FluxCP
Paypal Hack detect php 7.4
After updating my PHP to 7.4, my PayPal system stopped confirming donations. I receive these messages in the PayPal log:
[2020-10-27 00:42:52] Received notification from unknown ()
[2020-10-27 00:42:52] Transaction invalid, aborting.
[2020-10-27 00:42:52] Hack detected!
[2020-11-01 06:01:18] Received notification from unknown ()
[2020-11-01 06:01:18] Transaction invalid, aborting.
[2020-11-01 06:01:18] Hack detected!
Probably your web server (nginx/Apache) doesn't provide the correct IP address to PHP.
Received notification from unknown ()
This should not be unknown in any real case. You can check it with this small script https://gist.github.com/sanasol/c7cce1fe27b581301ffb048b284787d3 Upload to your server and run via browser.
When using the script it showed my IP address number. One detail is that I received 2 donations in a single day. One of the donates released automatically and the other generated the hacker log:
[2020-11-09 18:55:38] Received notification from unknown ()
[2020-11-09 18:55:38] Transaction invalid, aborting.
[2020-11-09 18:55:38] Hack detected!
@sanasol
Try checking the nginx access.log. Rows with access to the notify page.
Maybe some PayPal IP isn't resolved correctly by gethostbyaddr().
I understand, and if I don't have nginx installed, is there any other alternative?
apache access log then
Default paths:
/var/log/apache/access.log
/var/log/apache2/access.log
/etc/httpd/logs/access_log
/var/log/apache2/access.log
I found, what needs to be identified?
cat /var/log/apache2/access.log | grep 'notify'
Check this, should show paypal requests.
| grep 'notify'
/var/log/apache2/access_log /var/log/apache2/error_log
I see these 2 files, the .log is not available
cat /var/log/apache2/access_log | grep 'notify'
Just old information, nothing recent. No logs for this year appeared
https://github.com/rathena/FluxCP/blob/master/lib/Flux/PaymentNotifyRequest.php#L139
You can replace this line
if (in_array($received_from, $allowed_hosts) && $this->verify()) {
with
if ($this->verify()) {
To disable the IP check. It will be verified anyway, and known hacks are fixed. So it shouldn't affect anything other than accepting your "unknown" donates if they were actually made.
No more ideas what to check without logs)
Maybe there is some configuration in php that I need to activate to solve this problem? Module? This started to happen when I installed php 7.4. When I used php 7.1 this did not happen.
I don't see any changes related to IP addr between 7.1-7.4
I will make this change and test.
I figured it could be something that I installed or failed to install that would generate this conflict. But the problem should occur with all donates, not just a few. Can SiteLock affect this?
Can SiteLock affect this?
If it is something like CloudFlare - yes.
So that must be it, most likely. Thanks
It was working fine with this change until I added SSL on my domain. From now on, some transactions are released automatically, and others are set to Hack Detect.
[2021-11-13 03:56:55] Received notification from 10.213.97.102, unknown ()
[2021-11-13 03:56:55] Query string: cmd=_notify-validate&mc_gross=20.00&settle_amount=95.85&protection_eligibility=Ineligible&payer_id=WQJJ0FGKM33VQ&payment_date=22%3A56%3A48+Nov+12%2C+2021+PST&payment_status=Completed&charset=windows-1252&first_name=Axels&mc_fee=1.58&exchange_rate=5.20376&notify_version=3.9&custom=YToyO3tzOjEx5iJzZXJ2ZXJfbmFtZSI7czo6NToiUmFnbm7Sb2NrIFJhZ25hcm9rIE9ubGl2ZSI7czoxMDoiYWNjb3VudF9pZCI7czo3OiIyMzE0NzMxIjt9&settle_currency=BRL&payer_status=unverified&business=bad4r0sk1%40yahoo.com.br&quantity=1&verify_sign=A42cNQlW3oS2NAfmek26WsgAfA-6Ai32YkBgxAqfuAGtxKqZ6790QiH4&payer_email=axelesxoblivione%40gmail.com&txn_id=16V45178BK741523G&payment_type=instant&last_name=Ocampo+Hernandez&receiver_email=badarosko1%40yahoo.com.br&payment_fee=1.58&shipping_discount=0.00&insurance_amount=0.00&receiver_id=HXMR55S9XBD3A&txn_type=web_accept&item_name=Donation+Credits%3A+20+CREDIT%28s%29&discount=0.00&mc_currency=USD&item_number=&residence_country=MX&shipping_method=Default&transaction_subject=YToyOntzOjExOJzxXJ2ZXJfbmFiZSI7czoyNToiUmFnbmFSb2NrIFJhZ25hcm9rIE9ubGluZSI7czoxMDoiYWNjb3VudF9pZCI7czo3OiIMzE0NzMxIjt9&payment_gross=20.00&ipn_track_id=f87519791d240
[2021-11-13 03:56:55] Establishing connection to PayPal server at www.paypal.com:443...
[2021-11-13 03:56:55] Connected. Sending request back to PayPal...
[2021-11-13 03:56:55] Sent 1144 bytes of transaction data. Request size: 1289 bytes.
[2021-11-13 03:56:55] Reading back response from PayPal...
[2021-11-13 03:56:56] Notification failed to verify. (recv: <HTML><BODY>FATAL FAILURE <BR></BODY></HTML>)
[2021-11-13 03:56:56] Transaction invalid, aborting.
[2021-11-13 03:56:56] Hack detected!
Any idea what I can do to resolve the hack detect? @sanasol
@Badarosk0 https://www.paypal-community.com/t5/PayPal-Reporting/IPN-Failing-with-Fatal-Failure/td-p/2840623/page/2 looks like a PayPal problem, but no information about fixes
So this seems to be recent. A new problem perhaps. But there are some donates that work well, but others experience this problem.
Would it be possible to bypass hack detect? If yes, would this be safe?
@Badarosk0 this is not a hack detect problem anyway; it won't verify the transaction since PayPal returns a fatal error instead of an "ok" status.
This was a misconfiguration on SSL. Everything is working fine now. This paypal error has now disappeared.
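Added example (not part of the thread and not FluxCP code): the two log patterns posted above both end in "Hack detected!" but have different causes, and this Python script separates them so the right layer gets debugged. It assumes the log format shown in the excerpts; the function names and cause labels are illustrative.

```python
import ipaddress
import re

# Sample input: selected lines from the log excerpts in this thread.
SAMPLE_LOG = """\
[2020-10-27 00:42:52] Received notification from unknown ()
[2020-10-27 00:42:52] Hack detected!
[2021-11-13 03:56:55] Received notification from 10.213.97.102, unknown ()
[2021-11-13 03:56:55] Establishing connection to PayPal server at www.paypal.com:443...
[2021-11-13 03:56:56] Notification failed to verify. (recv: <HTML><BODY>FATAL FAILURE <BR></BODY></HTML>)
[2021-11-13 03:56:56] Hack detected!
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
SENDER = re.compile(r"^Received notification from (?:(?P<ip>[0-9A-Fa-f.:]+), )?(?P<host>\S+)")
RECV = re.compile(r"^Notification failed to verify\. \(recv: (?P<body>.*)\)$")

def is_internal(ip):
    """True if the logged source is not a public address (PHP saw a proxy hop)."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except (TypeError, ValueError):  # missing or malformed address
        return False

def triage(log_text):
    """Return one dict per 'Hack detected!' event with its likely cause."""
    events, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if s := SENDER.match(msg):  # a new notification starts here
            cur = {"ts": m["ts"], "ip": s["ip"], "host": s["host"],
                   "reached_paypal": False, "recv": None}
        elif cur is None:
            continue
        elif msg.startswith("Establishing connection to PayPal"):
            cur["reached_paypal"] = True
        elif r := RECV.match(msg):
            cur["recv"] = r["body"]
        elif msg.startswith("Hack detected!"):
            # verify-failed: PayPal's reply was not accepted;
            # sender-not-allowed: rejected before any verification attempt.
            cur["cause"] = ("verify-failed" if cur["recv"] is not None
                            else "sender-not-allowed" if not cur["reached_paypal"]
                            else "unknown")
            cur["internal_source"] = is_internal(cur["ip"])
            events.append(cur)
            cur = None
    return events
```

On the sample, the 2020 event is rejected before any connection to PayPal is made, while the 2021 event reaches PayPal and fails on the response, with a private (RFC 1918) source address recorded for the sender.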