911 Hack Removal

OpenCart Hacked? Step By Step OpenCart Malware Removal Guide

Updated on: February 10, 2022

OpenCart Hacked? Step By Step OpenCart  Malware Removal Guide

If I am not wrong you are facing an OpenCart hacked situation or struggling to remove the hack. Am I close? If you have landed on this page with an intention to clean your hacked OpenCart store, you are at the right place.

In this article, we are going to drill down OpenCart hacked cases, talk about the common hacked symptoms, their causes, and will go through a working Opencart hack removal plan.

Disclaimer: The process discussed in this article is better suited to someone who is familiar with the basic tech know-how. This process will take time and may seem tedious. So if you have no prior experience of handling your store’s sensitive backend, we suggest you better get a professional help. In fact, even if you are moderately tech-savvy, carrying out a complete malware cleanup, with success, is a task easier said than done.

A professional malware cleanup not only saves you time and effort but also reduces your incident response time hugely. Controlling the damage and reversing it in time is a big factor for a hacked website, more so for e-commerce.

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Website Protection before it is too late.

OpenCart Hacked Symptoms

Your OpenCart store shows multiple signs when hacked. A few common symptoms of OpenCart hacked are:

1. Multiple logins from unauthorized locations

With multiple logins to the Admin portal from different locations, it is a clear sign of OpenCart Hacked. You can check the login history and the access time along with the IP address of the last access.

2. Multiple Admin accounts

The dashboard is supposed to have only one Admin account unless you are having another contributor, But, once you open the dashboard you see multiple Admin accounts, which are not created by you. It is a tell-tale sign.

3. Leaked Payment Details

This could be the biggest red flag. Once you start to receive complaints from users of your website that the plastic money details have been leaked, you should resort to a solution. This means that your website has been used to create fraudulent transactions.

4. Free Orders

OpenCart when hacked by malicious codes, can make orders which are unpaid for. In this way, you could see that your deliveries are being delivered, but there is no revenue generated out of it.

5. Spam mail

Receiving spam emails from your server to the users must be a sign to be aware of.

6. Blacklisted by Google

Though this symptom can be for many other reasons too, if you are seeing this message for a long time, it means your website has been compromised.

7. Dubious IP in the FTP log

During the login session, the FTP log saves the activities during the session along with the IP address. When the FTP log shows any doubtful IP address, it is important that you take some serious action against the issue.

8. Credit Card Abuse

Hackers injecting card skimmers, fake payment forms, fake payment method also make for one of the most common hacked OpenCart symptoms. In most credit card hack cases, store owners come to know of the hack from customers. So pay heed to your customers credit card abuse complaints.

Various examples of OpenCart Hacked attack

Most OpenCart hacked cases involve malware insertion into the core and its subsidiary files – including plugin & theme files. However, the hacker can also target the database, the admin panel, existing user, the admin, or any other means to get into the store and plant malware.

This is to say, OpenCart hacked cases vary extensively. Yet there are some identified patterns to these hacker attacks which we have tried to list here:

  1. Getting a backdoor entry – through the download vulnerability – to send the details of the user credit cards to yopmail account.
  2. Injection of the malicious code in the Admin panel to trigger outbound messages to malicious IDs from the victim website.
  3. Logging in to the Admin panel and
    1. steal the payment information,
    2. manipulate order details,
    3. modify website content (defacement),
    4. meddle with product listings,
    5. insert malicious links, and so on.
  4. Replacement of the credit card module by a malicious module or card skimmer is also performed.

With such activities in the Admin panel creating ruckus in your entire website, it gets important to find out the root cause of such attacks.

Get the ultimate Opencart security checklist with 300+ test parameters

OpenCart Hacked Causes

1. Malware generation on the website

Scripting of the malware on the website and infecting the servers is the major cause. Through this method, other websites present on the same servers are also affected. Astra Team has previously handled such issues of a malware attack on OpenCart. Moreover, even the attack stealing credit card details have been rectified by Astra which makes them the best in the cybersecurity business in 2020.

2. Vulnerability to remote access by attackers

OpenCart is vulnerable to RCE. Certain versions of OpenCart could be easily hacked and malicious codes could be injected into them, remotely. The presence of the JSON function in OpenCart is responsible for OpenCart Hacked.

3. CSRF vulnerability

The Cross-Site Request Forgery vulnerability lets a hacker make forge requests to the server on behalf of a user. One can exploit this vulnerability to make changes to the website, add a fake admin, insert backdoor, or even delete the website. Lack of proper validation & sanitization, missing nonce check, no escaping are some ways your store becomes vulnerable to CSRF vulnerability.

SQL injection

Not quite long ago, the page section of the OpenCart had an SQL injection vulnerability. With this vulnerability, the attacker could easily execute malicious statements, thus compromising the website.

These are the major causes behind an OpenCart store hack. Adding to the above, it has been also recorded that weak passwords are an integral part of OpenCart hacked complaints.

OpenCart Malware Removal Process

1. Alter the passwords to stronger ones

Firstly, change the password of the Admin panel into a stronger password. Proceed to change the password of the database to prevent any alterations in the database. The database password can be changed using the following script:

update users set pass = concat(‘ZZZ’, sha(concat(pass, md5(rand()))));

2. Create a backup

Next, create a backup of your store. Backups can save your life when you accidentally delete your website. A nice and functional backup should include all files that are crucial for the working of your store smoothl. It should also include files that defines your store’s looks and funtionalities.

Long story short, a backup should include: Core files, plugin & theme files, database, etc.

3. Turn on the maintenance mode

Now that you have created a backup, it’s time to let your customers know that you’re fixing things up on the store. The best way to do this is by turning the maintenance mode on. The maintenance mode feature in your OpenCart store lets you add a ‘Coming Soon’ screen on the store. You can also customize this screen with your store’s logo, a countdown timer, a customized message or picture.

4. Scan your store with a OpenCart Malware Scanner

The next step is to detect the malware. OpenCart Malware scanners are powerful security tools that can tell what’s wrong with your website in a few minutes.

Astra’s intelligent and machine-learning powered malware scanner flags all malicious links, files, or code on your OpenCart store. It also gives you a quick review utility to see the code modifications and an option to remove malicious files with just a click.

5. Check for the open backdoors in the website

The backdoors present in the website are the entry gates for the attackers. With the backdoors present, no matter how many times you change the password, you might be, unknowingly, sharing the password with the attacker.

Therefore, look for the backdoors present in the website. Using tools that monitor the flow of the data packet, like Wireshark is helpful. You can trace the outgoing data and seal the backdoors to prevent any leak of the data. Once you are confirmed that the website is having the backdoor, we suggest you to go offline. After taking the website offline, you need to remove the malicious code from the website, before making it live again.

5. Review the base64 format

In technical terms, the base64 represents the transformation of the binary to text form of encoding the data. You might have to look for the base64 format of the code present in your website. Such a method of encoding can be better understood by professionals.

Uncovering the code can be tried using the following command line:

find . -name “*.php” -exec grep “base64″‘{}’; -print &> hiddencode.txt

The command line will save the various encoded codes in a file named hiddencode.txt which could be further decoded using online tools. You can follow it up by looking for the location where the particular code is present and then rectify the same.

6. Compare checksum

Download fresh core copies (also referred to as checksum) from the OpenCart library and compare them with your current version of files. Repeat this same process for plugin and theme files. For the database, if you have a good & old backup, compare your database with that. However, that might not be the most optimum way to find database infection.

Note: Do take care of the checksum version you are downloading. It should match your OpenCart’s version.

7. Delete all infections

By now, you might have already located the hack. So the next step is to remove it.

Ways to prevent further OpenCart hacked attacks

It is important to prevent any further attacks as OpenCart hacked. Not only are such attacks time consuming, but they lead to loss of customers due to poor reputation. To prevent any such further attacks the follow this checklist:

Regular Backup Of The Website

Always update and backup your website on a regular basis. The updates help in protecting your website from the vulnerabilities. A new patch in the updates enhances the protection against any loopholes in the extensions.

Handling the installation folder

The installation folder can be a cause of your headache. There are many applications that screen for the installation folder on the server. Mostly, the installation folders are left open on the servers. It is always suggested to remove the installation folder. They contain numerous information of high confidentiality. Make sure that the vQMod install folder is not deleted!

Regulating access to the Admin Panel

The security of the OpenCart Admin panel must be improved. It is important to note that once the attack has been made, it is your responsibility to maintain the high security of the Admin panel.

  • Admin URL must be renamed, such that the hackers cannot trace the URL again. Multiple attacks can be prevented if the URL is changed to some random mnemonic that is easy for you to remember.
  • It is always a wise decision to restrict access to the Admin panel only to you. Use the .htaccess file and add the following code to the file:
<Files *.*> 
Order Deny, Allow 
Deny from all 
Allow from "IP" 

Where IP = your IP address.

Using this code restricts access to the various folders and sub-folders.

  • Use the following location to access the important files in the admin panel like admin.php or index.php:

Users>User GroupsThese files need not be modified every time there is a security attack on your website. You can set the permission of the file to 644 or 44 and prevent further file changes.

Having a Firewall on your E-Commerce Website

Every e-commerce website has monetary transactions over its platform. With the monetary transactions, it becomes important that that security is given high importance. But, OpenCart hacked issues can lead to the stealing of the user’s payment information. To prevent any such activity, we recommend using proper security solutions. A firewall is the first line of attack by an attacker. Astra’s OpenCart Security Suite provides a robust firewall to protect your website from any malicious attacks. Being recommended b OpenCart, the all in one security solution for your website is Astra.

It is one small security loophole v/s your entire website or web application

Get your web app audited with Astra’s Continuous Pentest Solution

Tags: , ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany