OpenCart Community

Evening all,

I am running OC V 1.4.9.3 which was upgraded.

Last week I was making some changes to my categories and when checking homepage was greeted with a black screen and message saying "owned by ghost_cyber a.k.a CivO Ngaw|HackerL|nK Team", i immediately contacted my host who looked in to the issue and informed me off the following

"reviewing the account there has been several exploit attempts to scripts under your account. Most notably it appears that the hacked files was uploaded through the admin file manager. Please make sure to change your back end password and that the script that you are using is upgraded to the most current version to prevent further exploitation.

At this time I have removed the defaced page from your account."

They sorted the problem but were basically saying this was an OC issue.
I changed all my password from back end to even changing passwords for FTP & C Panel and all has been ok until this evening.

Whilst writing product description for a new product in my Admin panel I noticed I was getting the egg timer which I thought was odd as I was just writing text, went and checked my home page and there is the horrible message again.

I have contacted host who are in the process of dealing with it but was hoping someone on there could please help me. How are they doing it as it seems it only happens if I am logged in admin making changes? I don't want this to keep happening so any help would be hugely appreciated.

Thanks
Debbie

have you run a virus scanner on your computer?

Hi again,

I am currently running OC V 1.4.9.3 which is an upgrade from an earlier version. After having some home page issues and possible website being hacked I have just done a search on the forum and found some posts referring to both domPDF and FCKeditor...

When checking my directory I have found both these folders and need to know if they should be deleted? Do I delete the whole folder or is it just certain files within the folder?

Please advise?
Thanks
Debbie

Hi,

I have run full virus scanner and malware scanner on PC several times and both report nothing found.

Host have just come back and said "The index.html file was modified through the same way, the admin file manager"
Quite blunt with also!!

Debbie

I would delete the whole folders. neither folder is distributed with opencart anymore.

Thank you, both deleted.

Merged, please keep it in one post if related.

Thanks.

My apologies i2Paq

Could still have these folders have been the cause? So scared of logging in my admin panel now in case it happens again.

Probably a good idea to change the name of the admin folder to something else as well. If you do, remember that you will need to change the admin config file as well.

Not sure if this will help stop the problem in the future, but I always think it's a good idea to do this.

Dompdf is safe to use IF you remove the "dompdf.php" file from the dompdf folder, as this is the file that is used for "attacks", by passing variables through the address line in the form:
http://www.yourstore.com/system/helper/ ... some_value

Removing the "dompdf.php" file from the package (as recommended by the developers) prevents this from happening.

The FCKeditor should be completely removed.

Thank you all, I downloaded the latest version of OC and checked file directories and see that domPDF and FCKeditor files are no longer there so have being deleted. After pushing host company for more information it seems the file was being accessed through

"admin/view/javascript/fckeditor/editor/filemanager/connectors/php/connector.php"

Debbie