I think that one of our clients website has been hacked. Unfortunately they refuse to update to the latest patches "due to cost".
Today we saw a form (for credit cards) appearing when users choose the Redirect option, which also validates against an external link (brazil domain). From the looks of it, I think this was injected to copy cards.
My question is, which files should I check to find out if they were modified, or what other measures we should take? We already disabled the payment method.
