Post by scottmac2255 » Tue Sep 01, 2015 6:23 pm

Thanks very much this has done the trick. ;D

New member

Posts

Joined
Mon May 10, 2010 3:26 am

Post by psh2580 » Tue Sep 01, 2015 9:22 pm

I have also got this issue? I have not uploaded nor have I paid for Authorize.net to install on my OpenCart platform. There is no way of deleting through my admin section. I was worried my customers' credit card details would be compromised so I deleted everything out of desperation that I could find with authorize.net on the server.......now I have major issues mainly the following in the payment area of the site:

Notice: Error: Could not load model payment/authorizenet_aim! in /home/justbinb/public_html/vqmod/vqcache/vq2-system_engine_loader.php on line 48

Is there anyone on here who knows what they are doing who could upload the files suggested above to help me out? I am not computer literate and willing to pay for the service...

Paul

Newbie

Posts

Joined
Sat Nov 30, 2013 1:41 am

Post by psh2580 » Tue Sep 01, 2015 10:05 pm

Come on, please....someone must be able to help me out here......struggling like f....


Post by IP_CAM » Tue Sep 01, 2015 11:14 pm

OK, then just tell us what you have downloaded, themes and/or mods, and from where, so possibly I will be able to tell you where you got your unwanted payment. It's part of certain THINGS, usually paid, but offered for free on certain sites. And some of those downloading such paid/free goodies have been hit; you may belong to them as well. Who knows??
Good Luck
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by psh2580 » Tue Sep 01, 2015 11:20 pm

Thanks for reply Ernie.....

The last paid for extensions I purchased were:

Abandoned Cart Reminder Pro
and
PDF Invoice with AutoSend

Both purchased through the same opencart site.

Before these were installed, there was never an issue....

Does this help?


Post by psh2580 » Wed Sep 02, 2015 3:04 am

ok....

so I have managed to find all of the original files that contain the authorize.net in them from your list earlier Ernie and have uploaded them back to the server. The site is back up and ready to accept payments once again.

However,

The option to pay by debit/credit card (Authorize.net) is still showing in my Payment method. Uploading my original theme payment files for the catalog and admin has not cleared it. There is no option for Authorize in my Payment area in the admin area either?

Following your advice to another person earlier I could try and delete the files in the cache folders to Vqmod etc, however it didn't work for him and I am honestly a touch worried about being trigger happy with deleting files again!?

I am desperate to sort this out and protect clients information.

Any feedback gratefully received....

Paul


Post by psh2580 » Wed Sep 02, 2015 3:22 am

Fixed.....

I reinstalled the original iframe files through Paypal and the payment files again and then found the Authorize option had appeared in my payment area in the back end. I simply disabled it!

Genius, who has learnt a lot in a day.


Post by IP_CAM » Wed Sep 02, 2015 6:30 am

good for you!
Ernie


Post by GraemeH » Wed Oct 28, 2015 4:20 am

Just an FYI...

On this thread

viewtopic.php?f=179&t=147282

It was shown he had changed a bunch of files. If you experience this, your best bet is going to be to clear your server and re-install.

New member

Posts

Joined
Fri Apr 20, 2012 4:56 pm

Post by TofuMan » Fri Jun 03, 2016 10:49 pm

Hi - We were hacked today at 9am, the same type of hack for Authorize.net - OpenCart v2

The symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!

This happened to us previously in January, using Version 1.5.6 - we managed to clean it up quickly, thanks to the details in this post: viewtopic.php?f=179&t=147282 by 'tonybarnes'
(...it was actually simpler for us than the post suggests)

We are now using a completely new build on version 2.1.0.2... so none of the files are the same as before - yet the hack was identical.

What you need to know about this hack:

1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

We do not believe this hack requires the hacker is able to login... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and MIME types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack as it seems to be happening often enough and in the same way, I imagine it has been identified by others too?

Newbie

Posts

Joined
Mon Jun 28, 2010 3:15 am
Location - Hampshire, UK
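
An added example, not part of TofuMan's post: the "compare against a clean copy" step above, done by content hash instead of 'Last modified' dates and file sizes, since a timestamp can be reset and a size can be matched. The directory layout, the helper names and the placeholder file contents are constructed for illustration; only the three file paths come from the post.

```python
import hashlib
import tempfile
from pathlib import Path

def index_tree(root, pattern="*.php"):
    """Map relative path -> SHA-256 digest for each file under root matching pattern."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob(pattern) if p.is_file()}

def compare_trees(clean_root, live_root):
    """Report files whose content differs from, or is absent in, the clean copy."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    return {
        "modified": sorted(r for r in live if r in clean and live[r] != clean[r]),
        "added": sorted(r for r in live if r not in clean),
        "missing": sorted(r for r in clean if r not in live),
    }

def build_demo(base):
    """Create constructed sample trees; contents are placeholders, not OpenCart code."""
    clean = {
        "admin/controller/extension/payment.php": "<?php // stock\n",
        "admin/controller/common/login.php": "<?php // stock\n",
        "catalog/controller/payment/authorizenet_aim.php": "<?php // stock\n",
        "catalog/controller/common/home.php": "<?php // stock\n",
    }
    live = dict(clean)
    live["admin/controller/common/login.php"] += "// changed on server\n"
    live["catalog/controller/payment/authorizenet_aim.php"] += "// changed on server\n"
    live["image/catalog/unexpected.php"] = "<?php // not in the release\n"
    for name, files in (("clean", clean), ("live", live)):
        for rel, body in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return Path(base, "clean"), Path(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, live_root = build_demo(tmp)
        for status, paths in compare_trees(clean_root, live_root).items():
            for rel in paths:
                print(f"{status:9} {rel}")
```

On a real store, point `compare_trees` at an unzipped download of the same OpenCart version and at the FTP backup of the site. Legitimately customised files (themes, extensions, the vqmod cache) will also be listed and need a manual look.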

Post by EvolveWebHosting » Sat Jun 04, 2016 2:57 am

I want to point out that we've seen plenty of shared hosting sites hacked where you have Opencart and Wordpress installed under the same account and Wordpress is not updated to keep out the hackers. Opencart on its own is very secure but nothing is secure as soon as a hacker gains access to your hosting account.

If you're hosting with these two pieces of software on the same account, I would suggest spending a little bit of extra money and moving the WordPress sites away to a hosting account by themselves. I always say that WordPress is like Microsoft. A huge target with a lot of opportunity to exploit it. You don't want to have your money-making site crashed / hacked (OpenCart).

2 Week FREE Trial of our Shared Hosting plans (DIrectAdmin or cPanel) for new customers
2 Week FREE Trial of Astra Firewall and Malware Scanner
Visit our website for full details and to start your trial today - www.evolvewebhost.com


Active Member

Posts

Joined
Fri Mar 27, 2015 11:13 pm
Location - Denver, Colorado, USA

Post by beeman » Fri Jun 17, 2016 12:32 am

I have been using OpenCart for 4 years and after upgrading to v2 I also fell victim to this hack. I am on a dedicated server and I don't have WordPress. Coincidentally I was hacked at the same time as TofuMan too.

Newbie

Posts

Joined
Tue Nov 13, 2012 11:12 pm

Post by jayba » Fri Jul 28, 2017 8:50 pm

Hi gents,

I have a client with this same issue but slightly more complex. What's happening is, even though I've removed all the payment methods not used and followed the tips in this forum post, and we're only using PayPal Standard and Qphoria's Ogone/Barclays extension, when we re-enable the Barclays extension, as soon as the checkout page refreshes (after adding your address in Journal one page checkout) the Barclays payment extension is automatically disabled again from the back end.
We have cloned this site onto a development server and changed host files to point to this IP but strangely the Authorize.net option is not there, it only appears on the live URL but it still auto disables the Barclays extension and I presume would try to re-enable its own fake Authorize version!!

please help

Newbie

Posts

Joined
Sat Dec 19, 2015 6:45 pm

Post by Johnathan » Fri Jul 28, 2017 11:12 pm

Payment extensions are loaded from the "extension" table, so my guess is that the hacker is enabling Authorize.net, then deleting the back-end Authorize.net files so you can't access the admin panel. To disable the extension on the front-end, all you should need to do is delete the relevant Authorize.net code from the "extension" table, and it should then not appear as an option during checkout.

If that doesn't work, something more sophisticated is going on, and you probably need to restore your payment files as suggested by others. You should also work on getting your server secure, since something like this can keep happening until it is.

Administrator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by croggero » Fri Aug 11, 2017 4:57 am

This has happened to my site 3 times now in the last 4 months. Have there been any updates on if this is a vulnerability with OpenCart 2.3.0.2?

Newbie

Posts

Joined
Fri Aug 11, 2017 4:55 am

Post by EvolveWebHosting » Fri Aug 11, 2017 7:59 am

croggero wrote (Fri Aug 11, 2017 4:57 am):
"This has happened to my site 3 times now in the last 4 months. Has there been any updates on if this is vulnerability with Opencart 2.3.0.2?"

It's not a 2.3.0.2 vulnerability.
