I hope I'm posting in the right forum.
I made a copy of my OC3 installation by zipping the complete home directory and FTPing the zip to my home PC. Upon unzipping, Microsoft Defender gives a warning that Trojan:PHP/RevWebshell.YA!MTB is found in admin/controller/extension/extension/shell.php. The PHP file indeed looks weird (see attached zip). I have no idea how I got it on the server.
Anyone experienced something like this before?
Does look like some sort of malicious extension, intended to give someone access to the server. Looks like it requires admin access to use, so maybe it was installed as an extension. Check your oc_extension_path table in your database for that file to see if it was part of an extension. You could also check your FTP logs.
Probably best to change all your passwords related to your store and hosting.
Thanks for your reply. I checked the oc_extension_path table in the database but could not find anything. My guess is the malicious php was put there by a so-called 'customer service representative' that I granted access via an additional account when I was having trouble with some extension (forgot which one). Of course I disabled the additional account right after he/she was finished, but apparently that wasn't enough. I now have deleted the faulty php and changed all my hosting and store related passwords. I will investigate further to see what extension was mingled with and will follow up here.
Hi!
Also check the oc_modification table, there should be a reverse shell. If the site is infected, send me a PM. Cleaning with 1 year warranty.
My extensions at marketplace
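The advice above is to look in the oc_modification table, which is where OpenCart 2.x/3.x keeps the OCMOD XML of installed modifications. The script below is an added example for this thread (not OpenCart's code and not the extension advertised above) that audits exported OCMOD XML: it reports every modification that patches a file under admin/ or injects a call to a PHP function a store modification should not need. It assumes the standard OCMOD layout (`<file path>` / `<operation>` / `<add>`) and the column names of oc_modification; the two sample documents are constructed for the demonstration and contain no working code.

```python
"""Audit OCMOD modification XML for admin-side patches and risky PHP calls.

Export the XML first, e.g. (assumed column names of oc_modification):
    mysql -e "SELECT modification_id, name, xml FROM oc_modification" storedb
and feed each xml value to audit_ocmod().
"""
import re
import xml.etree.ElementTree as ET

# PHP functions a legitimate store modification rarely needs; treat as red flags.
RISKY_CALLS = ("eval", "system", "exec", "shell_exec", "passthru", "proc_open",
               "popen", "fsockopen", "base64_decode", "assert")


def audit_ocmod(xml_text):
    """Return a list of (target file, reason) findings for one OCMOD document."""
    root = ET.fromstring(xml_text)
    findings = []
    for file_el in root.iter("file"):
        # OCMOD allows several targets in one path attribute, separated by '|'.
        paths = [p.strip() for p in file_el.get("path", "").split("|") if p.strip()]
        for op in file_el.iter("operation"):
            add_el = op.find("add")
            code = (add_el.text or "") if add_el is not None else ""
            for path in paths:
                if path.startswith("admin/"):
                    findings.append((path, "modifies an admin-side file"))
                for fn in RISKY_CALLS:
                    if re.search(r"\b%s\s*\(" % re.escape(fn), code):
                        findings.append((path, "injects a call to %s()" % fn))
    return findings


# Constructed sample: a harmless theme tweak on the storefront side.
SAMPLE_BENIGN = """<modification>
  <name>Constructed benign mod</name>
  <code>benign_example</code>
  <version>1.0</version>
  <author>example</author>
  <file path="catalog/view/theme/default/template/common/footer.twig">
    <operation>
      <search><![CDATA[</footer>]]></search>
      <add position="before"><![CDATA[<p>Example footer line</p>]]></add>
    </operation>
  </file>
</modification>"""

# Constructed sample: patches an admin controller and injects an eval() call.
SAMPLE_SUSPICIOUS = """<modification>
  <name>Constructed suspicious mod</name>
  <code>suspicious_example</code>
  <version>1.0</version>
  <author>unknown</author>
  <file path="admin/controller/common/header.php">
    <operation>
      <search><![CDATA[class ControllerCommonHeader extends Controller {]]></search>
      <add position="after"><![CDATA[/* constructed placeholder, not working code */ eval( );]]></add>
    </operation>
  </file>
</modification>"""

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, audit_ocmod(doc))
```

A modification that patches admin/ files is not automatically malicious (some legitimate extensions do), but every such row deserves a read, and any injected eval/exec-style call is worth treating as a compromise until proven otherwise. Remember that OCMOD patches are applied into system/storage/modification, so that directory needs cleaning (or a refresh from the admin Modifications page) after a bad row is removed.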
Thanks! Somehow the https://github.com/miklcct/opencart_reverse_shell was installed on my system. I managed to remove all files.
Still don't know how it got there. Don't trust these developers that ask for access to your admin is all I can say.
fietsknecht wrote: ↑Wed Jun 22, 2022 2:29 am
Don't trust these developers that ask for access to your admin is all I can say.
Most work with opencart requires access to the admin panel and FTP.
1. Create separate credentials (FTP/admin) for developers. Disable them or change the password after finishing work.
2. Use password generators, don't create your own password.
3. Watch for all changes in files. You can use my extension FSMonitor for that.
4. Make regular backups of files and databases.
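Point 3 above, watching for file changes, is what would have caught the dropped shell.php early. The script below is an added example for this thread, not the FSMonitor extension mentioned above and not OpenCart code: it builds a SHA-256 manifest of the webroot after a clean install or restore, and later reports files that were added, removed or changed, listing PHP files first. The command-line paths are assumed, and demo() builds a small constructed webroot in a temporary directory so the script runs without a real store.

```python
"""Baseline-and-compare file integrity check for a PHP webroot.

Assumed usage:
    python fsbaseline.py baseline /var/www/store > baseline.json   # right after a clean install
    python fsbaseline.py compare  /var/www/store baseline.json     # later, or on a restored copy
"""
import hashlib
import json
import os
import sys
import tempfile


def build_manifest(root, skip=()):
    """Map each file under root (relative, '/'-separated) to its SHA-256.

    skip: relative path prefixes to ignore, e.g. ("image/cache/", "system/storage/cache/").
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(prefix) for prefix in skip):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare(baseline, current):
    """Return added / removed / changed relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def new_php(diff):
    """PHP files that appeared or changed: the ones to read first."""
    return [p for p in diff["added"] + diff["changed"] if p.lower().endswith(".php")]


def demo():
    """Constructed webroot: take a baseline, then drop an admin PHP file and edit config.php."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)

        write("config.php", "<?php // constructed config\n")
        write("admin/controller/extension/extension/module.php", "<?php // constructed stock file\n")
        baseline = build_manifest(root)
        write("admin/controller/extension/extension/shell.php", "<?php // constructed: dropped file\n")
        write("config.php", "<?php // constructed config, edited\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_manifest(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[3]) as fh:
            diff = compare(json.load(fh), build_manifest(sys.argv[2]))
        print(json.dumps(diff, indent=1))
        print("PHP files to review first:", new_php(diff))
    else:
        print(json.dumps(demo(), indent=1))
```

Keep the baseline file somewhere the web server account cannot write (the same goes for the script), otherwise whoever drops a shell can also rewrite the baseline. Exclude upload and cache directories with the skip prefixes, but never exclude admin/, system/ or the config files, since those are exactly where a dropped file or a patched controller shows up.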
Seems as though a malignant expansion of some kind, planned to give somebody admittance to the server. Appears as though it requires administrator admittance to utilize, so perhaps it was introduced as an expansion. Check your oc_extension_path table in your data set so that that record could check whether it was important for an augmentation. You could likewise check your FTP logs.
Likely best to change all your secret key connected with your store and facilitating.
Hi,
You could also try to put a .htpasswd for the /admin folder. You can do that from cPanel. This way, anyone who wants to login to your admin has to first insert the username and password for the admin folder. Even though they may have an admin password, it would be useless unless they also have the first login credentials to the /admin folder.
Hope this helps!
Best regards,
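The .htpasswd protection described above comes down to two things: a password file stored outside the webroot, and an .htaccess in the admin directory that requires it. Below is an added example of that configuration for Apache (the server cPanel hosts normally run); it is not from the original post or from OpenCart, and the file paths and user name are assumptions. cPanel's "Directory Privacy" tool writes the equivalent files for you.

```apache
# Assumed location: /var/www/store/admin/.htaccess
# (if you renamed the admin directory, as OpenCart recommends, put it in that directory instead)
AuthType Basic
AuthName "Store administration"
# Password file kept outside the document root so it can never be served (assumed path)
AuthUserFile /etc/apache2/store-admin.htpasswd
Require valid-user

# Create or update the password file with bcrypt hashes (run once, as the server admin; assumed user name):
#   htpasswd -B -c /etc/apache2/store-admin.htpasswd storeadmin
# Add further users without -c, otherwise the file is overwritten.
```

This needs `AllowOverride AuthConfig` (or `All`) for the directory, which shared hosts normally enable. Give each developer their own entry in the password file and delete it when the job is done, the same way the thread recommends handling their OpenCart and FTP accounts; that way the extra layer does not end up shared through the same chat message as the admin login.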