OC2PS Posted September 13, 2011

My website was defaced a few days ago. At first it seemed like only index.html had been replaced, but on closer review I found some additional files. On sending these files to several antivirus labs, finally today they were confirmed as malware. One of the files makes a reference to Opencart, so I suspect that the hack exploited a vulnerability in Opencart (also because other avenues like FTP etc seem not to have been used). I have posted all these files on Opencart forums http://forum.opencart.com/viewtopic.php?f=10&t=40443 I think Prestashop team should have a look at these files and ensure that PS doesn't have similar issues.
Mike Kranzler Posted September 13, 2011

Hi OC2PS, I will pass this along to our development team to see what we can learn and potentially apply to further secure our own system. -Mike
opencart Posted September 14, 2011

actually you got the information completely wrong. the hack you posted a link to was a hack from a few years ago that was removed but someone else reposted it rather than searching the forum. another person posted a false blind sql injection hack recently after testing the development version from the svn rather than using a version that can be downloaded from the opencart site. There was one real hack recently using the cache that took the site down by replacing the index.php with a blank one. the hack could not give hackers access to the site or any customer information though.
OC2PS (Author) Posted September 14, 2011

The hack I posted was a hack from my website from 7 September 2011. Opencart have, without giving any reason, removed my thread. So I wanted to attach the files here, but the system says filesize too big (tar archive size 450kb). Mike, can I send it to you?

Also, I sent the files for analysis and Avira had the following response dated 12 Sept 2011: (I missed a couple of files when sending to Avira; have now sent after receiving their response)

We received the following archive files:

    File ID    Filename      Size       Result
    26291402   malware.tgz   425.53 KB  OK

A listing of files contained inside archives alongside their results, together with the detailed report concerning each individual sample, can be found below. For every file marked MALWARE, Avira wrote "The file '<name>' has been determined to be 'MALWARE'. Our analysts named the threat <threat name>."; for the files marked CLEAN, "Our analysts did not discover any malicious content." The VDF column gives the virus definition file (VDF) version from which detection is added, or "next updates" where "Detection will be added to our virus definition file (VDF) with one of the next updates."

    File ID    Filename      Size        Result    Threat name         VDF
    26291401   index.html    903 Byte    CLEAN     -                   -
    26291403   byroe.jpg     27.9 KB     MALWARE   PHP/Pbot.Y.1        7.11.11.37
    26291404   BSK-SPM.txt   2.46 KB     MALWARE   Perl/IRCBot.AQ      next updates
    26291405   coo.php       38.38 KB    MALWARE   PHP/PHPShell.M      next updates
    26291406   bs.txt        141.46 KB   MALWARE   PHP/Agent.EG.1      7.11.08.56
    26291407   oto2.txt      2.37 KB     MALWARE   PHP/BackDoor.AR     7.01.01.173
    26291408   otot1.txt     209 Byte    CLEAN     -                   -
    26291409   osq.txt       119.77 KB   MALWARE   PERL/IrcBot.AC      7.11.04.118
    26291410   ipays.jpg     32.93 KB    MALWARE   PHP/C99Shell.F      6.37.00.232
    26291411   asu.jpg       75.98 KB    MALWARE   PERL/IrcBot.AX      7.10.08.156
    26291412   allnet.jpg    55.92 KB    MALWARE   PHP/IRCBOT.K        7.10.05.135
    26291413   item1.txt     120.51 KB   MALWARE   PERL/IrcBot.AC      7.11.04.118
    26291414   zz1.txt       125.37 KB   MALWARE   PHP/Agent.EG.1      7.11.08.56
    26291415   up.jpg        12.22 KB    MALWARE   Perl/ShellBot.AN    next updates
    26291416   topi.jpg      17.45 KB    MALWARE   PHP/Pbot.AC         7.11.13.227
    26291417   sarung.jpg    189.21 KB   MALWARE   PHP/C99Shell.F      6.37.00.232
    26291418   j2.txt        34.02 KB    MALWARE   PHP/IRCBOT.EW       7.11.00.153
    26291419   j1.txt        33.94 KB    MALWARE   PHP/IRCBOT.EW       7.11.00.153
    26291420   down.jpg      32.03 KB    MALWARE   PERL/Shellbot.a.6   7.00.00.07
    26291421   daster.jpg    17.26 KB    MALWARE   PHP/Pbot.AC         7.11.13.227
    26291422   cocok.txt     5.81 KB     MALWARE   PHP/Mailsend.A      7.10.11.223
    26291423   bess.jpg      4.16 KB     MALWARE   PHP/SQLDump.A       next updates
    26291424   au.php        243.33 KB   MALWARE   PHP/HackTool.G      next updates

The term "PHP/" denotes a PHP script virus. The term "PERL/" denotes a script virus written in the PERL script language.

For sarung.jpg, Avira added: "Please note that Avira's proactive heuristic detection module AHeAD detected this threat up front without the latest VDF update as: HEUR/HTML.Malware."
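The report above is a textbook sign of a dropped web shell kit: PHP and Perl scripts parked under .jpg and .txt names so that a directory listing looks harmless. The scanner below is an added example, not code from the forum, from Avira or from either shop project; it reuses only the filenames from the listing, every file body is constructed, and the script-marker and image-magic checks are the author's own choice of heuristics. It walks a web root and flags three mismatches: an image extension without an image header, a script opening tag or shebang inside a non-script file, and eval/decoder constructs inside a PHP file.

```python
import os
import re
import tempfile

# Script markers that have no business inside a file served as an image or plain text.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"#!/usr/bin/perl", b"#!/usr/bin/env perl")
# Magic bytes a genuine image of the given extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = (".php", ".phtml", ".pl", ".cgi")
# Constructs that legitimate shop code rarely combines; a common loader idiom in shells.
OBFUSCATION_RE = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def classify_file(path, read_limit=1 << 20):
    """Return the reasons a file looks suspicious; an empty list means nothing was found."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(read_limit)
    reasons = []
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("extension %s but no image header" % ext)
    if ext not in SCRIPT_EXTS and any(marker in data for marker in SCRIPT_MARKERS):
        reasons.append("script marker inside non-script file")
    if ext in SCRIPT_EXTS and OBFUSCATION_RE.search(data):
        reasons.append("obfuscated code constructs")
    return reasons


def scan_webroot(root):
    """Walk a web root and return {relative path: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_webroot():
    """Create a throwaway directory with constructed files that mimic the report's pattern.

    Only the filenames are taken from the Avira listing; every file body here is made up.
    """
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                # genuine image header
        "index.php": b"<?php echo 'shop front'; ?>",                     # ordinary application code
        "notes.txt": b"plain text, nothing to see",                      # ordinary text file
        "byroe.jpg": b"<?php /* constructed stand-in */ echo 1; ?>",    # PHP hiding behind .jpg
        "oto2.txt": b"#!/usr/bin/perl\n# constructed stand-in\n",        # Perl hiding behind .txt
        "au.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",  # decodes to 'constructed'
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_webroot(build_sample_webroot()).items()):
        print("%-12s %s" % (rel, "; ".join(why)))
```

Run it against a real document root with `scan_webroot("/var/www/html")` and compare the hits with a known-good copy of the shop; the image-header check is the cheapest and most reliable of the three, while the obfuscation check will also flag some legitimate minified or encoded modules and is only a prompt to look closer.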
OC2PS (Author) Posted September 14, 2011

Based on Avira's responses above

    Detection will be added to our virus definition file (VDF) with one of the next updates.
    Detection is added to our virus definition file (VDF) starting with version 7.10.11.223.

it is clear that this is a new issue not some old, solved problem as opencart seems to indicate above.
OC2PS (Author) Posted September 14, 2011

Also, in the pack of the malware files, the file pi.txt refers explicitly to Opencart, which leads me to believe that the hack exploited an Opencart vulnerability. This is how pi.txt starts

    # OpenCart Scanner
    # Coded by ^s0n_g0ku^
    # mabuak[at]live.com
    # Thanks to
    # vrs-hack, all member kepri-cyber.org
opencart Posted September 14, 2011

it's not a new hack and the fact that you are using Avira to detect infected files that have been uploaded to your site and which do not come with any opencart distribution shows that you don't know what you are talking about. i deleted your post because it was reported and fixed over 3 years ago.
OC2PS (Author) Posted September 14, 2011

I'm not using Avira to detect infected files. If you read my post, I submitted the malware files to several antivirus labs and I quoted Avira's response above. You deleted the post (at the Opencart forum) instead of responding to it...makes me skeptical of your response here that the hack was detected and fixed. Avira certainly seem to think that these are new malicious scripts.
Raphaël Malié Posted September 14, 2011

Hello OC2PS, I think that if you have any potential issue or problem with opencart or any other script you should post on their forum; if they have deleted your thread they probably had a good reason to do it. Maybe try to contact their team by PM, it's better to discuss security by PM.
OC2PS (Author) Posted September 14, 2011

I don't want to discuss Opencart's security. I just want to share the malicious files with Prestashop's developers so that they can examine them and ensure that Prestashop does not suffer from the same vulnerabilities.
Raphaël Malié Posted September 14, 2011

The problem is not the infected files, but how your files were infected. You should check your Apache logs first, and try to retrieve how the hacker gained access to your server. There is a great chance that your hack comes from another script on your server.
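The advice above is the right order of work: the dropped files tell you what landed, the access log tells you how. The script below is an added example, not code from the forum or from either project; the log lines are constructed (documentation-range addresses, made-up paths and timestamps), and only the filenames come from the Avira listing. It parses Apache combined-format lines, finds the first request for each dropped file, groups those hits by client address, and then lists everything that address did before the earliest hit, which is where the entry vector usually sits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [07/Sep/2011:03:14:07 +0000] "GET /x HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Names of files that turned up in the defacement (a subset of the Avira listing).
DROPPED = {"coo.php", "au.php", "byroe.jpg", "bs.txt"}

# Constructed sample log (not from the poster's server); only the dropped
# filenames are real, every address, path and timestamp is made up.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Sep/2011:02:58:10 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Sep/2011:03:14:07 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "libwww-perl/5.8"
203.0.113.5 - - [07/Sep/2011:03:14:09 +0000] "POST /index.php HTTP/1.1" 200 0 "-" "libwww-perl/5.8"
203.0.113.5 - - [07/Sep/2011:03:14:12 +0000] "GET /images/coo.php HTTP/1.1" 200 1932 "-" "libwww-perl/5.8"
198.51.100.7 - - [07/Sep/2011:03:15:01 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Sep/2011:03:16:40 +0000] "GET /images/byroe.jpg HTTP/1.1" 200 27900 "-" "libwww-perl/5.8"
203.0.113.5 - - [07/Sep/2011:03:17:02 +0000] "GET /images/au.php?x=1 HTTP/1.1" 200 243330 "-" "libwww-perl/5.8"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Basename of the requested path, query string stripped.
    rec["name"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def first_hits(records, dropped):
    """Return {dropped filename: first record that requested it}, in log order."""
    hits = {}
    for rec in records:
        if rec["name"] in dropped and rec["name"] not in hits:
            hits[rec["name"]] = rec
    return hits


def activity_before(records, ip, cutoff):
    """Every request from `ip` up to and including `cutoff`: the lead-up to the first hit."""
    return [r for r in records if r["ip"] == ip and r["ts"] <= cutoff]


def triage(log_text, dropped=DROPPED):
    """Tie dropped files to the clients that fetched them and surface the lead-up."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = first_hits(records, dropped)
    if not hits:
        return {"hits": {}, "suspect_ips": {}, "lead_up": []}
    earliest = min(hits.values(), key=lambda r: r["ts"])
    suspect = defaultdict(list)
    for name, rec in hits.items():
        suspect[rec["ip"]].append(name)
    return {
        "hits": hits,
        "suspect_ips": dict(suspect),
        "lead_up": activity_before(records, earliest["ip"], earliest["ts"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, rec in result["hits"].items():
        print("%-10s first fetched %s by %s" % (name, rec["ts"].isoformat(), rec["ip"]))
    print("requests from the suspect address before the first hit:")
    for rec in result["lead_up"]:
        print("  %s %s %s %s" % (rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"]))
```

On a real server, feed it `open("/var/log/apache2/access.log").read()` (and the rotated files, since the drop may predate the defacement by days) and widen `DROPPED` to every name in the lab report. A dropped file that never appears in the access log is itself a finding: it was written by something other than a web request, so FTP, SSH and cron logs are the next place to look.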
Mike Kranzler Posted September 14, 2011

Hi everybody, This is a PrestaShop forum, so since this isn't related to PrestaShop's software, I am going to close this topic. -Mike