Post by sterikal » Tue Mar 16, 2021 8:47 pm

Hi - I have noticed a handful of orders come through that appeared to be kosher but on further inspection they have no PayPal payment attached to them. (I only use PayPal as a payment processor for PayPal and credit cards.)
PayPal have suggested that my backend could have been compromised.
My question is, how can I check whether this is the case and if it is, what can I do to prevent this happening again?

Thank you.

Post by khnaz35 » Tue Mar 16, 2021 11:27 pm

First things first: change the username and password for the admin.

Change the password for your FTP login.

Change the username and password for your database.

Then start digging into the order details and see when this behaviour started happening on the website.

Check your server access log for clues.
Then also look for code which may have been injected via some script or tag, etc.

You can always ask your host to take a look too, or hire professional support to take care of the matter.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


Post by sterikal » Wed Mar 17, 2021 12:42 am

Many thanks :)

Post by johnp » Wed Mar 17, 2021 3:26 am

It's also worth sticking a firewall and bad traffic blocker on. :)

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Post by khnaz35 » Wed Mar 17, 2021 9:05 am

Btw, what is the common thing between all the orders without a payment attached to them?

Is the shipping address the same?

Have you checked if free checkout is enabled on your site without your knowing?

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


Post by sterikal » Wed Mar 17, 2021 2:54 pm

The name and address are the same.

Post by khnaz35 » Wed Mar 17, 2021 2:57 pm

How about the free checkout, is it enabled?

Have you tracked down when it started happening? Also compare the access log.
Run the malware scanner on your site.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


Post by sterikal » Wed Mar 17, 2021 4:15 pm

khnaz35 wrote:
Wed Mar 17, 2021 2:57 pm
How about the free checkout, is it enabled?

Have you tracked down when it started happening? Also compare the access log.
Run the malware scanner on your site.

Free checkout is disabled. It started on the 10th March.
A scan didn't show anything.
I can't see anything untoward in the access log.
I've changed all logins and passwords just in case.

Post by paulfeakins » Wed Mar 17, 2021 5:44 pm

sterikal wrote:
Tue Mar 16, 2021 8:47 pm
Hi - I have noticed a handful of orders come through that appeared to be kosher but on further inspection they have no PayPal payment attached to them. (I only use PayPal as a payment processor for PayPal and credit cards.)
PayPal have suggested that my backend could have been compromised.
My question is, how can I check whether this is the case and if it is, what can I do to prevent this happening again?

Have you got your order statuses set up so that they're only marked as paid once PayPal calls back the website with the IPN?

If so, it's possible they're somehow faking that callback.

This isn't something you can be told how to fix on a forum, you need to hire an experienced developer to find out what's gone wrong.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


Post by ADD Creative » Wed Mar 17, 2021 6:00 pm

Which version of OpenCart? Which of the PayPal modules are you using? With some of them it's possible to change the value of the payment, and if the statuses are not set correctly you might not notice. So did you have any payments for these orders at all, even for the wrong value?

Have you checked both the PHP and OpenCart error logs for the time the orders were made?

www.add-creative.co.uk


Post by sterikal » Wed Mar 17, 2021 6:08 pm

ADD Creative wrote:
Wed Mar 17, 2021 6:00 pm
Which version of OpenCart? Which of the PayPal modules are you using? With some of them it's possible to change the value of the payment, and if the statuses are not set correctly you might not notice. So did you have any payments for these orders at all, even for the wrong value?

Have you checked both the PHP and OpenCart error logs for the time the orders were made?

I'm using 2.3.0.2 and PayPal Commerce Platform & PayPal Express Checkout.
I have no payments at all for the orders in question. We have contacted PayPal and they have nothing logged either.
I've not checked the PHP logs but will do now.

Post by ADD Creative » Wed Mar 17, 2021 7:03 pm

sterikal wrote:
Wed Mar 17, 2021 6:08 pm
I'm using 2.3.0.2 and PayPal Commerce Platform & PayPal Express Checkout.
I have no payments at all for the orders in question. We have contacted PayPal and they have nothing logged either.
I've not checked the PHP logs but will do now.

I've just checked and there is no validation on the webhook for the PayPal Commerce Platform module. It's easy to fake the callback and change the order status.

www.add-creative.co.uk
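
An added example, not part of the original thread and not OpenCart or PayPal code: a reconciliation check for the symptom discussed above, where orders carry a paid status but the payment provider has no completed payment for them, or only one of the wrong value. The record layout, field names, status names and sample rows are constructed assumptions; real input would come from the shop database and the provider's own transaction report.

```python
from decimal import Decimal

# Constructed sample data with hypothetical field names, not taken from the thread.
ORDERS = [
    {"order_id": 1001, "status": "paid", "total": "49.99", "currency": "GBP", "ip": "198.51.100.7"},
    {"order_id": 1002, "status": "paid", "total": "120.00", "currency": "GBP", "ip": "203.0.113.9"},
    {"order_id": 1003, "status": "paid", "total": "75.50", "currency": "GBP", "ip": "203.0.113.9"},
    {"order_id": 1004, "status": "pending", "total": "15.00", "currency": "GBP", "ip": "198.51.100.8"},
]
CAPTURES = [
    {"invoice_id": 1001, "state": "COMPLETED", "amount": "49.99", "currency": "GBP"},
    {"invoice_id": 1003, "state": "COMPLETED", "amount": "7.55", "currency": "GBP"},
]

PAID_STATUSES = {"paid", "processing", "complete"}  # assumption: adjust to the shop's status names


def reconcile(orders, captures):
    """Return {order_id: reason} for paid-looking orders the provider does not back."""
    by_invoice = {}
    for cap in captures:
        by_invoice.setdefault(cap["invoice_id"], []).append(cap)
    findings = {}
    for order in orders:
        if order["status"].lower() not in PAID_STATUSES:
            continue  # only orders already treated as paid are of interest
        done = [c for c in by_invoice.get(order["order_id"], []) if c["state"] == "COMPLETED"]
        if not done:
            findings[order["order_id"]] = "no completed payment at provider"
            continue
        same_ccy = [c for c in done if c["currency"] == order["currency"]]
        received = sum((Decimal(c["amount"]) for c in same_ccy), Decimal("0"))
        if received < Decimal(order["total"]):
            findings[order["order_id"]] = f"underpaid: received {received} of {order['total']}"
    return findings


def suspect_ips(orders, findings):
    """Group flagged orders by client IP to narrow the access-log review."""
    grouped = {}
    for order in orders:
        if order["order_id"] in findings:
            grouped.setdefault(order["ip"], []).append(order["order_id"])
    return grouped


if __name__ == "__main__":
    flagged = reconcile(ORDERS, CAPTURES)
    print(flagged, suspect_ips(ORDERS, flagged))
```

The grouped IP addresses and the timestamps of the flagged orders give the time window and source to look for in the access, PHP and OpenCart error logs.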


Post by johnp » Wed Mar 17, 2021 9:05 pm

Check some of the order IP addresses to see if they're from known bad sources.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Post by sterikal » Thu Mar 18, 2021 2:28 am

ADD Creative wrote:
Wed Mar 17, 2021 7:03 pm
sterikal wrote:
Wed Mar 17, 2021 6:08 pm
I'm using 2.3.0.2 and PayPal Commerce Platform & PayPal Express Checkout.
I have no payments at all for the orders in question. We have contacted PayPal and they have nothing logged either.
I've not checked the PHP logs but will do now.

I've just checked and there is no validation on the webhook for the PayPal Commerce Platform module. It's easy to fake the callback and change the order status.

I'm presuming that for them to do that, they would have to gain access to the admin panel or am I being naive?

Post by sterikal » Thu Mar 18, 2021 2:28 am

johnp wrote:
Wed Mar 17, 2021 9:05 pm
Check some of the order IP addresses to see if they're from known bad sources.

Thanks. Will do.

Post by johnp » Thu Mar 18, 2021 2:34 am

I use CIDRAM. It blocks bad traffic.

https://github.com/CIDRAM/CIDRAM

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Post by ADD Creative » Thu Mar 18, 2021 5:16 am

sterikal wrote:
Thu Mar 18, 2021 2:28 am
I'm presuming that for them to do that, they would have to gain access to the admin panel or am I being naive?

No admin access needed. There is a flaw in the payment module. I've reported it and they said they will investigate.

www.add-creative.co.uk

