Post by Rainforest » Wed Sep 15, 2021 11:41 pm

We were just doing a routine check on our site after an upgrade from 2.3.x to 3.0.3.8.
One of our extensions was flagged. Two of the files in the extension were brought to our attention as possible dirty files.

One is an image but it doesn't open in an image editor. I did open it up in Notepad and it shows PHP code?

Does this look suspicious? I don't want to raise the alarm just yet or contact the author. It's an extension in the marketplace.

Code:

<?php $eJOB = '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';$OV = '$Kyp = base64_decode($eJOB); eval($Kyp);';eval($OV);?>


The other file is the settings.php file, with similar code. The warning we got was:

WARN: Found suspicious file: admin/model/extension/module/xxxxxxxxxx-settings.php (NOT CLEANED) - Manual inspection required (rex.eval_var.002): Content: '';eval($bh);?>'.

Self Taught Opencart User & Developer Since 2010.



Post by straightlight » Wed Sep 15, 2021 11:50 pm

Hacked or using an encrypted extension.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by Gergely » Thu Sep 16, 2021 12:03 am

Hi Rainforest,

Good catch!
If you keep decoding it, eventually you get to:

Code:

echo '<script type="text/javascript">'; echo '$(document).ready(function() {'; echo 'setTimeout(function(){$("#missing").modal("show");},0);'; echo '$(document).on("contextmenu",function(e){'; echo 'if(e.target.nodeName != "INPUT" && e.target.nodeName != "TEXTAREA")'; echo 'e.preventDefault();'; echo '});'; echo '});'; echo '</script>'; echo '<div class="modal fade" data-backdrop="static" data-keyboard="false" id="missing" style="z-index:9999;">'; echo '<div class="modal-dialog modal-lg modal-info">'; echo '<div class="modal-content" id="modal-content">'; echo '<div class="modal-header" style="background-color:#eb4141;">'; echo '<h4 class="modal-title" style="color:#FFF;">Warning</h4>'; echo '</div>'; echo '<div class="modal-body">'; echo '<fieldset>'; echo '<div align="center" style="font-size:medium;">License data are missing! Please install the extension again.<br />If problem still persist, please contact us for assistance.</div>'; echo '</fieldset>'; echo '</div>'; echo '</div>'; echo '</div>'; echo '</div>';
Which injects some js to display a warning in broken English:
License data are missing! Please install the extension again.
If problem still persist, please contact us for assistance.
I have no idea what the end game is from there, but this is definitely beyond shady...
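Two things in this thread are worth turning into a repeatable check: the scanner warning (rex.eval_var.002) on an eval() call fed from a base64 string in a file that should not contain PHP at all, and the point that the payload only becomes readable after decoding it layer by layer. The Python below is an added example written for this thread; it is not code from the forum, from the extension, or from OpenCart's own scanner. It builds its own sample files shaped like the loader quoted in the first post (the file paths, the INNER string and every function name are made up for the example), flags image files that start with a PHP tag and files that pair eval() with base64_decode(), and then peels the base64 layers statically, without ever executing the PHP.

```python
import base64
import binascii
import re
from pathlib import PurePosixPath

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".webp"}
EVAL_RE = re.compile(r"\beval\s*\(")
B64_DECODE_RE = re.compile(r"\bbase64_decode\s*\(")
# A single-quoted literal made only of base64 characters: the shape the loader
# in the thread uses to store its payload ($eJOB = '...').
B64_LITERAL_RE = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")


def scan_file(path, content):
    """Return the findings for one file (an empty list means nothing suspicious)."""
    findings = []
    if PurePosixPath(path).suffix.lower() in IMAGE_EXTS and content.lstrip().startswith("<?php"):
        findings.append("php-in-image")      # an "image" that is really PHP source
    if EVAL_RE.search(content):
        findings.append("eval")              # dynamic code execution
    if B64_DECODE_RE.search(content):
        findings.append("base64_decode")     # payload hidden from grep-style review
    return findings


def scan_tree(files):
    """files: {path: content}. Returns only the entries that have findings."""
    report = {}
    for path, content in files.items():
        findings = scan_file(path, content)
        if findings:
            report[path] = findings
    return report


def _decode_printable(literal):
    """Decode a base64 literal; return text only if it is printable ASCII (i.e. looks like code)."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel_layers(source, max_depth=10):
    """Statically unwrap nested base64 payloads without executing any PHP.
    Returns the decoded layers, outermost first; stops when no literal decodes
    to readable text or after max_depth layers (guards against decode loops)."""
    layers = []
    current = source
    for _ in range(max_depth):
        decoded = next(
            (d for d in map(_decode_printable, B64_LITERAL_RE.findall(current)) if d is not None),
            None,
        )
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


# --- constructed sample input (not the real extension's files) ----------------
INNER = "echo '<div id=\"missing\">License data are missing!</div>';"


def build_sample_loader(inner_php):
    """Wrap inner_php in two eval/base64 layers shaped like the loader quoted in the thread."""
    layer1 = base64.b64encode(inner_php.encode()).decode()
    middle = "$Kyp = base64_decode('" + layer1 + "'); eval($Kyp);"
    outer = base64.b64encode(middle.encode()).decode()
    return ("<?php $eJOB = '" + outer + "';"
            "$OV = '$Kyp = base64_decode($eJOB); eval($Kyp);';eval($OV);?>")


SAMPLE_FILES = {
    # hypothetical paths; the -settings.php one follows the path in the scanner warning
    "admin/view/image/xxxxxxxxxx-logo.png": build_sample_loader(INNER),
    "admin/model/extension/module/xxxxxxxxxx-settings.php": build_sample_loader(INNER),
    "admin/controller/extension/module/clean.php":
        "<?php\nclass ControllerExtensionModuleClean extends Controller {}\n",
}

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        print(f"WARN {path}: {', '.join(findings)}")
        for depth, layer in enumerate(peel_layers(SAMPLE_FILES[path]), 1):
            print(f"  layer {depth}: {layer[:70]}")
```

The decoder deliberately never calls out to PHP: it only decodes string literals and keeps going while the result still reads as text, which is enough to expose loaders of this shape while staying safe to run on an untrusted extension package. A real scan would walk the extension directory and read each file into the same {path: content} mapping.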


Post by Rainforest » Thu Sep 16, 2021 12:10 am

Gergely wrote:
Thu Sep 16, 2021 12:03 am
Hi Rainforest,

Good catch!
If you keep decoding it, eventually you get to:

Code:

echo '<script type="text/javascript">'; echo '$(document).ready(function() {'; echo 'setTimeout(function(){$("#missing").modal("show");},0);'; echo '$(document).on("contextmenu",function(e){'; echo 'if(e.target.nodeName != "INPUT" && e.target.nodeName != "TEXTAREA")'; echo 'e.preventDefault();'; echo '});'; echo '});'; echo '</script>'; echo '<div class="modal fade" data-backdrop="static" data-keyboard="false" id="missing" style="z-index:9999;">'; echo '<div class="modal-dialog modal-lg modal-info">'; echo '<div class="modal-content" id="modal-content">'; echo '<div class="modal-header" style="background-color:#eb4141;">'; echo '<h4 class="modal-title" style="color:#FFF;">Warning</h4>'; echo '</div>'; echo '<div class="modal-body">'; echo '<fieldset>'; echo '<div align="center" style="font-size:medium;">License data are missing! Please install the extension again.<br />If problem still persist, please contact us for assistance.</div>'; echo '</fieldset>'; echo '</div>'; echo '</div>'; echo '</div>'; echo '</div>';
Which injects some js to display a warning in broken English:
License data are missing! Please install the extension again.
If problem still persist, please contact us for assistance.
I have no idea what the end game is from there, but this is definitely beyond shady...
Ohhh, weird. I wonder what the other code says. Can you decode that? I pasted it in a google doc.
https://docs.google.com/document/d/1fTs ... sp=sharing

The module in question is quite popular: ADV Sales Reports
https://www.opencart.com/index.php?rout ... on_id=3803

Not sure if this is bad intentioned? Should I bring it up to Opencart?
Yikes, I hope this isn't dangerous.




Post by straightlight » Thu Sep 16, 2021 12:27 am

Rainforest wrote:
Thu Sep 16, 2021 12:10 am
Gergely wrote:
Thu Sep 16, 2021 12:03 am
Hi Rainforest,

Good catch!
If you keep decoding it, eventually you get to:

Code:

echo '<script type="text/javascript">'; echo '$(document).ready(function() {'; echo 'setTimeout(function(){$("#missing").modal("show");},0);'; echo '$(document).on("contextmenu",function(e){'; echo 'if(e.target.nodeName != "INPUT" && e.target.nodeName != "TEXTAREA")'; echo 'e.preventDefault();'; echo '});'; echo '});'; echo '</script>'; echo '<div class="modal fade" data-backdrop="static" data-keyboard="false" id="missing" style="z-index:9999;">'; echo '<div class="modal-dialog modal-lg modal-info">'; echo '<div class="modal-content" id="modal-content">'; echo '<div class="modal-header" style="background-color:#eb4141;">'; echo '<h4 class="modal-title" style="color:#FFF;">Warning</h4>'; echo '</div>'; echo '<div class="modal-body">'; echo '<fieldset>'; echo '<div align="center" style="font-size:medium;">License data are missing! Please install the extension again.<br />If problem still persist, please contact us for assistance.</div>'; echo '</fieldset>'; echo '</div>'; echo '</div>'; echo '</div>'; echo '</div>';
Which injects some js to display a warning in broken English:
License data are missing! Please install the extension again.
If problem still persist, please contact us for assistance.
I have no idea what the end game is from there, but this is definitely beyond shady...
Ohhh, weird. I wonder what the other code says. Can you decode that? I pasted it in a google doc.
https://docs.google.com/document/d/1fTs ... sp=sharing

The module in question is quite popular: ADV Sales Reports
https://www.opencart.com/index.php?rout ... on_id=3803

Not sure if this is bad intentioned? Should I bring it up to Opencart?
Yikes, I hope this isn't dangerous.
If the extension was purchased from the Marketplace, you could always use the Contact Us link at the bottom of the site and put in your ticket that you purchased an encoded / encrypted extension. That method is not allowed on opencart.com as per the sales agreement.




Post by Rainforest » Thu Sep 16, 2021 12:52 am

straightlight wrote:
Thu Sep 16, 2021 12:27 am
Rainforest wrote:
Thu Sep 16, 2021 12:10 am
Gergely wrote:
Thu Sep 16, 2021 12:03 am
Hi Rainforest,

Good catch!
If you keep decoding it, eventually you get to:

Code:

echo '<script type="text/javascript">'; echo '$(document).ready(function() {'; echo 'setTimeout(function(){$("#missing").modal("show");},0);'; echo '$(document).on("contextmenu",function(e){'; echo 'if(e.target.nodeName != "INPUT" && e.target.nodeName != "TEXTAREA")'; echo 'e.preventDefault();'; echo '});'; echo '});'; echo '</script>'; echo '<div class="modal fade" data-backdrop="static" data-keyboard="false" id="missing" style="z-index:9999;">'; echo '<div class="modal-dialog modal-lg modal-info">'; echo '<div class="modal-content" id="modal-content">'; echo '<div class="modal-header" style="background-color:#eb4141;">'; echo '<h4 class="modal-title" style="color:#FFF;">Warning</h4>'; echo '</div>'; echo '<div class="modal-body">'; echo '<fieldset>'; echo '<div align="center" style="font-size:medium;">License data are missing! Please install the extension again.<br />If problem still persist, please contact us for assistance.</div>'; echo '</fieldset>'; echo '</div>'; echo '</div>'; echo '</div>'; echo '</div>';
Which injects some js to display a warning in broken English:

I have no idea what the end game is from there, but this is definitely beyond shady...
Ohhh, weird. I wonder what the other code says. Can you decode that? I pasted it in a google doc.
https://docs.google.com/document/d/1fTs ... sp=sharing

The module in question is quite popular: ADV Sales Reports
https://www.opencart.com/index.php?rout ... on_id=3803

Not sure if this is bad intentioned? Should I bring it up to Opencart?
Yikes, I hope this isn't dangerous.
If the extension was purchased from the Marketplace, you could always use the Contact Us link at the bottom of the site and put in your ticket that you purchased an encoded / encrypted extension. That method is not allowed on opencart.com as per the sales agreement.
I will do that. I did purchase it in the marketplace.
I guess another example of how Opencart doesn't regulate its marketplace?
So, is the verdict it's dangerous?




Post by straightlight » Thu Sep 16, 2021 1:07 am

Rainforest wrote:
Thu Sep 16, 2021 12:52 am
straightlight wrote:
Thu Sep 16, 2021 12:27 am
Rainforest wrote:
Thu Sep 16, 2021 12:10 am


Ohhh, weird. I wonder what the other code says. Can you decode that? I pasted it in a google doc.
https://docs.google.com/document/d/1fTs ... sp=sharing

The module in question is quite popular: ADV Sales Reports
https://www.opencart.com/index.php?rout ... on_id=3803

Not sure if this is bad intentioned? Should I bring it up to Opencart?
Yikes, I hope this isn't dangerous.
If the extension was purchased from the Marketplace, you could always use the Contact Us link at the bottom of the site and put in your ticket that you purchased an encoded / encrypted extension. That method is not allowed on opencart.com as per the sales agreement.
I will do that. I did purchase it in the marketplace.
I guess another example of how Opencart doesn't regulate its marketplace?
So, is the verdict it's dangerous?
It's not another. It's simply one of the few that don't follow regulations in order to maintain their sales, since each extension has its own case.




Post by Gergely » Thu Sep 16, 2021 1:54 am

Rainforest wrote:
Thu Sep 16, 2021 12:10 am
Ohhh, weird. I wonder what the other code says. Can you decode that? I pasted it in a google doc.
https://docs.google.com/document/d/1fTs ... sp=sharing

The module in question is quite popular: ADV Sales Reports
https://www.opencart.com/index.php?rout ... on_id=3803

Not sure if this is bad intentioned? Should I bring it up to Opencart?
Yikes, I hope this isn't dangerous.
You should definitely notify opencart, I will PM you with the contents of the decoded php, you should attach that to the ticket. It is indeed malware: it runs unsolicited code in your environment. The code is truly atrocious, introduces security issues, and doesn't give two hoots about opencart coding practices and 'standards'. The practices this 'extension' (more like arbitrary code) uses are unjustifiable.

Thank you for running these checks and letting us know! And nearly 2000 downloads... Scary!
Last edited by Gergely on Thu Sep 16, 2021 5:37 pm, edited 1 time in total.


Post by JNeuhoff » Thu Sep 16, 2021 5:13 pm

Contact OpenCart and ask them to remove this extension. You can also post a warning in the extension's comments section.

Unfortunately there are a lot of dodgy extensions out there.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by Rainforest » Thu Sep 16, 2021 8:51 pm

JNeuhoff wrote:
Thu Sep 16, 2021 5:13 pm
Contact OpenCart and ask them to remove this extension. You can also post a warning in the extension's comments section.

Unfortunately there are a lot of dodgy extensions out there.
Will do! Do I get a prize? Does my opencart street cred increase? :laugh: :laugh: :laugh:

The developer said he did that to protect his work. I mean, I guess that makes sense? I didn't know it was against the rules.

*** I did mention this in the comments of ADV reports but the developer erased my comment ***
How is that OK? I think Daniel really needs to change that feature in the marketplace. It's basically allowing developers to curate the comments so that only the ones that make their extension look good remain.




Post by Rainforest » Fri Sep 17, 2021 3:06 am

So, not sure if this is a coincidence but the developer ended up sending a new install package.
Since then, we've noticed what I think are SQL injections or queries in our logs. We removed the extension. I'm wondering if anyone can tell from the install zip ocmod package he sent if this was malicious?
Happy to send a link to the zip




Post by straightlight » Fri Sep 17, 2021 3:37 am

Encoding / encrypting the work is not good practice, which is why the Marketplace on Opencart.com does not allow those packages. In addition, you did not receive a new install as a coincidence. You received a new install, if you have no more encoding / encryption in it, for political reasons.




Post by Rainforest » Fri Sep 17, 2021 2:29 pm

straightlight wrote:
Fri Sep 17, 2021 3:37 am
you did not receive a new install as a coincidence. You received a new install, if you have no more encoding / encryption in it, for political reasons.
whhaat? ???
Sometimes I wonder about you... :laugh:




Post by straightlight » Fri Sep 17, 2021 6:41 pm

Rainforest wrote:
Fri Sep 17, 2021 2:29 pm
straightlight wrote:
Fri Sep 17, 2021 3:37 am
you did not receive a new install as a coincidence. You received a new install, if you have no more encoding / encryption in it, for political reasons.
whhaat? ???
Sometimes I wonder about you... :laugh:
The wonders are up to your total discretion. What really happens here is how you may have missed the whole point on the topic.




Post by JNeuhoff » Fri Sep 17, 2021 6:53 pm

You received a new install, if you have no more encoding / encryption in it, for political reasons.
Honestly, I don't understand, what do you mean here?





Post by straightlight » Fri Sep 17, 2021 7:07 pm

JNeuhoff wrote:
Fri Sep 17, 2021 6:53 pm
You received a new install, if you have no more encoding / encryption in it, for political reasons.
Honestly, I don't understand, what do you mean here?
Then, that'd simply make it one more that didn't follow.




Post by Gergely » Fri Sep 17, 2021 7:30 pm

Hi Rainforest, thanks for the update!
Rainforest wrote:
Fri Sep 17, 2021 3:06 am
So, not sure if this is a coincidence but the developer ended up sending a new install package.
Since then, we've noticed what I think are SQL injections or queries in our logs. We removed the extension. I'm wondering if anyone can tell from the install zip ocmod package he sent if this was malicious?
Happy to send a link to the zip
I doubt it would be sql injection at this point, since their extension is already on your system, they don't need to "hack themselves in". Based on the encoded snippets, I think they genuinely only try to limit the use of their extension to just one install per sale. This intent doesn't change the fact that they are using malware to do so...
straightlight wrote:
Fri Sep 17, 2021 3:37 am
Encoding / encrypting the work is not good practice, which is why the Marketplace on Opencart.com does not allow those packages. In addition, you did not receive a new install as a coincidence. You received a new install, if you have no more encoding / encryption in it, for political reasons.
Rainforest wrote:
Fri Sep 17, 2021 2:29 pm
whhaat? ???
Sometimes I wonder about you... :laugh:
What straightlight is referring to here is that they might have sent you a clean install as an attempt to shut you up. Which is the most likely scenario.
However, encoding / encrypting work is beyond "not good practice". Obfuscating code like that is probably illegal under GNU GPLv3, which is the license opencart uses. Operating such practices potentially makes the extension (legally) incompatible with opencart...
(Disclosure: This is my personal opinion, and I'm not an expert on open source licensing, hence the vague, non-definitive wording. Some might disagree.)


Post by straightlight » Fri Sep 17, 2021 7:35 pm

Gergely wrote:
Fri Sep 17, 2021 7:30 pm
Hi Rainforest, thanks for the update!
Rainforest wrote:
Fri Sep 17, 2021 3:06 am
So, not sure if this is a coincidence but the developer ended up sending a new install package.
Since then, we've noticed what I think are SQL injections or queries in our logs. We removed the extension. I'm wondering if anyone can tell from the install zip ocmod package he sent if this was malicious?
Happy to send a link to the zip
I doubt it would be sql injection at this point, since their extension is already on your system, they don't need to "hack themselves in". Based on the encoded snippets, I think they genuinely only try to limit the use of their extension to just one install per sale. This intent doesn't change the fact that they are using malware to do so...
straightlight wrote:
Fri Sep 17, 2021 3:37 am
Encoding / encrypting the work is not good practice, which is why the Marketplace on Opencart.com does not allow those packages. In addition, you did not receive a new install as a coincidence. You received a new install, if you have no more encoding / encryption in it, for political reasons.
Rainforest wrote:
Fri Sep 17, 2021 2:29 pm
whhaat? ???
Sometimes I wonder about you... :laugh:
What straightlight is referring to here is that they might have sent you a clean install as an attempt to shut you up. Which is the most likely scenario.
However, encoding / encrypting work is beyond "not good practice". Obfuscating code like that is probably illegal under GNU GPLv3, which is the license opencart uses. Operating such practices potentially makes the extension (legally) incompatible with opencart...
(Disclosure: This is my personal opinion, and I'm not an expert on open source licensing, hence the vague, non-definitive wording. Some might disagree.)
Well, at least there's somebody who did follow the discussion so far. Cheers!

As for the illegal use of encoding / encrypting code under GNU GPLv3, however, it is not illegal if the distributed software involves the use of a license as per the license agreement of the software company; but regarding the incompatibility, that would also be correct to state, and it can even cause other issues in a store.




Post by agatha65 » Sat Sep 18, 2021 12:42 am

Rainforest wrote:
Wed Sep 15, 2021 11:41 pm
One of our extensions was flagged. Two of the files in the extension were brought to our attention as possible dirty files.
One is an image but it doesn't open in an image editor. I did open it up in Notepad and it shows PHP code?
Both files are ok and you can use the extension. Very useful extension, btw.
A lot of developers try to keep their code, and there is no reliable protection for that, so they break the platform license to keep their work.
I don't blame them.
Almost every good extension or theme is pirated, nulled, bloated with shells and backdoors and distributed by illegal sites.

Suppliers Module - XML, CSV, XLS Product Feed Import and Update
Rich Snippets | Facebook Open Graph Meta Tags | WebP Images



Post by straightlight » Sat Sep 18, 2021 12:45 am

agatha65 wrote:
Sat Sep 18, 2021 12:42 am
Rainforest wrote:
Wed Sep 15, 2021 11:41 pm
One of our extensions was flagged. Two of the files in the extension were brought to our attention as possible dirty files.
One is an image but it doesn't open in an image editor. I did open it up in Notepad and it shows PHP code?
Both files are ok and you can use the extension. Very useful extension, btw.
A lot of developers try to keep their code, and there is no reliable protection for that, so they break the platform license to keep their work.
I don't blame them.
Almost every good extension or theme is pirated, nulled, bloated with shells and backdoors and distributed by illegal sites.
Then, another reason why encoding or encryption software should not be used. Granted, there are exceptional cases of programmers who want to cover their jQuery code with Google APIs in their HTML footers, but at least that uses industry code that won't impact the websites' stats altogether, as opposed to third-party tools encoding / encrypting their code just to cover their work by impacting something else in the stores.


