Opencart & its Security ?
Posted: Fri Jan 27, 2023 9:30 pm
by Majnoon
Hello guys.
Today I ran a scan on my server and found 2 MALICIOUS files.
Attached are the files for any OC developers to check if they want to propose some kind of fix for it to the core.
Point to be noted.
These files were found in 2 different website directories.
public_html/catalog/controller/error/error.php &
/public_html/new/admin/controller/extension/extension/gino/k.php
One site is built on 2.3.0.2 and the other one is 3.0.3.8, with the default theme and no add-ons.
As for security, only a CSRF extension was added on both sites. On the server side, cPHulk is on and some countries were blacklisted.
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 9:37 pm
by JNeuhoff
This is not an OpenCart bug. The 2 files you mention are not part of a standard OpenCart. You have to contact the extension author to fix these files.
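One way to confirm which files are not part of a standard OpenCart is to compare the live tree against a clean unpack of the same release. This is an added example, not code from the thread or from OpenCart; the function names and the small demo trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map relative path -> SHA-256 for every .php file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.php") if p.is_file()}

def compare_to_clean(live_root, clean_root):
    """Compare a live install with a clean unpack of the same release."""
    live, clean = manifest(live_root), manifest(clean_root)
    return {
        "extra": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }

def build_demo_trees(base):
    """Constructed sample data: a tiny 'clean' tree and a 'live' copy with changes."""
    stock = (
        "catalog/controller/error/not_found.php",
        "catalog/controller/common/home.php",
        "admin/controller/extension/extension/module.php",
    )
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        for rel in stock:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php // stock file\n")
    # The two paths reported in the thread; contents here are placeholders.
    for rel in ("catalog/controller/error/error.php",
                "admin/controller/extension/extension/gino/k.php"):
        target = live / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<?php // placeholder for an unknown upload\n")
    (live / "catalog/controller/common/home.php").write_text("<?php // edited\n")
    return live, clean

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_demo_trees(Path(tmp))
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    print(run_demo())
```

On a real site, installed extensions and the generated modification cache will also show up as extra or modified, so each entry still needs to be reviewed by hand.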
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:03 pm
by Majnoon
These 2 files don't belong to any extensions but these were reported as MALICIOUS files on my server. And I can assure that no access was shared with anyone.
It's likely SQL injection.
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:06 pm
by Majnoon
Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw the error message with user name and password etc.
How do you people avoid/prevent SQL attack on Opencart?
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:08 pm
by johnp
Majnoon wrote: ↑Fri Jan 27, 2023 10:06 pm
Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw the error message with user name and password etc.
How do you people avoid/prevent SQL attack on Opencart?
I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:
https://nintechnet.com/ninjafirewall/pro-edition
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:10 pm
by Majnoon
Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issue with that. Only these 2 sites didn't have any firewall, just the CSRF extension and server-side cPHulk enabled.
Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:12 pm
by johnp
Majnoon wrote: ↑Fri Jan 27, 2023 10:10 pm
Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issue with that. Only these 2 sites didn't have any firewall, just the CSRF extension and server-side cPHulk enabled.
Sounds like Ninja Firewall will do you fine.

Re: Opencart & its Security ?
Posted: Fri Jan 27, 2023 10:54 pm
by khnaz35
To prevent access to the admin, here is my simple solution.
Add a new file into your admin, name it .htaccess and add this code into it.
Code:
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
Order Deny,Allow
Deny from all
# Whitelist office IP (203.0.113.10 is a placeholder; use your own address)
Allow from 203.0.113.10
This code basically will block all IPs from accessing admin and send them to the above-mentioned URL to let them spend time on YouTube rather than looking into your admin XD
Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 2:32 am
by ADD Creative
Majnoon wrote: ↑Fri Jan 27, 2023 10:06 pm
Also a question. When there is a SQL injection attack, normally the OpenCart database will refuse the connection and throw the error message with user name and password etc.
How do you people avoid/prevent SQL attack on Opencart?
If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.
The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.
There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.
Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 3:03 am
by JNeuhoff
khnaz35 wrote: ↑Fri Jan 27, 2023 10:54 pm
To prevent access to the admin, here is my simple solution.
Add a new file into your admin, name it .htaccess and add this code into it.
Code:
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
Order Deny,Allow
Deny from all
# Whitelist office IP (203.0.113.10 is a placeholder; use your own address)
Allow from 203.0.113.10
This code basically will block all IPs from accessing admin and send them to the above-mentioned URL to let them spend time on YouTube rather than looking into your admin XD
Or just send them into empty space:

Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 9:23 am
by Majnoon
Thanks guys.
Also, can you tell me what you do to save your DB from SQL injection?
Because whenever someone tries to attack my website, the DB throws this type of error.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
So it starts showing the password and username of the DB.
Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 9:26 am
by Majnoon
ADD Creative wrote: ↑Sat Jan 28, 2023 2:32 am
If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.
The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.
There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.
Thanks @ADD Creative, I will check this.
Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 4:41 pm
by halfhope
Re: Opencart & its Security ?
Posted: Sat Jan 28, 2023 11:23 pm
by ADD Creative
Majnoon wrote: ↑Sat Jan 28, 2023 9:23 am
Thanks guys.
Also, can you tell me what you do to save your DB from SQL injection?
Because whenever someone tries to attack my website, the DB throws this type of error.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
So it starts showing the password and username of the DB.
That's a problem connecting to the database. It's not a direct result of an SQL injection. You can't inject SQL if there is no connection to the database. Although it could be the result if an attack is overloading your site.
If you see the username and password of the database in the web browser, then check your error display settings. You need to make sure display errors is set to off in all 3 places: your PHP settings, system/config/default.php and the settings. Not only can this cause minor notices and warnings to cause bigger errors, it can also be a security risk.
1. In your PHP settings make sure display_errors is set to Off. Use phpinfo() to check. It should be off by default, but there are lots of rubbish hosts out there.
2. In system/config/default.php set error_display to false.
3. In your OpenCart Setting on the server tab set Display Errors to No.
For more protection you can enable zend.exception_ignore_args in PHP 7.4 and greater.
https://www.php.net/manual/en/ini.core. ... gnore-args
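The three checks listed in the post above, plus zend.exception_ignore_args, can be audited from the configuration text itself. This is an added example, not code from the thread or from OpenCart; it assumes default.php assigns the value as `$_['error_display'] = ...;`, takes the admin setting as a value you pass in, and uses constructed sample inputs.

```python
import re

ON = {"1", "on", "true", "yes"}

def ini_value(ini_text, key):
    """Last uncommented value of `key` in php.ini text, lower-cased, or None if unset."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        if "=" in line:
            name, val = (part.strip() for part in line.split("=", 1))
            if name == key:
                value = val.strip('"').lower()
    return value

def oc_error_display(default_php):
    """Value assigned to $_['error_display'] in default.php text, or None."""
    m = re.search(r"""\$_\[['"]error_display['"]\]\s*=\s*(\w+)\s*;""", default_php)
    return m.group(1).lower() if m else None

def audit(ini_text, default_php, admin_display_errors):
    """Check the three places named in the post, plus zend.exception_ignore_args."""
    findings = []
    display = ini_value(ini_text, "display_errors")
    if display is None:
        findings.append("php.ini: display_errors not set in this file; check phpinfo()")
    elif display in ON or display in {"stdout", "stderr"}:
        findings.append("php.ini: display_errors is enabled")
    if oc_error_display(default_php) != "false":
        findings.append("system/config/default.php: error_display is not false")
    if admin_display_errors:
        findings.append("OpenCart settings, server tab: Display Errors is Yes")
    if ini_value(ini_text, "zend.exception_ignore_args") not in ON:
        findings.append("php.ini: zend.exception_ignore_args is not enabled")
    return findings

# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = "display_errors = On\n;zend.exception_ignore_args = On\n"
SAMPLE_DEFAULT_PHP = "<?php\n$_['error_display'] = true;\n$_['error_log'] = true;\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_DEFAULT_PHP, admin_display_errors=True):
        print(finding)
```

Values set per directory or at runtime can override php.ini, so the phpinfo() check from the post remains the authoritative one.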
Re: Opencart & its Security ?
Posted: Mon Jan 30, 2023 8:02 pm
by paulfeakins
Majnoon wrote: ↑Fri Jan 27, 2023 9:30 pm
Attached are the files for any OC developers to check if they want to propose some kind of fix for it to the core.
As others have said, there are obviously not malicious files in the OpenCart core, so you have been hacked.
Re: Opencart & its Security ?
Posted: Mon Jan 30, 2023 9:13 pm
by Majnoon
paulfeakins wrote: ↑Mon Jan 30, 2023 8:02 pm
so you have been hacked.
That was the whole purpose of opening this thread, that the OpenCart team might want to do something more for security. I am sure people here have some awesome ideas which can be suggested to the OC team.
Re: Opencart & its Security ?
Posted: Mon Jan 30, 2023 10:18 pm
by ADD Creative
Majnoon wrote: ↑Mon Jan 30, 2023 9:13 pm
paulfeakins wrote: ↑Mon Jan 30, 2023 8:02 pm
so you have been hacked.
That was the whole purpose of opening this thread, that the OpenCart team might want to do something more for security. I am sure people here have some awesome ideas which can be suggested to the OC team.
There is nothing the OpenCart team can do. The two files have nothing to do with OpenCart and have been uploaded somehow. There is no known way this can be done in the two versions of OpenCart you are using (otherwise everybody would have them). They have been uploaded by something unique to your web site, such as an extension/theme, another application, weak/stolen passwords, etc.
Re: Opencart & its Security ?
Posted: Mon Jan 30, 2023 10:56 pm
by paulfeakins
Majnoon wrote: ↑Mon Jan 30, 2023 9:13 pm
That was the whole purpose to open this thread that opencart team might want to do something more for security.
It's highly likely the security hole was YOU - a weak password or dodgy extension, not OpenCart.
Re: Opencart & its Security ?
Posted: Mon Jan 30, 2023 11:12 pm
by Majnoon
Thanks for the explanation guys. I was looking into my server also and noticed one thing in ModSecurity™ Tools under the hit list:
Code:
Request: GET /.env
Action Description: Warning.
Justification: Matched phrase "/.env" at REQUEST_FILENAME.
as well as
Code:
Request: GET /.git/config
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
It looks like the script a person is using to kill the server and database.
I will set up some honeypot on the server
https://www.getpagespeed.com/server-set ... block-bots
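The advice earlier in the thread to check the web access logs, and the ModSecurity hits quoted above, can be combined into a small triage pass over an access log. This is an added example, not code from the thread; it assumes combined log format, and the sample lines, timestamps and IP addresses are constructed.

```python
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Probe paths from the ModSecurity hits quoted in the thread.
PROBE_PATHS = ("/.env", "/.git/config")
# The two files the scanner reported, as they would appear in request paths.
REPORTED_FILES = ("/catalog/controller/error/error.php",
                  "/admin/controller/extension/extension/gino/k.php")

def triage(lines):
    """Group probe requests and requests for the reported files by client IP."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]            # ignore the query string
        is_probe = path.endswith(PROBE_PATHS)
        is_reported = path.endswith(REPORTED_FILES)
        if not (is_probe or is_reported):
            continue
        entry = report.setdefault(ip, {"probes": [], "reported_file_hits": []})
        if is_probe:
            entry["probes"].append(path)
        if is_reported:
            entry["reported_file_hits"].append((method, path, status))
    return report

def clients_served_reported_files(report):
    """Clients that received a 200 from one of the reported files."""
    return sorted(ip for ip, e in report.items()
                  if any(status == "200" for _, _, status in e["reported_file_hits"]))

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2023:13:58:40 +0000] "GET /.env HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [25/Jan/2023:13:58:41 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "-"
198.51.100.23 - - [25/Jan/2023:14:02:10 +0000] "POST /new/admin/controller/extension/extension/gino/k.php HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [25/Jan/2023:14:02:12 +0000] "GET /catalog/controller/error/error.php?x=1 HTTP/1.1" 200 87 "-" "-"
192.0.2.50 - - [25/Jan/2023:14:05:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 20480 "-" "-"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result)
    print(clients_served_reported_files(result))
```

The earliest request that reached a reported file gives a starting time for reviewing the FTP and error logs around the upload.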