Post by OSWorX » Wed Oct 07, 2020 5:24 am

Today Sucuri published an article about a new Turkish Backdoor / Malware attack which can also affect OpenCart.
Interesting that, besides big CMSs like Joomla or WordPress, OpenCart and Prestashop are also the "target".

"Goal" of this is, to redirect traffic, steal credit cards and other sensitive information, hijack resources to mine for cryptocurrencies, or even serve unwanted ads. [quoted]

The script tries to find the folder ../system/config/ and then places a new file inside it, which then acts as a "bridge".
BEFORE, it tries to chmod (change Permission) the file index.php in the root to 0644.

Important to say here, that your webshop should have the correct permissions (usually 0644 for files, 0755 for folders - some hosters use other permissions; if they differ, ask them before you change files and folders "like an idiot" to 0666 or 0777 (as seen in this forum!)).

Read the full article here

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
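
The permission advice in the post above (0644 for files, 0755 for folders, never 0666 or 0777) and the new file placed in system/config/ can both be checked with a small audit script. This is an added example, not part of the original post or of OpenCart; the sample tree, `known.php`, `bridge.php` and the allowlist file are constructed, and the baseline modes are parameters because hosters differ.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file names are constructed.

# Files and folders writable by group or others (0666, 0777, 0775, ...).
loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -002 -o -perm -020 \) -print | sort
}

# Entries that differ from the host's baseline modes (default 644 / 755).
off_baseline() {
    root=$1; fmode=${2:-644}; dmode=${3:-755}
    find "$root" \( -type f ! -perm "$fmode" -o -type d ! -perm "$dmode" \) -print | sort
}

# Files in a directory that are not on a known-good list (one name per line).
unexpected_files() {
    ( cd "$1" && find . -type f -print | sed 's|^\./||' | sort ) | grep -vxF -f "$2" || true
}

# Constructed sample shop tree for a dry run; prints its path.
build_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/system/config" "$t/image"
    : > "$t/index.php"; : > "$t/system/config/known.php"
    : > "$t/system/config/bridge.php"          # stands in for a dropped file
    chmod 755 "$t" "$t/system" "$t/system/config"
    chmod 644 "$t/index.php" "$t/system/config/"*.php
    chmod 777 "$t/image"                        # the mistake warned about above
    printf 'known.php\n' > "$t/allow.txt"; chmod 644 "$t/allow.txt"
    echo "$t"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(build_sample)
    echo "loose:";      loose_perms "$t"
    echo "off base:";   off_baseline "$t"
    echo "unexpected:"; unexpected_files "$t/system/config" "$t/allow.txt"
    rm -rf "$t"
fi
```

The allowlist should be generated from a clean copy of the shop's own release, so that any later addition to system/config/ shows up as a difference.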



Post by paulfeakins » Wed Oct 07, 2020 4:27 pm

OSWorX wrote:
Wed Oct 07, 2020 5:24 am
The script tries to find the folder ../system/config/ and then places a new file inside it, which then acts as a "bridge".
BEFORE, it tries to chmod (change Permission) the file index.php in the root to 0644.
Ok, so how does it do this?

What settings would make an OpenCart site vulnerable?

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by OSWorX » Wed Oct 07, 2020 5:45 pm

paulfeakins wrote:
Wed Oct 07, 2020 4:27 pm
What settings would make an OpenCart site vulnerable?
OpenCart itself is secure.
But not anymore, if for example other instances of WordPress with old code and not updated system are hosted on the same Server.
Or other scripts which are insecure - and scriptkiddies will find them!
e.g. there was a thread here not long ago about adminer.

Another security hole is to give away FTP and/or Backend access data to unknown people.
Let them work, get no changelog back.
And after the work is done, access (Backend &/or FTP) is not deleted.

More, nobody will check afterwards what such "developers" have used (tools) or what they have changed inside the scripts.
Have also seen manually added backdoors here.

What I have seen also, clients hand out backend access data to everyone and all.
But no FTP access data .. because their argument is that it is not secure to give that to an unknown person.
Funny fact is, that exactly those stores have the FTP data in the Store configuration stored - readable (and therefore useable afterwards).

Another story are "self maintained" Servers.
And no clue what to do there.

Webstore Owners are no technicians!
They do not have to be.
But they should know who they can trust.

OpenCart itself is secure.
But are the people working with it secure?


Post by straightlight » Wed Oct 07, 2020 8:09 pm

OpenCart itself is secure.
But are the people working with it secure?
This should be used as the Opencart's sub-title.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by EvolveWebHosting » Thu Oct 08, 2020 6:43 am

Leaving outdated / unused files on a server with your main website files is always an easy hacking target. It doesn't matter how or where a hacker gets in. Once they're in, they have access to EVERYTHING. This is why it's never good to host multiple domains on the same cPanel account and it's best to have an active firewall / malware scanning solution in place at all times. Life gets busy and people forget about the old files or a developer leaves old files around and the owner of the site doesn't even know that they are there. Strong and unique passwords are only a part of the battle against hackers.

If you're going to leave outdated files on your server for any reason, at least move them to the folder above public_html or change the file permissions to 000 so they can't be modified.

Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhost.com



Post by IP_CAM » Thu Oct 08, 2020 8:49 am

But not anymore, if for example other instances of WordPress with old code and not updated system are hosted on the same Server.
Well, I never understood, why some obviously add non-related 'Code' to
an Onlineshop Site, regardless of, what Software-Brand it might be. It's
contrary to any Security Concept, especially, when it comes to Code like
Wordpress and/or other popular Tools. :crazy:
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by paulfeakins » Thu Oct 08, 2020 5:25 pm

OSWorX wrote:
Wed Oct 07, 2020 5:45 pm
paulfeakins wrote:
Wed Oct 07, 2020 4:27 pm
What settings would make an OpenCart site vulnerable?
Another security hole is to give away FTP and/or Backend access data to unknown people.
So this is only an issue if someone already has access to the filesystem?

In that case I'm not really sure how this is news?

OSWorX wrote:
Wed Oct 07, 2020 5:45 pm
e.g. there was a thread here not long ago about adminer.
Got a link?


Post by OSWorX » Thu Oct 08, 2020 6:10 pm

Thread about adminer here: viewtopic.php?f=179&t=219149
The News?
1. OpenCart (beside Joomla, Prestashop) is mentioned - and affected!
2. Stealing customer data (Creditcard, Bank, etc.) is not new, but a serious action
3. Cannot be written as much as can be, Webstoreowners, Admins, Staff (everybody who has access to the backend and server) must be aware of such risks

News?
Not really .. "business as usual" ..
Good for us (you, me and serious developers), bad for Storeowners.
So this is only an issue if someone already has access to the filesystem?
Don't know, read the article - but I guess.
Otherwise such scripts cannot be placed on a server.

.. but wait .. there is another option: getting Extensions, Templates, Themes, etc. from unserious sites (because Commercial Extensions there are free ..), can lead to a security hole!
Not only one, but finally: one is enough!


Post by Burt65 » Fri Oct 09, 2020 8:21 am

Soooo, let's recap this "News" for a second..

A guy by the name of Krasimir Konov, that for job is a "Sucuri's Malware Analyst who joined the company in 2014", writes a blog in which he recommends people to use Sucuri Wordpress Plugin that does cost $199.99 per year, sold by the company he works for, and you don't really see the problem???

I'm sure Krasimir is a good guy, but are you familiar with the phrase "Conflict of interest"...

Oh, and just to make it a bit easier for you, the plugin does say:
Sucuri WordPress Plugin Compatibility

Keep in mind that the Sucuri Security plugin requires WordPress version 3.6 or higher, and administrative privileges for installation.
Do you think that would/could be wrong??

Sometimes, people try to sell bridges... :laugh:

Over 95% of all computer problems can be traced back to the interface between the keyboard and the chair...



Post by OSWorX » Fri Oct 09, 2020 11:13 am

Burt65 wrote:
Fri Oct 09, 2020 8:21 am
Soooo, lets recap this "News" for a second..
And another second ..

Nobody in the Article there said anything about Wordpress.
Nobody in the Article said something about any plugin.

Fine when you read more than it's written in the article, but irrelevant here.
I really don't know what your problem is?!

This Company, those Writers are nothing for me, don't need them and never will need them in future.

So what do you want to tell me, us?
Your answer sounds like those people saying "Covid19" is nothing .. only another type of Influenza.


Post by Burt65 » Fri Oct 09, 2020 2:57 pm

OSWorX wrote:
Fri Oct 09, 2020 11:13 am
Burt65 wrote:
Fri Oct 09, 2020 8:21 am
Soooo, lets recap this "News" for a second..
And another second ..

Nobody in the Article there said anything about Wordpress.
Nobody in the Article said something about any plugin.

Fine when you read more than it's written in the article, but irrelevant here.
I really don't know what your problem is?!

This Company, those Writers are nothing for me, don't need them and never will need them in future.

So what do you want to tell me, us?
Your answer sounds like those people saying "Covid19" is nothing .. only another type of Influenza.
Jesus Christ, man...

YOU posted the link to the article in your first post!! Did you read the entire article???

I don't have a problem reading an English article to the end where the link for the purchase of the plugin is provided..
I don't have a problem in seeing that the article is just an articulated way of advertising their plugins..
Maybe, I'm not the one with the problem here.. :laugh:

Here, this is the link you posted in your first post, but this time just read it to the end and then click on the link provided there...

Read the full article here


Post by OSWorX » Fri Oct 09, 2020 4:52 pm

Burt65 wrote:
Fri Oct 09, 2020 2:57 pm
YOU posted the link to the article in your first post!! Did you read the entire article???

I don't have a problem reading an English article to the end where the link for the purchase of the plugin is provided..
I don't have a problem in seeing that the article is just an articulated way of advertising their plugins..
.. but this time just read it to the end and then click on the link provided there...
I have read the full article, but why should I click on a link that leads me to a plugin I do not need?
When you do that, your fault.

And that they want to sell their services, why not - I do not get anything from them.
The more, services like that (as so many others), are calculating with the "stupidity" of too many users.
But this is their (users) own fault.

If Websiteowners would have an "Eye" on their own security, not editing server settings whose purpose they do not know, not installing Extensions from insecure Sites, they would not need services like them.
As said, not everybody can be a serveradmin, technician or developer, better they sell their goods and let the Professionals do that business.
The "Web" would be more secure ..

p.s.: this article and their website is like this here: OpenCart Blog (basically no difference).
Everybody wants to sell everything .. that's why most of the people are here ..


Post by Burt65 » Sat Oct 10, 2020 8:48 am

That's a bit different from before...
OSWorX wrote:
Fri Oct 09, 2020 11:13 am
And another second ..
Nobody in the Article there said anything about Wordpress.
Nobody in the Article said something about any plugin.
Fine when you read more than it's written in the article, but irrelevant here.
I really don't know what your problem is?!
OSWorX wrote:
Fri Oct 09, 2020 4:52 pm
I have read the full article, but why should I click on a link that leads me to a plugin I do not need?
When you do that, your fault.
You should have clicked on the link so to have an actual understanding of what the author was aiming at, and more importantly, his targeted audience.. People that use WP not people that simply use Opencart. That's why both myself and Paul didn't see this as "News". It definitely doesn't need to be in the announcements, unless you are getting a share of the profit for advertising the plugin on Sucuri behalf!
OSWorX wrote:
Fri Oct 09, 2020 4:52 pm
And that they want to sell their services, why not - I do not get anything from them.
Again, is not a service, is an unnecessary plugin that will set you back $199.99 per year!

OSWorX wrote:
Fri Oct 09, 2020 4:52 pm
p.s.: this article and their website is like this here: OpenCart Blog (basically no difference).
Everybody wants to sell everything .. that's why most of the people are here ..
Oh I see, so now you are explaining to me, what a blog is, after I just pointed it out to you that it wasn't a "news" but just an advertisement blog...

You are a funny, man.. full of contradictions, but funny :laugh:
