Question

I'm either looking at a hacking attempt or a temporary PayPal glitch here. We're with PayPal Australia using PayPal Express. We're on Magento CE 1.7.0.2.

Luckily I had the PayPal Express module on debug all the way through. What I've managed to find after a good 4 hours is that the Magento admin wasn't compromised or the 'wrong email' wasn't hardcoded in the file system (according to the timestamp and server logs - who knows if it's a hacker that tidies these things up). A database compromise is looking unlikely too. We're running RDS on EC2.

This issue affected 3 payments. In the logs, first I can see:

[url] => https://api-3t.paypal.com/nvp
[SetExpressCheckout] => Array
    (
        [PAYMENTACTION] => Sale
        [AMT] => 999.00
        [CURRENCYCODE] => AUD
        [RETURNURL] => https://foobar/paypal/express/return/
        [CANCELURL] => https://foobar/paypal/express/cancel/
        [INVNUM] => 9999999
        [SOLUTIONTYPE] => Mark
        [GIROPAYCANCELURL] => https://foobar/paypal/express/cancel/
        [GIROPAYSUCCESSURL] => https://foobar/checkout/onepage/success/
        [BANKTXNPENDINGURL] => https://foobar/checkout/onepage/success/
        [LOCALECODE] => en_AU
        [SUBJECT] => wrong@email.com
        [ITEMAMT] => 999.00

Obviously the wrong part is the [SUBJECT] where the 'possible hacker' put his/her email in somehow, I don't know how. But strangely enough, if this was the work of a hacker, then he/she kindly put everything back for us and erased all traces, reset the timestamps, and removed entries from the server logs.

After 3 payments going to the wrong email address, this shows up in the log:

[exception] => Requested wrong@email.com and configured right@email.com merchant emails do not match.

Then the order after that, the payments resume going to the right address.

Now, that's a lot of background information but my question is - when is the exact time that the PayPal module logs the array [SetExpressCheckout]? Is it possible that Magento has already gotten a response back from PayPal at this stage - or is that email definitely originating from our server?

We're using the Magento one page checkout.

EDIT: I do notice that the single log entry contains the PayPal response as well - so at the time of Magento logging this information, it's already heard back from PayPal. Very puzzling stuff but nevertheless interesting.


Solution

I've written the following bash script as a way to be notified if this issue happens again. It does seem likely to be a PayPal glitch, as it wasn't hard to find other people that have had the same issue in the past:

http://www.magentocommerce.com/boards/viewthread/323726/
http://www.magentocommerce.com/boards/viewthread/333281/

Anyway, here's the script if it helps anyone. I have it in my crontab to run every 5 minutes.

#!/bin/bash
# Scan the Magento PayPal Express debug log for any merchant-identifying field
# (request SUBJECT / seller account id, IPN business / receiver_email) that does
# not reference the store's own PayPal account.
LOG=/var/www/var/log/payment_paypal_express.log
STORE_PAYPAL='paypal@foobar'
ALERT_TO='me@foobar'

MATCHES=$(grep -F -e '[SUBJECT]' -e '[PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID]' -e '[business]' -e '[receiver_email]' "$LOG" | grep -F -v "$STORE_PAYPAL")

if [ -n "$MATCHES" ]; then
    # Mail the offending lines, then rotate the log so the same entries are not reported again.
    printf '%s\n' "$MATCHES" | mail -s 'PayPal Express Alert' "$ALERT_TO"
    mv "$LOG" "${LOG%.log}_$(date +"%Y%m%d%H%M").log"
else
    echo 'All good.' | mail -s 'PayPal Express OK' "$ALERT_TO"
fi

Cron set to run every 5 minutes:

*/5 * * * * /bin/sh /home/ubuntu/paypal-express-check.sh

Obviously you would need to change paypal@foobar to the store's PayPal address, me@foobar to your own, and change the directories to fit your file system.
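The grep above tells you that a foreign merchant email appeared somewhere in the log, but not which orders it belonged to. The following Python script is an added example, not code from the original answer or from Magento: it parses the print_r-style dump shown in the question (top-level keys at column 0, nested request arrays indented), ties every merchant-identifying field to the INVNUM of its request, and also surfaces the "merchant emails do not match" exception entries. The `[response]` array name, the tokens and the three sample entries are constructed for illustration.

```python
import re

# Request/IPN fields that identify which PayPal account receives the money.
MERCHANT_FIELDS = ("SUBJECT", "PAYMENTREQUEST_0_SELLERPAYPALACCOUNTID",
                   "business", "receiver_email")

# Matches one print_r line such as "        [SUBJECT] => wrong@email.com".
KV_RE = re.compile(r"^\s*\[([^\]]+)\] => (.*)$")

# Constructed sample of payment_paypal_express.log (not a real capture).
# Entry 1: request sent with the wrong SUBJECT, PayPal still answered Success.
# Entry 2: normal request.  Entry 3: Magento's own merchant-email check fired.
SAMPLE_LOG = """\
[url] => https://api-3t.paypal.com/nvp
[SetExpressCheckout] => Array
    (
        [PAYMENTACTION] => Sale
        [AMT] => 999.00
        [CURRENCYCODE] => AUD
        [INVNUM] => 9999999
        [SUBJECT] => wrong@email.com
        [ITEMAMT] => 999.00
    )
[response] => Array
    (
        [TOKEN] => EC-CONSTRUCTED00001
        [ACK] => Success
    )
[url] => https://api-3t.paypal.com/nvp
[SetExpressCheckout] => Array
    (
        [PAYMENTACTION] => Sale
        [AMT] => 49.95
        [CURRENCYCODE] => AUD
        [INVNUM] => 10000000
        [SUBJECT] => right@email.com
    )
[response] => Array
    (
        [TOKEN] => EC-CONSTRUCTED00002
        [ACK] => Success
    )
[url] => https://api-3t.paypal.com/nvp
[SetExpressCheckout] => Array
    (
        [INVNUM] => 10000001
        [SUBJECT] => wrong@email.com
    )
[exception] => Requested wrong@email.com and configured right@email.com merchant emails do not match.
"""


def parse_entries(log_text):
    """Split the log into entries; a new entry starts at every top-level [url] line.

    Each entry is a dict: scalar top-level keys (url, exception) map to strings,
    array keys (SetExpressCheckout, response, ...) map to a dict of their fields.
    Assumes the layout shown in the question: top-level keys at column 0.
    """
    entries, current, section = [], None, None
    for line in log_text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue                      # "(" / ")" / timestamp lines
        key, value = m.group(1), m.group(2).strip()
        top_level = len(line) - len(line.lstrip()) == 0
        if top_level and key == "url":
            current, section = {"url": value}, None
            entries.append(current)
        elif current is None:
            continue                      # data before the first [url] line
        elif top_level and value == "Array":
            section = key
            current[section] = {}
        elif top_level:
            current[key] = value
        elif section is not None:
            current[section][key] = value
    return entries


def find_mismatches(entries, configured_email):
    """Return (section, INVNUM, field, value) for every merchant field
    that does not name the configured PayPal account."""
    hits = []
    want = configured_email.lower()
    for entry in entries:
        for name, fields in entry.items():
            if not isinstance(fields, dict):
                continue
            invnum = fields.get("INVNUM", "?")
            for field in MERCHANT_FIELDS:
                value = fields.get(field)
                if value is not None and value.lower() != want:
                    hits.append((name, invnum, field, value))
    return hits


def logged_exceptions(entries):
    """Return (INVNUM, message) for entries in which Magento logged an exception."""
    return [(e.get("SetExpressCheckout", {}).get("INVNUM", "?"), e["exception"])
            for e in entries if "exception" in e]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for hit in find_mismatches(parsed, "right@email.com"):
        print("MISMATCH section=%s invnum=%s %s=%s" % hit)
    for invnum, msg in logged_exceptions(parsed):
        print("EXCEPTION invnum=%s %s" % (invnum, msg))
```

Run it against the real log instead of `SAMPLE_LOG` (`parse_entries(open(path).read())`) and feed the hit list to `mail` the same way the bash script does; the INVNUM column is what lets you pull the affected orders from the admin and chase the refund, and the exception list shows where Magento's own merchant-email check started refusing the bad value.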

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange