OpenCart Community

Thanks very much this has done the trick.

I have also got this issue? I have not uploaded nor have I paid for Authorize.net to install on my opencart platform. There is no way of deleting through my admin section. I was worried my customers credit card details would be comprimised so I delted everything out of desperation that I could find with authorize.net on the server.......now I have major issues mainly the following in the payment area of the site:

Notice: Error: Could not load model payment/authorizenet_aim! in /home/justbinb/public_html/vqmod/vqcache/vq2-system_engine_loader.php on line 48

Is there anyone on here who knows what they are doing who could upload the files suggested above to help me out? I am not computer literate and willing to pay for the service...

Paul

come'on please....someone must be able to help me out here......struggling like f....

ok, then just tell us, what you have downloaded, on themes, and/or Mod's, and from where, so possibly, I will be able to tell you, where you got your unwanted Payment. It's part of certain THINGS, usually paid, but offered for free, on certain Sites. And some of them, downloading such paid/free Goodie's, have been hit, you may belong to them, as well. Who knows ??
Good Luck
Ernie

Thanks for reply Ernie.....

The last paid for extensions I purchased were:

Abandoned Cart Reminder Pro
and
PDF Invoice with AutoSend

Both purchased through the same opencart site.

Before these were installed, there was never an issue....

Does this help?

ok....

so I have managed to find all of the original files that contain the authorize.net in them from your list earlier Ernie and have uploaded them back to the server. The site is back up and ready to accept payments once again.

However,

The option to pay by debit/credit card (Authorize.net) is still showing in my Payment method. Uploading my original theme payment files for the catalog and admin has not cleared it. There is no option for Authorize in my Payment area in the admin area either?

Following your advice to another person earlier I could try and delete the files in the cache folders to Vqmod etc, however it didn't work for him and I am honestly a touch worried about being trigger happy with deleting files again!?

I am desperate to sort this out and protect clients information.

Any feedback gratefully received....

Paul

Fixed.....

I reinstalled the original iframe files through Paypal and the payment files again and then found the Authorize option had appeared in my payment area in the back end. I simply disabled it!

Genius, who has learnt a lot in a day.

good for you!
Ernie

Just an FYI...

On this thread

viewtopic.php?f=179&t=147282

It was shown he had changed a bunch of files. If you experience this, you're best bet is going to be to clear your server and re-install.

Hi - We were hacked today at 9am, the same type of hack for Authorize.net - OpenCart v2

The symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!

This happened to us previously in January, using Version 1.5.6 - we managed to clean it up quickly, thanks to the details in this post: viewtopic.php?f=179&t=147282 by 'tonybarnes'
(...it was actually simpler for us than the post suggests)

We are now using a completely new build on version 2.1.0.2... so none of the files are the same as before - yet the hack was identical.

What you need to know about this hack:

1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

We do not believe this hack requires the hacker is able to login... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done unzip a new local copy of your version of OpenCart... locate the the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files') . You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and meme types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - i would really appreciate anyone listing any 'offical' name for this hack as it seems to be happening often enough and in the same way, I imagine it has been identified by others too?

I want to point out that we've seen plenty of shared hosting sites hacked where you have Opencart and Wordpress installed under the same account and Wordpress is not updated to keep out the hackers. Opencart on its own is very secure but nothing is secure as soon as a hacker gains access to your hosting account.

If you're hosting with these two software on the same account, I would suggest spending a little bit of extra money and moving the wordpress sites away to a hosting account by themselves. I always say that Wordpress is like Microsoft. A huge target with a lot of opportunity to exploit it. You don't want to have your money making site crashed / hacked (Opencart).

I have been using opencart for 4 years and after upgrading to v2 I also fell victim to this hack. I am on a dedicated server and I don't have wordpress. Coincidentally I was hacked at the same time TofuMan too.

hi gents,

i have a client with this same issue but slightly more complex, whats happening is even though ive removed all the payment methods not used and followed the tips in this forum post, but we're only using paypal standard and Qphorias Ogone/Barclays extension, but when we re-enable the Barclays extension, as soon as the checkout page refreshes (after adding your address in journal one page checkout) the barclays payment extension is automatically disabled again from the back end.
We have cloned this site onto a development server and changed host files to point to this IP but strangely the Authorize.net option is not there, it only appears on the live URL but it still auto disables the barclays extension and i presume would try to re-enable its own fake authorize version!!

please help

Payment extensions are loaded from the "extension" table, so my guess is that the hacker is enabling Authorize.net, then deleting the back-end Authorize.net files so you can't access the admin panel. To disable the extension on the front-end, all you should need to do is delete the relevant Authorize.net code from the "extension" table, and it should then not appear as an option during checkout.

If that doesn't work, something more sophisticated is going on, and you probably need to restore your payment files as suggested by others. You should also work on getting your server secure, since something like this can keep happening until it is.

This has happened to my site 3 times now in the last 4 months. Has there been any updates on if this is vulnerability with Opencart 2.3.0.2?

croggero wrote: ↑

Fri Aug 11, 2017 4:57 am

This has happened to my site 3 times now in the last 4 months. Has there been any updates on if this is vulnerability with Opencart 2.3.0.2?

It's not a 2.3.0.2 vulnerability.