Post by fietsknecht » Mon Jun 20, 2022 11:21 pm

I hope I'm posting in the right forum.
I made a copy of my OC3 installation by zipping the complete home directory and FTPing the zip to my home PC. Upon unzipping, Microsoft Defender gives a warning that Trojan:PHP/RevWebshell.YA!MTB was found in admin/controller/extension/extension/shell.php. The PHP file indeed looks weird (see attached zip). I have no idea how it got onto the server.
Anyone experienced something like this before?


Post by ADD Creative » Tue Jun 21, 2022 12:41 am

Does look like some sort of malicious extension, intended to give someone access to the server. Looks like it requires admin access to use, so maybe it was installed as an extension. Check your oc_extension_path table in your database for that file to see if it was part of an extension. You could also check your FTP logs.

Probably best to change all your passwords related to your store and hosting.

www.add-creative.co.uk


Post by fietsknecht » Tue Jun 21, 2022 1:47 am

Thanks for your reply. I checked the oc_extension_path table in the database but could not find anything. My guess is the malicious PHP was put there by a so-called 'customer service representative' to whom I granted access via an additional account when I was having trouble with some extension (I forgot which one). Of course I disabled the additional account right after he/she was finished, but apparently that wasn't enough. I have now deleted the faulty PHP file and changed all my hosting and store related passwords. I will investigate further to see which extension was mingled with and will follow up here.


Post by halfhope » Tue Jun 21, 2022 9:33 am

Hi!

Also check the oc_modification table; there should be a reverse shell. If the site is infected, send me a PM. Cleaning with 1 year warranty.

My extensions in marketplace. [ security | flexibility | speedup ]


Post by fietsknecht » Wed Jun 22, 2022 2:29 am

halfhope wrote:
Tue Jun 21, 2022 9:33 am
Also check the oc_modification table, there should be a reverse shell.
Thanks! Somehow https://github.com/miklcct/opencart_reverse_shell was installed on my system. I managed to remove all the files.
I still don't know how it got there. Don't trust these developers that ask for access to your admin, is all I can say.


Post by halfhope » Thu Jun 23, 2022 2:07 am

fietsknecht wrote:
Wed Jun 22, 2022 2:29 am
Don't trust these developers that ask for access to your admin is all I can say.
Most work with opencart requires access to the admin panel and FTP.
1. Create separate credentials (FTP/admin) for developers. Disable them or change the password after finishing work.
2. Use password generators, don't create your own password.
3. Watch for all changes in files. You can use my extension FSMonitor for that.
4. Make regular backups of files and databases.

My extensions in marketplace. [ security | flexibility | speedup ]
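Item 3 above (watch for changes in files), as an added example that is neither FSMonitor nor any code from this thread: a minimal baseline-and-diff integrity check in Python that would surface a new admin/controller/extension/extension/shell.php. The skip list is an assumption to adjust per install, and the tree built in demo() is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Runtime-written directories to skip (assumption: adjust for your install).
SKIP_DIRS = ("image/cache/", "system/storage/")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root_p = Path(root)
    out = {}
    for p in root_p.rglob("*"):
        rel = p.relative_to(root_p).as_posix()
        if p.is_file() and not rel.startswith(SKIP_DIRS):
            out[rel] = sha256_of(p)
    return out

def compare(baseline: dict, current: dict) -> dict:
    """Diff a saved baseline against a fresh one; new .php files are the signal."""
    added = sorted(set(current) - set(baseline))
    return {
        "added": added,
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
        "new_php": [p for p in added if p.endswith(".php")],
    }

def demo() -> dict:
    """Constructed sample: baseline a tiny tree, then plant a file where the
    thread's shell.php was found and alter index.php."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'ok';\n")
    (root / "image/cache").mkdir(parents=True)
    (root / "image/cache/x.jpg").write_bytes(b"\xff\xd8")  # in skipped dir
    baseline = build_baseline(root)  # in real use, store this off-server
    shell_dir = root / "admin/controller/extension/extension"
    shell_dir.mkdir(parents=True)
    (shell_dir / "shell.php").write_text("<?php // constructed marker\n")
    (root / "index.php").write_text("<?php echo 'changed';\n")
    return compare(baseline, build_baseline(root))
```

Run build_baseline() right after a clean install or update, keep the JSON off the web root, and diff on a schedule; anything in new_php deserves a look before anything else.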


Post by Rahino » Thu Jul 07, 2022 5:47 pm

Seems as though a malignant expansion of some kind, planned to give somebody admittance to the server. Appears as though it requires administrator admittance to utilize, so perhaps it was introduced as an expansion. Check your oc_extension_path table in your data set so that that record could check whether it was important for an augmentation. You could likewise check your FTP logs. :o

Likely best to change all your secret key connected with your store and facilitating.


Post by eugensovar » Thu Jul 21, 2022 2:39 pm

Hi,

You could also try to put a .htpasswd on the /admin folder. You can do that from cPanel. This way, anyone who wants to log in to your admin has to first enter the username and password for the admin folder. Even though they may have an admin password, it would be useless unless they also have the first login credentials for the /admin folder.

Hope this helps!
Best regards,


Post by john123marshal » Mon Jan 30, 2023 10:28 pm

Dear Support, I wanted to take a moment to express my appreciation for your hard work and dedication. Your support has been invaluable and has made a significant impact on my work. Thank you for always going above and beyond. Best regards, John :)
