Site hacked- fake payment method added

Hello- I just got a call from an angry customer who said their credit card info was stolen. Long story short- I am finding another payment method on my store simply called "Credit Card" but I can't figure out what file it is in to eliminate it. I don't find it in the admin stuff so I'm guessing it is in one of my payment pages but not sure where. Please any help appreciated. Thanks!

-Jeff

Are you saying in the Extension->Payments list.. there are no other payment modules enabled but you still see a credit card option during checkout?

Thanks for the reply Q- Actually, I was mistaken. I have the addition of a fake "Authorize.net" payment option and with a little research I've found out it is a hacker that is using it to collect credit card numbers. I've replace a bunch of files but can't figure out where so disable this Authorize.net option on my payments. It does NOT showup in admin->payments. Help!

Can anyone help me with finding the source of a payment type in the checkout page? I have a fake "Authorize.net credit card" choice that I can't find where to kill. I'm using 1.5.6

Sure, it does not show up, they never do!
I recall such incidents, a few months ago, there where some topics on this.
Unfortunately, you probably have only one way to go, by removing the source completely,
in FULL, by deleting the Shop Sub, on the Server, and afterwards re-install a guaranteed still 'virgin'
Backup Copy. And make sure, you have NOTHING in your DB, eventually repeating the whole thing again.
It's a Virus ok, so, just act accordingly.
Good Luck !
Ernie

PS. For others: Such 'Content' would likely be placed also with/in highly popular Paid Themes, such as Journal, and others, as well, and is usually coded in unreadable Base64 Format. And possibly downloaded, by plain accident, from some shady Freeware-Servers. For them, it's a just free way to sell Themes! Buy Now, we get paid LATER !

There should be a controller and model file for the extension if it's coded in a standard way, and removing those should remove the extension. Those would be in these locations:

/catalog/controller/payment/
/catalog/model/payment/

The standard Authorize.net files are authorizenet_aim.php and authorizenet_sim.php, so it should be named something differently. If those are the only ones you should open them up and see if there is hard-coded information in there (to send it to the hacker's account).

this one is a complicated hack, affecting shop, admin and database.
investigated and cleaned out a friend his site some time ago,

Thanks all. I got it back up after replacing the mentioned payment files with "clean" files. Wish I could figure out how the little shitbird got to my stuff. I've changed all my ftp passwords as well as the main user password.

Glad to hear it. Don't forget to change your cPanel or web hosting password, as well. If they have that one, they could create an FTP account for their use.

For anyone reading this who has this problem... please note the following:

1. VERY IMPORTANT: The login page has probably been hacked!
The login page code has been edited so that if you try and change the passwords, when you login again the Hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that by-passes this function completely so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files then changing your password (ideally through PhpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

4. You do not need to replace ALL your files to fix this... that is a last resort!

We do not believe this hack requires the hacker is able to login... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before as we are in V2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

/admin/controller/extension/payment.php
/admin/controller/common/login.php
/catalog/controller/payment/authorizenet_aim.php

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done unzip a new local copy of your version of OpenCart... locate the the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files') . You will then be able to quickly upload if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and meme types in the Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - i would really appreciate anyone listing any 'official' name for this hack as it seems to be happening often enough and in the same way, I imagine it has been identified by others too?

Related posts:
viewtopic.php?f=179&t=147282
http://forum.opencart.com/viewtopic.php?f=20&t=144753

Thank you so much Tofuman! Your details are GREATLY appreciated. I thought I was the only one that this asshat had done this to.

You CANNOT enable/disable Authorize.net via OpenCart admin.

But one could fully remove all those payment (and/or shipping) related files, one does not use,
from all the template/ model/ controller/ language/ - sections, in the Admin and Root Section.
Then, at least, one can be sure, that, if something like this shows up, that it has nothing to do
with the OC Shop Source and/or Settings themselfs.
Just to mention this!
Ernie

BTW. There is another interesting Topic on this here:
http://forum.opencart.com/viewtopic.php?f=179&t=147282

There is this thread as well: http://forum.opencart.com/viewtopic.php?f=20&t=144753

If you're using shared hosting and trying to save money by having one account for multiple domains, I'd suggest not doing that. More than likely the hacker got in through one of your other sites and once they are in, they have access to everything on your hosting account.

Thanks to Tofuman for the instructions. Had the same hack on my site. Replaced all altered files, and changed all passwords. This resolved the issue, but got hacked again within a week. Second time they added a Paypal link to the cart instead of the Authorizenet link. No idea how they are gaining access, and hosting company (Nativespace) have been no help so far.

Hello,
We too are seeing lots of payment gateway hacks in Opencart in which the Opencart Admin password and other info are compromised. In some cases, even the default payment method is changed and a new payment channel is added like a phishing form that collects credit card details and other confidential info of customers.
Recently, our engineers also discovered that hackers have planted a backdoor in Opencart. Generally, in e-commerce stores, the site allows free account creation. The attackers modified the code in such a way that by entering a particular phone no a file 'info.php' gets created which gives the hacker an option yo upload a file.
Researchers at Astra have uncovered the step by step process.
Step1: The attackers used free signups to create multiple new users. Multiple accounts meant minimum detection possibility.
Step2: Then, the attackers entered a particular Phone No. in the input field. The attackers have obfuscated real Phone No. by encrypting in md5 format. The encrypted string is66b6d63b9634e1159e53e29858de2c2d. This No. acts as a master key to upload backdoors.
Step3: As soon the phone no is added, a file with a nameinfo.php is created. So the final URL looks something like thisexample.com/info.php.
Step4: When the fileinfo.php is accessed by the attackers, it gives them the ability to upload files.
Step5: This upload option allows attackers to upload infected PHP files. These files open a reverse TCP, ICMP etc connection to the attackers. When the files are uploaded in the root directory the results could be more disastrous!

We recommend you to have a regular code audit of your website to protect it from such attacks.

Have you ever seen how the attackers get access in the first place? Has it ever been anything other the weak or compromised admin or FTP passwords?

Also try installing Crawlprotect. I use it on all my sites. It's not a perfect solution but does block hack attempts and SQL injections and records useful IP data.

ASTRA is hijacking an old thread and pointing to outdated sources which are all fixed a long time ago!
They post only to advertise an unneccessary service!
If they can show me one hacked shop with the current version (with no modifications!), I will be the first who book them.

Have you ever seen how the attackers get access in the first place?

Well, as long as even some Super-Smarties around here propagated CHMOD 775/777
to be a valid Numbers for OC files, it's no wonder, that some get hurt ...

Ernie
PS. A very old one ...
http://www.opencart.org/opencart/cgi-bin/

OSWorX wrote: ↑

Thu Dec 20, 2018 12:19 am

ASTRA is hijacking an old thread and pointing to outdated sources which are all fixed a long time ago!
They post only to advertise an unneccessary service!
If they can show me one hacked shop with the current version (with no modifications!), I will be the first who book them.

Hi OSworX

Just for interest sake, what current version are you refering too?

Regards
Rich3ard