PayPal glitch or Hack? Payments went to a random address
16-10-2019
Question
I'm either looking at a hacking attempt or a temporary PayPal glitch here. We're with PayPal Australia using PayPal Express. We're on Magento CE 1.7.0.2.
Luckily I had the PayPal Express module on debug all the way through. What I've managed to find after a good 4 hours is that the Magento admin wasn't compromised and the 'wrong email' wasn't hardcoded in the file system (according to the timestamps and server logs - who knows if it's a hacker that tidies these things up). A database compromise is looking unlikely too. We're running RDS on EC2.
This issue affected 3 payments. In the logs, first I can see:
[url] => https://api-3t.paypal.com/nvp
[SetExpressCheckout] => Array
    (
        [PAYMENTACTION] => Sale
        [AMT] => 999.00
        [CURRENCYCODE] => AUD
        [RETURNURL] => https://foobar/paypal/express/return/
        [CANCELURL] => https://foobar/paypal/express/cancel/
        [INVNUM] => 9999999
        [SOLUTIONTYPE] => Mark
        [GIROPAYCANCELURL] => https://foobar/paypal/express/cancel/
        [GIROPAYSUCCESSURL] => https://foobar/checkout/onepage/success/
        [BANKTXNPENDINGURL] => https://foobar/checkout/onepage/success/
        [LOCALECODE] => en_AU
        [SUBJECT] => wrong@email.com
        [ITEMAMT] => 999.00
Obviously the wrong part is the [SUBJECT], where the 'possible hacker' put his/her email in somehow, I don't know how. But strangely enough, if this was the work of a hacker, then he/she kindly put everything back for us and erased all traces, reset the timestamps, and removed entries from the server logs.
After 3 payments going to the wrong email address, this shows up in the log:
[exception] => Requested wrong@email.com and configured right@email.com merchant emails do not match.
Then the order after that, the payments resume going to the right address.
Now, that's a lot of background information but my question is - when is the exact time that the PayPal module logs the array [SetExpressCheckout]? Is it possible that Magento has already gotten a response back from PayPal at this stage - or is that email definitely originating from our server?
We're using the Magento one page checkout.
EDIT: I do notice that the single log entry contains the PayPal response as well - so at the time of Magento logging this information, it's already heard back from PayPal. Very puzzling stuff but nevertheless interesting.
Solution
I've written the following bash script as a way to be notified if this issue happens again. It does seem likely to be a PayPal glitch as it wasn't hard to find other people who have had the same issue in the past:
http://www.magentocommerce.com/boards/viewthread/323726/
http://www.magentocommerce.com/boards/viewthread/333281/
Anyway, here's the script if it helps anyone. I have it in my crontab to run every 5 minutes.
#!/bin/bash
# Pull every log line that carries the merchant (payee) email, then drop the ones
# that name the store's own PayPal account. Anything left over is suspicious.
LOG=/var/www/var/log/payment_paypal_express.log
STRAY=$(fgrep -e '[SUBJECT]' -e '[PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID]' -e '[business]' -e '[receiver_email]' "$LOG" | fgrep -v 'paypal@foobar')
if [ -n "$STRAY" ]; then
    # Mail the offending lines, then rotate the log so they are not reported again next run.
    echo "$STRAY" | mail -s 'PayPal Express Alert' me@foobar
    mv "$LOG" "/var/www/var/log/payment_paypal_express_$(date -d "today" +"%Y%m%d%H%M").log"
else
    echo 'All good.' | mail -s 'PayPal Express OK' me@foobar
fi
Cron set to run every 5 minutes:
*/5 * * * * /bin/sh /home/ubuntu/paypal-express-check.sh
Obviously you would need to change paypal@foobar to the store's PayPal address, me@foobar to your own, and change the directories to fit your file system.
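A more precise version of the same check, added here as an example and not part of the answer above: instead of grepping for the raw strings it extracts the value of each merchant-email key the answer lists, compares it case-insensitively with the store's PayPal account, and reports the key and the stray value. The log content is constructed for the demonstration; the function name and the key list are my own.

```bash
#!/bin/bash
# Added example, not the poster's script: report every merchant-email field in a
# Magento payment_paypal_express.log whose value is not the store's own PayPal
# account. The log below is constructed for the demonstration.
set -u
# Log keys that carry the merchant (payee) account in the NVP/IPN debug output.
MERCHANT_KEYS='SUBJECT|PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID|business|receiver_email'
# find_mismatched_merchant_emails LOGFILE EXPECTED_EMAIL
# Prints "<key> <value>" per field whose value differs from EXPECTED_EMAIL
# (case-insensitive); returns 1 if any mismatch was found, 0 otherwise.
find_mismatched_merchant_emails() {
    local log="$1" expected="$2" hits
    hits=$(sed -nE "s/^[[:space:]]*\[(${MERCHANT_KEYS})\][[:space:]]*=>[[:space:]]*(.*)$/\1 \2/p" "$log" \
        | awk -v want="$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" \
              'tolower($2) != want { print }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
# Constructed sample log: one request to the right account, one to a stray one,
# and one IPN with the right account in a different letter case.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[SetExpressCheckout] => Array
    (
        [AMT] => 999.00
        [SUBJECT] => paypal@foobar
    )
[SetExpressCheckout] => Array
    (
        [AMT] => 49.95
        [SUBJECT] => wrong@email.com
        [PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID] => wrong@email.com
    )
[IPN] => Array
    (
        [receiver_email] => PayPal@Foobar
    )
EOF
# Same decision the cron script makes: alert on any mismatch, otherwise "All good."
if find_mismatched_merchant_emails "$SAMPLE_LOG" 'paypal@foobar'; then
    echo 'All good.'
else
    echo 'Merchant email mismatch found (offending lines above).' >&2
fi
```

Run against the real log, the two offending lines for the sample would be `SUBJECT wrong@email.com` and `PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID wrong@email.com`, which can be piped to `mail` exactly as in the answer's script.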