
Archived

This topic is now archived and is closed to further replies.

qwertyjjj

orders submitted from PayPal without payment


I had 2 orders submitted from PayPal last night, which came through as Preparing [PayPal Standard] but without payment.

How could these have been entered with that status without payment?

Is there any way for me to check the history of what happened? This seems like a hack, but I am not sure whether it is on OSC or on the PayPal site.

 

A normal PayPal payment comes through as:

PayPal IPN Verified [Completed (Unverified; £x.xx)]

 

These payments do not have that entry in their history, but they would not have Preparing [PayPal Standard] without going to PayPal, and would not come back with Pending unless PayPal had processed a payment too; it would not have been entered in the history unless the PayPal IPN sent something back.

 

Screenshots: http://forums.oscommerce.com/topic/388757-orders-submitted-from-paypal-without-payment/

 

How can I stop it?

It is almost like the checkoutsuccess script has been hacked or something but I have nothing in my AV and OSC should prevent any hacks.

 

All these look normal don't they?

 

 

File could be a potentional threat: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/cookie_usage.php (Known filename threat)

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Traversal Exploit <=> wget%20 ) on line: 198

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Traversal Exploit <=> union%20 ) on line: 193

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Traversal Exploit <=> %20union ) on line: 193

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Known automated hack <=> edoced_46esab ) on line: 132

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Known automated hack <=> eval( ) on line: 133

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/osc_sec.php (Known automated hack <=> passthru ) on line: 139

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/recaptchalib.php (Known automated hack <=> iframe) on line: 125

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/functions/compatibility.php (Known automated hack <=> eval( ) on line: 84

File could be a potentional threat: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/includes/languages/english/cookie_usage.php (Known filename threat)

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/configuration.php (Known automated hack <=> eval( ) on line: 125

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known Hacker <=> Assel ) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known automated hack <=> eval( ) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known automated hack <=> gzdecode ) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known automated hack <=> iframe) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known automated hack <=> error_reporting(0) ) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/sitemonitor_configure_0.php (Known automated hack <=> shell_exec ) on line: 21

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/modules.php (Known automated hack <=> eval( ) on line: 218

File could be a potentional threat: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/mail.php (Known filename threat)

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/AV/grep.php (Known automated hack <=> error_reporting(0) ) on line: 44

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/AV/index.php (Known automated hack <=> error_reporting(0) ) on line: 11

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Traversal Exploit <=> wget%20 ) on line: 198

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Traversal Exploit <=> union%20 ) on line: 193

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Traversal Exploit <=> %20union ) on line: 193

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Known automated hack <=> edoced_46esab ) on line: 132

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Known automated hack <=> eval( ) on line: 133

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/osc_sec.php (Known automated hack <=> passthru ) on line: 139

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/general.php (Known automated hack <=> eval( ) on line: 405

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known Hacker <=> Assel ) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> eval( ) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> gzdecode ) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> iframe) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> error_reporting(0) ) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/sitemonitor_functions.php (Known automated hack <=> shell_exec ) on line: 381

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/functions/header_tags.php (Known automated hack <=> eval( ) on line: 876

File could be a potentional threat: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/languages/english/mail.php (Known filename threat)

 

Possible Infection: /home153/sub002/sc11883-LGVN/mysite.co.uk/cart/j_8285_admin/includes/modules/newsletters/product_notification.php (Known automated hack <=> eval( ) on line: 61

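The sitemonitor report quoted above is easier to reason about grouped per file than as a flat list. What follows is an added triage script written for this page, not code from the thread or from sitemonitor; the sample lines are constructed in the same shape as the output above with placeholder paths, and the priority rules are my own heuristic. The point it makes: several distinct signatures (eval(, gzdecode, shell_exec, error_reporting(0)) all firing on one source line means either a packed payload or a scanner matching its own signature table, so that line is the one to open first, while a "Known filename threat" with no content signature says nothing about what is in the file.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the sitemonitor report quoted above;
# paths are placeholders, not the poster's. The scanner's own spelling "potentional" is kept
# because the parser has to match what the tool actually prints.
SAMPLE_REPORT = """\
File could be a potentional threat: /var/www/example/cart/cookie_usage.php (Known filename threat)
Possible Infection: /var/www/example/cart/includes/osc_sec.php (Traversal Exploit <=> union%20 ) on line: 193
Possible Infection: /var/www/example/cart/includes/osc_sec.php (Traversal Exploit <=> %20union ) on line: 193
Possible Infection: /var/www/example/cart/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482
Possible Infection: /var/www/example/cart/x_admin/sitemonitor_functions.php (Known Hacker <=> Assel ) on line: 381
Possible Infection: /var/www/example/cart/x_admin/sitemonitor_functions.php (Known automated hack <=> eval( ) on line: 381
Possible Infection: /var/www/example/cart/x_admin/sitemonitor_functions.php (Known automated hack <=> gzdecode ) on line: 381
Possible Infection: /var/www/example/cart/x_admin/sitemonitor_functions.php (Known automated hack <=> shell_exec ) on line: 381
"""

# One report line: kind, path, "(category <=> signature )" and an optional "on line: N".
LINE_RE = re.compile(
    r"^(?P<kind>File could be a potentional threat|Possible Infection): "
    r"(?P<path>\S+) "
    r"\((?P<category>[^(<)]+?)(?: <=> (?P<sig>.+?))?\s*\)"
    r"(?: on line: (?P<line>\d+))?$"
)

def parse_report(text):
    """Turn report lines into dicts: kind, path, category, sig, line (None when absent)."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            findings.append({"kind": "unparsed", "path": None, "raw": raw})
            continue
        f = m.groupdict()
        f["line"] = int(f["line"]) if f["line"] else None
        f["sig"] = f["sig"].strip() if f["sig"] else None
        findings.append(f)
    return findings

def triage(text, stack_threshold=3):
    """Group findings per file and assign a review priority (heuristic, see lead-in)."""
    by_file = defaultdict(list)
    for f in parse_report(text):
        if f["path"]:
            by_file[f["path"]].append(f)

    report = {}
    for path, fs in by_file.items():
        sigs_by_line = defaultdict(set)
        for f in fs:
            if f["sig"] is not None:
                sigs_by_line[f["line"]].add(f["sig"])
        # Lines where several different signatures hit at once.
        stacked = {ln: sorted(s) for ln, s in sigs_by_line.items() if len(s) >= stack_threshold}
        filename_only = all(f["sig"] is None for f in fs)
        if stacked:
            priority, reason = "review-first", "several distinct signatures on one line"
        elif filename_only:
            priority, reason = "low", "filename match only, no content signature"
        else:
            priority, reason = "review", "content signature hit"
        report[path] = {
            "priority": priority,
            "reason": reason,
            "in_admin": "admin" in path.lower(),  # a renamed admin dir usually keeps the word
            "hits": len(fs),
            "stacked_lines": stacked,
        }
    return report

if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_REPORT).items(), key=lambda kv: kv[1]["priority"]):
        print(f"{info['priority']:13} {info['hits']:2} hit(s)  {path}  ({info['reason']})")
```

Run it against the real report by reading the scanner output into `triage()` instead of `SAMPLE_REPORT`; the `in_admin` flag is there because anything writable under the admin directory deserves a look regardless of signature count.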


That is normal behaviour - pending and preparing Paypal means that the payment process has not been completed successfully.


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


That is normal behaviour - pending and preparing Paypal means that the payment process has not been completed successfully.

 

Not on my site...

if someone orders, goes to PayPal but doesn't pay it stays as: Preparing [PayPal Standard]

If they pay successfully it comes back as Pending with Comments PayPal IPN Verified [Completed (Unverified; £xx.xx)]

 

These hacked orders are coming back as:

Preparing [PayPal Standard] with empty comments, which is not possible for PayPal.

And then switching to Pending.

There is no payment.


@@qwertyjjj

 

Payments confirmed received by PayPal should have a default status as 'processing'. Orders where the payment was not confirmed by PayPal should NOT appear in your order history at all. They are failed and there is NO record kept of failed orders in osCommerce.

 

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


@@qwertyjjj

 

Payments confirmed received by PayPal should have a default status as 'processing'. Orders where the payment was not confirmed by PayPal should NOT appear in your order history at all. They are failed and there is NO record kept of failed orders in osCommerce.

 

 

 

Chris

a failed order has no order history but it still has an order created and that has status Preparing [PayPal Standard]

exactly so how did these orders get here?

where is the hack?


@@qwertyjjj

 

A failed order should NOT have an order created in osCommerce.

 

Are you using PayPal Standard ? If so, are you using a PEM Certificate to control two way communication between the PayPal server and your website ? Have you considered using PayPal express, which is more secure and does allow for full two way communication ?

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


@@qwertyjjj

 

A failed order should NOT have an order created in osCommerce.

 

Are you using PayPal Standard ? If so, are you using a PEM Certificate to control two way communication between the PayPal server and your website ? Have you considered using PayPal express, which is more secure and does allow for full two way communication ?

 

 

Chris

 

It does have an order created because the item is added to the cart and on checkout the order is created before everything gets sent to PayPal, that's how PayPal knows the orderID, InvoiceID, etc.

Yes, PayPal standard but it shouldn't be possible to hack that. I would have thought the PayPal code was more secure than the OSC code.


@@qwertyjjj

 

Ok, that means you have altered the original PayPal payment module to prevent lost orders, which means you are using PayPal Standard. I suggest that you update to the PayPal Express and utilize the API. This will prevent lost orders and orders without payment.

 

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


@@qwertyjjj

 

Ok, that means you have altered the original PayPal payment module to prevent lost orders, which means you are using PayPal Standard. I suggest that you update to the PayPal Express and utilize the API. This will prevent lost orders and orders without payment.

 

 

 

Chris

 

I can try that, thanks.

Even so, somehow someone is still hacking the order process to get it into the status of Pending without getting Payment from PayPal. I don't know how...


@@qwertyjjj

 

There are some known exploits with PayPal standard if not set up correctly.

 

 

 

Chris



 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


@@qwertyjjj

 

There are some known exploits with PayPal standard if not set up correctly.

 

 

 

Chris

 

such as?

pm me if you don't want them on a public forum but if there was a known exploit, shouldn't it be plugged?


Have a read of this thread on how to secure paypal standard payments http://forums.oscommerce.com/topic/387748-closing-the-paypal-checkout-confirmation-exploit/


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life


a failed order has no order history but it still has an order created and that has status Preparing [PayPal Standard]

exactly so how did these orders get here?

where is the hack?

 

This is not necessarily a hack, it can happen when someone reaches the paypal payment page but doesn't complete payment and browses away. On the paypal page there is a link at the bottom that says "cancel and return to merchant". If you click that link the order will get deleted and you will see no traces of it, but if you just browse away you will see an order has been created but not paid.

Always a good idea to check if you really received payment in your paypal account before shipping an order, otherwise try Paypal Express.

 

 

For extra info on Paypal have a look at this thread, especially the last few posts by Harald: http://forums.oscommerce.com/topic/388544-security-issue-possible-to-purchase-without-payment/


~ Don't mistake my kindness for weakness ~

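The advice in the post above (check that PayPal really shows the payment before treating the order as paid) and the linked thread on securing PayPal Standard come down to one rule for the order-status code: an order advances only on an IPN that PayPal itself has confirmed and whose fields agree with the order, never because the shopper's browser came back to the success page. The routine below is an added illustration of that rule, not osCommerce's or the PayPal module's own code. The IPN field names (payment_status, txn_id, mc_gross, mc_currency, receiver_email, invoice) are PayPal's real ones; the merchant e-mail, the order record, the message values and the status names are constructed, and the postback to PayPal's _notify-validate endpoint is replaced by a stub so the code runs offline.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlencode

# Constructed merchant and order data for the example; not osCommerce's schema.
MERCHANT_EMAIL = "payments@example.co.uk"
SAMPLE_ORDER = {"id": 1042, "currency": "GBP", "total": Decimal("49.99")}

# Constructed IPN message. "ipn_demo_valid" exists only so the stub below can tell a
# "VERIFIED" message from an "INVALID" one without network access.
GOOD_IPN = {
    "ipn_demo_valid": "1",
    "payment_status": "Completed",
    "receiver_email": "payments@example.co.uk",
    "invoice": "1042",
    "mc_currency": "GBP",
    "mc_gross": "49.99",
    "txn_id": "TXN-0001",
}

def postback_stub(body):
    """Stand-in for POSTing the message back to PayPal's _notify-validate endpoint.
    A real handler sends the exact raw body it received, prefixed with cmd=_notify-validate,
    and reads PayPal's literal reply, 'VERIFIED' or 'INVALID'."""
    return "VERIFIED" if "ipn_demo_valid=1" in body else "INVALID"

def evaluate_ipn(params, order, seen_txn_ids, postback=postback_stub):
    """Decide what an IPN allows the order to become.

    Returns (status, reasons): 'processing' only when PayPal verifies the message and every
    field agrees with the order; 'awaiting_payment' when the message is genuine but the
    payment is not Completed; 'hold' otherwise. The browser's return URL plays no part.
    """
    # 1. Authenticity: only PayPal's own 'VERIFIED' reply proves PayPal sent this message.
    if postback(urlencode({"cmd": "_notify-validate", **params})) != "VERIFIED":
        return "hold", ["postback not VERIFIED"]

    reasons = []
    # 2. The money must have gone to this merchant's account, not someone else's.
    if params.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        reasons.append("receiver_email mismatch")
    # 3. The message must refer to this order.
    if params.get("invoice") != str(order["id"]):
        reasons.append("invoice does not match order id")
    # 4. Amount and currency must equal what the order charged.
    try:
        paid = Decimal(params.get("mc_gross", ""))
    except InvalidOperation:
        paid = None
    if params.get("mc_currency") != order["currency"] or paid != order["total"]:
        reasons.append("amount/currency mismatch")
    # 5. A transaction id is accepted once; seeing it again means a replayed message.
    txn = params.get("txn_id")
    if not txn or txn in seen_txn_ids:
        reasons.append("duplicate or missing txn_id")
    if reasons:
        return "hold", reasons

    # 6. Only a Completed payment releases the order; Pending, Reversed etc. do not.
    status = params.get("payment_status")
    if status == "Completed":
        seen_txn_ids.add(txn)
        return "processing", []
    return "awaiting_payment", [f"payment_status={status}"]

if __name__ == "__main__":
    seen = set()
    print(evaluate_ipn(GOOD_IPN, SAMPLE_ORDER, seen))  # ('processing', [])
    print(evaluate_ipn(GOOD_IPN, SAMPLE_ORDER, seen))  # ('hold', ['duplicate or missing txn_id'])
    print(evaluate_ipn(dict(GOOD_IPN, mc_gross="0.01"), SAMPLE_ORDER, set()))
    print(evaluate_ipn({k: v for k, v in GOOD_IPN.items() if k != "ipn_demo_valid"}, SAMPLE_ORDER, set()))
```

The `seen_txn_ids` set stands in for whatever persistent store holds already-processed transaction ids; in a real handler the amount check compares against the total stored when the order was created, not against anything sent back by the shopper.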
This is not necessarily a hack, it can happen when someone reaches the paypal payment page but doesn't complete payment and browses away. On the paypal page there is a link at the bottom that says "cancel and return to merchant", if you click that link the order will get deleted and you will see no traces of it, but if you just browse away you will see an order has been created but not paid.

 

Yes, but then it stays with a different status in my site, it stays as Preparing [PayPal Standard] which is not happening with these orders.

