
[Help] Someone added a backdoor and is stealing credit cards



Hello,

Someone complained to me about a charge that was unauthorized.

Well, I started searching for what the hell is going on, huh!!

Then I noticed:

When my checkout page loaded, a custom payment gateway, which is coded in HTML, was displayed on the checkout page.

Class name: <div class="custom-card-form">

I have tried to figure it out by searching in the plugins, but with no good result.

I am using PS 1.7.6.8.

<div class="custom-card-form">
  <div class="custom-form-group">
    <label class="custom-label">Numero di carta</label>
    <div class="custom-card-number">
      <input type="text" id="cardnumccc" name="ccnum" class="custom-input card-number-input" placeholder="0000 1111 0000 1111 000">
      <div class="custom-card-icons">
        <img src="https://js.stripe.com/v3/fingerprinted/img/visa-729c05c240c4bdb47b03ac81d9945bfe.svg" alt="visa">
        <img src="https://js.stripe.com/v3/fingerprinted/img/mastercard-4d8844094130711885b5e41b28c9848f.svg" alt="mastercard">
      </div>
    </div>
  </div>
  
  <div class="custom-form-group">
    <label class="custom-label">Titolare della carta</label>
    <input type="text" id="nameccholder" name="holdernamecc" class="custom-input cardholder-input" placeholder="Mario Rossi">
  </div>

  <div class="custom-form-row">
    <div class="custom-form-group">
      <label class="custom-label">Data di scadenza</label>
      <input type="text" id="ccexp" name="ccexpp" class="custom-input expiry-input" placeholder="MM/AA">
    </div>
    <div class="custom-form-group">
      <label class="custom-label">Codice della carta</label>
      <input type="text" id="cvvcv" name="cvvvc" class="custom-input cvv-input" placeholder="CVV/CVC">
    </div>
  </div>
</div>

This is the full code which I can see using Chrome inspect.

Have a look at my checkout page (see the attached file).

The surprise is that when we complete this form, this frame goes away and my real payment methods show.

Can someone please help me identify it?

I want to remove this backdoor to avoid more complaints.

Thanks in advance.

stealer.jpg

Edited by Pharma1234

Well, sorry for the bumpy messages.

I tried the 1-click upgrade and got the following error.

[INTERNAL] /var/www/vhosts/sitehttp/httpdocs/vendor/composer/autoload_real.php line 64 - require(): Failed opening required '/var/www/vhosts/sitehttp/httpdocs/vendor/composer/../symfony/polyfill-php70/bootstrap.php' (include_path='/var/www/vhosts/sitehttp/httpdocs/vendor/pear/pear_exception:/var/www/vhosts/sitehttp/httpdocs/vendor/pear/console_getopt:/var/www/vhosts/sitehttp/httpdocs/vendor/pear/pear-core-minimal/src:/var/www/vhosts/sitehttp/httpdocs/vendor/pear/archive_tar:.:/opt/plesk/php/7.3/share/pear')

And the whole sidebar is gone.

I need urgent help to restore my site since I don't have a backup, huh!!

Hi,

This sounds like a job you should hire a developer for.
If I were you, I would ask your hosting company to restore a backup. I see you are using Plesk, so usually there is some form of automatic backups.

Then I would first disable your shop and find and fix the malware that is stealing payment info. Then make a legal statement that there has been a data breach and payment info was stolen.

Then I would strongly advise hiring someone to update your PrestaShop.

Edited by Inform-All

3 hours ago, Pharma1234 said:

Can anyone direct me to the exact place where I can remove this backdoor?

That won't help you for long. You need to close the entrance.
The only thorough procedure is to build a new shop, and here too you need to be careful to use just the client data and not also the attacker's.

In my case there was a JPEG file that was loaded which had PHP code inside it. Someone uploaded it using a backdoor from a template module. Check the img directory for large files and edit them using Notepad.


1 hour ago, WisQQ said:

In my case there was a JPEG file that was loaded which had PHP code inside it. Someone uploaded it using a backdoor from a template module. Check the img directory for large files and edit them using Notepad.

I have checked all the images; they are only mine.
