my paypal email address in commerce 2.2 wad hacked!

[Guest]

Help!

I got a trouble, we have a online store, use Oscommerce V2.2, we accpte paypal payment,yesterday, we found someone changed the paypal email adress in the system(PayPal Website Payments Standard) to a hacked email address .And $457.5 was sent to the Hacker' account. We reported the case to paypal. changed back paypal email address in oscomerce system and login passward ,but we found just now the paypal email address was hacked again ! Please help me! Any one know how to stop it! thank you in advance!

[Mark Evans]

When you say changed the login password do you mean the login to osCommerce or the login to paypal?

 

If you changed the password to login to paypal and it was hacked again then I would suspect your computer has a virus which is allowing the hacker to see the password you are using.

 

There is no need for osCommerce to know what your paypal password is so this isn't an osCommerce problem IMO

[D3MO]

When you say changed the login password do you mean the login to osCommerce or the login to paypal?

 

If you changed the password to login to paypal and it was hacked again then I would suspect your computer has a virus which is allowing the hacker to see the password you are using.

 

There is no need for osCommerce to know what your paypal password is so this isn't an osCommerce problem IMO

 

 

i have the same issue problem is not with passwords changing problem is that somehow hackers inject and change paypal emails in oscommerce database imagine you enable paypal module and entered you paypal email like [email protected] and you acepting all payments trough paypal, and these hackers changes our paypal email to accept payments and enters thier email instead of ours.

it is oscommerce bug somwhere left as it is happening also with other payment modules so it is something related not just only to paypal module.

[D3MO]

Help!

I got a trouble, we have a online store, use Oscommerce V2.2, we accpte paypal payment,yesterday, we found someone changed the paypal email adress in the system(PayPal Website Payments Standard) to a hacked email address .And $457.5 was sent to the Hacker' account. We reported the case to paypal. changed back paypal email address in oscomerce system and login passward ,but we found just now the paypal email address was hacked again ! Please help me! Any one know how to stop it! thank you in advance!

 

 

here is quick solution i made to myself as i got tired of this injections myself:)

 

 

IN includes/modules/payment/paypal.php find:

 

 

tep_draw_hidden_field('business', MODULE_PAYMENT_PAYPAL_ID) .

 

 

replace with:

 

tep_draw_hidden_field('business', 'your_paypal_email') .

 

you simply hardcode real paypal email and no matter if hacker injects the other email , your buyers will pay to you as it will be hardcoded email addres and not taken from database

[Mark Evans]

Ah okay, I misunderstood what the original post was saying.

 

The easy fix is to put a .htaccess password on your admin folder that will kill the issue dead.

 

The other fix is to look at securing your admin as per a popular thread in these forums.

[D3MO]

Ah okay, I misunderstood what the original post was saying.

 

The easy fix is to put a .htaccess password on your admin folder that will kill the issue dead.

 

The other fix is to look at securing your admin as per a popular thread in these forums.

 

 

you dont understand, they dont have acces to admin section as the email of payment gateways is changed not trough admin panel , but somehow looking like sql injection or something as i am changine password every day. so dont it is not related with stolen usernames or passwords the hacker can use.

 

PS: oscommerce also has checkout bug, when you go to http://www.yourdomain.com/checkout_confirmation.php and later simply write in address bar the address:

 

http://www.mods4u.com/checkout_process.php

 

 

the order confirms as paid. so if you have enabled digital downloads hackers can easily download all your stuff that you are selling.

[Mark Evans]

you dont understand, they dont have acces to admin section as the email of payment gateways is changed not trough admin panel , but somehow looking like sql injection or something as i am changine password every day. so dont it is not related with stolen usernames or passwords the hacker can use.

 

Since the only way to update the email address is via the admin control panel then I don't see how the email address can be changed anywhere else. SQL injection would also change it for the admin panel so would love to know how your so sure its not using that attack vector. If your admin isn't secured then even changing the password every day won't help as the login can be bypassed, hence using a .htaccess password protection fixes that.

[D3MO]

Since the only way to update the email address is via the admin control panel then I don't see how the email address can be changed anywhere else. SQL injection would also change it for the admin panel so would love to know how your so sure its not using that attack vector. If your admin isn't secured then even changing the password every day won't help as the login can be bypassed, hence using a .htaccess password protection fixes that.

 

 

ok i added .htaccess password protection and will test.

[Guest]

good news!

Problem was solved. :)

thank you very much----all of you! :)

It is very helpful!

Another good news, my customer took back the moeny after reported it to Paypal. :)

[Guest]

To: D3MO

I think you need to make a change to your login website: http://www.mods4u.com./login.php?

It is very easy to be hacked.

You can refer mine, www.ddoffer.com . www.ddoffer.com/admin--

I hiddened the login website, do not use admin/login.php, not safe

[Guest]

To: Mark

:)

G'DAY!

Thank you very much for your time and help!

You are really a great person!

[Jack_mcs]

Since the only way to update the email address is via the admin control panel then I don't see how the email address can be changed anywhere else. SQL injection would also change it for the admin panel so would love to know how your so sure its not using that attack vector. If your admin isn't secured then even changing the password every day won't help as the login can be bypassed, hence using a .htaccess password protection fixes that.

I was contacted by a couple of my clients with this same problem just today. The first thing I did was check their admin, the version of paypal and whether the paypal address had been changed in admin. I talked to Paypal today about it and they said it is happening quite often. The person I spoke with said the biggest number of problems they've seen is with Zen Cart but they are starting to see them with oscommerce too. He said paypal thinks the problem is with the carts, of course. I asked him to check paypals logs to see if the second email is coming in with order or not and he said it was, which would mean the problem is in the shop or the hacker is intercepting it somehow. Both of these sites are using Paypal Standard by Harold. Everyone needs to be watchful of this.

[acounamatataa]

I have the same problem at the same period : the admin acompte was changed to ones of the hacker and all order were sent to his paypal acompte.

also There are a big number of spam which are sending from our web site mail adress' to all of the custumer in which the hacker request their paypal ID number.

 

I think that is a vulnerability in oscommerce paypal module , which allow sql injection to obtain administrator access to the site. Does anyone have a solution or an update for oscommerce!

 

Thanks to all.