Hi - We were hacked today at 9am, the same type of hack for Authorize.net - OpenCart v2
The symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!
This happened to us previously in January, using Version 1.5.6 - we managed to clean it up quickly, thanks to the details in this post: viewtopic.php?f=179&t=147282
(...it was actually simpler for us than the post suggests)
We are now using a completely new build on version 126.96.36.199... so none of the files are the same as before - yet the hack was identical.
What you need to know about this hack:
1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try to change the passwords, when you log in again the hacker receives the new password directly to his email account.
2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that bypasses this function completely, so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.
3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.
We do not believe this hack requires the hacker to be able to log in... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before, as we are in V2 and we had already removed the list of file types that could be uploaded.
Here is how we fixed it:
Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).
We found on both occasions that these were the files that had been changed:
However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.
We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.
We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.
Once this is done, unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload them if it ever happens again.
Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.
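The comparison described above (a clean unzipped copy of the same OpenCart version against a backup of the hacked site) can be done with a script rather than by eye. The example below is added here and is not the poster's own code or anything shipped with OpenCart: it hashes every file in both trees and reports files that were modified, files that exist only in the hacked copy (such as a dropped-in authorizenet_aim.php), and files that are missing. Hashes are used instead of 'Last modified' dates because timestamps on a compromised server can be altered; file sizes and dates are a quick first look, but a content hash is what actually proves the code differs. The admin login path and the constructed file contents used in the demo are assumptions for illustration only.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large uploads/images do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map each file path (relative to root, forward slashes) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root, hacked_root):
    """Compare a known-clean install tree against a backup of the live (hacked) site.

    Returns sorted lists of relative paths:
      modified - present in both, content differs (e.g. a tampered login page)
      added    - present only on the hacked site (e.g. an injected payment module)
      missing  - present only in the clean copy
    """
    clean = index_tree(clean_root)
    hacked = index_tree(hacked_root)
    modified = sorted(p for p in hacked if p in clean and hacked[p] != clean[p])
    added = sorted(p for p in hacked if p not in clean)
    missing = sorted(p for p in clean if p not in hacked)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def build_demo_and_compare():
    """Construct two small trees (assumed OpenCart-like paths, made-up contents)
    and run the comparison. The 'hacked' tree has an edited admin login controller
    and an extra authorizenet_aim.php payment file that the clean install lacks."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hacked:
        # Constructed sample: identical files in both trees
        for base in (clean, hacked):
            _write(base, "admin/controller/common/login.php", "<?php // login controller\n")
            _write(base, "catalog/controller/payment/cod.php", "<?php // cash on delivery\n")
        # Constructed tampering on the hacked side only
        _write(hacked, "admin/controller/common/login.php",
               "<?php // login controller\n// extra line that a clean install does not have\n")
        _write(hacked, "catalog/controller/payment/authorizenet_aim.php", "<?php // injected\n")
        return compare_trees(clean, hacked)


if __name__ == "__main__":
    result = build_demo_and_compare()
    for kind, paths in result.items():
        print(kind + ":")
        for path in paths:
            print("  " + path)
```

Against a real site you would call `compare_trees("/path/to/clean-opencart", "/path/to/hacked-backup")`; everything under `modified` and `added` is what to inspect and then overwrite or delete from the clean copy, and `missing` tells you whether anything was removed. Note that legitimately edited files (your own config.php, theme changes, uploaded images) will also show up, so keep a copy of your genuine customisations to rule those out.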
Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.
Lastly we deleted all the allowed file types and MIME types in Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.
I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack, as it seems to be happening often enough and in the same way; I imagine it has been identified by others too?