Magento Forum

   
Our PayPal settings got hacked, how to restore them? 
 
viktorbergman
Jr. Member
 
Total Posts:  5
Joined:  2012-09-30
 

Yesterday I tried to log in as usual to our admin site but was denied access. I triple-verified the password, yet I was still denied. Later I tried to access our cPanel, which also did not work.

As it turned out, some guy from Pakistan had hacked our store and changed the passwords. Luckily we do not store any card numbers, so nothing like that was leaked (we have a hosted gateway).

After looking through the entire store I did find that they had messed with the PayPal settings, basically redirecting customers to their account.

The field “Email Associated with PayPal Merchant Account” had a totally different email than ours, under “Website Payments Standard”. However, we only use Express Checkout. So I replaced the email with ours and thought that everything was OK. I did, however, miss checking the Express settings. Here’s where it gets freaky: the part where you enter the API credentials etc. was totally missing (see attached screen dump).

Since the fields about credentials and all were missing, I did not react. I regret this now. Today I received an order paid with PayPal and voilà… no transaction in our account. I had a look in the database and saw that indeed they had entered their own API keys.

Replacing the keys (which I get from PayPal) in the database using phpMyAdmin does not help… that only results in a server timeout at checkout.

I want to have my admin section back so I can go through the entire API wizard. How can I get it back? I have uploaded the Mage_Paypal folder into the app folder with no success. Also, my host says no activity has been logged on the FTP, so no files have been touched?

Does anyone else have experience with this?

Image Attachments
ExpressCheckout.png
 
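The poster found the attacker's API keys by looking directly at the database. What follows is an added example, not code from the thread or from Magento, showing how to audit the PayPal rows in Magento 1's core_config_data table instead of eyeballing the admin panel. It assumes the standard Magento 1 config paths for Express Checkout (paypal/general/business_account, paypal/wpp/api_username, paypal/wpp/api_password, paypal/wpp/api_signature); the row values and the known-good values are placeholders. Two points it is built around: a row at websites or stores scope overrides the default-scope value that the admin panel shows under "Default Config", so the poster's cleanup of the default-scope email would not undo a website-scope override; and api_password and api_signature are stored encrypted with the key from app/etc/local.xml, so they cannot be meaningfully compared (or pasted in plaintext) via phpMyAdmin, which is why they are excluded from the expected-value check here.

```python
import sqlite3

# Constructed sample rows for Magento 1's core_config_data table
# (scope, scope_id, path, value). Values are placeholders, not real credentials.
SAMPLE_ROWS = [
    ("default", 0, "paypal/general/business_account", "shop@example.com"),
    ("default", 0, "paypal/wpp/api_username", "attacker_api1.example.net"),
    ("default", 0, "paypal/wpp/api_password", "<encrypted>"),
    ("default", 0, "paypal/wpp/api_signature", "<encrypted>"),
    ("websites", 1, "paypal/general/business_account", "attacker@example.net"),
    ("websites", 1, "paypal/wpp/api_username", "attacker_api1.example.net"),
    ("websites", 1, "paypal/wpp/api_password", "<encrypted>"),
    ("websites", 1, "paypal/wpp/api_signature", "<encrypted>"),
    ("default", 0, "payment/paypal_express/active", "1"),
    ("default", 0, "web/unsecure/base_url", "https://shop.example.com/"),
]

# What the shop owner knows the default-scope values should be (placeholders).
# api_password and api_signature are deliberately absent: Magento stores them
# encrypted with the crypt key from app/etc/local.xml, so plaintext comparison
# (or a plaintext paste via phpMyAdmin) does not work.
EXPECTED_DEFAULT = {
    "paypal/general/business_account": "shop@example.com",
    "paypal/wpp/api_username": "shop_api1.example.com",
}

# The same statement can be run as-is in phpMyAdmin against a Magento 1 database;
# the in-memory SQLite table below only stands in for it.
PAYPAL_QUERY = """
SELECT scope, scope_id, path, value
  FROM core_config_data
 WHERE path LIKE 'paypal/%' OR path LIKE 'payment/paypal%'
 ORDER BY path, scope, scope_id
"""


def load_sample_db(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for core_config_data from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data ("
        " config_id INTEGER PRIMARY KEY, scope TEXT, scope_id INTEGER,"
        " path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


def audit_paypal_config(conn, expected_default=EXPECTED_DEFAULT):
    """Return a list of suspicious PayPal config rows.

    Two checks:
      * any PayPal row at 'websites' or 'stores' scope: Magento resolves config
        most-specific scope first, so such a row silently overrides the value
        shown under 'Default Config' in the admin panel;
      * a default-scope row whose value differs from the owner's known-good value.
    """
    findings = []
    for scope, scope_id, path, value in conn.execute(PAYPAL_QUERY):
        if scope != "default":
            findings.append({"scope": scope, "scope_id": scope_id, "path": path,
                             "value": value, "reason": "scope override"})
        elif path in expected_default and value != expected_default[path]:
            findings.append({"scope": scope, "scope_id": scope_id, "path": path,
                             "value": value, "reason": "differs from expected",
                             "expected": expected_default[path]})
    return findings


if __name__ == "__main__":
    for f in audit_paypal_config(load_sample_db()):
        print(f"[{f['reason']}] {f['scope']}/{f['scope_id']} {f['path']} = {f['value']!r}")
```

On the sample data this flags the four website-scope rows plus the changed default-scope API username. Against a real store, treat any websites/stores-scope PayPal row you did not create yourself as a finding, and fix credentials through the admin panel (or a fresh install, as the reply below recommends) rather than by editing the encrypted columns by hand.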
 
elspood
Magento Team
 
Total Posts:  22
Joined:  2012-05-01
 

Sorry to hear about your store being compromised - it can be a very frustrating experience.

If you aren’t 100% sure about how your store was hacked and what settings were changed, the best solution is probably to rebuild your store with a fresh install on a new operating system/web server in order to clear out any changes the hackers might have made. This may take a long time, but it is the only way to be sure you have removed any back doors the hackers may have installed to maintain their control over your store.

You will need to start with a fresh database, as well. You should save a copy of your existing database, but be careful about copying any of the data over to the new system so you don’t copy the attacker’s back doors onto the new system. If you can avoid it, it’s best not to copy any data to the new system at all.

Good luck!

 