Medworks Posted September 29, 2010 Posted September 29, 2010 Thursday Sept. 16 my website www.medexamtools.com was hacked and little by little I have been trying to restore it, but I think there is at least one big problem. I haven't gotten a single credit card order since then. For a while I thought it was simply that google had thrown me out of their search results, but early Sunday morning someone called to try to place an order by phone since he could not submit a credit card order, and he confirmed that actually Medworks was number 1 in the search results for what he searched for. Apparently (and this is using the authorize.net AIM module), he would put in his card information and click the confirm order button, but the page would just refresh and everything he typed in would be gone. Well I figured that after I removed a certain line of malicious code from all my php files, that some of them had been changed in some other way as well and corrupted. I could not find where my backup from 2 months ago was, somehow it disappeared, so I found the official oscommerce credit card module for the autorize.net AIM, and I replaced the files I had with the official release - the languages/english file and the one that is just in modules/payment - and that was Sunday, and here it is, Wednesday, and still there have been no credit card orders, and THREE people have registered accounts with Medworks since the call on Sunday, but no new orders have come in. While it is possible that all three of them registered as customers but didn't actually place orders, I find it more likely and even if not considerably more likely a very strong possibility, that the problem persists. I just get error messages when I try setting the module's parameters to "test", and I don't actually want to place an order with myself - but does anyone know what besides the authorize.net AIM modules themselves being corrupted could cause that problem, where it just refreshes the page when they click confirm order when they try to pay by credit card. One person actually paid by check since that was the only method that was functional (so it submits the order successfully if they select check/money order, just not credit card).
Guest Posted September 29, 2010 Posted September 29, 2010 Sandor, You should read the Security Thread. Your site is not secure and open to hackers. I would check that out and secure it before doing any other work on it. Chris
Medworks Posted September 29, 2010 Author Posted September 29, 2010 Sandor, You should read the Security Thread. Your site is not secure and open to hackers. I would check that out and secure it before doing any other work on it. Chris Ok, I have deleted admin/file_manager.php and admin/define_language.php and removed the following: '<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' . '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' . from oscommerce1/admin/includes/boxes and installed FWR security pro. Medworks's website is possibly harder to destroy now. So then, now that distraction is out of the way, now it's time to answer my question. What's wrong with the credit card module?
Medworks Posted October 2, 2010 Author Posted October 2, 2010 Here is a DETAILED description of what happens. On the FINAL page of checkout using the Authorize.net CC AIM module, when you hit submit, it goes back to the "payment information" page where it asks to select between credit card and check/money order again, and right under payment information, it says "There has been an error processing your credit card" in bold, and then below that highlighted in a pink box it says "Please try again and if problems persist, please try another payment method." I modified the .php code to show me the error produced by authorize.net after looking through the forums and finding this is one of many possible problems. The error was "credit card number is required". In other words, when the credit card number is entered into the credit card field, the data stored in the variable for that field is not being submitted to authorize.net. And possibly the data in all the other fields if all that data is in the same class, it could be just that if the name, cvv2, expiration date, billing address and credit card number are null, then the error is the first thing it sees to be missing. For some reason, the data entered into the program is not being submitted to authorize.net. But I do not know how to check the variable names in the authorize.net module because I don't know where what I want to check them against is. For instance, in the code I see in the function "confirmation": $expires_month[] = array('id' => sprintf('%02d', $i), 'text' => strftime('%B',mktime(0,0,0,$i,1,2000))); } $today = getdate(); for ($i=$today['year']; $i < $today['year']+10; $i++) { $expires_year[] = array('id' => strftime('%y',mktime(0,0,0,1,1,$i)), 'text' => strftime('%Y',mktime(0,0,0,1,1,$i))); } $confirmation = array('fields' => array(array('title' => MODULE_PAYMENT_AUTHORIZENET_CC_AIM_CREDIT_CARD_OWNER, 'field' => tep_draw_input_field('cc_owner', $order->billing['firstname'] . ' ' . $order->billing['lastname'])), array('title' => MODULE_PAYMENT_AUTHORIZENET_CC_AIM_CREDIT_CARD_NUMBER, 'field' => tep_draw_input_field('cc_number_nh-dns')), array('title' => MODULE_PAYMENT_AUTHORIZENET_CC_AIM_CREDIT_CARD_EXPIRES, 'field' => tep_draw_pull_down_menu('cc_expires_month', $expires_month) . ' ' . tep_draw_pull_down_menu('cc_expires_year', $expires_year)), array('title' => MODULE_PAYMENT_AUTHORIZENET_CC_AIM_CREDIT_CARD_CVC, 'field' => tep_draw_input_field('cc_cvc_nh-dns', '', 'size="5" maxlength="4"')))); Now this looks weird to me. Is "cc_number_nh-dns" the variable name for the credit card number in the field? I don't know. It looks suspicious to me, like maybe it should just be cc_number or something. But I don't know what it is referring to.
New 
Recommended Posts
Archived
This topic is now archived and is closed to further replies.