Solved: Re: Payment methods hacked?

MiWo · ‎10-21-2019

Hello @ all,
since yesterday the onepage checkout in a magento 1.6 shop shows a form for credit card information in the payment tab, although in backend only check money order is activated and everything else is deactivated. I tried to activate and deactivate different paymentmethods, but only that credit card form is shown in frontend. So I guess a hacker tries to fish that information, although it is a small shop with just very few orders a month. There is nothing to catch.

The Shop is now in maintenance mode while I am trying to find the file with the code, which overrides the configuration of the backend. Any hints which file could be responsible? Thanks in advance, cause I am stabbing around in the dark.

Mukesh Tiwari · ‎10-22-2019

Hi @MiWo

Did you try to scan your site with Magento security scanner? It may report any suspicious java script file in your site.

You can also try to scan your site on https://sitecheck.sucuri.net/ . If there is any known suspicious thing it may show in the results.

Also check in the Magento admin under miscellaneous scripts section for any suspicious java script files added to your site.

Is your site fully patched with latest security patches released by Magento?

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

View solution in original post

Mukesh Tiwari · ‎10-23-2019

Hi @MiWo

You should try to search for

var _0xa2b4=["x69x6Dx77x62x5Fx63x61x62x31x5Fx73x68x6Fx77","x4E","x69x6Dx77x62x5Fx63x61x62x31x5Fx72x65x73x68x6Fx77", ...

pattern in your Magento database and in Magento code files including java script files.
It can help you identify the source of the suspicious code.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

View solution in original post

MiWo · ‎10-25-2019

Thank you very much! Problem solved.

I bought the basic security package at sucuri and they found and cleaned several files via ftp. But because that did not solve the problem, I checked the backend once again. But this time I recognized the scroll bar at the empty footer textfield in System -> Configuration -> Design.

The script was hidden at the end of a lot of blank lines. How embarrassing that I did not recognized it at once. Maybe that info helps others to look closer.

View solution in original post

MiWo · ‎10-22-2019

Update:

For a split second the original paymentoptions can be seen in the checkout, till the creditcard form is loaded. Maybe that info helps.

The files like "onepage.phtml", "payment.phtml" and "methods.phtml" are clean. Any hints which additional files are involved in the checkout payment process?

Mukesh Tiwari · ‎10-22-2019

Hi @MiWo

Did you try to scan your site with Magento security scanner? It may report any suspicious java script file in your site.

You can also try to scan your site on https://sitecheck.sucuri.net/ . If there is any known suspicious thing it may show in the results.

Also check in the Magento admin under miscellaneous scripts section for any suspicious java script files added to your site.

Is your site fully patched with latest security patches released by Magento?

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

MiWo · ‎10-23-2019

Hi Mukesh Tiwari,

thank you for your reply. In admin there are no miscellaneous scripts. It is clean.
I tried your suggestion with your mentioned sucuri scanner and some other security scanners.They say that the site is infected:

Sucuri: Known javascript malware: malware.generic_jsobfuscator?1.2

Magento Security Scan:
Your site is compromised with injected JavaScript malware. (37)
Malicious code signature(s) have been found on your site.and some patches are missing.

The problem: They do not say which files are infected. Do you know a scanner that says what is infected?

Mukesh Tiwari · ‎10-23-2019

Hi @MiWo

You should try to search for

var _0xa2b4=["x69x6Dx77x62x5Fx63x61x62x31x5Fx73x68x6Fx77","x4E","x69x6Dx77x62x5Fx63x61x62x31x5Fx72x65x73x68x6Fx77", ...

pattern in your Magento database and in Magento code files including java script files.
It can help you identify the source of the suspicious code.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

MiWo · ‎10-25-2019

Thank you very much! Problem solved.

I bought the basic security package at sucuri and they found and cleaned several files via ftp. But because that did not solve the problem, I checked the backend once again. But this time I recognized the scroll bar at the empty footer textfield in System -> Configuration -> Design.

The script was hidden at the end of a lot of blank lines. How embarrassing that I did not recognized it at once. Maybe that info helps others to look closer.

Mukesh Tiwari · ‎10-25-2019

Hi @MiWo

Glad to hear that issue is resolved for you.
To prevent it in future please follow Magento security best practices

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

sallescamargo · ‎06-09-2021

Olá Amigos,

Estou com um problema grave, os métodos de pagamento ficaram ocultos, ficando somente o

Credit/Debit Card Secure Payment

Alguém poderia me ajudar, visitando o site:

espacodoacabamento.com.br adicionado um item no carrinho, ele altera a forma de pagamento.

Como solucionar, já troquei os arquivos:

app/code/core/Mage/XmlConnect/Block/Checkout/Payment/Method/Ccsave.php
app/code/core/Mage/Customer/controllers/AccountController.php
app/code/core/Mage/Payment/Model/Method/Cc.php
app/code/core/Mage/Checkout/Model/Type/Onepage.php

Mas nada, dentro do sistema/formas de pagamento, somente duas formas estão habilitadas.

Aguardo um apoio.