Post by beanbagshop » Sat Aug 31, 2013 11:35 pm

Dude, I have been using OC for the past 2 years without any issue and I am damn sure that OC is not the issue. I would recommend you delete the whole website and start again from a clean install, coz you never know what's been done to your code, so start again. (That will be tiring but safe.)
Also follow some security tips given by OC team.


Post by rph » Sun Sep 01, 2013 1:01 am

bjorn@tshirtsofoz wrote: SO how secure is a standard installation of OpenCart considering my site has been live for almost two weeks and already I've been locked out of the Admin?
There's no reason to jump to the conclusion that it's a security issue. In my experience it's almost always a browser or host issue.

-Ryan



Post by butte » Sun Sep 01, 2013 1:04 am

It is secure, provided that you remember to delete /install/ and to delete ocreset.php. If replacing original files failed, then the problem is not obvious. The plain advantages of ocreset.php are instant reset (no mail) and simplicity. I suppose you could try using phpMyAdmin to emplace a NEW RECORD in users, username admin2, pass whatever ocreset gave (it will be encrypted), then retry. You can also try flushing /vqmod/vqcache/. For this your browser cache could be interfering but seems to me probably not (dunno -- but you did hit the wall with more than one browser already).


Post by butte » Sun Sep 01, 2013 1:10 am

On a few aspects of security, see links at http://forum.opencart.com/viewtopic.php ... 88#p432488

Those do NOT spring from faults of OC; there are ways in that involve other software and the server itself, where OC, safe enough without any outside help, resides.


Post by bjorn@tshirtsofoz » Sun Sep 01, 2013 6:54 am

Thanks guys, just getting frustrated. I understand most software is pretty secure, just had bad experiences before with a Joomla site being hacked a few times without being able to trace its source.

@beanbagshop Really don't want to reinstall from scratch, I thought that was the whole idea of backups. I'll look up the security recommendations by the OC team for sure.

@rph I can't see the host being at fault unless there was a software update that caused an incompatibility issue. I run the site on my own VPS, the security has been hardened as much as I can without causing issues. I've tried Chrome, IE, FF and Chrome on my tab; all fail to log in with the same issue.

@butte Will have a look into your suggestions and I'll definitely check out that link; it could have something to do with what I'm facing, I reckon.

Thanks for the help guys, fingers crossed I can get this back up and running without starting from scratch.


Post by MarketInSG » Sun Sep 01, 2013 8:38 am

I don't think you are hacked, but instead, maybe your web host has made some changes. It seems more like the session isn't working on the back end.

EDIT: I just realised I was replying to the wrong thread.....ignore my reply if it doesn't make sense
Last edited by MarketInSG on Sun Sep 01, 2013 9:50 am, edited 1 time in total.



Post by butte » Sun Sep 01, 2013 9:02 am

Well, bjorn@tshirtsofoz, much as I cringe at the thought of bearing good news and moreover might be on quite the wrong track or even the wrong outback here, when I bring up in Firefox 22 what seems to be the only one of you among the several primary domain options to try, I see for both the storefront and the admin log-in a pesky https:// (sans www.) staring unblinkingly at me. You apparently have applied SSL to the entire shebang, hebang, itbang, and 'roobang, perhaps by way of both the SSL checkbox and the config.php files' HTTPS sections, perhaps with added excitement to be found in .htaccess, and that may be befuddling it into punishing you for befuddling it.

Given that possibility, you might try backing up and then revising both config.php files to make the HTTPS sections behave exactly as the HTTP sections, and then try in phpMyAdmin (after drawing down a backup by Export) to find the field-record intersect where the SSL box was checked and uncheck it, just in order to get inside. Then deal with SSL.

Seems pretty sure that one is yours, ran dns and everything down to you matches. Fortunately, if the foregoing approach is correct and works, your omission of URL above and in your other posts was overcome. As you can see above, at least three of us who do our best to second-guess unknowns dinna think of SSL here even though we see cans of worms of SSL virtually every day.


Post by bjorn@tshirtsofoz » Sun Sep 01, 2013 11:00 am

I would have looked at SSL but haven't, only for the fact that it's been working fine for almost two weeks live, and a while before going live, with all the SSL settings applied as they are currently.

I'll still play around with the SSL settings and see what happens.

Cheers for the suggestions.


Post by butte » Sun Sep 01, 2013 12:19 pm

As a general rule the whole thing should not be SSL (Daniel himself has occasionally emphasized that in posts). Accordingly, what seemed fine may not have been prompted to do something that SSL would interfere with (under that general rule). You could have watched it seem to run just fine, without taking it to what would be limits otherwise. One way or another you found a limit. For now the trick is getting back in; somehow as simple as possible.

Even if it works uneventfully it would not be optimal to use SSL for the entirety of OC. For short general reading on not using SSL for everything . . .
rph: http://forum.opencart.com/viewtopic.php ... 27#p164801
Daniel: http://forum.opencart.com/viewtopic.php ... 43#p135789
Daniel: http://forum.opencart.com/viewtopic.php ... 43#p135940


Post by bjorn@tshirtsofoz » Sun Sep 01, 2013 7:06 pm

Thanks butte, I wasn't aware that the whole site shouldn't be under the SSL.

I'll definitely be changing some settings.

---[EDIT]---

Getting somewhere now, WOO HOO! I get a username/password error now. This is actually good as I never received any warning beforehand. Just need to change my password and I should be in :D


Post by bjorn@tshirtsofoz » Sun Sep 01, 2013 7:29 pm

ABSOLUTE LEGENDS! :)

Thank you all for your help, admin is now accessible.

I'm hoping this is one of the things you learn with OC experience and not just a stupid thing that I've done to cause unnecessary headaches and a bunch of experienced OC users frowning upon me.

I thank you all again for your time and very much appreciated help.


Post by butte » Mon Sep 02, 2013 2:54 am

You're quite welcome, and we'll all be tickled that it worked out so simply.

No one with experience will frown. Some of experience starts with booboo one, but blunders tend to make lasting impressions. Some of experience develops (only part of the time, of course) in playing with illegal commands some of which actually do something useful and trying to break things that people aren't supposed to find ways to break. (Wanna really test a tank or a locomotive? Put two-year-olds on and in it.) Only two classes of folks don't make booboos and blunders; unborn, and dead.

We don't really have a short Argh List. Do not leave /install/ a sitting duck, do not turn everything over to SSL, do not forget to make backups of files and databases before it is too late, do not forget to read in advance and follow instructions such as they are, do not neglect to familiarize yourself with directories and files that belong there and to recheck those from time to time for anything that does not belong there, etc. I suppose one of us can start an Argh List thread to do that.

However, tutorials above active topics in several forums go a long way already. For example, http://forum.opencart.com/viewtopic.php?f=19&t=21479 and http://forum.opencart.com/viewforum.php?f=134 among others.

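The file checks named in butte's posts above (delete /install/, delete ocreset.php, recheck directories for anything that does not belong there), written as a shell audit. This is an added example, not code from the thread or from OpenCart; the function names, the manifest format (one relative path per line) and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenCart's code). Assumed manifest format: one
# relative file path per line, recorded right after a clean install.

# Print every regular file under ROOT as a sorted relative path.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# Flag the two leftovers named in the thread: /install/ and ocreset.php.
audit_leftovers() {
    if [ -d "$1/install" ]; then echo "LEFTOVER install/"; fi
    list_files "$1" | while IFS= read -r f; do
        case "$f" in
            ocreset.php|*/ocreset.php) echo "LEFTOVER $f" ;;
        esac
    done
}

# Flag files present now that are absent from the baseline manifest.
audit_unexpected() {
    tmp=$(mktemp -d) || return 2
    LC_ALL=C sort -u "$2" > "$tmp/known"
    list_files "$1" > "$tmp/now"
    # comm -13 keeps only the lines unique to the second (current) list
    LC_ALL=C comm -13 "$tmp/known" "$tmp/now" | sed 's/^/UNEXPECTED /'
    rm -rf "$tmp"
}

# Constructed sample tree: a tiny stand-in for a store's document root.
make_sample_tree() {
    mkdir -p "$1/admin" "$1/install" "$1/vqmod/vqcache" "$1/image/data"
    : > "$1/index.php"; : > "$1/config.php"; : > "$1/admin/index.php"
    : > "$1/admin/config.php"; : > "$1/install/index.php"
    : > "$1/admin/ocreset.php"; : > "$1/image/data/logo.php"
    printf '%s\n' index.php config.php admin/index.php admin/config.php \
        > "$1.manifest"
}

# Run with --demo to audit the constructed tree and print the findings.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample_tree "$d/shop"
    audit_leftovers "$d/shop"
    audit_unexpected "$d/shop" "$d/shop.manifest"
    rm -rf "$d"
fi
```

A path-only baseline reports added files but not modified ones, so keep the manifest outside the document root and pair it with the file and database backups the post recommends.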