Post by Lilwood » Thu Nov 28, 2024 6:28 pm

I was just checking out my payment pages on my website when this form appears as you get to Payment Method Stage 5. It wants the customer to enter payment details, then it'll go to the correct payment choices page. I've attached screenshots. I don't think the form submits anything as the rest of the malware has been deleted I believe.
I need to delete this form but having gone through checkout.php, templates, stylesheets etc. I can't find its location.
Can anyone advise from the screenshots?
Many thanks.

Attachments: Scam payment method.jpg (83.72 KiB), paypal direct code -partial.jpg (311.64 KiB)



Post by softmonke » Fri Nov 29, 2024 2:25 am

Lilwood wrote:
Thu Nov 28, 2024 6:28 pm
I was just checking out my payment pages on my website when this form appears as you get to Payment Method Stage 5. It wants the customer to enter payment details, then it'll go to the correct payment choices page. I've attached screenshots. I don't think the form submits anything as the rest of the malware has been deleted I believe.
I need to delete this form but having gone through checkout.php, templates, stylesheets etc. I can't find its location.
Can anyone advise from the screenshots?
Many thanks.
Does your hosting provide backups or do you do any backups? If yes, the easiest would be to restore to an earlier backup.

I've encountered a couple of these before. From the looks of it, it's probably a malicious script injecting the payment fields in the page. The malicious code can be trickily placed in a file, therefore when opening your files in a code editor, check if there is a horizontal scroll bar - I've encountered malicious code being placed at the far end of the line so that when you first open up the file, you don't actually see the malicious code but if you scroll to the far-right, you will see it.

Other than that, malicious scripts can also be placed in random directories like in your image directory, stylesheet directories, javascript library directories, etc.

If you have access to the terminal, you can try running a search to search for keywords like "eval".

Otherwise, you'd probably be better off hiring a third-party to get rid of the malicious code/script(s). Even so, the attackers might have placed a backdoor somewhere so sometimes it can be really difficult to get rid of persistent malware. Good luck!

Check out our ever-growing list of extensions for OpenCart here.
Some useful extensions for a better admin experience: Image File Manager Pro, Drag & Drop Sort Order

Reach out to us at hello@softmonke.com for your OpenCart web development needs or feedback for our extensions.
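
The three checks described in the post above (code pushed past the right edge of the editor, script files sitting in image directories, and a keyword search for "eval"), as an added example that is not part of the original post. The function names, the 200-blank threshold, the file extensions and the keyword list are assumptions to adjust for your own shop.

```shell
#!/bin/sh
# Added example: triage a copy of the web root for hidden injected code.
# Usage: sh triage.sh /path/to/webroot   (the script name is hypothetical)

# Run "grep -lE PATTERN" over PHP, JS and template files under DIR.
scan() {
    find "$1" -type f \
        \( -name '*.php' -o -name '*.js' -o -name '*.twig' -o -name '*.tpl' \) \
        -exec grep -lE "$2" {} + | sort
}

# Code pushed out of view: 200 or more blanks followed by more text on the
# same line, so the file looks clean until you scroll to the far right.
padded_lines() {
    scan "$1" '[[:blank:]]{200,}[^[:blank:]]'
}

# Decode-and-run primitives in PHP and JavaScript. A payload that never
# spells out a readable keyword still has to be decoded and executed.
decoders() {
    scan "$1" 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13|atob[[:space:]]*\(|fromCharCode'
}

# Script files where only images belong (OpenCart keeps uploads and the
# image cache under image/).
scripts_in_image_dir() {
    find "$1" -type f -path '*/image/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.js' \) | sort
}

if [ $# -gt 0 ]; then
    echo "== padded lines ==";       padded_lines "$1"
    echo "== decode primitives ==";  decoders "$1"
    echo "== scripts in image/ ==";  scripts_in_image_dir "$1"
fi
```

Bundled JavaScript libraries and some core files use these functions legitimately, so each hit is a file to open and read, ideally diffed against a clean download of the same OpenCart version.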




Post by Cue4cheap » Fri Nov 29, 2024 2:28 am

So this isn't an extension in the "extension" -> "payment"?

But if you have been hacked and you can't find it, might be better to hire someone.

Otherwise, to try and help you find it, if on a flavor of Unix for a webserver, you could try SSHing over and use something like this:
find . -type f -name "*" -exec grep -H -i "paypal_direct_cc_number" {} \;
And see if it gives you a file that it is in.
Mike

cue4cheap not cheap quality



Post by OSWorX » Fri Nov 29, 2024 2:30 am

And - not to forget! > is OpenCart the only instance on this server .. or do you have also other systems (like WordPress) installed?
Besides this, when you are using third-party extensions, are all these from official sources (another door for hackers)!
And finally, use no obfuscated extensions - no one knows what they are really doing in the background.

It's important to mention here (guess some are reading this discussion), because OpenCart itself is one of the most secure systems.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by webocreation.com » Fri Nov 29, 2024 11:04 am

One use case:
One of the websites had similar JS injected through a custom theme field where you can enter the JS embed code.
I started by scanning the website URL using the free website malware and security checker https://sitecheck.sucuri.net and found the JS that had been injected, then I searched for that file in the database in phpMyAdmin, found out where those files were and removed them.
Then I asked for all usernames and passwords to be changed, both for the OpenCart admin and hosting providers etc. After that we have not seen those custom injections.


https://webocreation.com/25-opencart-se ... rce-users/

Opencart 4 book for developers
Opencart 4 User Manual Book
Blog free tips and tricks
Free extensions
OpenCart Tutorials
OpenCart Tutorials Youtube Video for developers
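
The database search described in the post above, run against a SQL dump instead of through phpMyAdmin, as an added example that is not part of the original post. The function names are hypothetical, and the handling of HTML-entity and backslash escaping assumes stored values may be encoded that way.

```shell
#!/bin/sh
# Added example: find script tags stored in the database, working on a dump.
# Assumes one row per INSERT line (mysqldump --skip-extended-insert), so that
# each hit points at a single row.
# Usage: sh dbscan.sh shop.sql   (the script and dump names are hypothetical)

# Undo HTML-entity and backslash escaping so encoded and raw tags look alike.
normalise() {
    sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' \
        -e 's/\\*"/"/g' -e 's#\\*/#/#g' "$1"
}

# Tables whose rows carry a script tag, raw or encoded.
tables_with_script() {
    normalise "$1" | grep -i '<script' |
        sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' | sort -u
}

# Hosts that stored script tags load from. Anything that is not the shop's
# own domain or a CDN you deliberately use is a row to inspect.
script_hosts() {
    normalise "$1" |
        grep -oiE '<script[^>]*src="?(https?:)?//[a-z0-9.-]+' |
        sed -E 's#.*//##' | tr 'A-Z' 'a-z' | sort -u
}

if [ $# -gt 0 ]; then
    echo "== tables with script tags =="; tables_with_script "$1"
    echo "== script source hosts ==";     script_hosts "$1"
fi
```

An inline script with no src attribute shows up in the table list but not in the host list, so review the matching rows themselves and not only the hosts.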



Post by OSWorX » Fri Nov 29, 2024 1:23 pm

webocreation.com wrote:
Fri Nov 29, 2024 11:04 am
One of the websites had similar JS injected through a custom theme field where you can enter the JS embed code.
...
And, who added that code into the "custom theme field"?
An admin user or visitor ? ?


Post by Lilwood » Fri Nov 29, 2024 6:14 pm

Thanks to everyone who has replied. I downloaded my whole website to my PC and searched with Notepad ++ but it couldn't find any of the paypal direct wording. I moved my website from TSOhost a few months ago as they were so useless (neverending hacking and other problems) and couldn't migrate it to their new system. I migrated it to Hostinger and they have been great at scanning for malware every day. They found lots to start with. I think this is left over rubbish from a previous infection (before Hostinger). It doesn't go anywhere, just makes customers fill it in before completing their payment choices, even if they choose BACS. I do have other websites on my server in WordPress but they are protected by Wordfence, which has been very successful.
I will try all your suggestions, especially the online search suggested.
Fingers crossed.
Thank You


Post by paulfeakins » Fri Nov 29, 2024 7:08 pm

Lilwood wrote:
Fri Nov 29, 2024 6:14 pm
Thanks to everyone who has replied. I downloaded my whole website to my PC and searched with Notepad ++ but it couldn't find any of the paypal direct wording.
Probably in the database then?

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk



Post by OSWorX » Fri Nov 29, 2024 8:18 pm

paulfeakins wrote:
Fri Nov 29, 2024 7:08 pm
Lilwood wrote:
Fri Nov 29, 2024 6:14 pm
Thanks to everyone who has replied. I downloaded my whole website to my PC and searched with Notepad ++ but it couldn't find any of the paypal direct wording.
Probably in the database then?
The word "paypal" must not be written as "paypal"!
It could also be a JavaScript (or even a PHP script) which "constructs" something in the background.
Means also: a simple scan for the word "paypal" (inside the files, scripts and database entries) may be fine .. but at the end useless.

@Lilwood: you are playing with the security of your shop visitors!
Better you hire a professional, or build the shop from the ground up new.

Besides this: you wrote that you have WordPress also on this account.
Are you sure that WP is safe?


Post by khnaz35 » Fri Nov 29, 2024 9:02 pm

OSWorX wrote:
Fri Nov 29, 2024 8:18 pm
Wordpress also on this account.
Are you sure that WP is safe?
To be honest, there are countless scans and attacks targeting WordPress-based websites. I've dealt with hacked WordPress sites before, and it's likely that the OP may have inadvertently left a backdoor, making it easier for hackers or attackers to exploit.

Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by OSWorX » Fri Nov 29, 2024 11:01 pm

khnaz35 wrote:
Fri Nov 29, 2024 9:02 pm
OSWorX wrote:
Fri Nov 29, 2024 8:18 pm
Wordpress also on this account.
Are you sure that WP is safe?
To be honest, there are countless scans and attacks targeting WordPress-based websites. I've dealt with hacked WordPress sites before, and it's likely that the OP may have inadvertently left a backdoor, making it easier for hackers or attackers to exploit.
On our servers we see hundreds of thousands of attacks each day.
If we didn't have e.g. FortiGate as one measure (besides many others), our clients (and our servers) would have trouble after trouble.

It's a shame since "developing" websites with such tools made by noobs and after then no updates a long time can be made.
It's so easy, you will find anything on the "web" .. and too many are using those scripts (e.g. to save a few Cents).

That's why we scan each day each instance of each customer to avoid such practice!

Never forget: BUIFOS are everywhere!


Post by halfhope » Mon Dec 02, 2024 11:56 am

Hello!

If you are interested in site cleaning with a 1-year guarantee, you can read the description of this service here.

Upon completion, a detailed report with recommendations. + I will install a free module to track changes in files (FSMonitor).

Regards,
Talgat

My FREE extensions in marketplace. [ security | flexibility | speedup ]



Post by paulfeakins » Mon Dec 02, 2024 8:08 pm

OSWorX wrote:
Fri Nov 29, 2024 8:18 pm
@Lilwood: you are playing with the security of your shop visitors!
Better you hire a professional, or build the shop from the ground up new.
100% agree.
