Post by masterross » Sat Jan 25, 2020 1:06 am

Hi guys,

Looks like one of my clients' sites was injected with malicious code.
OC 2.3.0.2 standard theme
./catalog/view/javascript/common.js
./catalog/view/theme/default/template/checkout/payment_method.tpl
were modified trying to steal CC info.
I checked the logs and on that date I see SQL injection tries from IP 185.183.104.83
like these:

https://www.example.com/index.php?route=product/product&path=4_16&product_id=-2689 UNION ALL SELECT 6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657,6657
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-3731 UNION ALL SELECT 3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948,3948
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-5461 UNION ALL SELECT 4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172,4172
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-4566 UNION ALL SELECT 2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037,2037
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-1822 UNION ALL SELECT 2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783,2783
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-5245 UNION ALL SELECT 2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895,2895
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-1163 UNION ALL SELECT 1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950,1950
What to do against such attacks?

Thanks!

Pottery Glaze shop


Post by IP_CAM » Sat Jan 25, 2020 1:46 am

Kill the son of a bitch, or remove the shop software, that's all you can do against such attacks ... :laugh:
Or better, just make sure to have the site secured according to the latest standards, that's all you can do.
Ernie

And contact the Fellows in charge:
abuse-mailbox: abuse@m247.ro
e-mail: nmc@m247.com

Host information for "185.183.104.83":
  IP address:  185.183.104.83
  Hostname:    (Not available)

Network query:

Network query for "185.183.104.83" at "whois.iana.org":

refer:        whois.ripe.net

inetnum:      185.0.0.0 - 185.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

whois:        whois.ripe.net

changed:      2011-02
source:       IANA

The response from "whois.iana.org" refers to the whois server "whois.ripe.net".

Forwarded network query for "185.183.104.83" at "whois.ripe.net":

inetnum:        185.183.104.0 - 185.183.104.255
netname:        M247-LTD-Zurich
descr:          M247 LTD Zurich Infrastructure
country:        CH
geoloc:         47.3667 8.5500
admin-c:        GBXS12-RIPE
mnt-domains:    GLOBALAXS-MNT
tech-c:         GBXS12-RIPE
status:         LIR-PARTITIONED PA
mnt-routes:     GLOBALAXS-MNT
mnt-by:         uk-ukwebsolutions-1-mnt
created:        2016-12-23T10:34:49Z
last-modified:  2016-12-29T12:11:36Z
source:         RIPE

role:           GLOBALAXS ZURICH NOC
address:        Saegereistrasse 35
address:        CH-8152 Glattbrugg,Switzerland
e-mail:         nmc@m247.com
tech-c:         CB2407-RIPE
tech-c:         JB3482-RIPE
abuse-mailbox:  abuse@m247.ro
nic-hdl:        GBXS12-RIPE
mnt-by:         GLOBALAXS-MNT
created:        2016-06-16T11:23:30Z
last-modified:  2018-07-20T08:21:30Z
source:         RIPE

route:          185.183.104.0/24
origin:         AS9009
mnt-by:         GLOBALAXS-MNT
created:        2016-12-23T10:51:35Z
last-modified:  2016-12-23T10:51:35Z
source:         RIPE

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Post by ADD Creative » Sat Jan 25, 2020 2:04 am

First thing, if you haven't already, is to change all the passwords for all the OpenCart admin users, all hosting control panel logins, all FTP accounts, etc. Remove any logins that are no longer required.

The most likely way for someone to modify those files would be by using a weak or stolen password. Check your server's FTP logs for changes to those files, maybe ask your host.

Check all your other files on the server for changes. There may have been a backdoor installed that the attacker can use again.

The SQL injection tries you see are just attempts; as far as I know there is no known vulnerability in 2.3.0.2 for route=product/product. They are probably unrelated unless you have a vulnerable extension. What extensions are you using, if any?
Last edited by ADD Creative on Sat Jan 25, 2020 10:24 pm, edited 1 time in total.

www.add-creative.co.uk

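The "check all your other files on the server for changes" step from the post above, as an added Python example; this is not code from the thread or from OpenCart. It hashes every regular file under a tree with SHA-256, compares the result against a baseline and reports added, removed and modified paths. The demo tree, the appended lines and the dropped image/cache/x.php are constructed for illustration; only the two template/JS paths are the ones named in the first post.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map 'relative/path' -> sha256 for every regular file under root (symlinks skipped)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines. Content hashes decide 'modified'; mtimes are not consulted
    because an attacker who can write the file can also reset its timestamp."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean tree, then edits to the two files named in the thread
    plus one dropped PHP file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        common_js = root / "catalog/view/javascript/common.js"
        payment_tpl = root / "catalog/view/theme/default/template/checkout/payment_method.tpl"
        untouched = root / "catalog/controller/common/home.php"  # constructed, left alone
        for path, text in (
            (common_js, "// placeholder for the shipped common.js\n"),
            (payment_tpl, "<!-- placeholder for the shipped payment_method.tpl -->\n"),
            (untouched, "<?php // placeholder ?>\n"),
        ):
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        before = build_baseline(root)

        # Simulated tampering (constructed): code appended to both files named in the
        # thread, and a new file dropped into a directory that is usually web-writable.
        with open(common_js, "a") as f:
            f.write("/* appended code */\n")
        with open(payment_tpl, "a") as f:
            f.write('<script src="//example.invalid/x.js"></script>\n')
        dropped = root / "image/cache/x.php"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_text("<?php // constructed placeholder ?>\n")

        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

When, as here, no pre-incident baseline exists, build the baseline from a freshly downloaded copy of the same OpenCart release and run compare() against the server's tree: every "modified" core file and every "added" file, especially PHP under upload or cache directories, needs to be read before the site is declared clean. Files that belong to installed extensions are not in the core archive, so they show up as "added" and have to be checked against the extension packages separately.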

Post by masterross » Sat Jan 25, 2020 6:30 am

Thx guys,

Banning IPs won't help :)
Not sure whether these queries are related, but there are thousands of them and the attacker did 4 requests for each string.
The links start with these:

https://www.example.com/index.php?route=product/product&path=4_16&product_id=6946
https://www.example.com/index.php?route=product/product&path=4_16&product_id=(SELECT (CASE WHEN (8854=5847) THEN 431 ELSE (SELECT 5847 UNION SELECT 6199) END))
https://www.example.com/index.php?route=product/product&path=4_16&product_id=(SELECT (CASE WHEN (3079=3079) THEN 431 ELSE (SELECT 8386 UNION SELECT 2067) END))
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-1240
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-1844) OR 1006=7813
https://www.example.com/index.php?route=product/product&path=4_16&product_id=-2648) OR 1079=1079
and end with the ones in the first post.
The date matched the edited files.

So I need to write a ModSecurity rule but I'm not good with regex.
Can anyone help?

Pottery Glaze shop

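The two things asked for in the first post and in the post above (spotting the UNION / CASE WHEN probes in the access log, and a rule that rejects them), as an added Python example; this is not code from the thread or from OpenCart. The sample request lines are constructed to mirror the URLs quoted above, including a percent-encoded variant, and the ModSecurity rule in the comment is the allowlist form of the same check with an arbitrary placeholder rule id.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests shaped like the ones quoted in the thread (decoded and
# percent-encoded); not real log data. Entry 0 is benign, entry 5 carries no product_id.
SAMPLE_REQUESTS = [
    "/index.php?route=product/product&path=4_16&product_id=6946",
    "/index.php?route=product/product&path=4_16&product_id=(SELECT (CASE WHEN (8854=5847) THEN 431 ELSE (SELECT 5847 UNION SELECT 6199) END))",
    "/index.php?route=product/product&path=4_16&product_id=-1844) OR 1006=7813",
    "/index.php?route=product/product&path=4_16&product_id=-2689 UNION ALL SELECT 6657,6657,6657",
    "/index.php?route=product/product&path=4_16&product_id=%2D1240%20UNION%20ALL%20SELECT%201%2C2",
    "/index.php?route=product/category&path=4_16",
]

# Allowlist: a product id is a run of digits and nothing else. This is the check to enforce;
# it needs no knowledge of SQL syntax and cannot be bypassed by a differently spelled payload.
NUMERIC_ID = re.compile(r"\d+")

# The same allowlist as a ModSecurity (v2 syntax) rule. The id is an arbitrary placeholder in
# the user-defined range and must not collide with rules already loaded on the server:
#   SecRule ARGS:product_id "!@rx ^\d+$" \
#       "id:1000001,phase:2,t:none,deny,status:403,log,msg:'Non-numeric product_id'"

# Blocklist signatures, used only to label what kind of probe a rejected value was.
# Order matters: the CASE WHEN probes also contain UNION SELECT, so they are tested first.
SQLI_SIGNATURES = [
    ("boolean-based", re.compile(r"\bCASE\s+WHEN\b|\)\s*OR\s+\d+\s*=\s*\d+", re.I)),
    ("union-based", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
]


def product_id_param(request_path):
    """Return the percent-decoded product_id value from a request path, or None if absent."""
    query = urlsplit(request_path).query
    values = parse_qs(query, keep_blank_values=True).get("product_id")
    return values[0] if values else None


def classify(request_path):
    """'ok' for an all-digit id, 'no-product-id' if absent, otherwise a probe label
    ('non-numeric' when the value is bad but matches none of the signatures)."""
    pid = product_id_param(request_path)
    if pid is None:
        return "no-product-id"
    if NUMERIC_ID.fullmatch(pid):
        return "ok"
    for label, pattern in SQLI_SIGNATURES:
        if pattern.search(pid):
            return label
    return "non-numeric"


def triage(requests):
    """Pair every request with its label, for review before writing or tuning a WAF rule."""
    return [(r, classify(r)) for r in requests]


def summary(requests):
    """Count labels across a batch of requests."""
    counts = {}
    for _, label in triage(requests):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for request, label in triage(SAMPLE_REQUESTS):
        print(f"{label:14s} {request}")
    print(summary(SAMPLE_REQUESTS))
```

The rule is written as an allowlist on the one parameter rather than as a regex over SQL keywords: a numeric id has exactly one valid shape, while keyword blocklists have to be maintained and can be evaded with encoding or comments, so the signature regexes here only serve to label log lines. Note also what the posts above already say about these requests: rejecting them at the WAF cuts the noise, but it does not explain how the two files were modified, and that path still has to be found.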

Post by OSWorX » Sat Jan 25, 2020 6:58 am

You wrote:
masterross wrote:
Sat Jan 25, 2020 1:06 am
OC 2.3.0.2 standard theme
./catalog/view/javascript/common.js
./catalog/view/theme/default/template/checkout/payment_method.tpl
were modified trying to steal CC info.
What was modified?
What you are posting below are only unqualified attempts to inject something useless, which have no impact (besides the bandwidth and your server load).

So, before posting endless queries here, tell us first what the "modifications" are.
Otherwise the header and this thread are completely irrelevant!

Besides all this, I know of not one security hole in the complete OpenCart 2.3.0.2 release.
Could it be that you also have other webs installed on the same server, like this f**** WordPress?

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


Post by OSWorX » Sat Jan 25, 2020 7:03 am

masterross wrote:
Sat Jan 25, 2020 1:06 am
Looks like one of my clients' sites ..
Client's site .. and what are you doing here in the free forum?
You should post such question in the commercial section or hire one of the professionals!
