 javascript hack
rvaga
VP-CART Super User

USA
254 Posts

Posted - August 18 2008 :  18:12:22
Hello All! Haven't posted for quite a while, but that's because everything with VPASP has run so smoothly!

One of our computers is an old Mac G3, running system 9.1. I noticed it would hang on pages, and at the bottom of the screen was repeated flashing of a javascript the G3 could not render. The PCs found it, at least the PCs did not hang (so I never would have noticed).

On shopcategories page, I looked at the source. In the title meta tag (I have dynamic titles on), there was a javascript inserted, some sort of adware link with a .cn at the end. In looking around, I found that every one of my 178 categories had the bogus script inserted in catdescription. The script started with a closed title tag, then the javascript. This was invisible to the customer, as well as to me. The script was trying to access a script in folder E (which does exist), but I checked folder E and there was no .js file. It would seem this was an incomplete hack, they couldn't figure out how to actually place the linked script into the folder (I'm guessing this is correct, I'm no expert by any means...).

I exported my categories, removed the script with Excel, and uploaded back to SQL2000. All is well, for now.

As to how this script was inserted, beats me. Could have been through the customer contact input, or somewhere else?

If the above is old news, sorry for the repeat. But I thought I'd let everyone know of this hack, and suggest to all to check the source code on shopdisplaycategories as well as any other pages, to make sure you do not have this bogus javascript inserted as part of your title metatag.

support
Administrator

4679 Posts

Posted - August 18 2008 :  19:44:52
Hi Rein,

This is a known problem. You need to download the latest security patches and also run the cleanser routines.

To ensure the security of your site, we recommend the following:

1. Ensure you have all fixes applied to your site.
These are available from -
http://www.vpasp.com/sales/securitypatches.asp

2. Use the BYZ Hack Check Tool
Download this tool from http://bigyellowzone.com/shopexd.asp?id=146 and run it on your site. It will detail if any potential injections exist in your database.

3. Use the VPASP Data Scrubber Tool
Download this tool from our site at https://www.vpasp.com/sales/securitypatches.asp

Using the results from the BYZ Hack Check Tool, you can remove the reported hacks from your database.

For example, if the BYZ tool reports a hack in products.cdescription, you would enter "products" into the table name field and "cdescription" into the field name field of the Data Scrubber Tool (both without quotes).

4. Again run the BYZ Hack Check Tool to check whether all instances of the hack script have been removed from your database.

5. Run a virus scan over your computer

The latest patches block this issue.

If you need assistance then you can post in our helpdesk at:

https://helpdesk.vpasp.com

Thanks
Cam

VP-ASP Support
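
The detect, scrub and re-check loop in steps 2 to 4 above depends on knowing which table and column hold injected markup. As an added example (not part of the original post, and not the BYZ tool's or VP-ASP's own code), this read-only T-SQL lists every character column in the current database that has rows containing `<script`; the temp table name `#hits` and the search pattern are assumptions.

```sql
-- Added example: read-only scan for script markup in every character column.
-- Run it while connected to the shop database.
-- #hits and the '<script' pattern are assumptions, not from the thread.
SET NOCOUNT ON

CREATE TABLE #hits (
    table_schema sysname,
    table_name   sysname,
    column_name  sysname,
    suspect_rows int
)

DECLARE @schema sysname, @tbl sysname, @col sysname, @sql nvarchar(4000)

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'           -- skip views
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')

OPEN col_cursor
FETCH NEXT FROM col_cursor INTO @schema, @tbl, @col

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets identifiers so unusual table names cannot break the query.
    -- LIKE works on text/ntext; matching is case-insensitive under the default collation.
    SET @sql = N'INSERT INTO #hits SELECT '
        + QUOTENAME(@schema, '''') + N', ' + QUOTENAME(@tbl, '''') + N', '
        + QUOTENAME(@col, '''')
        + N', COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@tbl)
        + N' WHERE ' + QUOTENAME(@col) + N' LIKE ''%<script%'''
    EXEC sp_executesql @sql
    FETCH NEXT FROM col_cursor INTO @schema, @tbl, @col
END

CLOSE col_cursor
DEALLOCATE col_cursor

-- Only columns with at least one suspect row are reported.
SELECT table_schema, table_name, column_name, suspect_rows
FROM #hits
WHERE suspect_rows > 0
ORDER BY suspect_rows DESC

DROP TABLE #hits
```

Run it before scrubbing and again afterwards; an empty result on the second run corresponds to step 4.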

rvaga
VP-CART Super User

USA
254 Posts

Posted - August 19 2008 :  00:11:36
Hi Cam,

Thanks very much for the detailed response. I do realize that security is (or should be) an ongoing concern. I'm a bit lazy, much like getting my car fixed after something blows, instead of preventative maintenance!

Not sure you would want to answer this, but I'm curious. What is it this particular script/hack was trying to accomplish? It seemed like it was trying to link to something to do with adware, so perhaps looking for email addresses?

I will be sure to go through the links and process you outlined above. Thanks again for the quick feedback.

RV

support
Administrator

4679 Posts

Posted - August 19 2008 :  04:44:13
Hi Rein

It looks like the script tries to get your customers to download a trojan. Any PC that is unprotected by antivirus will be affected.

This is a very serious issue and you should get onto the patches straight away.

If you use Winmerge it is not so daunting a task. You can download for free from www.winmerge.org

Thanks
Cam

VP-ASP Support

SDCPieter
VP-CART New User

United Arab Emirates
57 Posts

Posted - August 19 2008 :  05:05:38
SQL Injection attacks inject the rogue javascript element. Depending on what they want to achieve, I've found that they either install a tracking cookie on the user's machine, try to redirect them to a Flash vulnerable website (which will then install a trojan), etc.

The way SQL Injection attacks work is simple. If the user account used (You're using SQL Server) has access to the master table (which I assume you're just using the sa password for right?) then the attacker could then (when they find the hole) query the database directly to figure out your table/column structure.

Once they have that they can then run update statements to their liking. The ></title><!-- hack is a new one I found the other day.

To prevent this, create a new user and grant it owner rights of ONLY the database concerned (not the master database) thus preventing the guys from querying the database to figure out its table/column structure to be able to infect you.

Because of the nature of descriptive tables used in VPASP it would be fairly easy to just guess table names and go from there. This is why you need to make sure where these guys come in from so that you can plug the hole.

By preventing access to the master database and using a separate user account (not sa!) you will prevent these types of attacks most of the time.

Another thing you might want to enable on your IIS (assuming you have access to it) is Friendly ASP error messages. Detailed ASP error messages give the hacker a lot of information to be able to do his job. If they are met with a generic "Please contact the system administrator" message, they can do squat. (This does make it a bit more difficult for you to debug code in case you need to, but it's not the end of the world and I will always recommend having a mirror copy of your site on a development machine somewhere if you need to make changes or customizations.)

-
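
The account change recommended above, as an added example that is not part of the original post: T-SQL using SQL Server 2000 system procedures to create a login that owns only the shop database and holds no server-level role, followed by checks. The names `shopdb` and `shop_web` and the password placeholder are assumptions.

```sql
-- Added example. shopdb, shop_web and the password are placeholders (assumptions).
-- Run once, as an administrator, from Query Analyzer or osql.

-- 1. A dedicated SQL login whose default database is the shop, not master.
EXEC sp_addlogin
     @loginame = 'shop_web',
     @passwd   = 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD',
     @defdb    = 'shopdb'
GO

-- 2. Map the login into the shop database only and make it owner there,
--    as the post suggests. It is not added to any other database.
USE shopdb
GO
EXEC sp_grantdbaccess @loginame = 'shop_web', @name_in_db = 'shop_web'
EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'shop_web'
GO

-- 3. Check the new login's server-wide roles.
--    A value of 1 in either column means it still has server-level rights.
SELECT IS_SRVROLEMEMBER('sysadmin', 'shop_web')    AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin', 'shop_web') AS is_serveradmin
GO

-- 4. Run this over the web site's own connection after its connection string
--    has been switched from sa to shop_web, to confirm what the site really uses.
SELECT SUSER_SNAME()                AS connected_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner,
       DB_NAME()                    AS current_database
GO
```

A db_owner account can still read and update every table in the shop database, so this limits how far an injection reaches; the security patches are what block the injection itself.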

SDCPieter
VP-CART New User

United Arab Emirates
57 Posts

Posted - August 19 2008 :  05:17:30
I will post a FREE search and replace query that I wrote for SQL Server.

However, I would recommend upgrading to SQL 2005 as it has a much more powerful replacement query for ntext/text columns.

-