Post by chiefk » Sat Sep 18, 2010 1:07 am

A few weeks ago I saw a sun.html document in my site and deleted it. It reappeared again and I discovered some Turkish/Iranians had hacked my site. I didn't see anything malicious but notified my host, who sorted it and advised me that 'We have checked on the server and found that this file has been uploaded via FTP. We have removed the malicious file.
Please ensure that you have set a strong password for your FTP, also that folders have permissions set as 755 and files 644.'

Yesterday my site disappeared and on checking with my host, we discovered the hackers had left some code & stuff and had been using my site to send spam emails, bringing the server down.
Host said: 'There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).' I also have the scripts in a tgz as evidence.
Now I have to start from scratch. I understand OC is secure, but how did these guys manage to hack through even after changing passwords? I am worried that I may start afresh with stronger passwords and somehow they may get through again.
So what advice do you guys have? And Daniel?
Last edited by i2Paq on Sat Sep 18, 2010 3:55 am, edited 2 times in total.
Reason: Title made less panicking


Post by Xsecrets » Sat Sep 18, 2010 1:26 am

You must have had a very old version of OpenCart. If you look at the stickies at the top of any forum there is a warning about a vulnerability in the dompdf library, but that library hasn't been included in quite some time now.


Post by chiefk » Sat Sep 18, 2010 2:12 am

I had 1.4.8b.
It's weird because I have checked the version I downloaded and it does not have the dompdf stuff!! Did the hacker know this issue and inject it there to do his thing?


Post by Qphoria » Sat Sep 18, 2010 2:25 am

The dompdf hack only edited files to add some add scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.


Post by JAY6390 » Sat Sep 18, 2010 2:27 am

My first question is: did you install OpenCart previously and not delete the dompdf when you upgraded? That could explain why you have the dompdf. Like Q has said though, if they've got FTP access then obviously you need to change your FTP credentials straight away.


Post by Daniel » Sat Sep 18, 2010 4:10 am

chiefk wrote: A few weeks ago I saw a sun.html document in my site and deleted it. It reappeared again and I discovered some Turkish/Iranians had hacked my site. I didn't see anything malicious but notified my host, who sorted it and advised me that 'We have checked on the server and found that this file has been uploaded via FTP. We have removed the malicious file.
Please ensure that you have set a strong password for your FTP, also that folders have permissions set as 755 and files 644.'

Yesterday my site disappeared and on checking with my host, we discovered the hackers had left some code & stuff and had been using my site to send spam emails, bringing the server down.
Host said: 'There were a couple of scripts under /home/wholelif/public_html/system/helper/dompdf/lib/fonts (imagess.php, pink.php, pmp.php and rod.php) and a sub-directory (sb) which included remote scanning scripts, results of remote scans, IRC hacktools and backdoor scripts (malicious tools).' I also have the scripts in a tgz as evidence.
Now I have to start from scratch. I understand OC is secure, but how did these guys manage to hack through even after changing passwords? I am worried that I may start afresh with stronger passwords and somehow they may get through again.
So what advice do you guys have? And Daniel?

Most of the time hackers get through via your host. I recommend checking your logs for when these files appeared on your server, then go through searching for the IP that put the files there. If the files just appeared without any funny URL stuff then they got in via your host.

OpenCart®
Project Owner & Developer.
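Daniel's advice above comes down to two questions: when did the files appear, and which address put them there. The following script is an added example, not code from the thread or from OpenCart. It answers both questions from an xferlog-style FTP transfer log (the format wu-ftpd and proftpd write). The log lines, addresses, times, user name and function names are all constructed for the example; on a real server you would point it at the host's actual transfer log and at the file names the host reported.

```sh
#!/bin/sh
# Added example: find when a suspicious file was uploaded over FTP and which
# address uploaded it. Input is an xferlog-style transfer log, one transfer per
# line: five date fields, transfer time, remote host, size, path, type,
# special flag, direction (i = upload, o = download), access mode, user,
# service, auth method, auth id, completion status.

# Constructed log for the example; the addresses, times and user are made up.
XFERLOG="$(mktemp)"
cat > "$XFERLOG" <<'EOF'
Tue Sep 14 09:02:11 2010 1 198.51.100.7 18204 /home/wholelif/public_html/image/logo.png b _ i r wholelif ftp 0 * c
Thu Sep 16 03:12:44 2010 1 203.0.113.45 2381 /home/wholelif/public_html/system/helper/dompdf/lib/fonts/pink.php b _ i r wholelif ftp 0 * c
Thu Sep 16 03:12:46 2010 1 203.0.113.45 5310 /home/wholelif/public_html/system/helper/dompdf/lib/fonts/rod.php b _ i r wholelif ftp 0 * c
Thu Sep 16 03:13:01 2010 1 203.0.113.45 910 /home/wholelif/public_html/sun.html a _ i r wholelif ftp 0 * c
Fri Sep 17 10:40:03 2010 1 198.51.100.7 2381 /home/wholelif/public_html/system/helper/dompdf/lib/fonts/pink.php b _ o r wholelif ftp 0 * c
EOF

# first_upload LOG BASENAME -> "weekday month day time year ip user" of the
# first upload (direction "i") of a file with that basename. Downloads of the
# same file (direction "o") are ignored; prints nothing if never uploaded.
first_upload() {
  awk -v name="$2" '
    $12 == "i" {
      base = $9; sub(".*/", "", base)
      if (base == name) { print $1, $2, $3, $4, $5, $7, $14; exit }
    }' "$1"
}

# first_upload_ip LOG BASENAME -> just the remote address from first_upload
first_upload_ip() {
  first_upload "$1" "$2" | awk '{ print $(NF-1) }'
}

# uploads_from_ip LOG IP -> every path that address uploaded, in log order,
# so the whole drop can be removed rather than only the file first noticed.
uploads_from_ip() {
  awk -v ip="$2" '$12 == "i" && $7 == ip { print $9 }' "$1"
}

# count_uploads_from_ip LOG IP -> number of uploads from that address
count_uploads_from_ip() {
  uploads_from_ip "$1" "$2" | awk 'END { print NR }'
}

# Start from one file the host named, pivot to the uploading address, then
# list everything that address dropped.
ip="$(first_upload_ip "$XFERLOG" pink.php)"
echo "pink.php first uploaded: $(first_upload "$XFERLOG" pink.php)"
echo "All uploads from $ip:"
uploads_from_ip "$XFERLOG" "$ip"
```

The pivot from file name to address to "everything that address uploaded" is the useful step: in the thread the host only listed the four scripts it noticed, while the same session also dropped sun.html. If the transfer log shows no upload at all for a file that is nonetheless present, that is the case Daniel describes, and the next place to look is the web server log or the host itself.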

Post by whitecollar » Wed Sep 22, 2010 6:28 pm

I too have just been hacked.

There is now a picture of a Chinese lady on my website (http://www.easypyro.com) and the message
"Hacked By Ux0r { Turkish Hacker } Mavideniz e ve dostlara selamlar!"

Anyway I checked for the dompdf folder before (because I got the iframe attack a while ago) and I definitely deleted it.

I have since upgraded to OC version 1.4.7.

I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again.

I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.

Assuming my host gives me a list of files that were uploaded, and I delete them, will that bring my site back to normal? As far as I can see all the original files are still there.

Thanks.


Post by chiefk » Wed Sep 22, 2010 6:41 pm

For me they had, I think, injected something to 'read' any password changes I did. First I saw a strange html doc; I deleted it, it came again and I got my webhost to delete it, but since they had uploaded hacking tools they could come in anytime.
I suggest you back up the database, delete everything on the site and do a clean install. Also use complex user names & passwords. I'll be changing mine every month!


Post by chiefk » Wed Sep 22, 2010 6:43 pm

Qphoria wrote: The dompdf hack only edited files to add some add scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.
If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??


Post by i2Paq » Wed Sep 22, 2010 6:46 pm

chiefk wrote:
Qphoria wrote: The dompdf hack only edited files to add some add scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.
If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??
It could be that your shared server got hacked and thus access to your files/folders was taken.

Norman in 't Veldt
Moderator OpenCart Forums


Post by fido-x » Wed Sep 22, 2010 7:44 pm

whitecollar wrote:... I have since upgraded to OC version 1.4.7.

I checked for the dompdf folder again this morning and it's back again! Very strange. I deleted it again...
The dompdf library was included in the 1.4.7 release. However, the vulnerable file (dompdf.php) was not included in that release. The dompdf library was not included in 1.4.8 or later releases of OpenCart.

It is more likely that the hacker got through by FTP due to a weak username/password combination, or:
i2Paq wrote:It could be that your shared server got hacked and thus access to your files/folders were taken.


Post by chiefk » Wed Sep 22, 2010 9:50 pm

i2Paq wrote:
chiefk wrote:
Qphoria wrote: The dompdf hack only edited files to add some add scripts to the bottom. If your host said they used FTP to access it, then that is completely separate. There are no relationships from the FTP account on your domain to any scripts.
If I did not have the dompdf file initially (when I installed 1.4.8b), how did it get there??
It could be that your shared server got hacked and thus access to your files/folders was taken.
No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.


Post by Moggin » Wed Sep 22, 2010 10:13 pm

whitecollar wrote:...
I am now querying my host to see how the files were uploaded. My host is JustHost in the UK.
This is the second time in a couple of weeks I have heard of a JustHost site being hacked. Might be a coincidence, might not, though there are quite a few stories around concerning JustHost anyway.
http://www.justhostreviews.org/justhost ... once-again
Just FYI


Post by peteVA » Wed Sep 22, 2010 11:30 pm

chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.

Make it as difficult as possible for hackers.

And, they may have gotten into your PC and read your passwords if you have them stored there.

They obviously uploaded the dompdf file then used it for their dirty work.

Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security. :)


Post by Qphoria » Thu Sep 23, 2010 1:44 am

I usually use "12346" as my password. as most people stop at "12345" :joker:


Post by chiefk » Thu Sep 23, 2010 5:11 pm

peteVA wrote:
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
As someone in the hosting business, I strongly recommend using the system generated 12 character (or longer) passwords, including not just letters and numbers, but the entire set of keyboard characters. The only one I avoid is the @ which can cause problems in a password. I've wasted an hour trying to connect to a database with a @ in the password, and now avoid it at all times.

Make it as difficult as possible for hackers.

And, they may have gotten into your PC and read your passwords if you have them stored there.

They obviously uploaded the dompdf file then used it for their dirty work.

Not trying to make a sale here, but you might do well to make a change of hosts. You don't need Just Hosting, you also need Security. :)
True. I've designed sites and used the same host and they are very good. Anyway, after the incident I've changed passwords and made them complex, and I am now very vigilant.


Post by i2Paq » Fri Sep 24, 2010 1:42 am

chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
That is what I would say if I, as a hosting provider, would discover that my server was hacked and my customers had lost their websites...... ;)


Post by gavin m » Fri Sep 24, 2010 4:09 am

Looks like it's all go on this front.

My mate's site was hacked 2 days ago. Restored it and double checked everything. Keep getting files appearing in the public_html, the latest being c99madshell.php.

So, we're basically telling the host that if they don't find the cause (I suspect an insecure site on the same server) then he's moving hosts.

They don't seem too bothered about helping out. Just keep saying 'Make sure you have secure scripts on your site'....


Post by gavin m » Sat Sep 25, 2010 12:20 am

i2Paq wrote:
chiefk wrote: No, they told me clearly (after their server went down) that it was my site that was being used by the hackers.
Also my password had a mixture of numbers & letters. I have changed it and I am hoping there will not be a repeat.
That is what I would say if I, as a hosting provider, would discover that my server was hacked and my customers had lost their websites...... ;)
Funny that, the host has just closed the ticket with the response:
Unfortunately, we do not have any other recommendations that we could do to help you with it. As long as you keep your scripts updated, make sure to maintain secure permissions (no 777 or 666), keep secure passwords (containing numbers, letters capital and lowercase, and special characters), and keep an eye on your server you should be less likely to have this problem.
Outstanding. So, everything they can recommend is already being done.

Of course, the pessimistic side of me thinks they found an issue with another site on the server and shut it down and are now just bluffing. :clown:

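Two hosts in this thread give the same standing advice: folders 755 and files 644 (first post) and "no 777 or 666, keep an eye on your server" (the closed ticket above). The script below is an added example, not code from the thread or from OpenCart, that turns that advice into a repeatable check and adds the two symptoms the thread actually reports: PHP files sitting in a data-only directory such as dompdf/lib/fonts, and PHP files at the top of public_html that the install never shipped (c99madshell.php). The document root it builds, the planted file names, the list of data-only directories and the ALLOWED list are all constructed assumptions; the planted files contain only a comment.

```sh
#!/bin/sh
# Added example: audit a document root for (1) world-writable files and
# directories, (2) PHP files under directories that should hold data only,
# (3) top-level PHP files that are not part of the install.

# Constructed document root laid out like the paths in the thread. Nothing
# here is real malware; the "planted" files hold a comment and nothing else.
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/system/helper/dompdf/lib/fonts" "$ROOT/image" "$ROOT/catalog/controller"
printf '<?php\n' > "$ROOT/index.php"
printf '<?php\n' > "$ROOT/catalog/controller/product.php"
printf 'font bytes\n' > "$ROOT/system/helper/dompdf/lib/fonts/DejaVuSans.ttf"
printf 'png bytes\n'  > "$ROOT/image/logo.png"
printf '<?php /* constructed stand-in for a planted script */\n' > "$ROOT/system/helper/dompdf/lib/fonts/pink.php"
printf '<?php /* constructed stand-in for a planted script */\n' > "$ROOT/c99madshell.php"
chmod -R u=rwX,go=rX "$ROOT"   # the 755 / 644 baseline the host asked for
chmod 777 "$ROOT/image"        # deliberately loose, as an FTP client or panel may leave it
chmod 666 "$ROOT/image/logo.png"

# world_writable ROOT -> paths (relative to ROOT) writable by "other",
# i.e. the 777 / 666 modes the host warns about.
world_writable() {
  find "$1" -perm -002 | sed "s|^$1/||" | sort
}

# php_in_data_dirs ROOT -> PHP files under directories that should contain
# only data. The directory names are an assumption for this example; extend
# the list to match your own layout (upload dirs, cache dirs, ...).
php_in_data_dirs() {
  find "$1" -type f -name '*.php' \
    \( -path '*/fonts/*' -o -path '*/image/*' -o -path '*/download/*' \) \
    | sed "s|^$1/||" | sort
}

# unexpected_top_level_php ROOT -> top-level PHP files not on the allowlist.
# ALLOWED is an assumption; build the real list from a clean copy of the same
# release so that anything extra stands out.
ALLOWED="index.php config.php"
unexpected_top_level_php() {
  for f in "$1"/*.php; do
    name="${f##*/}"
    case " $ALLOWED " in
      *" $name "*) ;;          # shipped with the install
      *) echo "$name" ;;
    esac
  done | sort
}

echo "== world-writable =="
world_writable "$ROOT"
echo "== php in data-only dirs =="
php_in_data_dirs "$ROOT"
echo "== unexpected top-level php =="
unexpected_top_level_php "$ROOT"
```

Run it from cron against the real document root and diff the output against the previous run; a clean site produces three empty sections, so any line at all is worth a look. The first check is the one the host can verify for you; the other two are the ones that would have flagged both incidents in this thread before the host noticed the spam.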