PayPal module attacks - Malware?

Hi Forum, especially those members that have been members for a few years,

My OXID CE 4.6 which had been operating for around 6 years without problems all of a sudden experienced a problem with its PayPal module “de-activating”.

This meant that whilst the customer could place an order through to me, they bypassed the PayPal section where credit cards or a PayPal account was used to pay for the order.

If you re-activate the module, it appears to be activated (green). If you go to check if it is working and find out it isn’t, when you return to the Modules section in the CMS, the module is “de-activated” again.

I have tried to repair the problem a variety of different ways without success. I have asked for help here, without success. Then it finally occurred to me that there might be another problem.

A clever ‘Hacker’ that knows code and wanted to cause me or PayPal pain, might be able to write code to create the above circumstances. Call it malware, call it a virus, call it what you like, but it might be an attack.

I can almost see the eyes rolling among the regulars thinking that I am paranoid, but think about it. Is it possible?

I was reading through past posts and saw the post about Poodle attacks and changes PayPal were to bring in a few years ago. The idea is not new.

The software developer, Shaun Purvis or Spurvis as he is known by many, is no longer contactable and is in another industry enjoying himself. If he was still here, he would be my first point of call. As he is not, I am throwing it to the forum.

The problem might be that the malicious code, if there is any, may not be written into the 6vC PayPal Module, but rather the OXID CE website code. That said, frankly I have no idea.

Thanks in advance for any help. Even small bits might help once collated with other ideas.

Don :confused:

Hey Don,

if it certainly was a hacker, he would do other harm than to de-activate the PayPal module, wouldn’t he? :wink:

My suspicion is that - as I understand, you didn’t change anything at the system - some environmental changes were made. May it be an update at the server of your web hosting provider or even at the PayPal API. Cannie say what exactly happened from my remote position but I reckon this has to be debugged, starting with analysing the server’s error logs.

Regards

Great suggestion and I will ask tomorrow. Just checking - are the Server logs something that I can check through cPanel? Or will I need to ask my ISP to see them? Also with PayPal, is there a specific department you check with when you ask these sorts of questions in Europe? In Au it seems most of our questions go to Manila or India, not that there is a problem with that, other than they may not have the answers. :slight_smile:

If you have shell access to your server, depending on the OS running, the error logs might be found in /var/logs/apache2/error.log. Some web hosting providers also allow you to see these logs somewhere in your FTP or in cPanel. Best ask your web hosting provider (not your ISP) where they can be found exactly if you don’t know.

PayPal has a German support department close to Berlin. But I guess they are doing their own germanized stuff over there and cannot say much about other locations… :frowning:

Regards

I have had discussions with PayPal and whilst my problem is not solved, I agree that Malware was probably not the issue but I am chasing down a few possible cures which I would like to share because there is some valuable information on PayPal’s security changes.

PayPal insists (in AU anyway) that your website be secure with SSL protection so that you see the padlock in the URL bar. They now mandate that you must have SHA-256 and that they are upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 in mid-2016.

Security-Related Changes Required to Avoid Service Disruption:

Merchants and developers may have to update their integrations in order to be in compliance and ensure that their applications continue to function as expected.

For PayPal customers, these updates include:
• TLS 1.2 upgrade (support for TLS 1.0 will be retired)
• IP Address Update for PayPal SFTP
• IPN Verification Postback to HTTPS (HTTP will no longer be supported)
• Merchant API Credential Upgrade (to SHA-256 2048-bit credentials)
• SSL Certificate Upgrade
• PayPal SDK Updates

This means that to avoid your PayPal module ceasing to work, you need to make sure your website is compliant.

PayPal

To avoid any disruption of service, you must verify that your systems are ready for this change now.
• Testing will occur between June 17 and September 30, 2016.
• Full deployment will happen after September 30, 2016.

There is a good webpage for information and instructions in PDF format available in most languages available at the SSL Certificate Upgrade Microsite

In my case I found I had a link to another website and they did not have SHA-256 compliance which meant that I lost my SSL accreditation until I removed that link. This has been done and I am 256 again and off to fix the PayPal thing.

Cheers
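
Added example, not part of the original posts and not code from the 6vC module: a small Python audit that scans a shop's PHP source for two items from the PayPal list in the post above, PayPal URLs still called over plain HTTP (the IPN postback item) and cURL pinned to a protocol older than TLS 1.2. The sample PHP and the rule names are constructed for illustration.

```python
import re

# (rule id, pattern, reason). Rule ids are this example's own names.
RULES = [
    ("plain-http-paypal",
     re.compile(r"http://[\w.-]*paypal\.com", re.I),
     "PayPal endpoint called over HTTP; the IPN postback must use HTTPS"),
    # Numeric values 2-5 are libcurl's SSLv2, SSLv3, TLSv1_0 and TLSv1_1.
    # CURL_SSLVERSION_TLSv1 (1) is not flagged: it lets libcurl negotiate
    # any TLS 1.x version, including 1.2.
    ("legacy-tls-pinned",
     re.compile(r"CURLOPT_SSLVERSION\s*,\s*"
                r"(?:CURL_SSLVERSION_(?:SSLv2|SSLv3|TLSv1_0|TLSv1_1)\b|[2-5]\b)"),
     "cURL pinned to a protocol older than TLS 1.2"),
]

def audit_php(source, filename="<memory>"):
    """Return (filename, line_no, rule_id, reason) for each risky line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "/*", "*")):
            continue  # skip commented-out code to avoid false positives
        for rule_id, pattern, reason in RULES:
            if pattern.search(code):
                findings.append((filename, line_no, rule_id, reason))
    return findings

# Constructed sample input (hypothetical module code, not the real one).
SAMPLE_MODULE = '''<?php
// constructed sample for the audit above
$ipnUrl = "http://www.paypal.com/cgi-bin/webscr";
$ch = curl_init($ipnUrl);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
$apiUrl = "https://api-3t.paypal.com/nvp";
curl_setopt($ch2, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
'''

if __name__ == "__main__":
    for name, line_no, rule_id, reason in audit_php(SAMPLE_MODULE, "sample.php"):
        print(f"{name}:{line_no}: [{rule_id}] {reason}")
```

To audit a real installation, read each `.php` file under the shop's module directory and pass its text to `audit_php`.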

Today, there are many cyber scammers. Recently I read an article in which it was said that ransomware attacked the hospital in Germany. Then they demanded a very big ransom. Here is an article about how ransomware works: http://myspybot.com/jaff-file-virus/

If you take into account the latest news http://www.bbc.com/news/technology-39901382, I would in your place be worried