Post by reactivem » Fri Jul 26, 2019 7:54 pm

Hi, my Opencart 3.0.2 was hacked about 3 times in the last few weeks. Specifically a binary file of size about 3MB was uploaded to the opencart installation under /admin folder. The binary filename is 3.03_config and performs DDoS attacks to remote servers, specifically Wordpress sites. The server is a CentOS 6.10 with Plesk.

The process shows from the console when running `top` but does not show with `ps aux` for some reason. In addition, if I kill the process, it starts again immediately. To permanently stop the process I have to delete it first and then kill it. I cant figure whether it is executed remotely with an http request or not.

After the first attack a few weeks ago, I went ahead and renamed the admin folder and also added htpasswd protection to the folder. In addition I have changed the ftp password. Today, the very same file is placed in /catalog/view/ folder which I again deleted and killed.

Any of you have had the same or similar experience? Any advice is really appreciated.

Lefteris
--
Check out my free module CoreAdmin for Opencart


User avatar
Newbie

Posts

Joined
Tue Mar 27, 2018 12:22 am

Post by Johnathan » Fri Jul 26, 2019 10:06 pm

Sounds like someone has access to your server, either through FTP info or a backdoor. I'd make sure you change all usernames/passwords associated with the site, and have your web host (or a security company) do a scan on your server for malicious files.

Image
Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by ADD Creative » Sun Jul 28, 2019 11:31 pm

Compare your OpenCart install to a clean download, in case any files have been modified. Go through your server logs (web access, FTP access, etc.) for any clue as to how the upload was done.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by wrick0 » Mon Jul 29, 2019 2:45 pm

make sure you have modsecurity installed on your webserver to prevent sql injections

New member

Posts

Joined
Fri Jan 18, 2019 10:00 pm

Post by johnp » Mon Jul 29, 2019 6:17 pm

Although it's old and not supported any more I still use Crawlprotect on my OC sites. It's a must have for me.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD 2.6.1 lover, user and geek.
Fast and Affordable Service for Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
https://www.asandwhenbusinessservices.co.uk


User avatar
Active Member

Posts

Joined
Fri Mar 25, 2011 10:25 am
Location - Surrey, UK
Who is online

Users browsing this forum: No registered users and 6 guests