Got me with the same thing injected into the default Google Analytics module of OC3.0.3.8, so either there is a security hole in that module, or it's someone we gave admin access.
If the affected users can contact me in private and share some thoughts about the developers they gave access to, because I have some suspicions of a very famous module developer. I've given two people access to this particular website, so it's either one or the other?
tomeda wrote: Sun Jun 12, 2022 1:18 am
> Got me with the same thing injected into the default Google Analytics module of OC3.0.3.8, so either there is a security hole in that module, or it's someone we gave admin access.
> If the affected users can contact me in private and share some thoughts about the developers they gave access to, because I have some suspicions of a very famous module developer. I've given two people access to this particular website, so it's either one or the other?

It is probably far more likely a vulnerability in a theme or extension has been exploited. For example, the Journal theme has had issues in the past. You would be best to compare what theme and extensions you are using to see if there is anything in common.
tomeda wrote: Sun Jun 12, 2022 1:18 am
> Got me with the same thing injected into the default Google Analytics module of OC3.0.3.8, so either there is a security hole in that module, or it's someone we gave admin access.
> If the affected users can contact me in private and share some thoughts about the developers they gave access to, because I have some suspicions of a very famous module developer. I've given two people access to this particular website, so it's either one or the other?

It's extremely difficult to detect how a hacker got in. It could have been from emailing the credentials in plain text and they were picked off, it could have been from access to your control panel, FTP access or vulnerabilities in any of the software you're using. It could also be from a server that is not properly hardened. Best recommendation is to get your site protected by a firewall and keep all of your software updated and passwords strong and unique. When you're giving access to a developer, give them their own account credentials and disable / delete it from your site as soon as they're finished.
tomeda wrote: Sun Jun 12, 2022 1:18 am
> If the affected users can contact me in private and share some thoughts about the developers they gave access to, because I have some suspicions of a very famous module developer. I've given two people access to this particular website, so it's either one or the other?

The chances someone does it manually are pretty much zero.
I have found the code in half a dozen websites and it's always the same format, enough new lines to "hide" the code below the fold and a fake Analytics snippet that talks to some fox or similar domain.
Because the new lines are there even when there's other code that already pushes the virus below the fold, we can assume it's an automatic process that installs the default "Google Analytics" extension, enables it and pastes the code in.
I don't remember if every single affected website was using Journal but the ones I remember were indeed using it.
On top of that, two weeks ago I came across some virus hidden inside public_html/admin/view/image/payment/note that was doing the same thing (was around 15 files in total creating some kind of webpage on the fly). Funnily enough it was ESET that detected it even though I had the site's backup files sitting on my computer since May or so. Also, this specific website was using the "OpenCart GDPR" extension, which looked like a pirated extension. Since I neither built nor maintain the website I have no idea who installed it, but I wouldn't be surprised if the virus was in the installation file.
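
A check for the pattern described in the post above (padding newlines followed by a fake Analytics snippet that talks to a non-Google domain), as an added example that is not part of the original thread. The Google host allowlist, the blank-line threshold and both sample snippets are assumptions constructed for illustration; feed it the code stored in your Google Analytics extension settings.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a genuine Google Analytics / gtag snippet loads from.
GOOGLE_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com",
                "ssl.google-analytics.com"}
BLANK_RUN = 20  # assumption: this many consecutive blank lines counts as padding

# Absolute or protocol-relative URLs anywhere in the snippet.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""", re.I)

def longest_blank_run(code):
    """Length of the longest run of consecutive blank lines."""
    longest = current = 0
    for line in code.splitlines():
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    return longest

def foreign_hosts(code):
    """Hosts referenced by the snippet that are not on the Google allowlist."""
    hosts = set()
    for url in URL_RE.findall(code):
        full = url if url.lower().startswith("http") else "https:" + url
        host = urlparse(full).hostname
        if host and host.lower() not in GOOGLE_HOSTS:
            hosts.add(host.lower())
    return sorted(hosts)

def audit_snippet(code):
    """Return a list of findings for one stored analytics snippet."""
    findings = []
    run = longest_blank_run(code)
    if run >= BLANK_RUN:
        findings.append(f"{run} consecutive blank lines (padding)")
    for host in foreign_hosts(code):
        findings.append(f"loads from non-Google host {host}")
    return findings

# Constructed samples: a plain gtag snippet, and the same snippet with
# padding and an extra script from a placeholder domain appended.
CLEAN = ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>\n'
         "<script>window.dataLayer = window.dataLayer || [];</script>\n")
TAMPERED = CLEAN + "\n" * 60 + '<script src="//analytics.example.invalid/ga.js"></script>\n'

if __name__ == "__main__":
    for name, code in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_snippet(code) or "ok")
```

A finding here only says the stored snippet needs a manual look; it does not explain how the code got there.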