Post by pipoy » Tue Jan 25, 2022 1:26 am

I've been using Opencart personally for more than 5 years now I think.
And I only experienced this with a friend today.

I have a server and I let my friend host his Opencart to my server. His is 3.0.3.3
I am using CWP and HestiaCP. He was hosted in CWP this morning and I moved his site to HestiaCP

He contacted me this morning saying his website is slow.

I logged on the server (CWP) and saw his user eating 100% of the CPU. 2 core CPU

I logged on to his files and saw some malicious symlinks. Wordpress related and it is symlinking to itself, creating an infinite loop where I cannot even cat the files. So I deleted them all.

Transferred his site and db to HestiaCP. Not too long after, it's eating the CPU 100% once again.

Here's the thing, I am seeing 2 malicious files once again. And they keep generating inside the Admin folder.
prm_json_array.txt
sop_json_array.txt

So what I did is re-uploaded the core files (3.0.3.8 upgrade) into the server.
Disabled all modifications to see if CPU utilization will die down. Nothing.
There are no new extensions installed by the way since November. And extensions are just a few, tried and tested on my own Opencart websites.
The 2 files once again are still being generated.

So I upgraded the VPS to 8 core CPU. Hoping that it's trying to do some processes that need to be finished. So an 8 core CPU might help to finish it.
At 8 core, utilization is at 50%
At this point, I will just wait for the process to finish, hoping it will just fix itself.
Friend does not have any cron jobs BTW

Bandwidth? It's normal. So I guess this isn't a DDOS attack.

But I am creating this thread if anyone is familiar with the 2 malicious files that keep generating.
prm_json_array.txt
sop_json_array.txt

EDIT:
Confirmed that the 2 files above are module related.

I do still have a problem with CPU utilization.


Post by pipoy » Tue Jan 25, 2022 10:14 pm

paulfeakins wrote:
Tue Jan 25, 2022 9:10 pm
Could it be this? viewtopic.php?f=179&t=225771
I think so too.

When I was trying to find what's causing my server load, I noticed that the CPU goes to normal when I remove or rename my admin's config.php
That is where I had a thought that it has something to do with the admin.
When that happened, all traffic from accessing the admin was redirected to website.com/install since config.php was not found.
So the traffic was redirected to the front end, saving traffic logs in the Online Report.
Different IP addresses are accessing the admin panel, which I think loaded the PHP process, hence the CPU utilization.

So what I did is install an Admin security module.

And it is a bit stable right now.
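One way to check the web server access log for the pattern described above (many different IPs hitting the admin folder), as an added example that is not from the thread: it parses combined-format Apache/Nginx lines and reports addresses whose request rate to the admin directory peaks above a threshold inside a 60-second window. It assumes the admin directory is still /admin/ and the OpenCart 3 login route common/login; the sample lines are constructed.

```python
import re
from datetime import datetime
# Apache/Nginx "combined" format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample lines (not from the thread): one address hammers the admin
# login, one probes it slowly, one is an ordinary storefront visitor, one is junk.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2022:08:01:02 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2022:08:01:03 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2022:08:01:04 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2022:08:01:05 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jan/2022:08:01:06 +0000] "GET /admin/ HTTP/1.1" 200 3021 "-" "python-requests/2.26"
198.51.100.9 - - [25/Jan/2022:08:01:07 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "python-requests/2.26"
198.51.100.9 - - [25/Jan/2022:08:03:08 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 412 "-" "python-requests/2.26"
192.0.2.44 - - [25/Jan/2022:08:01:09 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 15834 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def admin_hits_by_ip(lines, admin_prefix="/admin/"):
    """Map each client IP to the timestamps of its requests under the admin folder.
    admin_prefix is an assumption: many OpenCart installs rename that directory."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(admin_prefix):
            ts = datetime.strptime(m.group("time"), TIME_FMT)
            hits.setdefault(m.group("ip"), []).append(ts)
    return hits

def max_hits_in_window(times, window_s=60):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_ips(log_text, threshold, window_s=60):
    """(ip, peak) pairs for IPs whose peak admin request rate reaches threshold, busiest first."""
    hits = admin_hits_by_ip(log_text.splitlines())
    peaks = {ip: max_hits_in_window(ts, window_s) for ip, ts in hits.items()}
    return sorted(((ip, n) for ip, n in peaks.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))
```

Running `flag_ips(open("/var/log/nginx/access.log").read(), threshold=20)` on a real log gives a list you can hand to fail2ban or a firewall rule; the slow prober stays below a rate threshold, which is why the window matters.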
