Post by Majnoon » Fri Jan 27, 2023 9:30 pm

Hello guys.
Today I ran a scan on my server and found 2 MALICIOUS files.
Attached are the files for any OC developers to check, if they want to propose some kind of fix for it to the core.
Point to be noted:
These files were found in 2 different website directories.
public_html/catalog/controller/error/error.php & /public_html/new/admin/controller/extension/extension/gino/k.php
One site is built on 2.3.0.2 & the other one on 3.0.3.8, with the default theme and no add-ons :)

As for security, only the CSRF extension was added on both sites. From the server side, cPHulk is on and some countries were blacklisted.

Attachments (2 files): "Don't deceive by the name"



Post by JNeuhoff » Fri Jan 27, 2023 9:37 pm

This is not an OpenCart bug. The 2 files you mention are not part of a standard OpenCart. You have to contact the extension author to fix these files.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by Majnoon » Fri Jan 27, 2023 10:03 pm

These 2 files don't belong to any extension, but they were reported as MALICIOUS files on my server. And I can assure you that no access was shared with anyone.
It's likely SQL injection.


Post by Majnoon » Fri Jan 27, 2023 10:06 pm

Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw an error message with the username and password etc.

How do you people avoid/prevent SQL attacks on OpenCart?


Post by johnp » Fri Jan 27, 2023 10:08 pm

Majnoon wrote:
Fri Jan 27, 2023 10:06 pm
Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw an error message with the username and password etc.

How do you people avoid/prevent SQL attacks on OpenCart?
I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:

https://nintechnet.com/ninjafirewall/pro-edition

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by Majnoon » Fri Jan 27, 2023 10:10 pm

johnp wrote:
Fri Jan 27, 2023 10:08 pm
I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:

https://nintechnet.com/ninjafirewall/pro-edition
Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issues with that. Only these 2 sites didn't have any firewall, just the CSRF extension and server-side cPHulk enabled.


Post by johnp » Fri Jan 27, 2023 10:12 pm

Majnoon wrote:
Fri Jan 27, 2023 10:10 pm
johnp wrote:
Fri Jan 27, 2023 10:08 pm
I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:

https://nintechnet.com/ninjafirewall/pro-edition
Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issues with that. Only these 2 sites didn't have any firewall, just the CSRF extension and server-side cPHulk enabled.
Sounds like Ninja Firewall will do you fine. :)


Post by khnaz35 » Fri Jan 27, 2023 10:54 pm

To prevent access to the admin, here is my simple solution.
Add a new file into your admin directory, name it .htaccess, and add this code into it.

Code:

ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

# Replace 203.0.113.10 with your office IP
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (or 2.4 with mod_access_compat loaded)
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
This code will basically block all IPs from accessing admin and send them to the above-mentioned URL :P to let them spend time on YouTube rather than looking into your admin XD

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by ADD Creative » Sat Jan 28, 2023 2:32 am

Majnoon wrote:
Fri Jan 27, 2023 10:06 pm
Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw an error message with the username and password etc.

How do you people avoid/prevent SQL attacks on OpenCart?
If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.

The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.

There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.

www.add-creative.co.uk
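The question asked earlier in the thread (how to prevent SQL injection in OpenCart) and the answer above that the fix belongs in the code, not in a WAF, as an added example that is not from the thread and not OpenCart's own code. It uses an in-memory SQLite database through PDO; the `product` table, its rows and the two `getProduct*` functions are constructed for the demo. OpenCart's real controllers build the same kind of query with `$this->db->query()`, casting numeric input with `(int)` and passing strings through `$this->db->escape()`, and the distinction shown here is the same one.

```php
<?php
// Added example, not OpenCart's code. Shows the one thing a WAF cannot
// substitute for: the value from the request must never become part of the
// SQL text. Uses an in-memory SQLite database via PDO; the product table,
// its rows and both getProduct* functions are constructed for the demo.

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE product (product_id INTEGER, name TEXT, status INTEGER)');
    $db->exec("INSERT INTO product VALUES (1, 'Visible item', 1), (2, 'Disabled item', 0)");
    return $db;
}

// Vulnerable: $productId comes straight from $_GET and is concatenated into the query.
function getProductVulnerable(PDO $db, string $productId): array
{
    $sql = "SELECT name FROM product WHERE product_id = " . $productId . " AND status = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the value is cast to the type the column expects and sent as a bound
// parameter, so the database never parses it as SQL. OpenCart's own style is
// the cast alone inside the string, "... WHERE product_id = '" . (int)$productId . "'",
// with $this->db->escape() for string columns.
function getProductFixed(PDO $db, string $productId): array
{
    $stmt = $db->prepare('SELECT name FROM product WHERE product_id = :id AND status = 1');
    $stmt->execute([':id' => (int) $productId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demoDb();
$payload = '1 OR 1=1 --';   // what an attacker sends as ?product_id=

// The concatenated query becomes "... WHERE product_id = 1 OR 1=1 -- AND status = 1":
// the status filter is commented out and the disabled row is returned as well.
print_r(getProductVulnerable($db, $payload));

// (int)'1 OR 1=1 --' is 1 and is bound as a value, so only the enabled product is returned.
print_r(getProductFixed($db, $payload));
```

Run it with `php sqli_demo.php` (PDO's SQLite driver is in most default PHP builds). The same payload is what a WAF rule would try to spot in the query string; the fixed function does not need the rule, because the value can only ever be compared against `product_id`.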



Post by JNeuhoff » Sat Jan 28, 2023 3:03 am

khnaz35 wrote:
Fri Jan 27, 2023 10:54 pm
To prevent access to the admin, here is my simple solution.
Add a new file into your admin directory, name it .htaccess, and add this code into it.

Code:

ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Order Deny,Allow
Deny from all

#Whitelist Office IP
Allow from your ip address
This code will basically block all IPs from accessing admin and send them to the above-mentioned URL :P to let them spend time on YouTube rather than looking into your admin XD
Or just send them into empty space:

Code:

ErrorDocument 403 %{unescape:%00}
:)



Post by Majnoon » Sat Jan 28, 2023 9:23 am

Thanks guys.
Also, can you tell me what you do to save your DB from SQL injection?

Because whenever someone tries to attack my website, the DB throws this type of error.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
So it starts showing the password and username of the DB.


Post by Majnoon » Sat Jan 28, 2023 9:26 am

ADD Creative wrote:
Sat Jan 28, 2023 2:32 am
If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.

The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.

There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.
Thanks @ADD Creative, I will check this.


Post by halfhope » Sat Jan 28, 2023 4:41 pm


My extensions in marketplace. [ security | flexibility | speedup ]



Post by ADD Creative » Sat Jan 28, 2023 11:23 pm

Majnoon wrote:
Sat Jan 28, 2023 9:23 am
Thanks guys.
Also, can you tell me what you do to save your DB from SQL injection?

Because whenever someone tries to attack my website, the DB throws this type of error.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
So it starts showing the password and username of the DB.
That's a problem connecting to the database. It's not a direct result of an SQL injection. You can't inject SQL if there is no connection to the database. Although it could be the result of an attack that is overloading your site.

If you see the username and password of the database in the web browser, then check your error display settings. You need to make sure display errors is set to off in all 3 places: your PHP settings, system/config/default.php, and the settings. Not only can this cause minor notices and warnings to turn into bigger errors, it can also be a security risk.

1. In your PHP settings make sure display_errors is set to Off. Use phpinfo() to check. It should be off by default, but there are lots of rubbish hosts out there.

2. In system/config/default.php set error_display to false.

3. In your OpenCart Setting on the server tab set Display Errors to No.

For more protection you can enable zend.exception_ignore_args in PHP 7.4 and greater.
https://www.php.net/manual/en/ini.core. ... gnore-args
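The three settings listed above, and why the trace in Majnoon's log contains the database password, as an added example that is not from the thread and not OpenCart's code. PHP records the arguments of every call in an exception's trace, and in OpenCart the credentials are the arguments of the DB class constructor; `zend.exception_ignore_args` removes them when the exception is created, and `display_errors` decides whether the trace reaches the browser at all. The `FakeMySQLi` class, the `connect()` function and the credentials are constructed to mimic the failing constructor call in the posted trace (the `xyz_xyz...` in that trace is PHP truncating string arguments at 15 characters; the posted password is exactly 15 characters long, so it was shown in full).

```php
<?php
// Added example, not OpenCart's code. Reproduces why the posted trace shows
// the DB password: PHP records every call's arguments in an exception trace,
// and the credentials are the arguments of the DB class constructor.
// FakeMySQLi, connect() and the credentials are constructed for the demo.

class FakeMySQLi
{
    // Same parameter list as OpenCart's system/library/db/mysqli.php constructor;
    // the connection "fails" immediately, as in the posted log.
    public function __construct(string $hostname, string $username, string $password, string $database, string $port)
    {
        throw new \Exception('Error: Connection refused<br />Error No: 2002');
    }
}

function connect(): void
{
    new FakeMySQLi('localhost', 'xyz_xyz_user', '_FFJKO}erD5lW17', 'xyz_xyz_db', '3306');
}

// true if the secret appears in the trace that display_errors would print
// to the browser and error_log would write to the log file.
function traceLeaksSecret(string $secret): bool
{
    try {
        connect();
    } catch (\Exception $e) {
        return strpos($e->getTraceAsString(), $secret) !== false;
    }
    return false;
}

$secret = '_FFJKO}erD5lW17';

// PHP's default: arguments are kept in traces, so the password is in the text.
ini_set('zend.exception_ignore_args', '0');
var_dump(traceLeaksSecret($secret));

// PHP 7.4 and later: arguments are dropped when the exception is created.
ini_set('zend.exception_ignore_args', '1');
var_dump(traceLeaksSecret($secret));

// Whether the trace is shown to a visitor at all is the display_errors side;
// all three switches from the post above must be off:
//   php.ini:                          display_errors = Off
//   system/config/default.php:        $_['error_display'] = false;
//   admin > System > Settings, Server tab: Display Errors = No
// Quick check of the PHP side: php -i | grep -E 'display_errors|exception_ignore_args'
```

`zend.exception_ignore_args` is an `INI_ALL` setting, which is why the demo can toggle it with `ini_set()`; on a real site set it in php.ini (the production template ships with it on) so that nothing created before the first `ini_set()` call can still carry arguments. Keeping the trace out of the browser with `display_errors` does not keep it out of the error log, so the `ignore_args` setting is the one that stops the password from being written anywhere.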


Post by paulfeakins » Mon Jan 30, 2023 8:02 pm

Majnoon wrote:
Fri Jan 27, 2023 9:30 pm
Attached are the files for any OC developers to check if they want to propose some kind of fix for it to the core.
As others have said, there are obviously no malicious files in the OpenCart core, so you have been hacked.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by Majnoon » Mon Jan 30, 2023 9:13 pm

paulfeakins wrote:
Mon Jan 30, 2023 8:02 pm
so you have been hacked.
That was the whole purpose of opening this thread: the OpenCart team might want to do something more for security. I'm sure people here have some awesome ideas which can be suggested to the OC team.


Post by ADD Creative » Mon Jan 30, 2023 10:18 pm

Majnoon wrote:
Mon Jan 30, 2023 9:13 pm
paulfeakins wrote:
Mon Jan 30, 2023 8:02 pm
so you have been hacked.
That was the whole purpose of opening this thread: the OpenCart team might want to do something more for security. I'm sure people here have some awesome ideas which can be suggested to the OC team.
There is nothing the OpenCart team can do. The two files have nothing to do with OpenCart and have been uploaded somehow. There is no known way this can be done in the two versions of OpenCart you are using (otherwise everybody would have them). They have been uploaded by something unique to your web site, such as an extension/theme, another application, weak/stolen passwords, etc.


Post by paulfeakins » Mon Jan 30, 2023 10:56 pm

Majnoon wrote:
Mon Jan 30, 2023 9:13 pm
That was the whole purpose to open this thread that opencart team might want to do something more for security.
It's highly likely the security hole was YOU - a weak password or dodgy extension, not OpenCart.


Post by Majnoon » Mon Jan 30, 2023 11:12 pm

Thanks for the explanation guys. I was looking into my server also and noticed one thing in the ModSecurity™ Tools under the hit list:

Code:

Request:	GET /.env
Action Description:	Warning.
Justification:	Matched phrase "/.env" at REQUEST_FILENAME.
& as well as

Code:

Request:	GET /.git/config
Action Description:	Warning.
Justification:	Operator GE matched 5 at TX:inbound_anomaly_score.
It looks like a script the person is using to kill the server and database.
I will set up some honeypot on the server https://www.getpagespeed.com/server-set ... block-bots
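ADD Creative's advice earlier in the thread to go through the access logs, applied to the two dropped files from the first post and to the probes in the ModSecurity hit list above, as an added example that is not part of the thread and not OpenCart's code. The log lines, client IPs, timestamps and the `route=extension/module/hypothetical_uploader` request are constructed for the demo; the two file paths and the `/.env` and `/.git/config` probes are the thread's, and the two extra probe paths are an assumption about what the same scanners usually request next.

```php
<?php
// Added example, not from the thread or OpenCart. Triages an Apache
// "combined" access log for the three things worth finding after a webshell
// is discovered: every request to the dropped files, the recon probes, and
// every earlier POST from the same client (the likely upload vector).

// Paths of the two files found on the two sites (from the first post).
const DROPPED_FILES = [
    '/catalog/controller/error/error.php',
    '/new/admin/controller/extension/extension/gino/k.php',
];

// Probe paths from the ModSecurity hit list, plus two common companions (assumed).
const RECON_PROBES = ['/.env', '/.git/config', '/.git/HEAD', '/.aws/credentials'];

// Constructed sample log. IPs are documentation addresses; the extension route is hypothetical.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [25/Jan/2023:13:40:01 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.28"
203.0.113.7 - - [25/Jan/2023:13:40:02 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "python-requests/2.28"
198.51.100.20 - - [25/Jan/2023:13:50:10 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2023:13:55:31 +0000] "POST /index.php?route=extension/module/hypothetical_uploader HTTP/1.1" 200 312 "-" "python-requests/2.28"
203.0.113.7 - - [25/Jan/2023:13:58:52 +0000] "POST /new/admin/controller/extension/extension/gino/k.php HTTP/1.1" 200 54 "-" "python-requests/2.28"
203.0.113.7 - - [25/Jan/2023:14:01:05 +0000] "GET /catalog/controller/error/error.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.28"
LOG;

// Parse one combined-format line into the fields the triage needs; null if it does not match.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $time = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $time,
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?: $m[4],   // drop the query string
        'status' => (int) $m[5],
        'raw'    => $line,
    ];
}

function triageAccessLog(string $log): array
{
    $entries = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (($e = parseLine($line)) !== null) {
            $entries[] = $e;
        }
    }

    $shellHits = $probes = $priorPosts = [];
    $firstShellHit = [];   // ip => time of that client's first request to a dropped file
    foreach ($entries as $e) {
        if (in_array($e['path'], DROPPED_FILES, true)) {
            $shellHits[] = $e['raw'];
            $firstShellHit[$e['ip']] = $firstShellHit[$e['ip']] ?? $e['time'];
        } elseif (in_array($e['path'], RECON_PROBES, true)) {
            $probes[] = $e['raw'];
        }
    }

    // Whatever the same client POSTed before it first touched a dropped file is
    // the candidate upload request: that URL is what to match against installed extensions.
    foreach ($entries as $e) {
        if ($e['method'] === 'POST'
            && isset($firstShellHit[$e['ip']])
            && $e['time'] < $firstShellHit[$e['ip']]
            && !in_array($e['path'], DROPPED_FILES, true)) {
            $priorPosts[] = $e['raw'];
        }
    }

    return [
        'attacker_ips'              => array_keys($firstShellHit),
        'webshell_requests'         => $shellHits,
        'recon_probes'              => $probes,
        'candidate_upload_requests' => $priorPosts,
    ];
}

print_r(triageAccessLog(SAMPLE_LOG));
```

Run it with `php triage.php`; on a real server replace `SAMPLE_LOG` with `file_get_contents()` of the Apache access log (on cPanel, the per-domain log under `/var/log/apache2/domlogs/`). The probes for `/.env` and `/.git/config` are what ModSecurity blocked, so on their own they only identify a scanner; the request that matters is the one the same client POSTed just before its first hit on `k.php` or `error.php`. Pair the log side with the filesystem side: `find public_html -name '*.php' -newermt '2023-01-24'` lists every PHP file changed since the day before the first hit, and anything there that is not part of a known release or extension needs the same look.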
