Help! Site hacked, unable to remove fraudulent payme
Posted: Thu May 14, 2015 3:47 am
by YarniaPDX
Help! I believe my site has been hacked, and I am unable to remove the fraudulent payment method they installed.
The ONLY payment option that should display at checkout should be PayPal. Currently, there is also an option showing for Authorize.net which I did NOT install.
(My site is onlineshop.yarniapdx.com)
Bizarrely, when I go to payment modules, PayPal is the only module installed and enabled, so I don't know how or where this other payment module is happening.
Where and how can I manually edit the code to remove this fraudulent payment option??!
Thank you,
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Thu May 14, 2015 4:16 am
by IP_CAM
On your Server, as Site Admin, you have the possibility to delete every file.
You may first need to 'chmode' the whole sub, where the files are placed,
related to the function, to CHMODE '775' or '777', to be able to delete it.
Good Luck
Ernie
bigmax.ch/os/
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Thu May 14, 2015 5:35 am
by YarniaPDX
Could you elaborate a little more on what that means, or how to do it? I'm not sure what 'chmode' means, or what it means to 'chmode' the whole sub (or even where the files are placed). I was hoping someone might know where the file resides that pulls up this payment option within the checkout process, so that I could edit it directly, and just delete that payment option.
Is that possible?
Thanks,
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Thu May 14, 2015 8:19 pm
by IP_CAM
Authorize.net is not installed, it just displays as payment option, due to some activated routine, displaying the payment option. So, don't worry, just remove it from the payment options in the admin section correctly.
admin/index.php?route=extension/payment
It's not a Hack, anyway!
Ernie
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Fri May 15, 2015 3:30 am
by YarniaPDX
Whew, that's a relief, thanks. Can you please help direct me to where I can remove it from payment options? It is not installed, nor is it enabled, in the regular back office-->Extensions-->Payments section. What is the code you cited above? Is that a line of code that I can delete to make this payment option go away? If so, what directory/file would I find that line of code in?
Thank you!
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Sat May 16, 2015 3:33 am
by IP_CAM
Make sure again, you have really DISABLED the Function! If it still exists, the easiest way would be, to kill 'em, all files related! I do it, usually, with never ever used 'things', especially with all those never used Payment and Shipping Options!
But, if it still exists, after, then, you should check your Mod's, calling the outside, if Pages are called..., you then really would have a problem, somewhere. But, honestly, I don't think so, after checking your Checkout source a little.
This File Listing, shown, is OpenCart v.1.5.6.4, just to make sure!
Good Luck!
Ernie
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Sat May 16, 2015 7:14 am
by YarniaPDX
Damn, now I'm really stuck
I deleted all of the authorize.net files you listed above, and now I get the following error message when I try to check out as a test:
Notice: Error: Could not load model payment/authorizenet_aim! in /home4/lindsey/public_html/onlineshop/vqmod/vqcache/vq2-system_engine_loader.php on line 51
Does that mean I have a VQmod installed that is calling this function? I don't see any XML files that look like they relate to Authorize.net, nor have any of the XML files been installed or modified recently.
I feel really stuck -- now nobody is able to check out via any method at all, and I have no idea how to make this error message go away. Please help!!
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Sat May 16, 2015 8:24 am
by IP_CAM
Just delete all cached files in system/cache/ and vqmod/vqcache/
and check again.
Ernie
Re: Helps! Site hacked, unable to remove fraudulent payment
Posted: Wed May 20, 2015 2:16 pm
by YarniaPDX
Well, that unfortunately didn't work but I was able to find a recently backed up version of all my files (I try to back up the entire site about 1x/month or so), and after replacing the /admin and /catalog folders with the older versions, I was able to get the Authorize.net extension to appear in the payment extensions page, and uninstalled it from there. Whew!
Re: [SOLVED]Help! Site hacked, unable to remove fraudulent p
Posted: Tue May 26, 2015 4:26 pm
by CommanderKeen
This has happened to one of my clients as well.
The source of the updated "authorizenet_aim.php" sends any information received to a disposable email address at yopmail.
Re: [SOLVED]Help! Site hacked, unable to remove fraudulent p
Posted: Tue May 26, 2015 10:50 pm
by YarniaPDX
Does that mean they are able to surreptitiously collect credit card information from my customers, if they happen to enter their CC info into these fields before I am able to catch that this module has been installed? (This is the second time this has happened to me and I don't know how to catch this, without a customer informing me about it while trying to place an order.)
What measures can I take to ensure this won't happen again?
Re: [SOLVED]Help! Site hacked, unable to remove fraudulent p
Posted: Wed May 27, 2015 5:40 am
by victorj
First of all, clean the entire hosting and make sure, before you undelete any file, it's switched off in admin or its entry removed from the database.
Next, make sure your hosting is secure, so change the password to the hosting panel and make sure it's a strong password; change the password for FTP, same rule.
Change email passwords, basically anything with a password.
If anything like this happens again, your host might be compromised, they ever will admit so; in that case change hosting.
Re: [SOLVED]Help! Site hacked, unable to remove fraudulent p
Posted: Wed May 27, 2015 3:25 pm
by CommanderKeen
Best thing to do as above says is clear hosting and install the latest version of Opencart.
Re: [SOLVED]Help! Site hacked, unable to remove fraudulent p
Posted: Thu May 28, 2015 6:43 am
by Dhaupin
If you or your host has SSH you can use locate/find in addition to grep and search for various "Authorize.net" strings. Or you can download the entire public_html directory via FTP then use the "Fileseek" winders app to locate the string.
In both cases, it will return a lot of "official" script, but it should also show you where the malware is. This is assuming they didn't encode it, in which case a base64 scanner such as
https://github.com/mikestowe/Malicious- ... canner.php might help.
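As an added example (not code from this thread, from Dhaupin, or from OpenCart), here is the search Dhaupin describes, scripted so it can be run over a copy of the site pulled down via SSH or FTP. It walks every PHP file and reports three things: files that mention Authorize.net at all (this will include the legitimate module files, as Dhaupin warns), files that call mail() and also contain a yopmail address (the exfiltration CommanderKeen found), and files that feed base64_decode() into eval(), the usual shape of an encoded payload. The directory layout and the three sample files are constructed for the demonstration; the "yopmail" and "authorizenet" strings are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenCart.
# Scans a local copy of a site tree for the indicators discussed above.
# The tree layout and the sample files are constructed for this demonstration.

# scan_tree DIR : prints "reason<TAB>file" for every PHP file that matches a rule.
scan_tree() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        # Rule 1: the payment method the admin never installed is named in the file.
        if grep -qiE 'authorize\.net|authorizenet' "$f"; then
            printf 'authorizenet-string\t%s\n' "$f"
        fi
        # Rule 2: mail() in the same file as a disposable-mail domain.
        if grep -q 'mail(' "$f" && grep -qi 'yopmail' "$f"; then
            printf 'mail-to-disposable-domain\t%s\n' "$f"
        fi
        # Rule 3: eval over base64_decode, the usual shape of an encoded payload.
        if grep -qE 'eval\(.*base64_decode' "$f"; then
            printf 'eval-base64\t%s\n' "$f"
        fi
    done
}

# make_sample ROOT : builds a constructed tree with one clean file, one marker
# for a tampered payment model, and one file carrying an encoded-payload marker.
make_sample() {
    mkdir -p "$1/catalog/model/payment" "$1/catalog/controller/checkout"
    cat > "$1/catalog/controller/checkout/payment_method.php" <<'EOF'
<?php
// constructed clean file: nothing to report
class ControllerCheckoutPaymentMethod extends Controller {}
EOF
    cat > "$1/catalog/model/payment/authorizenet_aim.php" <<'EOF'
<?php
// constructed marker for the tampered model: names the method and calls mail()
class ModelPaymentAuthorizeNetAim extends Model {
    public function getMethod($address) {
        mail('placeholder@yopmail.com', 'constructed', 'constructed');
    }
}
EOF
    cat > "$1/catalog/model/payment/cod.php" <<'EOF'
<?php
// constructed marker for an encoded payload; the string decodes to "constructed"
eval(base64_decode('Y29uc3RydWN0ZWQ='));
EOF
}

# Demo run against the constructed tree; on a real copy, call scan_tree on its root.
demo_root=$(mktemp -d)
make_sample "$demo_root"
scan_tree "$demo_root"
rm -rf "$demo_root"
```

Expect the legitimate authorizenet_aim.php files to show up under rule 1 as well; rules 2 and 3 are the ones that separate a tampered file from a stock one, and any file they flag should be diffed against the same file from a clean download.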
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Thu Jul 16, 2015 7:44 am
by YarniaPDX
Okay, this problem has happened again, and even though the Authorize.net payment module doesn't even exist in my payment options in the back office, it is showing up as an option for my customers to select, and I suspect their credit card information is going to a malicious site/email address/etc.
In the meantime while I try to figure out how to fix this, can anyone please tell me what file I need to edit in order to edit the text shown in this screenshot, that says "Please select the preferred payment method..."?
I need to amend it to let customers know to ONLY use the PayPal option.
Thanks,
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Thu Jul 30, 2015 6:29 pm
by BobDH
Are you still having this problem?
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Fri Aug 28, 2015 3:49 am
by scottmac2255
I am having the same problems now, I have found the PHP element containing the forward email and deleted, but I would like to remove the option from the checkout process but cannot find where to delete it from, can anyone please help!!
Thanks.
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Fri Aug 28, 2015 6:49 am
by BobDH
I had a similar problem the other week. It corrupts the payment files, and the best way I found to resolve it was to reload just the payment files from the original source download file; this then should give you the ability to administer Authorize in your Extensions > Payment area and disable it completely.
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Fri Aug 28, 2015 7:58 pm
by scottmac2255
Thanks BobDH.
Can I ask what files specifically you re-uploaded?
Thanks
Re: Help! Site hacked, unable to remove fraudulent payme
Posted: Tue Sep 01, 2015 6:13 am
by BobDH
Just the 'payment files' in catalog and admin.