OpenCart Admin Panel Compromised - Symptoms, Vulnerabilities & Fixes

OpenCart is a boon for e-commerce startups looking for a free and open-source solution. Its popularity owes much to the fact that OpenCart is highly customizable and offers a wide range of extensions and modules. However, multiple vulnerabilities have been uncovered in OpenCart, some of them in the OpenCart core, and installations around the world have had their admin panel hacked as a result. The causes vary widely, and we discuss them further in this article. As the book Hack Proofing Your E-commerce Site puts it,

In the e-commerce world, those who benefit the most from security’s elusive protections are those who started the process with security firmly in mind. While it is possible to apply security to existing sites, the implementation is often more difficult than starting the process anew. The problem is that the online world was built around a system of protocols and rules, but unfortunately, those rules are not always followed.

OpenCart Admin Panel Hacked: Examples

The admin panel is the most valuable part of an OpenCart store: everything can be managed from the dashboard, so an attacker who gets into it controls the store. When that happens, store owners typically turn to the community forums for help. Several such threads are shown below.

[Screenshots: three OpenCart community forum threads reporting a hacked admin panel]

OpenCart Admin Panel Hacked: Symptoms

  • Logins to the admin panel from unknown IP addresses or locations.
  • Admin accounts appear on the OpenCart dashboard which you did not create.
  • Customers complain that credit cards used on the store were later abused.
  • Orders marked as confirmed and paid that were never actually paid for.
  • Rogue files appear on the server, creating spammy redirects.
  • The store is blacklisted by search engines or flagged by browsers.
  • Malicious code injected into files such as the payment modules (pp_pro, the PayPal Pro extension, is a common target).
  • The index file of the store has been defaced with a random message.
  • FTP logs show connections from unknown IPs, often in other countries.
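The first two symptoms can be checked mechanically. The shell example below is added here and is not part of the original article or of OpenCart: it reads a web server access log in the common "combined" format and reports every client that requested the admin login route without being on your allow-list. It assumes the admin directory is still called admin (OpenCart's login route is admin/index.php?route=common/login); if you renamed the folder, adjust the regex. The log lines are constructed for the example; the same approach works on FTP logs with a different field layout.

```shell
#!/bin/sh
# Added example (not from the article): scan a web server access log for
# hits on the OpenCart admin login from addresses you do not recognise.
# Assumptions: Apache/Nginx "combined" log format, and an admin directory
# still named "admin" (OpenCart's login route is
# admin/index.php?route=common/login); adjust the regex if you renamed it.

# Constructed sample log: one login from the owner's IP, one from a scripted
# client at an address that has no business being there, and a storefront hit.
SAMPLE_LOG='203.0.113.10 - - [01/Mar/2019:10:02:11 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2019:10:05:43 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 512 "-" "python-requests/2.21"
203.0.113.10 - - [01/Mar/2019:10:06:01 +0000] "GET /index.php?route=product/special HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

# unknown_admin_logins "IP IP ..." < access_log
# Prints "<ip> <count>" for every client outside the allow-list that requested
# the admin login route; exit status 1 when at least one was found, 0 otherwise.
unknown_admin_logins() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # combined format: $1 = client IP, $6 = "METHOD, $7 = request path
        $7 ~ /^\/admin\/.*route=common\/login/ && !($1 in ok) {
            if (!($1 in hits)) found++
            hits[$1]++
        }
        END { for (ip in hits) print ip, hits[ip]; exit (found ? 1 : 0) }
    '
}

# Usage on a real server: feed the live log instead of the sample, e.g.
#   unknown_admin_logins "203.0.113.10" < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | unknown_admin_logins "203.0.113.10" || echo "review the addresses above"
```

A non-zero exit status makes the check easy to drop into a cron job that mails you when anything turns up. Remember that a proxy or CDN in front of the store puts its own address in the first field; in that case switch the script to the X-Forwarded-For value your log format records.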

OpenCart Admin Panel Hacked: Causes

OpenCart Malware and Backdoor

Often, bad actors write malware intended to infect many servers at once, which are then used for DDoS attacks, spam propagation, fake views and the like. Researchers at Astra monitor several such campaigns, for example the pub2srv malware, which specifically targeted OpenCart users. Another variant uncovered by the Astra team was aimed at stealing the credit card details of OpenCart customers. That malware also planted a backdoor that abused free signups on the site, and it compromised the admin panel by injecting code that siphoned off login credentials to [email protected].


OpenCart Remote Code Execution

Earlier OpenCart versions were found vulnerable to a PHP remote code execution flaw in JSON decoding. The affected code is the fallback json_decode() implementation that OpenCart bundles in system/helper/json.php for servers without PHP's JSON extension, so only stores on which the native extension was missing were exposed; with the native extension loaded, the bundled helper is never called. To exploit it, an attacker tricked an administrator into visiting the admin dashboard and adding a custom field for extra customer information, such as a second phone number, carrying the payload. A public exploit for this vulnerability has been released.

OpenCart Cross-Site Request Forgery

A CSRF attack tricks a logged-in OpenCart user into performing actions on the store that they never intended, anything from changing passwords to dropping the entire database. One such CSRF vulnerability, CVE-2018-13067, was uncovered in OpenCart: the password change handler in /upload/catalog/controller/account/password.php did not properly validate the anti-CSRF token. By exploiting it, an attacker could silently change the password of whichever account was logged in when the victim loaded the forged page. The exploit for this is publicly available.

OpenCart SQL Injection

SQL injection is as widespread in web applications as XSS, and both have featured in the OWASP Top 10 for years. OpenCart 1.3.2 was vulnerable to an SQLi, CVE-2010-0956, in the page parameter: with a URL such as index.php?route=product%2Fspecial&path=20&page= an attacker could inject SQL statements through the page value, which should only ever be a page number. The exploit for this has been released. Moreover, a blind SQLi vulnerability was discovered in OpenCart

OpenCart Cross-Site Scripting

Earlier OpenCart versions were also vulnerable to cross-site scripting, CVE-2015-4671: index.php did not sanitize the zone_id parameter, so arbitrary web script or HTML could be injected through it. A successful exploit runs script in the victim's browser, which an attacker can use, for instance, to trick an administrator into giving away their password, and so compromise the admin panel.

OpenCart Passwords Compromised

A weak password leaves the OpenCart admin panel open to brute-force attacks. Purpose-built tools run dictionary attacks, hybrid attacks or plain exhaustive guessing against the login form, and a large share of OpenCart admin panel hacks succeed simply because the password was weak. Use a long, unique password for every admin account, and restrict or rate-limit the login page so that guessing is slow and visible.

OpenCart Admin Panel Hacked: Cleanup

Begin the damage control by changing the OpenCart admin panel password to a strong one, and do it for every admin account, not just your own. Then secure the database: change the MySQL user's password on the database server and update DB_PASSWORD in both config.php and admin/config.php, which locks out anyone who copied the old credentials from those files. Note that the statement below does not change the database password; it invalidates the stored admin password hashes so that every admin account must be reset before it can log in again. The version often quoted for this targets a generic users/pass table, but OpenCart 1.5.x to 3.x keep admin accounts in the user table (oc_user with the default prefix) with password and salt columns, so the equivalent is:

UPDATE oc_user SET password = SHA1(CONCAT(password, MD5(RAND()))), salt = LEFT(MD5(RAND()), 9);

List the rows of that table first and delete any administrator you did not create.
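Once the old hashes are invalidated you need a way back in that does not rely on the possibly backdoored panel. The shell example below is added here and is not part of the article or of OpenCart: it computes a password hash the way OpenCart 1.5.x to 3.x do (sha1 of the salt and the double-hashed password, with a 9-character salt; 4.x uses password_hash() and needs a different statement) and prints the UPDATE statement to run with the mysql client. The default table prefix oc_, the username admin and the sample password are assumptions; sha1sum (coreutils) or shasum must be available.

```shell
#!/bin/sh
# Added example (not from the article): generate the SQL that sets a known
# new password for an OpenCart administrator directly in the database, for
# when the admin panel itself cannot be trusted or you have been locked out.
# Assumptions: OpenCart 1.5.x to 3.x, whose admin users live in <prefix>user
# and whose hash is sha1(salt . sha1(salt . sha1(password))) with a
# 9-character salt (4.x uses password_hash() and needs a different statement);
# default table prefix "oc_"; sha1sum (coreutils) or shasum available.

# sha1_hex STRING -> lowercase hex SHA-1 of STRING (no trailing newline)
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then printf '%s' "$1" | sha1sum
    else printf '%s' "$1" | shasum -a 1
    fi | cut -d' ' -f1
}

# oc_password_hash PASSWORD SALT -> the 40-hex value OpenCart stores
oc_password_hash() {
    inner=$(sha1_hex "$1")
    middle=$(sha1_hex "$2$inner")
    sha1_hex "$2$middle"
}

# new_salt -> 9 random hex characters (OpenCart itself uses 9 alphanumerics)
new_salt() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-9
}

# reset_admin_sql USERNAME PASSWORD [SALT] [PREFIX] -> one UPDATE statement
# Run the output with the mysql client; then log in once and change the
# password again through the panel so the value typed here does not stay valid.
reset_admin_sql() {
    user="$1"; plain="$2"
    salt="${3:-$(new_salt)}"
    prefix="${4:-oc_}"
    hash=$(oc_password_hash "$plain" "$salt")
    printf "UPDATE %suser SET password = '%s', salt = '%s' WHERE username = '%s';\n" \
        "$prefix" "$hash" "$salt" "$user"
}

# Usage: reset_admin_sql admin 'N3w-Str0ng-Pass' | mysql -u root -p opencart_db
```

Check your own config.php for DB_PREFIX before running the statement, and do this only after the backdoor hunt below, otherwise the new password leaks exactly like the old one.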

It is worth mentioning that in some infections a malware or backdoor script is installed that sends the admin password (or the whole login request) to the attacker, so changing the password alone is futile: the new one leaks the same way. To check, watch the server's outgoing traffic with a packet monitoring tool such as Wireshark (or tcpdump on the server itself) while you log in, and look for connections to hosts you do not recognise. If that confirms a script is leaking credentials, take the site offline and remove the malicious code before changing passwords again. Attackers most often hide such code as base64-encoded strings, which can be located with a command like this:

find . -name "*.php" -exec grep -Hn "base64" {} \; > hiddencode.txt

This saves every line mentioning base64, with file name and line number, in hiddencode.txt. Decode the suspicious strings locally rather than pasting them into an online tool, since they may contain your store's secrets, and inspect the result by hand. Injected scripts are frequently stored in the database as well, for example in product descriptions or the settings table, so search the database for the same string in one go with phpMyAdmin's search across all tables. Refer to the image below.

[Image: searching all tables of the OpenCart database for the injected string with phpMyAdmin]

Apart from base64, attackers use other encodings and obfuscators such as FOPO, which an average web admin may not be able to decipher. Do not delete code you cannot understand outright: keep a copy of the file for later analysis, then disable the suspicious block by commenting it out (a # or // comments out a single line in PHP; wrap a multi-line block in /* ... */). Better still, restore the affected files from a known-clean backup or a fresh OpenCart download of the same version and reapply your own modifications. Then contact experts for OpenCart admin panel hack malware removal.
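The base64 search above catches only one encoding. The shell example below is added here and is not part of the article or of OpenCart: it widens the triage to the other constructs injected code typically relies on (eval, gzinflate, str_rot13, preg_replace with the /e modifier) and also lists PHP files modified recently, which is how you find droppers that use no recognisable encoding at all. The pattern list is an assumption of the usual suspects, not a signature database, and the sample file tree it scans is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): a first-pass triage of a PHP tree
# after a suspected compromise. It lists PHP files containing the constructs
# injected code almost always relies on (base64_decode, eval, gzinflate,
# str_rot13, preg_replace with the /e modifier) and PHP files modified in
# the last N days. The pattern list is an assumption of "usual suspects",
# not an exhaustive signature set; every hit is a lead to inspect by hand.

# scan_php_tree DIR [DAYS]
# Prints "SUSPECT <file>" for pattern hits and "RECENT <file>" for files
# changed within DAYS (default 7). Legitimate extensions sometimes use
# base64_decode too, so compare hits against a clean copy of the same version.
scan_php_tree() {
    dir="$1"
    days="${2:-7}"
    find "$dir" -type f -name '*.php' -print | while IFS= read -r f; do
        if grep -Eq 'base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13|preg_replace[[:space:]]*\(.*/e' "$f"; then
            echo "SUSPECT $f"
        fi
    done
    find "$dir" -type f -name '*.php' -mtime "-$days" -print | sed 's/^/RECENT /'
}

# make_sample_tree: constructed sample, one clean controller and one backdoor
# dropped into the image cache directory (a favourite hiding place, because
# that directory is writable by the web server and nobody expects PHP there).
# Prints the directory path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/catalog/controller/product" "$t/image/cache"
    printf '<?php\nclass ControllerProductSpecial extends Controller {}\n' \
        > "$t/catalog/controller/product/special.php"
    printf '<?php\n@eval(base64_decode($_POST["x"]));\n' \
        > "$t/image/cache/thumb_cache.php"
    echo "$t"
}

# Usage on a real store: scan_php_tree /var/www/opencart 14 > triage.txt
```

Run it against a pristine copy of the same OpenCart release as well and diff the two outputs; anything that only shows up on the live server is what you inspect first. A RECENT hit inside image/, download/ or system/storage/ deserves immediate attention, since nothing in those directories should change unless you uploaded it.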


OpenCart Admin Panel Hacked: Mitigation

Update and Backup

If you need to modify core files, do it through vQmod or OCMOD rather than editing them directly, so your changes survive updates. Keep OpenCart itself and all extensions and modules up to date, as updates carry crucial security patches. Also keep regular, off-server backups of both the files and the database, as they are what you restore from after an attack; a backup stored on the compromised server may have been tampered with too.

Remove the Install Folder

The install folder contains sensitive setup scripts. If it is left on the server, scanners detect it easily and it gives attackers a way in; search engines like Shodan constantly index such exposed files. Delete the install folder as soon as the OpenCart installation is complete. Note, however, that unlike other install folders, the vQmod install folder should not be deleted!

Secure the OpenCart Admin Panel

Rename Admin URL

Renaming the admin URL is a standard practice that takes the admin panel off the path every scanner and bot tries first. Rename the admin folder to a random word you will remember, and update HTTP_SERVER, HTTPS_SERVER and DIR_APPLICATION in admin/config.php to match, otherwise the panel will not load. Detailed instructions for OpenCart 1.5 & vQmod can be found here.

Restrict Access

The admin panel is usually accessed only by you, so block every other IP address. This is done with a .htaccess file in the admin folder, which applies to that folder and its sub-folders. On Apache 2.2 the rules look like this (replace 203.0.113.10 with your own static IP; the address shown is a documentation placeholder):

<Files *.*>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
</Files>

On Apache 2.4 the Order/Deny/Allow directives are deprecated and the equivalent is a single Require ip 203.0.113.10 line. Either form only takes effect if AllowOverride permits it for the document root, and if your connection has a dynamic IP you will lock yourself out whenever it changes, so use a fixed address or a VPN endpoint.

Manage Admin Panel Files Permission

Files such as admin/index.php and admin/config.php rarely need to change after installation, so set their permissions to 444 (read-only for everyone, including the account the web server runs as). The page's alternative, 644, still lets the file owner write and is only as good as the owner not being the web server account. This is done with chmod over SSH or through your FTP client, not from the dashboard, and you must make the files writable again before an upgrade. Separately, in the admin panel under Users > User Groups you can restrict which sections each admin account may access and modify, so give every account only the permissions it needs. See the image below.

[Image: Users > User Groups permission screen in the OpenCart admin panel]
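The IP restriction and the file permissions above are worth scripting, so they are applied the same way after every upgrade. The shell example below is added here and is not part of the article or of OpenCart: it writes a .htaccess that works on both Apache 2.2 and 2.4 (each syntax behind an IfModule guard), makes the admin entry points read-only, and verifies the result. It assumes Apache honours .htaccess for the document root (AllowOverride), and that you pass your own static IPs; 203.0.113.10 and 198.51.100.7 are documentation addresses used as placeholders.

```shell
#!/bin/sh
# Added example (not from the article): lock down the admin directory with an
# IP allow-list and read-only entry points, then verify the result.
# Assumptions: Apache with AllowOverride enabled for the document root
# (otherwise .htaccess is ignored and the same directives belong in the
# vhost), and that you pass your own static IP(s); 203.0.113.10 used in the
# usage line is a documentation address, a placeholder.

# write_admin_htaccess ADMIN_DIR IP [IP ...]
# Writes both syntaxes, each behind an IfModule guard: Apache 2.4 loads
# mod_authz_core and uses Require (any client not matched is denied); 2.2
# does not have that module and uses Order/Deny/Allow.
write_admin_htaccess() {
    dir="$1"; shift
    {
        echo '<IfModule mod_authz_core.c>'
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</IfModule>'
        echo '<IfModule !mod_authz_core.c>'
        echo '    Order Deny,Allow'
        echo '    Deny from all'
        for ip in "$@"; do echo "    Allow from $ip"; done
        echo '</IfModule>'
    } > "$dir/.htaccess"
}

# lock_admin_files ADMIN_DIR: make index.php and config.php read-only for
# everyone (444), including the account the web server runs as.
# Run chmod 644 on them before upgrading OpenCart, then lock again.
lock_admin_files() {
    for f in "$1/index.php" "$1/config.php"; do
        if [ -f "$f" ]; then chmod 444 "$f"; fi
    done
}

# file_mode PATH -> permission string as ls shows it, e.g. -r--r--r--
file_mode() { ls -l "$1" | cut -c1-10; }

# Usage on a real store whose admin folder was renamed to "backoffice":
#   write_admin_htaccess /var/www/shop/backoffice 203.0.113.10
#   lock_admin_files /var/www/shop/backoffice
#   file_mode /var/www/shop/backoffice/config.php
```

After applying it, load the admin URL from a phone on mobile data (an address that is not on the list) and confirm you get a 403; a 200 means AllowOverride is off and the directives need to go into the virtual host configuration instead.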

Use a Security Solution

OpenCart stores handle sensitive transactions every day, so the store's security must be rock solid. The first line of defense when an attacker goes after an OpenCart store is a web application firewall, which can significantly cut down the risk of an attack on the admin panel, provided you choose the right one: it should be economical, resource friendly and flexible. The Astra firewall meets these criteria for an OpenCart store, and OpenCart itself recommends Astra. Astra is an all-in-one security solution that works out of the box, with no installation hassle and no processing power needed on your server, at a nominal price starting from $9 per month.


About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
