The article outlines a step-by-step algorithm for removing viruses from an OpenCart website. This guide is best suited for technically proficient users who have a deep understanding of coding and can effectively utilize various software tools to troubleshoot issues. Even if you are using a different CMS or framework, it’s still worth reading as the information provided may be beneficial to you.
From the author
If you require a website or server cleanup, please contact me via telegram (halfhope) or callback form on this site. I will provide you with information regarding the cost and terms. The cleaning service comes with a 1-year warranty.
Brief algorithm
- We make a backup of the site,
- download this backup,
- clean it on the local machine,
- change all possible passwords,
- delete files and the database from the server,
- and upload the cleaned copies of files and the database back.
If we overlooked anything, we should set up surveillance.
- We’ve implemented file change monitoring and enabled logs.
- Any incidents will be recorded in the logs for you to address.
The recommended observation period is 3 to 4 weeks.
Detailed description
Preparing for work
To download the site files and the database to your local computer, the fastest way is to create a single zip archive. You can omit the “image” folder as it’s large and doesn’t contain any executable files. However, you should check this later before downloading the clean copy of the site.
Using OpenServer/WAMP/LAMP or a similar hosting solution, create a new database and import your site’s database dump.
Please extract the files into a folder that is easy to access for your work.
Working with the database
Find the oc_user table and delete all users except for the administrator. It’s advisable to change the administrator’s username to protect the account from potential password guessing attempts. Additionally, the administrator’s password should be updated. In the oc_user table, replace the current password with the MD5 hash of the new password and clear the salt field. These steps will ensure that the password has been successfully changed.
Go to the oc_modification table. It stores module modifiers. Check the modifier code for vulnerabilities. Since 2020, some botnets have been using a tailored modifier for OpenCart, known as reverse shell.
Working with files
As part of the preparation, I suggest removing unnecessary items such as phpinfo, cache, and logs. For OpenCart, these may include unused themes (excluding default), languages, and modified files (system/storage/modification).
Please make sure to examine the files for any malicious code. To do this, you can utilize tools such as ai-bolit (revisium), ShellDetector, LMD, PC antivirus software, and any other relevant tools. Specifically for single entry point applications like OpenCart, it’s important to search for additional entry points into the application (locations where instructions are passed to the script, through $_POST, $_GET, $_COOKIE, etc.) and also watch out for attempts to obfuscate (hide) them.
If you review all your code, using GIT or Beyond Compare can speed up the process. They will display new and changed files, comparing your site to the original version of the engine.
Sure, here you go: When analyzing server access logs, you can identify infected files. The engine operates on the MVC paradigm, so it doesn’t make direct file calls. All requests are routed through the entry point in index.php. Be sure to check for any direct file calls.
After cleaning the site, please create a zip archive with the cleaned files.
Work on the server
Please remember the following instructions: Add a stub with the HTTP status code 503 Service Unavailable and restrict access to only your IP address to prevent external access to the site. By using this stub, search engine bots will revisit the site later, and you won’t lose your search result rankings.
Please make the following changes:
- Change all possible passwords, including those for the Control Panel, Database, FTP users, and mail accounts.
- Delete the old database and import the cleaned copy.
- Remove all site files from the hosting, excluding the “image” folder and the stub. Within the image folder, delete all non-image files, such as executable files.
- Upload cleaned copies of files to the server and update passwords in config files. Proceed to the store admin section and update modifiers.
- Safeguard the admin panel from brute force attacks and excessive curiosity by implementing additional HTTP authorization.
- Enable query logging if it was previously disabled. Configure monitoring for file changes using a provided PHP script, which can be downloaded from this article.
- If any cleaning steps were missed, the errors should be reflected in the logs or in file changes. By checking the logs, you can identify the source of re-infection and close the vulnerability.
- It’s important to note that modern botnets can detect the deletion of their files and may remain inactive for some time before becoming active again. Adjust the observation period to the maximum to better detect any re-infections.
General recommendations
- Do not use pirated software;
- Use complex passwords. Do not create them yourself;
- use password generators;
- Avoid using default usernames such as “admin”, change them;
- Create separate accounts (FTP/admin) for contractors (freelancers) and disable them after they finish their work;
- Keep track of file changes;
- Make regular backups;
For OpenCart
“And for OpenCart, I have the FSMonitor module. It allows you to track new, changed, and deleted files. You can use a cron scheduler for automation and receive notifications when changes occur. Additionally, you can manually scan to see which files have been altered by the contractor. You can view and purchase the module here: [link]”
I also offer server and website cleaning services with a 1-year guarantee against viruses.
