
Customer payment information is stolen in chose payment methods



My site has a problem when a new customer checks out a product.

It doesn't happen with the registered account so I can't know until a customer reports this.
Luckily in my country filling in credit card information is not common.

The hacker uses href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" to collect customer payment information.

I tried to search for that code in public_html but did not find any clue.

 

Screenshot 2024-08-22 13.40.20.png

Screenshot 2024-08-22 14.00.04.png

Edited by nvd1210 (see edit history)

Hello,

This file is just a CSS file, which is used for styling the page. It cannot add elements to your page.

I encountered a similar issue with a customer, and I used a script to clean the website.

You can refer to this post for more details: 

Have a nice day,

Julien

 


4 hours ago, alex.br said:

Like magic, it can return. You should identify the hacking entrance and fix it to protect your customers' data.

You are right. I changed the admin password and removed some third-party modules that I suspect. These include the seachreplace module, the protectcontent module, HTMLbox, and a module that I don't know and don't remember installing.
But I am still not sure if I did enough.

Link to comment
Share on other sites

Look into your HTTP logs from before the first hack report. You should find dozens of suspicious HTTP requests that failed with 4xx until some request succeeded in exploitation (this is the entrance that you need to fix, most probably a module). Then you should see many successful requests to a suspicious endpoint (/b2b.php for example); from here you were hacked and everything is possible.

 

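The log review described in the post above, as an added example that is not part of the original thread: it flags clients whose first successful request follows a run of 4xx probes, and lists paths that returned 404 earlier and 200 later (files that appeared in between). It assumes Combined Log Format; the sample lines, module paths, addresses and the `min_failures` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumes Apache/nginx Combined Log Format: ip - - [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample (not the poster's logs). Module paths are hypothetical,
# addresses come from documentation ranges; /b2b.php is the example named above.
SAMPLE_LOG = """\
203.0.113.20 - - [01/Jul/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2024:10:00:01 +0000] "GET /b2b.php HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [01/Jul/2024:10:00:02 +0000] "GET /modules/examplemodule-a/upload.php HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [01/Jul/2024:10:00:03 +0000] "POST /modules/examplemodule-b/ajax.php HTTP/1.1" 403 199 "-" "-"
198.51.100.7 - - [01/Jul/2024:10:00:04 +0000] "POST /modules/examplemodule-c/ajax.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [01/Jul/2024:10:00:09 +0000] "GET /b2b.php HTTP/1.1" 200 48 "-" "-"
198.51.100.7 - - [01/Jul/2024:10:00:15 +0000] "POST /b2b.php?x=1 HTTP/1.1" 200 48 "-" "-"
203.0.113.20 - - [01/Jul/2024:10:01:00 +0000] "GET /order HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

def find_entry_points(log_text, min_failures=3):
    """Flag clients whose first 2xx follows a run of 4xx probes.

    Returns {ip: {"entry": (time, method, path), "new_files": [paths]}}.
    "new_files" are paths that answered 404 earlier in the log and 2xx later.
    """
    failures = defaultdict(int)   # ip -> 4xx responses seen so far
    seen_404 = set()              # paths that did not exist at some earlier point
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # skip lines in another format
        ip, when, method, path, status = m.groups()
        path, status = path.split("?", 1)[0], int(status)
        if 400 <= status < 500:
            failures[ip] += 1
            if status == 404:
                seen_404.add(path)
        elif 200 <= status < 300 and failures[ip] >= min_failures:
            hit = findings.setdefault(ip, {"entry": None, "new_files": []})
            if hit["entry"] is None:
                hit["entry"] = (when, method, path)   # candidate entry point
            elif path in seen_404 and path not in hit["new_files"]:
                hit["new_files"].append(path)         # likely dropped file
    return findings

if __name__ == "__main__":
    for ip, hit in find_entry_points(SAMPLE_LOG).items():
        print(ip, "entry:", hit["entry"], "new files:", hit["new_files"])
```

The heuristic will also flag ordinary clients that collect a few 404s, so treat each hit as a lead to read in context, not a verdict.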

Hi,

Cleaning up a hacked store quickly is a good thing, but identifying and correcting the flaw that allowed the hacking is better, because if your store was hacked once, it will be hacked again and again, either by the same flaw or by another one. So it is necessary to analyze and correct all this. Some articles to help: https://www.mediacom87.fr/en/post/security/


45 minutes ago, imjulien.dev said:

Usually this kind of hack uses a base64-encoded script to inject elements. You should look for the base64_decode function in your PHP files.

Do you mean I can search for the "base64_decode" keyword in all code files in the root directory /public_html?


6 hours ago, alex.br said:

Look into your HTTP logs from before the first hack report. You should find dozens of suspicious HTTP requests that failed with 4xx until some request succeeded in exploitation (this is the entrance that you need to fix, most probably a module). Then you should see many successful requests to a suspicious endpoint (/b2b.php for example); from here you were hacked and everything is possible.

 

Unfortunately the first time it was reported was in May, and my account could not see the form. Now a customer took a screenshot, so I used incognito mode and saw it.
The access log and error log can only be viewed back to July.


1 hour ago, imjulien.dev said:

Usually this kind of hack uses a base64-encoded script to inject elements. You should look for the base64_decode function in your PHP files.

Cleaner already does this job and is more complete.
