FTP into your site and take a look at shopping/checkout/act_save_order.cfm. Scroll down until you see the query that INSERTS into Order_no. The line number will depend on your version.
INSERT INTO #Request.DB_Prefix#Order_No
Now look for:
<cfqueryparam cfsqltype="cf_sql_varchar" value="#attributes.cvv2##attributes.cardnumber#">,
This line should be:
<cfqueryparam cfsqltype="cf_sql_varchar" value="#PO_Number#" null="#YesNoFormat(NOT len(PO_Number))#”>,
We've seen a hack that changed that line. They injected a PHP script so check your site and server. There's no error for online, CC orders just offline because the payment form doesn't submit a CVV number.