Text only | Text with Images

VirtueMart Forum

VirtueMart 2 + 3 + 4 => General Questions => Topic started by: Kuubs on September 07, 2020, 15:35:44 PM

Title: 100% discount, no payment method selected, free product
Post by: Kuubs on September 07, 2020, 15:35:44 PM
Hello,

I got a major problem with one of my websites. Running the latest Joomla version 3.9.21 and running the latest Virtuemart 3.8.4 with PHP version 7.4.9.

There is an order with 100% discount. And the coupon code is used, it's the last name of the customer, but I don't have that coupon code.

https://imgur.com/a/ChgadIm

Also there is no payment method selected, while I only have 1 payment method. And when the order was placed, it automatically went to the confirmed status, without being paid, see the screenshot. Is this a known bug? Very major leak I think.

Any idea what the issue might be?
Title: Re: 100% discount, no payment method selected, free product
Post by: jenkinhill on September 07, 2020, 16:19:36 PM
Any possibility the sie has been hacked? Any out of date 3rd party extensions?
Title: Re: 100% discount, no payment method selected, free product
Post by: Kuubs on September 08, 2020, 10:52:56 AM
Quote from: jenkinhill on September 07, 2020, 16:19:36 PM
Any possibility the sie has been hacked? Any out of date 3rd party extensions?

No that is not a possibility, I don't see anything weird in the logs. Also every 3rd party plugin I use is up to date, that is why I found it extremely weird. I haven't seen this ever, and I am using Virtuemart for quite some time now.

That is why I thought it's some kind of leak?
Title: Re: 100% discount, no payment method selected, free product
Post by: jenkinhill on September 08, 2020, 11:12:21 AM
Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?
Title: Re: 100% discount, no payment method selected, free product
Post by: Kuubs on September 08, 2020, 23:26:51 PM
Quote from: jenkinhill on September 08, 2020, 11:12:21 AM
Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?

No I don't have a 100% coupon code. I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S
Title: Re: 100% discount, no payment method selected, free product
Post by: StefanSTS on September 09, 2020, 12:02:39 PM
Quote from: Huubs on September 08, 2020, 10:52:56 AM
No that is not a possibility, I don't see anything weird in the logs.
....
I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S
Thank god, then it might have been just a glitch in the matrix.
Or a difference between local time and server time.


Quote from: Huubs on September 08, 2020, 10:52:56 AM
That is why I thought it's some kind of leak?

How do you define leak?
Probably a security leak, like a weak password, or a person with access to the backend.
But thank god, hacked is not a possibility. Or maybe?

Personally if there is no possibility for a hack, I run a check with mysites.guru.
Devastating what that tells me about how hacked sites are sometimes.

Stefan
Title: Re: 100% discount, no payment method selected, free product
Post by: Studio 42 on September 10, 2020, 23:37:49 PM
I think that someone :
- found the admin credentials(or used a hack)
- added product to basket
- generated a coupon.
- used the coupon
- confirmed the order
- removed the coupon.
You can check if the coupons IDs have a hole in the sequence, if this is the case then my theory is certainly right.
Text only | Text with Images