when no updates are made.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
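Items 2 and 5 in the list above are the ones you can actually go and look for on disk. The scanner below is an added example, not code from this thread or from OpenCart: it walks a web root for PHP files that carry the usual leftover-tool and obfuscation markers (phpinfo(), an Adminer banner, eval/decoder calls, long runs of \x hex escapes, PHP sitting under upload or image directories) and, for the config file the original poster found modified, reports any line that is not the opening tag, a comment or a define(). The indicator list, the directory names and the sample tree are constructed for the demo; the assumption that a stock config.php contains only define() lines is mine, as is reading the detector's "php.hex..." label as a hex-escaped-string signature.

```python
"""Scan an OpenCart web root for leftover tools, obfuscated PHP and config edits.

Added example, not from the forum thread or the OpenCart project.  Indicator
strings, directory names and the sample files are constructed.  Assumption: a
stock config.php / admin/config.php holds only the opening tag, comments and
define() lines.
"""
import re
import tempfile
from pathlib import Path

# Markers a leftover "developer tool" or a webshell tends to carry.
INDICATORS = {
    "phpinfo": re.compile(r"\bphpinfo\s*\(", re.I),
    "adminer": re.compile(r"\badminer\b", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hex_string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),   # "\x65\x76..." blobs
    "shell_exec": re.compile(r"\b(system|passthru|shell_exec|proc_open|popen)\s*\(", re.I),
    "request_to_exec": re.compile(r"\b(eval|system|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
# PHP has no business living under these (upload, image cache, theme assets).
NO_PHP_DIRS = ("image", "system/storage", "upload", "catalog/view")
# A config.php line is fine if it is blank, the open tag, a one-line comment or a define().
CONFIG_OK = re.compile(r"^\s*(<\?php|//.*|#.*|/\*.*\*/|define\s*\(.*\)\s*;)?\s*$")


def config_anomalies(text: str) -> list:
    """Lines of a config.php that are not the opening tag, a comment or a define()."""
    return [ln for ln in text.splitlines() if not CONFIG_OK.match(ln)]


def scan_file(root: Path, path: Path) -> list:
    rel = path.relative_to(root).as_posix()
    text = path.read_text(errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
        hits.append("php in upload/cache directory")
    if path.name == "config.php" and config_anomalies(text):
        hits.append("non-define code in config.php")
    return hits


def scan_tree(root: Path) -> dict:
    """Map relative path -> indicator list for every .php file with at least one hit."""
    results = {}
    for p in sorted(root.rglob("*.php")):
        hits = scan_file(root, p)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results


def demo() -> dict:
    """Build a constructed web root with one clean file and three suspect ones."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "admin").mkdir()
        (root / "tools").mkdir()
        (root / "image" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php\nrequire_once('system/startup.php');\n")
        (root / "config.php").write_text(
            "<?php\n// HTTP\ndefine('HTTP_SERVER', 'http://shop.example/');\n"
            "\n/* constructed appended line */ @include('/tmp/constructed-placeholder');\n")
        (root / "tools" / "db.php").write_text("<?php\n/** Adminer 4.8.1 */\nphpinfo();\n")
        (root / "image" / "cache" / "x.php").write_text(
            "<?php eval(base64_decode($_POST['c'])); "
            "$f=\"\\x73\\x79\\x73\\x74\\x65\\x6d\\x28\\x29\";\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a fresh copy of the same OpenCart release first to learn which core files trip the generic rules (eval and base64_decode do appear in a few legitimate libraries), then diff that list against the live site; anything new, anything under image/ or system/storage/, and any non-define line in config.php goes to the top of the pile.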

Post by paulfeakins » Fri Jun 28, 2024 6:30 pm

Good reply from @osworx there.

I'd add that very weak passwords seem to be the most common way in in our experience.

Post by OSWorX » Fri Jun 28, 2024 9:44 pm

paulfeakins wrote:
Fri Jun 28, 2024 6:30 pm
Good reply from @osworx there.

I'd add that very weak passwords seem to be the most common way in in our experience.
Ah .. correct .. forgot that!
So:

8. weak passwords
9. weak username

The best of that (had one client with that in the past):

username: admin
password: admin (and also 12345)

To summarize that:

A. never use as username admin
B. the password need not be that complicated, but it should not be shorter than 8 characters, ideally a combination of letters, numbers and special characters.
Like a1b2c3#*

When it comes to IT: the most common failure and the weakest link is ... sitting in front of the screen.

Post by halfhope » Sat Jun 29, 2024 9:47 pm

Hi!

I once wrote a post about the cleaning algorithm here. I also offer a site/server cleaning service with a 1-year warranty in the extensions area.

My FREE extensions in marketplace. [ security | flexibility | speedup ]