Today I ran a scan on my server and found 2 MALICIOUS files.
Attached are the files for any OC developers to check, if they want to propose some kind of fix for it to the core.
Point to be noted:
These files were found in 2 different website directories.
public_html/catalog/controller/error/error.php & /public_html/new/admin/controller/extension/extension/gino/k.php
One site is built on 2.3.0.2 and the other one is 3.0.3.8, with the default theme and no add-ons.
As for security, only a CSRF extension was added on both sites. On the server side cPHulk is on and some countries were blacklisted.
Attachments
Don't be deceived by the name
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
How do you people avoid/prevent SQL attack on Opencart?
I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:
https://nintechnet.com/ninjafirewall/pro-edition
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
johnp wrote: ↑Fri Jan 27, 2023 10:08 pm
> I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:
> https://nintechnet.com/ninjafirewall/pro-edition

Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issue with that. Only these 2 sites didn't have any firewall, only the CSRF extension and server-side cPHulk enabled.
Majnoon wrote: ↑Fri Jan 27, 2023 10:10 pm
> johnp wrote: ↑Fri Jan 27, 2023 10:08 pm
> > I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:
> > https://nintechnet.com/ninjafirewall/pro-edition
>
> Thanks for the reply @Johnp. I use Cloudflare on my other websites and it's fine, no issue with that. Only these 2 sites didn't have any firewall, only the CSRF extension and server-side cPHulk enabled.

Sounds like Ninja Firewall will do you fine.
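Add a new file into your admin, name it .htaccess and add this code into it.
Code:
# Apache 2.2-style access control; on Apache 2.4 these directives need mod_access_compat
# Send blocked visitors (403) to this URL
ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
# Deny rules are evaluated first; a matching Allow overrides a Deny
Order Deny,Allow
Deny from all
# Whitelist office IP (203.0.113.10 is a placeholder; use your own address)
Allow from 203.0.113.10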
Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature
If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.
The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.
There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.
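One way to act on the log-checking advice in the post above, as an added example that is not part of the thread: search the web access log for clients that reached either of the two reported files and list what those clients requested beforehand, which narrows down how the upload happened. The combined log format, the assumption that public_html is the web root, the function name and the sample lines are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# URL paths of the two dropped files named in the first post
# (assumes public_html is the web root).
DROPPED = ("/catalog/controller/error/error.php",
           "/new/admin/controller/extension/extension/gino/k.php")

# Apache "combined" log format is assumed; adjust the pattern to your host's format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jan/2023:03:11:02 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [24/Jan/2023:03:14:40 +0000] "POST /index.php?route=extension/module/example HTTP/1.1" 200 312 "-" "curl/7.81"
203.0.113.50 - - [24/Jan/2023:03:14:55 +0000] "GET /catalog/controller/error/error.php HTTP/1.1" 200 44 "-" "curl/7.81"
203.0.113.50 - - [24/Jan/2023:03:15:10 +0000] "POST /catalog/controller/error/error.php?x=1 HTTP/1.1" 200 901 "-" "curl/7.81"
192.0.2.99 - - [25/Jan/2023:13:58:50 +0000] "GET /new/admin/controller/extension/extension/gino/k.php HTTP/1.1" 404 196 "-" "python-requests/2.28"
"""

def triage(log_text, dropped=DROPPED):
    """Return {ip: {"hits": [...], "earlier": [...]}} for clients that reached a dropped file.

    "hits" are requests to a dropped file that did not return 404 (the file existed);
    "earlier" are that client's requests logged before its first hit.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            by_ip[m["ip"]].append(m.groupdict())
    report = {}
    for ip, reqs in by_ip.items():
        # Compare the path without its query string against the known file paths.
        idx = [i for i, r in enumerate(reqs)
               if r["path"].split("?", 1)[0].endswith(dropped) and r["status"] != "404"]
        if idx:
            report[ip] = {"hits": [reqs[i] for i in idx], "earlier": reqs[:idx[0]]}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, "first hit:", info["hits"][0]["ts"], info["hits"][0]["path"])
        for r in info["earlier"]:
            print("   earlier:", r["ts"], r["method"], r["path"], r["status"])
```

The timestamp of the first hit is also the point from which FTP and control-panel logs are worth reading backwards.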
khnaz35 wrote: ↑Fri Jan 27, 2023 10:54 pm
> To prevent access to the admin here is my simple solution
> Add a new file into your admin, name it .htaccess and add this code into it.
> This code basically will block all the IPs from accessing admin and send them to the above-mentioned URL to let them spend time on YouTube rather than looking into your admin XD
> Code:
> ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ
> Order Deny,Allow
> Deny from all
> # Whitelist office IP (203.0.113.10 is a placeholder; use your own address)
> Allow from 203.0.113.10

Or just send them into empty space:
Code:
ErrorDocument 403 %{unescape:%00}
Also, can you tell me what you do to save your DB from SQL injection?
Because whenever someone tries to attack my website, the DB throws this type of error.
So it starts showing the password and username of the DB.
[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')
ADD Creative wrote: ↑Sat Jan 28, 2023 2:32 am
> If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.
> The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.
> There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.

Thanks @ADD Creative, I will check this.
My extensions in marketplace. [ security | flexibility | speedup ]
Majnoon wrote: ↑Sat Jan 28, 2023 9:23 am
> Thanks guys.
> Also, can you tell me what you do to save your DB from SQL injection?
> Because whenever someone tries to attack my website, the DB throws this type of error.
> So it starts showing the password and username of the DB.
> [25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
> Stack trace:
> #0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')

That's a problem connecting to the database. It's not a direct result of an SQL injection. You can't inject SQL if there is no connection to the database. Although it could be the result if an attack is overloading your site.
If you see the username and password of the database in the web browser, then check your error display settings. You need to make sure display errors is set to off in all 3 places: your PHP settings, system/config/default.php and the settings. Not only can this cause minor notices and warnings to cause bigger errors, it can also be a security risk.
1. In your PHP settings make sure display_errors is set to Off. Use phpinfo() to check. It should be off by default, but there are lots of rubbish hosts out there.
2. In system/config/default.php set error_display to false.
3. In your OpenCart Setting on the server tab set Display Errors to No.
For more protection you can enable zend.exception_ignore_args in PHP 7.4 and greater.
https://www.php.net/manual/en/ini.core. ... gnore-args
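To check whether connection arguments have already been written to an existing PHP error log, as in the trace quoted above, the stack frames can be scanned and redacted before the log is shared. This is an added example, not part of the thread; the sample log with its paths and credentials is constructed, and the pattern used to recognise database connector calls is an assumption.

```python
import re

# One stack-trace frame: "#0 /path/file.php(35): Class->method(args)"
FRAME = re.compile(r"^#\d+ (?P<file>.+?)\((?P<line>\d+)\): "
                   r"(?P<call>[\w\\]+(?:(?:->|::)\w+)?)\((?P<args>.*)\)$")
# Calls treated as database connectors (assumed name pattern; extend for your stack).
CONNECT = re.compile(r"(?i)(mysqli|pdo|pgsql|\bdb)\S*(->|::)(__construct|connect|real_connect)$")
# A single-quoted string argument as PHP prints it in a trace.
STRING = re.compile(r"'(?:[^'\\]|\\.)*'")

# Constructed sample in the shape of the trace quoted in the thread; all values are made up.
SAMPLE = r"""[25-Jan-2023 13:58:52 UTC] PHP Fatal error:  Uncaught Exception: Error: Connection refused in /home/example/public_html/system/library/db/mysqli.php:10
Stack trace:
#0 /home/example/public_html/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'example_user', 'CONSTRUCTED-pw', 'example_db', '3306')
#1 /home/example/public_html/system/framework.php(80): DB->__construct('mysqli', 'localhost', 'example_user', 'CONSTRUCTED-pw', 'example_db', '3306')
#2 /home/example/public_html/system/startup.php(104): require_once('/home/example/p...')
#3 {main}"""

def audit(log_text):
    """Return (findings, redacted_text).

    A finding is (line_number, call, string_argument_count) for every frame of a
    database connector call whose arguments were logged as string literals.
    """
    findings, out = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = FRAME.match(line)
        if m and CONNECT.search(m["call"]) and STRING.search(m["args"]):
            findings.append((no, m["call"], len(STRING.findall(m["args"]))))
            # Replace the whole argument list; the call and file position stay readable.
            line = line[:m.start("args")] + "[redacted]" + line[m.end("args"):]
        out.append(line)
    return findings, "\n".join(out)

if __name__ == "__main__":
    found, cleaned = audit(SAMPLE)
    for no, call, count in found:
        print(f"line {no}: {call} logged {count} string arguments")
    print(cleaned)
```

Any finding means the credentials in that frame should be treated as exposed and changed, in line with the password advice earlier in the thread.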
As others have said, there are obviously not malicious files in the OpenCart core, so you have been hacked.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
That was the whole purpose of opening this thread: that the OpenCart team might want to do something more for security. I am sure people here have some awesome ideas which can be suggested to the OC team.
There is nothing the OpenCart team can do. The two files have nothing to do with OpenCart and have been uploaded somehow. There is no known way this can be done in the two versions of OpenCart you are using (otherwise everybody would have them). They have been uploaded by something unique to your web site, such as an extension/theme, another application, weak/stolen passwords, etc.
It's highly likely the security hole was YOU - a weak password or dodgy extension, not OpenCart.
Code:
Request: GET /.env
Action Description: Warning.
Justification: Matched phrase "/.env" at REQUEST_FILENAME.
Code:
Request: GET /.git/config
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
I will set up some honeypot on the server https://www.getpagespeed.com/server-set ... block-bots