Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

AuthorizeNet Merchant Account is hacked. AuthorizeNet SIM payment form, login ID is visible in source code

minipassat

By minipassat
in General Support

Recommended Posts

minipassat

minipassat

Posted
Posted

Hello,

 

I searched the forum and couldn't find the related solution. I helped my friend built the online store using OSC MS2.2 and Authorize.net Simple Integration Method V1.0 by Harald Ponce de Leon. The original contribution is http://addons.oscommerce.com/info/5663.

 

Last week, my friend's AuthorizeNet Merchant Account was hacked and there were many crazy activities like the unauthorized charges...) ANet tech support guy told me that the hacker was from the OSC website. (He has two site and only this one uses OSC shopping cart). I check for him and notice that the login ID is visible from the payment form's source code without any encryption. I read some post and saying "When using SIM, the API Login ID value is going to be visible in the source code of the payment form.

 

My question is, is the login id in the source code enough for the hacker to hack into my friend's ANet Merchant account? Or it's truth that it safe to leave it there without the transaction? Or would it be bigger chance that it was because my admin was hacked and the login id and transaction key was stolen so the hacker is able to use that information to hack into the ANet's merchant account?

 

I have IP Trap, Site Monitor and Security Pro installed after this attack. I am still fighting with using the .htaccess to protect public folders (always gives internal server error). Any other suggestions can help this urgent issue please?

 

Sorry i am still new to PHP and database, please excuse me if my question is odd.. and thanks for anyone's sharing so i can keep learning. Thanks!!

FIMBLE

FIMBLE

Posted
Posted

I feel it is more than likely that if your admin was hacked the information was taken there.

HTACCESS 500 errors are normally permissions related though could also be it does not some conditions

if you have anythign like

Options +SymLinksIfOwnerMatch

Options +FollowSymLinks

Options All -Indexes

in your htaccess try commenting them out by adding # at the start of the line

#Options +SymLinksIfOwnerMatch

#Options +FollowSymLinks

#Options All -Indexes

 

Of course it could also be a good ole syntax error

Nic

Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Taipo

Taipo

Posted
Posted

minipassat: Check out the addon in my signature called osC_Sec. It is designed to directly address the security issue that allows attackers to bypass the admin login process in out of date versions of osCommerce.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...