Post by yogesch » Tue May 12, 2020 3:42 pm

Hi guys, so I created a new store just to get a feel for OC. I did not take any steps towards security (other than deleting the install folder), because it was only to test things out.

Unsurprisingly, I seem to have already caught a bug. When I click anywhere on the homepage, a strange link opens in a new tab. This seems to be a familiar mal/ad-ware. Checking the page in developer tools shows a strange script has been inserted/called somehow. It is not always the same script that gets inserted, but the pattern is identical. Of course, when I do a real installation I will need to make it more secure, but for now, how do I go about finding which code is responsible for inserting this?

Post by ADD Creative » Tue May 12, 2020 6:48 pm

What version of OpenCart? What theme and extensions are you using? Do you have anything else installed on that hosting?

If you haven't already, change all your passwords (OpenCart admin, FTP, etc.).
Check your FTP logs to see if anyone has modified footer.twig.

www.add-creative.co.uk



Post by paulfeakins » Tue May 12, 2020 6:50 pm

yogesch wrote:
Tue May 12, 2020 3:42 pm
how do I go about finding which code is responsible for inserting this?
I would strongly recommend Astra to all online shop owners.

For quick, professional OpenCart support please email info@antropy.co.uk



Post by yogesch » Tue May 12, 2020 7:27 pm

ADD Creative wrote:
Tue May 12, 2020 6:48 pm
What version of OpenCart? What theme and extensions are you using? Do you have anything else installed on that hosting?
I'm using version 3.0.3.2. No extensions. I don't know about the theme, just the default I suppose. I'm not using FTP, just installed it via the OS package manager.
Check your FTP logs to see if anyone has modified footer.twig.
Thanks for that, I'll look at this file right away.

Version 3.0.3.2



Post by opencartmart » Tue May 12, 2020 7:34 pm

I recently came across a store where injected code was found in the database. Most probably it was injected via the WYSIWYG editor. So dump the DB and find the injected code if you know what the injected codes are.

XForm - Opencart Form Builder
Xshippingpro - An advanced Shipping Module
Need Professional support? Skype: opencartmart



Post by yogesch » Tue May 12, 2020 10:36 pm

Guys, I'm sorry for having bothered you but I believe I figured it out. The server is most likely fine. As is my computer.

I am now almost certain that one of the upstream servers, likely the ISP's, is infected. I posted here because I had driven myself nuts over the past few days, having scanned my computer with 4 different antivirus programs, and scoured through my server logs.

As I said in my original post, this setup was just for testing/trying-out, so I hadn't set up SSL. Presumably, something somewhere upstream is able to inject stuff into specific kinds of non-encrypted traffic.

The clues that led me to it were: 1) When I accessed this non-SSL page http://docs.opencart.com/en-gb/administration/security/ , it had the exact same adware. I think it is extremely unlikely that the OC docs (with all the eyes they get, being open source) are infected. 2) A brand new VM I spun up on my computer also shows the same adware. I can't imagine a brand new freshly installed VM being infected. 3) When I open the sites via a VPN, it works just fine, no adware.

I hope I am right about this...
Thanks for the support, sorry for the trouble.


Post by straightlight » Tue May 12, 2020 11:09 pm

so I hadn't set up ssl. Presumably, something somewhere upstream is able to inject stuff into specific kinds of non-encrypted traffic.
Strongly suggest using SSL in this case, since the encryption library in Opencart does rely on that specifically.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Programmer / Opencart Tester

