Post by desertdogdecals » Wed May 18, 2016 12:33 am

Hello- I just got a call from an angry customer who said their credit card info was stolen. Long story short- I am finding another payment method on my store simply called "Credit Card" but I can't figure out what file it is in to eliminate it. I don't find it in the admin stuff so I'm guessing it is in one of my payment pages but not sure where. Please any help appreciated. Thanks!

-Jeff

http://www.desertdogdecals.com




Post by Qphoria » Wed May 18, 2016 1:06 am

Are you saying in the Extension->Payments list.. there are no other payment modules enabled but you still see a credit card option during checkout?


Post by desertdogdecals » Wed May 18, 2016 5:58 am

Thanks for the reply Q- Actually, I was mistaken. I have the addition of a fake "Authorize.net" payment option and with a little research I've found out it is a hacker that is using it to collect credit card numbers. I've replaced a bunch of files but can't figure out where to disable this Authorize.net option on my payments. It does NOT show up in admin->payments. Help!



Post by desertdogdecals » Wed May 18, 2016 6:26 am

Can anyone help me with finding the source of a payment type in the checkout page? I have a fake "Authorize.net credit card" choice that I can't find where to kill. I'm using 1.5.6



Post by IP_CAM » Wed May 18, 2016 8:53 am

Sure, it does not show up, they never do! :D
I recall such incidents, a few months ago, there were some topics on this.
Unfortunately, you probably have only one way to go, by removing the source completely,
in FULL, by deleting the Shop Sub, on the Server, and afterwards re-install a guaranteed still 'virgin'
Backup Copy. And make sure, you have NOTHING in your DB, eventually repeating the whole thing again.
It's a Virus ok, so, just act accordingly.
Good Luck !
Ernie

PS. For others: Such 'Content' would likely be placed also with/in highly popular Paid Themes, such as Journal, and others, as well, and is usually coded in unreadable Base64 Format. And possibly downloaded, by plain accident, from some shady Freeware-Servers. For them, it's just a free way to sell Themes! Buy Now, we get paid LATER ! ;D

I'm rarely active at the OC Forum lately. To reach me, contact: jti@jacob.ch
A Demoversion of my free OpenCart LIGHT v.1.5.6.5 Software Edition
can be seen in real Action here: http://www.jti.li/shop/
---
1'300+ FREE OC Extension-Repositories - from OC v.1.5.x up,
on the world's largest OC-related Github Site: https://github.com/IP-CAM
---

Post by Johnathan » Wed May 18, 2016 10:11 pm

There should be a controller and model file for the extension if it's coded in a standard way, and removing those should remove the extension. Those would be in these locations:

/catalog/controller/payment/
/catalog/model/payment/

The standard Authorize.net files are authorizenet_aim.php and authorizenet_sim.php, so it should be named something differently. If those are the only ones you should open them up and see if there is hard-coded information in there (to send it to the hacker's account).



Post by victorj » Thu May 19, 2016 5:39 am

This one is a complicated hack, affecting shop, admin and database.
Investigated and cleaned out a friend's site some time ago,

Refrigeration door gaskets, easily ordered online and made to measure.
All parts that do not require STEK certification, such as hinges, locks, frame heating and lighting, for all types of coolers and freezers.
https://koelcel-onderdelen.com

Refrigeration door gaskets, easily ordered online and made to measure.
In-house production and fast delivery.
https://123-deurrubbers.com



Post by desertdogdecals » Thu May 19, 2016 11:31 am

Thanks all. I got it back up after replacing the mentioned payment files with "clean" files. Wish I could figure out how the little shitbird got to my stuff. I've changed all my ftp passwords as well as the main user password.



Post by Johnathan » Thu May 19, 2016 11:55 pm

Glad to hear it. Don't forget to change your cPanel or web hosting password, as well. If they have that one, they could create an FTP account for their use.



Post by TofuMan » Fri Jun 03, 2016 11:02 pm

For anyone reading this who has this problem... please note the following:

1. VERY IMPORTANT: The login page has probably been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

4. You do not need to replace ALL your files to fix this... that is a last resort!

We do not believe this hack requires that the hacker is able to log in... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done, unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and MIME types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack as it seems to be happening often enough and in the same way, I imagine it has been identified by others too?

Related posts:
viewtopic.php?f=179&t=147282
http://forum.opencart.com/viewtopic.php?f=20&t=144753
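The "find the changed files" step described in the posts above, as an added example that is not part of the original thread and not OpenCart code. It goes one step further than comparing dates and sizes: it hashes a downloaded copy of the shop against a fresh unzip of the same OpenCart version, because a modification time can be reset by anyone able to write the file. The function names, the sample trees and `cc_extra.php` are assumptions made up for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def index_tree(root):
    """Map every file path (relative to root, '/'-separated) to its SHA-256."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            index[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return index

def compare_to_clean(live_root, clean_root):
    """Diff a copy of the live shop against a fresh unzip of the same version."""
    live, clean = index_tree(live_root), index_tree(clean_root)
    return {
        # Same path, different content: caught even if size and date match.
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        # PHP not shipped in the release: config.php and installed extensions
        # are expected here; anything else needs a manual look.
        "added_php": sorted(p for p in live if p not in clean and p.endswith(".php")),
        "missing": sorted(p for p in clean if p not in live),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees; file contents and cc_extra.php are made up."""
    stock = ("admin/controller/common/login.php",
             "admin/controller/extension/payment.php",
             "catalog/controller/payment/authorizenet_aim.php")
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = os.path.join(tmp, "live"), os.path.join(tmp, "clean")
        for rel in stock:
            _write(clean, rel, b"<?php // stock " + rel.encode())
            _write(live, rel, b"<?php // stock " + rel.encode())
        _write(live, stock[0], b"<?php // altered copy")
        _write(live, "catalog/controller/payment/cc_extra.php", b"<?php // unknown")
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    print(demo())
```

Run `compare_to_clean` on the FTP backup of the site rather than on the server itself, and treat every path under `modified` as a file to replace from the clean copy.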


Post by desertdogdecals » Fri Jun 03, 2016 11:12 pm

Thank you so much Tofuman! Your details are GREATLY appreciated. I thought I was the only one that this asshat had done this to.



Post by IP_CAM » Fri Jun 03, 2016 11:14 pm

You CANNOT enable/disable Authorize.net via OpenCart admin.
But one could fully remove all those payment (and/or shipping) related files, one does not use,
from all the template/ model/ controller/ language/ - sections, in the Admin and Root Section.
Then, at least, one can be sure, that, if something like this shows up, that it has nothing to do
with the OC Shop Source and/or Settings themselves.
Just to mention this!
Ernie

BTW. There is another interesting Topic on this here:
http://forum.opencart.com/viewtopic.php?f=179&t=147282


Post by EvolveWebHosting » Sat Jun 04, 2016 3:01 am

There is this thread as well: http://forum.opencart.com/viewtopic.php?f=20&t=144753

If you're using shared hosting and trying to save money by having one account for multiple domains, I'd suggest not doing that. More than likely the hacker got in through one of your other sites and once they are in, they have access to everything on your hosting account.

https://www.evolvewebhost.com
$10.49 .com Registration and $9.99 .com Transfers in now
Guaranteed top level opencart performance and support. Risk free 30 day money back guarantee & free transfers.

Post by Narcolepzzzzzz » Tue Jul 12, 2016 7:27 pm

Thanks to Tofuman for the instructions. Had the same hack on my site. Replaced all altered files, and changed all passwords. This resolved the issue, but got hacked again within a week. Second time they added a Paypal link to the cart instead of the Authorizenet link. No idea how they are gaining access, and hosting company (Nativespace) have been no help so far.



Post by ASTRA Security Suite » Tue Dec 18, 2018 7:23 pm

Hello,
We too are seeing lots of payment gateway hacks in Opencart in which the Opencart Admin password and other info are compromised. In some cases, even the default payment method is changed and a new payment channel is added like a phishing form that collects credit card details and other confidential info of customers.
Recently, our engineers also discovered that hackers have planted a backdoor in Opencart. Generally, in e-commerce stores, the site allows free account creation. The attackers modified the code in such a way that by entering a particular phone no. a file 'info.php' gets created which gives the hacker an option to upload a file.
Researchers at Astra have uncovered the step by step process.
Step 1: The attackers used free signups to create multiple new users. Multiple accounts meant minimum detection possibility.
Step 2: Then, the attackers entered a particular Phone No. in the input field. The attackers have obfuscated real Phone No. by encrypting in md5 format. The encrypted string is 66b6d63b9634e1159e53e29858de2c2d. This No. acts as a master key to upload backdoors.
Step 3: As soon as the phone no. is added, a file with the name info.php is created. So the final URL looks something like this: example.com/info.php.
Step 4: When the file info.php is accessed by the attackers, it gives them the ability to upload files.
Step 5: This upload option allows attackers to upload infected PHP files. These files open a reverse TCP, ICMP etc. connection to the attackers. When the files are uploaded in the root directory the results could be more disastrous!

We recommend you to have a regular code audit of your website to protect it from such attacks.


Post by ADD Creative » Tue Dec 18, 2018 9:12 pm

Have you ever seen how the attackers get access in the first place? Has it ever been anything other than weak or compromised admin or FTP passwords?

www.add-creative.co.uk



Post by johnp » Wed Dec 19, 2018 11:49 pm

Also try installing Crawlprotect. I use it on all my sites. It's not a perfect solution but does block hack attempts and SQL injections and records useful IP data.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD 2.6.1 lover, user and geek.
Fast Service for Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
https://www.asandwhenbusinessservices.co.uk



Post by OSWorX » Thu Dec 20, 2018 12:19 am

ASTRA is hijacking an old thread and pointing to outdated sources which were all fixed a long time ago!
They post only to advertise an unnecessary service!
If they can show me one hacked shop with the current version (with no modifications!), I will be the first who books them.

Custom Development | Individuelle Entwicklung | Support & Bugfixes


Post by IP_CAM » Thu Dec 20, 2018 3:54 am

Have you ever seen how the attackers get access in the first place?
Well, as long as even some Super-Smarties around here propagated CHMOD 775/777
to be valid Numbers for OC files, it's no wonder, that some get hurt ...

Ernie
PS. A very old one ...
http://www.opencart.org/opencart/cgi-bin/

Post by rich3art » Sat Apr 06, 2019 2:53 am

OSWorX wrote:
Thu Dec 20, 2018 12:19 am
ASTRA is hijacking an old thread and pointing to outdated sources which were all fixed a long time ago!
They post only to advertise an unnecessary service!
If they can show me one hacked shop with the current version (with no modifications!), I will be the first who books them.

Hi OSworX

Just for interest sake, what current version are you referring to?

Regards
Rich3ard
