Hi Guys,
I've been working with OpenCart for quite a while now (well over a year anyway). Recently my OpenCart site came under attack from PHP shell scripts which I found sitting in the downloads folder, which had the perms 0755 (as stated the perms should be in the install docs).
As with any PHP shell, they have had pretty much full access. I'm just worried that there may be some exploit sitting somewhere. Since I found these shells I've shoved the perms to 000 so everything is restricted. It's possible many more sites may have these shell scripts sitting in their downloads folder.
Anyone have any ideas where the problem could have occurred, whether it's PHP side or perms side?
Essentially it could be both...
Anyway, all thoughts and ideas appreciated.
Thanks,
Ice
I am guessing you are on an older version of Opencart rather than 1.5.6?
If so this thread may be of interest to you.
Regards,
Stokey
You don't have to be on 1.5.6 to prevent that. Just make sure you keep your directories protected from uploads, and change your encryption key.
No, but from reading the thread it looked like it only had a chance of working on older installs with a weak encryption password or incorrectly configured servers.
It is essential reading nevertheless and I have used your vQmod to disable uploads, thank you for that MarketInSG
Stokey
If I didn't remember wrongly, since v1.5.4 onwards, it uses mcrypt and that should be even better.
I can't think of any code in opencart that facilitates file uploading to the root store path. My guess is that it got on there from another shared host on the server. It happens quite often on shared servers. Generally they are not specifically aimed at you, just generically copied out and falls where it lands. I got hacked the other day on my shared dev site but it was really just a generic index.php replacer. No harm done. Best to keep index.php set to 444 or 644 for live store. Only really need to change perms when upgrading or running vQmod installer, then set it back to protect it.
All the uploads got into the download folder. You should set up a v1.5.1.x installation and put it live, wait for their bots to upload their scripts and you have lots of info to study.
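
The two checks that come up in this thread (script files landing in the download folder, and index.php kept at 444 or 644) can be automated. This is an added example, not part of any post and not OpenCart code; the function names are made up here and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a store's download directory and index.php.
# Function names are hypothetical; paths are passed in by the caller.

# List regular files under DIR that contain a PHP open tag, whatever their
# extension. A customer download should never contain server-side code, and
# uploaded shells are often given an innocent-looking name.
find_php_payloads() {
    find "$1" -type f -exec grep -l -i -F '<?php' {} + 2>/dev/null | sort
}

# Succeed (exit 0) when FILE is writable by group or other, i.e. looser than
# the 444/644 suggested in the thread for index.php.
is_loosely_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r--r--
    case $mode in
        ?????w????|????????w?) return 0 ;;   # group-write or other-write bit
        *) return 1 ;;
    esac
}

# Report both conditions: audit_store DOWNLOAD_DIR INDEX_FILE
audit_store() {
    hits=$(find_php_payloads "$1")
    [ -n "$hits" ] && printf 'PHP code in download dir:\n%s\n' "$hits"
    is_loosely_writable "$2" && printf 'Group/other-writable: %s\n' "$2"
    return 0
}

# Run the audit only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_store "$1" "$2"
fi
```

A hit from the first check means the file needs inspecting and the upload route needs finding; changing permissions alone does not remove what is already on disk.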
