Post by sandraolt » Tue Jul 09, 2024 8:41 am

We received this notification from our card processor today:
We received notification from Visa of a potential data compromise event at FL REAL ESTATE SCHOOL, MID 496407439884. Specifically, Visa has identified 45 cards used legitimately at this location between 2/14/24 and 5/14/24 that later experienced fraud.
Please immediately investigate your network and systems for any signs of malware or underlying vulnerabilities. Visa recommends the following containment and remediation actions:
• Run anti-virus/anti-malware scans on web servers
• Remove malicious code
• Change administrative passwords
• Ensure shopping cart is upgraded or patched to latest version
• Removing any software packages no longer needed or patch plug-in applications
• Review source code and databases for malware
We upgraded our anti-virus/anti-malware system at the beginning of May and they found one malware called pr.php
The server security people deleted it, but now we are being asked specifically what information was exposed. Does anyone know of this particular malware?
Other than the obvious things like changing users/passwords and updating the site as reported here, is there anything else I should be doing?



1. Your Exact OpenCart Version: 3.0.3.8
2. Used Template/Theme: CodingBrains created a custom theme based on default and an older custom theme (created specifically for the site)
3. (Additional) Installed Extension(s) (name, developer, version, install date):
Knowband Blocker Knowband 1.4 07/04/2024 02:46 PM
KLAVIYO Integration [3xxx] HuntBee OpenCart Services 2.4.0 05/22/2024 12:27 PM
Redirect Manager Clear Thinking, LLC v2023-5-11 05/01/2024 05:33 PM
Modification Manager Opencart-templates 3.0.0.12 01/16/2024 08:01 AM
d_opencart_patch Dreamvention 3.1.10 01/16/2024 07:45 AM
d_twig_manager Dreamvention 2.1.2 01/16/2024 07:44 AM
KLAVIYO Integration [mpcheckout] HuntBee OpenCart Services 2.3.4 01/05/2024 03:45 AM
Base Plugin from HuntBee [3xxx] HuntBee OpenCart Services 3.0.0 12/07/2023 11:05 PM
SEO - Canonical (Installation Pending) HuntBee OpenCart Services 4 12/05/2023 10:46 AM
Enable Installer to access anywhere in admin, catalog, system fo HuntBee OpenCart Services 1.0.1 10/31/2023 04:43 PM
New Returns E-mail Clear Thinking, LLC v2023-5-05 10/13/2023 01:44 PM
Event Manager Codinginspect 1.0 10/13/2023 03:47 AM
ADV Sales Report ADV Reports and Statistics 4.5 10/10/2023 05:41 PM
Quick Checkout By ModulePoints ModulePoints 3x 10/04/2023 01:23 PM
d_seo_module Dreamvention 3.0.0 10/03/2023 04:30 PM
d_seo_module_blog Dreamvention 3.0.0 10/03/2023 04:30 PM
Menu Editor gun88 + SergeTkach fix for OC 3 1.2 08/03/2023 01:57 PM
Show Modules J P Senthil Kumar 1.0 07/25/2023 05:08 PM

4. (Additional) Installed Translation(s) none
5. Used php Version PHP 7.3 (ea-php73)

New member

Joined
Thu Aug 01, 2013 2:51 am

Post by halfhope » Tue Jul 09, 2024 1:36 pm

Hi!

You need to find and fix all compromised files. 

If you want to do everything yourself, I recently answered this topic here. There is a link to my dead blog, where there is an article in Russian on how to properly clean the site. The approach to cleaning the site is described there in some detail.

If you need a guarantee, then I have a service for cleaning websites and servers from viruses with a 1-year guarantee. Upon completion of the work, you will receive a detailed report with recommendations. 

Best regards, Talgat.

My FREE extensions in marketplace. [ security | flexibility | speedup ]


Active Member

Joined
Tue Dec 10, 2013 9:44 pm
Location - San Diego

Post by ADD Creative » Tue Jul 09, 2024 7:44 pm

You will need to compare all the files on your server with known clean ones. You will also need to check the content in your database. You will need to work out how your site got infected.

Your extension list mentions a Dreamvention blog. You might want to look at this topic. viewtopic.php?t=223230

www.add-creative.co.uk


Guru Member

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
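Both replies above come down to the same first step: compare every file under the site's document root against a known-clean copy of the same OpenCart release, so that added, modified and missing files stand out. The script below is an added example of that comparison, not code from the thread or from the OpenCart project. It hashes both trees, skips a few paths that legitimately differ on a deployed site (the ignore list is an assumption to adjust per site), and builds two small constructed trees in a temporary directory to show the output; a stray `pr.php`, the file named in the original post, stands in for an unknown file.

```python
"""Compare a live OpenCart document root against a known-clean copy of the
same release and list files that were added, modified or removed.
Added example, not code from the forum thread or the OpenCart project."""
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ between a fresh release and a deployed
# site and would otherwise drown real findings. Assumption: adjust this to
# the site's layout (for example a renamed admin directory).
IGNORE_PREFIXES = (
    "config.php",
    "admin/config.php",
    "image/",
    "system/storage/",
)


def hash_tree(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(clean_root: Path, live_root: Path) -> dict:
    """Classify every path as added (only on the live site), modified
    (content hash differs) or missing (only in the clean release)."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
    }


def _write(root: Path, rel: str, text: str) -> None:
    """Create rel under root with the given text, making parent dirs."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> dict:
    """Build two small constructed trees in a temp dir and compare them.
    File names and contents are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        live = Path(tmp) / "live"
        for root in (clean, live):
            _write(root, "index.php", "<?php // unchanged front controller\n")
            # site-specific file, different on each side but ignored
            _write(root, "config.php", f"<?php // settings for {root.name}\n")
        _write(clean, "catalog/controller/account/login.php", "<?php // release copy\n")
        _write(live, "catalog/controller/account/login.php",
               "<?php // release copy\n// extra line not in the release\n")
        _write(clean, "catalog/view/theme/default/stylesheet/stylesheet.css", "body{}")
        _write(live, "pr.php", "<?php // unknown file not in the release\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site, point `compare_trees` at the unpacked release archive and the document root; every path in `added` or `modified` needs to be explained (a theme customisation, an extension, or something to remove), and the same check should be repeated after cleanup and before restoring service.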

Post by sandraolt » Thu Jul 11, 2024 4:41 am

I checked through the whole database and the only weird text was in the oc_customer_login table.
There was someone with IP 38.54.104.223 who input code; 169 rows were saved in the database.
Here are the first several if they will help someone close an attack vector:

(8640, '${9898*323}', '38.54.104.223', 1, '2024-03-14 23:22:21', '2024-03-14 23:22:21'),
(8641, 'test', '38.54.104.223', 5, '2024-03-14 23:22:49', '2024-03-14 23:22:52'),
(8642, 'vabxvsyh', '38.54.104.223', 6, '2024-03-14 23:23:01', '2024-03-15 05:52:56'),
(8643, '1b5dstfzseo', '38.54.104.223', 1, '2024-03-14 23:23:04', '2024-03-14 23:23:04'),
(8644, 'qzfvbzdsegc=', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8645, 'tnb4edwc', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8646, 'vabxvsyh&n935758=v908084', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8647, '${9999941+9999603}', '38.54.104.223', 1, '2024-03-14 23:23:06', '2024-03-14 23:23:06'),
(8648, 'vabxvsyh<esi:include src="http://bxss.me/rpb.png"/>', '38.54.104.223', 2, '2024-03-14 23:23:06', '2024-03-14 23:23:43'),
(8649, 'vabxvsyh%0abcc:074625.5527-27249.5527.01b20.19797.2@bxss.me', '38.54.104.223', 1, '2024-03-14 23:23:06', '2024-03-14 23:23:06'),
(8650, 'to@example.com>%0d%0abcc:074625.5527-27250.5527.01b20.19797.2@bxss.me', '38.54.104.223', 1, '2024-03-14 23:23:07', '2024-03-14 23:23:07'),
(8651, 'response.write(9518332*9131489)', '38.54.104.223', 1, '2024-03-14 23:23:07', '2024-03-14 23:23:07'),
(8652, ')', '38.54.104.223', 2, '2024-03-14 23:23:07', '2024-03-14 23:23:50'),
(8653, '\'+response.write(9518332*9131489)+\'', '38.54.104.223', 1, '2024-03-14 23:23:08', '2024-03-14 23:23:08'),
(8654, '12345\'"\\\'\\");|]*%00{%0d%0a<%00>%bf%27\'????', '38.54.104.223', 1, '2024-03-14 23:23:08', '2024-03-14 23:23:08'),

New member

Joined
Thu Aug 01, 2013 2:51 am

Post by sandraolt » Thu Jul 11, 2024 4:52 am

ADD Creative wrote:
Tue Jul 09, 2024 7:44 pm
You will need to compare all the files on your server with known clean ones. You will also need to check the content in your database. You will need to work out how your site got infected.

Your extension list mentions a Dreamvention blog. You might want to look at this topic. viewtopic.php?t=223230
I have contacted the theme developer to see if they can do that since they modified some files on the site. Also, our site doesn't allow reviews, uploads, or other posts. The only forms on the site are the login form and the checkout page.

New member

Joined
Thu Aug 01, 2013 2:51 am

Post by HAO » Tue Jan 07, 2025 10:14 pm

sandraolt wrote:
Thu Jul 11, 2024 4:41 am
I checked through the whole database and the only weird text was in the oc_customer_login table.
There was someone with IP 38.54.104.223 who input code; 169 rows were saved in the database.
Here are the first several if they will help someone close an attack vector:
(8640, '${9898*323}', '38.54.104.223', 1, '2024-03-14 23:22:21', '2024-03-14 23:22:21'),
(8641, 'test', '38.54.104.223', 5, '2024-03-14 23:22:49', '2024-03-14 23:22:52'),
(8642, 'vabxvsyh', '38.54.104.223', 6, '2024-03-14 23:23:01', '2024-03-15 05:52:56'),
(8643, '1b5dstfzseo', '38.54.104.223', 1, '2024-03-14 23:23:04', '2024-03-14 23:23:04'),
(8644, 'qzfvbzdsegc=', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8645, 'tnb4edwc', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8646, 'vabxvsyh&n935758=v908084', '38.54.104.223', 1, '2024-03-14 23:23:05', '2024-03-14 23:23:05'),
(8647, '${9999941+9999603}', '38.54.104.223', 1, '2024-03-14 23:23:06', '2024-03-14 23:23:06'),
(8648, 'vabxvsyh<esi:include src="http://bxss.me/rpb.png"/>', '38.54.104.223', 2, '2024-03-14 23:23:06', '2024-03-14 23:23:43'),
(8649, 'vabxvsyh%0abcc:074625.5527-27249.5527.01b20.19797.2@bxss.me', '38.54.104.223', 1, '2024-03-14 23:23:06', '2024-03-14 23:23:06'),
(8650, 'to@example.com>%0d%0abcc:074625.5527-27250.5527.01b20.19797.2@bxss.me', '38.54.104.223', 1, '2024-03-14 23:23:07', '2024-03-14 23:23:07'),
(8651, 'response.write(9518332*9131489)', '38.54.104.223', 1, '2024-03-14 23:23:07', '2024-03-14 23:23:07'),
(8652, ')', '38.54.104.223', 2, '2024-03-14 23:23:07', '2024-03-14 23:23:50'),
(8653, '\'+response.write(9518332*9131489)+\'', '38.54.104.223', 1, '2024-03-14 23:23:08', '2024-03-14 23:23:08'),
(8654, '12345\'"\\\'\\");|]*%00{%0d%0a<%00>%bf%27\'????', '38.54.104.223', 1, '2024-03-14 23:23:08', '2024-03-14 23:23:08'),
I've also seen similar code, but it was generated 3 years ago. Will such code cause system security problems?

HAO
Active Member

Joined
Fri Jun 03, 2011 2:52 pm
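The rows sandraolt posted, and the same kind of rows HAO asks about, are the login form's attempt log filled with scanner-style probe payloads: a template expression (`${9898*323}`), an ESI include, mail header injection (`%0d%0abcc:`), an ASP `response.write` expression, and callbacks to an out-of-band test domain, all from one IP in a few seconds. The script below is an added example of how to triage such a dump, not code from the thread or from OpenCart. It assumes the column order shown in the posts (login id, submitted value, IP, attempt count, date added, date modified), embeds a constructed sample made of a benign login plus several of the quoted rows, tags each value with the probe signatures it matches, and summarises activity per IP. One check it makes explicit: a `${a*b}` probe that survives as literal text shows the login handler stored the input without evaluating it, which is evidence of probing rather than of that particular probe succeeding; it says nothing about other code paths that might have read the same value.

```python
"""Triage rows from an OpenCart oc_customer_login dump for scanner-style
probe payloads. Added example, not code from the thread or from OpenCart.
Rows are assumed to be (login_id, value, ip, total, date_added,
date_modified), the column order shown in the thread."""
import re
from collections import Counter

# Signatures for common injection probes, run against the raw stored value.
PROBE_SIGNATURES = {
    "template-expression": re.compile(r"\$\{[^}]*[+*][^}]*\}"),
    "esi-include": re.compile(r"<esi:include", re.I),
    "mail-header-injection": re.compile(r"%0[ad].*bcc:", re.I),
    "asp-expression": re.compile(r"response\.write\(", re.I),
    "out-of-band-callback": re.compile(r"bxss\.me", re.I),
    "null-byte-or-crlf": re.compile(r"%00|%0d%0a", re.I),
    "parameter-pollution": re.compile(r"&[a-z0-9]+=[a-z0-9]+", re.I),
}

# Constructed sample: one benign login (made-up address and IP) plus a few of
# the stored values quoted in the thread, with the IP and timestamps as posted.
SAMPLE_ROWS = [
    (8601, "customer@example.com", "203.0.113.9", 1, "2024-03-14 10:00:00", "2024-03-14 10:00:00"),
    (8640, "${9898*323}", "38.54.104.223", 1, "2024-03-14 23:22:21", "2024-03-14 23:22:21"),
    (8642, "vabxvsyh", "38.54.104.223", 6, "2024-03-14 23:23:01", "2024-03-15 05:52:56"),
    (8646, "vabxvsyh&n935758=v908084", "38.54.104.223", 1, "2024-03-14 23:23:05", "2024-03-14 23:23:05"),
    (8648, 'vabxvsyh<esi:include src="http://bxss.me/rpb.png"/>', "38.54.104.223", 2, "2024-03-14 23:23:06", "2024-03-14 23:23:43"),
    (8650, "to@example.com>%0d%0abcc:074625.5527-27250.5527.01b20.19797.2@bxss.me", "38.54.104.223", 1, "2024-03-14 23:23:07", "2024-03-14 23:23:07"),
    (8651, "response.write(9518332*9131489)", "38.54.104.223", 1, "2024-03-14 23:23:07", "2024-03-14 23:23:07"),
]


def classify(value: str) -> list:
    """Return the signature labels that match a stored login value."""
    return [label for label, rx in PROBE_SIGNATURES.items() if rx.search(value)]


def expression_stored_literally(value: str) -> bool:
    """True when a ${a*b} / ${a+b} probe survives as text: the value was
    stored unevaluated, so an evaluating template would have stored the
    arithmetic result instead."""
    return bool(re.fullmatch(r"\$\{\d+[+*]\d+\}", value))


def triage(rows) -> dict:
    """Summarise per source IP: row count, rows matching any signature,
    label counts, first/last timestamp, and whether a literal expression
    probe was seen. Timestamps are zero-padded ISO text, so string order
    equals time order."""
    per_ip = {}
    for _, value, ip, _, date_added, date_modified in rows:
        labels = classify(value)
        entry = per_ip.setdefault(ip, {
            "rows": 0, "probe_rows": 0, "labels": Counter(),
            "first_seen": date_added, "last_seen": date_modified,
            "literal_expression": False,
        })
        entry["rows"] += 1
        if labels:
            entry["probe_rows"] += 1
            entry["labels"].update(labels)
        entry["literal_expression"] |= expression_stored_literally(value)
        entry["first_seen"] = min(entry["first_seen"], date_added)
        entry["last_seen"] = max(entry["last_seen"], date_modified)
    return per_ip


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_ROWS).items():
        print(ip, dict(summary))
```

Run against the full 169-row export, the per-IP summary gives the scan window to search for in the web server and mail logs (the ESI and `bcc:` payloads point at an external callback host, so outbound connections or bounced mail in that window would be the thing to look for), and any second IP with probe rows widens the scope of the review.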