Post by YarniaPDX » Thu May 14, 2015 3:47 am

Help! I believe my site has been hacked, and I am unable to remove the fraudulent payment method they installed.

The ONLY payment option that should display at checkout should be PayPal. Currently, there is also an option showing for Authorize.net which I did NOT install.

(My site is onlineshop.yarniapdx.com)

Bizarrely, when I go to payment modules, PayPal is the only module installed and enabled, so I don't know how or where this other payment module is happening.

Where and how can I manually edit the code to remove this fraudulent payment option??!

Thank you,
Last edited by YarniaPDX on Thu Jul 16, 2015 7:41 am, edited 2 times in total.

Active Member

Posts

Joined
Sat Sep 04, 2010 7:10 am

Post by IP_CAM » Thu May 14, 2015 4:16 am

On your Server, as Site Admin, you have the possibility to delete every file.
You may first need to 'chmode' the whole sub, where the files are placed,
related to the function, to CHMODE '775' or '777', to be able to delete it.
Good Luck
Ernie
bigmax.ch/os/

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by YarniaPDX » Thu May 14, 2015 5:35 am

Could you elaborate a little more on what that means, or how to do it? I'm not sure what 'chmode' means, or what it means to 'chmode' the whole sub (or even where the files are placed). I was hoping someone might know where the file resides that pulls up this payment option within the checkout process, so that I could edit it directly, and just delete that payment option.

Is that possible?

Thanks,

Post by IP_CAM » Thu May 14, 2015 8:19 pm

Authorize.net is not installed, it just displays as payment option, due to some activated routine, displaying the payment option. So, don't worry, just remove it from the payment options in the admin section correctly.

admin/index.php?route=extension/payment
It's not a Hack, anyway!
Ernie

Post by YarniaPDX » Fri May 15, 2015 3:30 am

Whew, that's a relief, thanks. Can you please help direct me to where I can remove it from payment options? It is not installed, nor is it enabled, in the regular back office-->Extensions-->Payments section. What is the code you cited above? Is that a line of code that I can delete to make this payment option go away? If so, what directory/file would I find that line of code in?

Thank you!

Post by IP_CAM » Sat May 16, 2015 3:33 am

Make sure again, you have really DISABLED the Function! If it still exists, the easiest way would be, to kill 'em, all files related! I do it, usually, with never ever used 'things', especially with all those never used Payment and Shipping Options! :D
But, if it still exists, after, then, you should check your Mod's, calling the outside, if Pages are called..., you then really would have a problem, somewhere. But, honestly, I don't think so, after checking your Checkout source a little. 8)

This File Listing, shown, is OpenCart v.1.5.6.4, just to make sure!
Good Luck!
Ernie

Post by YarniaPDX » Sat May 16, 2015 7:14 am

Damn, now I'm really stuck :(

I deleted all of the authorize.net files you listed above, and now I get the following error message when I try to check out as a test:

Notice: Error: Could not load model payment/authorizenet_aim! in /home4/lindsey/public_html/onlineshop/vqmod/vqcache/vq2-system_engine_loader.php on line 51

Does that mean I have a VQmod installed that is calling this function? I don't see any XML files that look like they relate to Authorize.net, nor have any of the XML files been installed or modified recently.

I feel really stuck -- now nobody is able to check out via any method at all, and I have no idea how to make this error message go away. Please help!!

Post by IP_CAM » Sat May 16, 2015 8:24 am

Just delete all cached files in system/cache/ and vqmod/vqcache/
and check again.
Ernie

Post by YarniaPDX » Wed May 20, 2015 2:16 pm

Well, that unfortunately didn't work but I was able to find a recently backed up version of all my files (I try to back up the entire site about 1x/month or so), and after replacing the /admin and /catalog folders with the older versions, I was able to get the Authorize.net extension to appear in the payment extensions page, and uninstalled it from there. Whew!

Post by CommanderKeen » Tue May 26, 2015 4:26 pm

This has happened to one of my clients as well.

The source of the updated "authorizenet_aim.php" sends any information received to a disposable email address at yopmail.

Newbie

Posts

Joined
Wed May 22, 2013 10:01 pm

Post by YarniaPDX » Tue May 26, 2015 10:50 pm

Does that mean they are able to surreptitiously collect credit card information from my customers, if they happen to enter their CC info into these fields before I am able to catch that this module has been installed? (This is the second time this has happened to me and I don't know how to catch this, without a customer informing me about it while trying to place an order.)

What measures can I take to ensure this won't happen again?

Post by victorj » Wed May 27, 2015 5:40 am

First of all, clean the entire hosting and make sure, before you undelete any file, it's switched off in admin or the entry is removed from the database.

Next, make sure your hosting is secure, so change the password to the hosting panel and make sure it's a strong password; change the password for FTP, same rule.

Change email passwords, basically anything with a password.

if anything like this happens again, your host might be compromised, they ever will admit so in that case change hosting.

Order custom-sized refrigeration door gaskets easily online.
All parts that do not require STEK certification, such as hinges, locks, frame heating and lighting, for all types of coolers and freezers.
https://koelcel-onderdelen.com


User avatar
Expert Member

Posts

Joined
Sat Jun 25, 2011 4:09 am
Location - Alkmaar Holland

Post by CommanderKeen » Wed May 27, 2015 3:25 pm

Best thing to do as above says is clear hosting and install the latest version of Opencart.

Post by Dhaupin » Thu May 28, 2015 6:43 am

If you or your host has SSH you can use locate/find in addition to grep and search for various "Authorize.net" strings. Or you can download the entire public_html directory via FTP then use "Fileseek" winders app to locate the string.

In both cases, it will return a lot of "official" script, but it should also show you where the malware is. This is assuming they didn't encode it, in which case a base64 scanner such as https://github.com/mikestowe/Malicious- ... canner.php might help.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA
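
The find/grep search described in the post above, as an added example that is not part of the original thread: it flags PHP files containing mail calls, the yopmail string mentioned earlier in the thread, or decode-and-execute idioms. The function names, the patterns and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Patterns are heuristics: legitimate
# OpenCart code also sends mail, so every hit needs a manual look.

# scan_tree DIR: print "file:line:text" for each suspicious line in *.php
scan_tree() {
    find "$1" -type f -name '*.php' -exec grep -nEi \
        -e '(^|[^a-z_])mail[[:space:]]*\(' \
        -e 'yopmail' \
        -e 'eval[[:space:]]*\(' \
        -e 'base64_decode[[:space:]]*\(' \
        /dev/null {} + || true
}

# suspicious_files DIR: unique list of files with at least one hit
suspicious_files() {
    scan_tree "$1" | cut -d: -f1 | sort -u
}

# make_sample_tree: build a constructed two-file tree, print its path
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/catalog/model/payment"
    printf '%s\n' '<?php' 'class ModelPaymentPpStandard {}' \
        > "$d/catalog/model/payment/pp_standard.php"
    printf '%s\n' '<?php' 'class ModelPaymentAuthorizenetAim {}' \
        "mail('drop@yopmail.example', 'x', 'constructed sample');" \
        > "$d/catalog/model/payment/authorizenet_aim.php"
    echo "$d"
}

tree=$(make_sample_tree)
suspicious_files "$tree"     # lists only the tampered sample file
scan_tree "$tree"            # shows the matching line with its line number
rm -rf "$tree"
```

On a real site, point `scan_tree` at the `public_html` directory (or a downloaded copy of it) instead of the sample tree.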

Post by YarniaPDX » Thu Jul 16, 2015 7:44 am

Okay, this problem has happened again, and even though the Authorize.net payment module doesn't even exist in my payment options in the back office, it is showing up as an option for my customers to select, and I suspect their credit card information is going to a malicious site/email address/etc.

In the meantime while I try to figure out how to fix this, can anyone please tell me what file I need to edit in order to edit the text shown in this screenshot, that says "Please select the preferred payment method..."?

I need to amend it to let customers know to ONLY use the PayPal option.

Thanks,

Attachment: authorize.jpg (29.1 KiB)


Post by BobDH » Thu Jul 30, 2015 6:29 pm

Are you still having this problem?

Tough products for an outdoor lifestyle
http://www.dhustone.com


User avatar
New member

Posts

Joined
Fri Dec 06, 2013 5:18 am
Location - Shropshire

Post by scottmac2255 » Fri Aug 28, 2015 3:49 am

I am having the same problems now, I have found the PHP element containing the forward email and deleted, but I would like to remove the option from the checkout process but cannot find where to delete it from, can anyone please help!!

Thanks.

New member

Posts

Joined
Mon May 10, 2010 3:26 am

Post by BobDH » Fri Aug 28, 2015 6:49 am

I had a similar problem the other week. It corrupts the payment files and the best way I found to resolve was, to reload just the payment files from the original source download file, this then should give you the ability to administer Authorize in your extension>payment area and disable it completely.

Post by scottmac2255 » Fri Aug 28, 2015 7:58 pm

Thanks BobDH.

Can I ask what files specifically you re-uploaded?

Thanks

Post by BobDH » Tue Sep 01, 2015 6:13 am

Just the 'payment files' in catalog and admin.
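
Before reloading the payment files from the original download as described above, it helps to see which files on the site actually differ from that download. The following is an added example, not part of the original thread: it compares every file under a `payment` directory in the live copy against an unpacked copy of the same release. The function names, directory arguments and sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. PRISTINE is an unpacked copy of the same
# OpenCart release from the original download; LIVE is the site's copy.

# payment_drift PRISTINE LIVE: print "MODIFIED path" or "EXTRA path" for each
# file under */payment/ in LIVE that differs from, or is absent in, PRISTINE
payment_drift() {
    ( cd "$2" && find . -type f -path '*/payment/*' | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then
            echo "EXTRA ${f#./}"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
}

# make_sample_pair: build constructed pristine/ and live/ trees, print parent
make_sample_pair() {
    p=$(mktemp -d)
    for side in pristine live; do
        mkdir -p "$p/$side/catalog/model/payment" \
                 "$p/$side/admin/controller/payment"
        echo '<?php // pp_standard model' \
            > "$p/$side/catalog/model/payment/pp_standard.php"
        echo '<?php // authorizenet_aim model' \
            > "$p/$side/catalog/model/payment/authorizenet_aim.php"
    done
    # Constructed differences: one changed file and one file not in the release
    echo '// constructed change' \
        >> "$p/live/catalog/model/payment/authorizenet_aim.php"
    echo '<?php // constructed extra' \
        > "$p/live/admin/controller/payment/extra_gateway.php"
    echo "$p"
}

pair=$(make_sample_pair)
payment_drift "$pair/pristine" "$pair/live"
rm -rf "$pair"
```

An EXTRA entry is expected for any third-party payment extension installed on purpose; a MODIFIED entry for a file that ships with the release is the one to inspect first.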
