| Author |
 Topic  |
|
|
kevinmcm1
Starting Member
2 Posts |
 Posted - June 14 2004 : 12:59:52
|
My clients site was hacked recently and I would like to avoid the same mistakes in future. We are not sure how they gained access or when exactly, it appears that it occurred some time in early May. We have 2 suspicious IPs (Romania & Pakistan) logged in as ADMIN.
My clients shop runs on a SSL server seperate from their own website. Admin page was changed at tim eof installation, passwords changed, DB name changed. I did not remove all files as detailed in the security fixes.
Questions -
1)Is running the DB in the same folder, even if it is on a SSL server a definite no?
2)How did they find the admin page?
3)How did they figure out how to logon and change the admin passwords?
4)how much damage can be done by leaving files like convert...asp in the same folder as the installation
5)what security issues have been dealt with in v5.0 that can help minimise security breaches?
I am at a loss right now to figure out exactly what has happened. With hindsight there were additional steps that could have been taken and as well as folowing every step detailed on the security pages. I thought the combination of SSL server (DB cant be downloaded by browsing), non-default admin page and passwords would have gone a long way to secureing the site but obviously not.
Kevin.
|
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - June 14 2004 : 14:36:26
|
if the database is in the same folder as all the other files, then all other security options will be pretty much useless because they'll simply be able to download the entire database and find out whatever they need to know from that (apart from secondary passwords, which are kind of like the last line of defence).
they might have found/downloaded the database before (or after) some security measures were put in place, and hence found a back-door for later. I wouldn't want to go into details here about how something like that can be done because it'd be giving hackers advice, which I most definitely don't want to do!
I wasn't aware that ssl would stop the database from being downloaded, but I guess that might be true; I simply don't know.
If all the security advice from vpasp is followed, then you'll be secure, but after a hack's been made while you were vulnerable, you obviously need to move things around again to make sure they can't get back in again.
Check your database records for any spurious data that hackers might have entered.
Hackers are constantly trying to check the vulnerability of sites; it happens to everyone even if they're not aware of it.
My advice is to make sure all the latest vpasp-advised fixes/changes are in place, and then go through the security process again (re-naming, changing id/pwds etc), and then to continue that process on a regular basis.
And always go through that process after a contractor's finished working on your site, even if you trust them completely; most reputable developers will advise you to do that after they've finished.
My attitude when working on clients' sites is certainly along the lines of "after I've finished, I don't want to be able to get in there again without your say-so!"
Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons |
 |
|
|
Cam
VP-CART Super User
Australia
361 Posts |
Posted - June 14 2004 : 21:22:37
|
One of the ways to test your database is safe if using Access is to try and download it using a web browser. Type in the address of your database and if it downloads contact your web host immediately and ask them to do the following:
Remove read permissions in IIS to the database folder.
Add read/write permissions to the database folder in NTFS.
If they cannot do this or do not know how to do this i would suggest changing hosts as this is an integral part of the security of your site.
SSL does NOT stop the db from being able to be downloaded. Only the protections above do. Ideally the database should be stored in an "off-web" location but many hosts do not offer this so the above is required to protect the databse.
Ensure you have the admin page renamed and use the 2nd password. Do not have xshowadmin set to Yes. This will onyl enable hackers to locate your site.
While not a requirement we do recommend you use our admin security add-on that sends an email to the site owner whenever the admin is accessed or a hacker attempts to enter.
http://www.yourvirtualstore.net/rocksalt_v.5/shopexd.asp?id=132
Remove all files starting with "c" and the "diag_" files.
Always keep your passwords secret.
Hope this helps.
Thanks,
Cam
*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net
Build you own YourVirtualStore!!!
www.yourvirtualstore.net
************************************* |
|
|
|
kevinmcm1
Starting Member
2 Posts |
Posted - June 14 2004 : 23:40:43
|
Thanks for the replies.
The database is not downloadable via browsing. xshowadmin was set yo NO. Not all all files starting with "c" and the "diag_" files had been removed at the time we first became suspicious of hacker activity. It was a customer who was sure that the only place his card had been used was on the site. At the time nothing looked out of place, database seemed in order, passwords had not been altered etc. That was over a month ago, security was tightened and the fraudulent activity happened last week, Wed and then on Friday when the passwords were changed.
A few things need to be changed, like getting the DB into a hidden folder, implement password changes on regular basis and the 2nd password option is something I was not aware of, so another step to implement. All other steps are in place.
Thanks again, it's been a hard lesson to learn.
Kevin.
|
|
|
|
Cam
VP-CART Super User
Australia
361 Posts |
Posted - June 15 2004 : 01:12:50
|
Another tool we use is Live Support from www.xigla.com.
You don't have to use it as a Live Support system if you don't want to. One of the great features with this is that it allows you to view the IP addresses of visitors to your site and what page they are on. Also if they are trying to do anything clever by hacking using the web address it will show up as well.
Of course it is also a great support tool.
Thanks,
Cam
*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net
Build you own YourVirtualStore!!!
www.yourvirtualstore.net
************************************* |
|
|
|
greatphoto
VP-CART Super User
USA
304 Posts |
Posted - July 03 2004 : 12:37:06
|
A key vulnerability that keeps getting overlooked in the advice I have seen here and on the VP-ASP security recommendations is insecure tranfer of files to and from your server. Please take a look at another post I made:
http://www.vpasp.com/virtprog/vpaspforum/topic.asp?TOPIC_ID=2725
If you aren't using a secure technique to transfer your files, then you are vulnerable. This is not well understood by some ISPs. If would like specific advice on options for secure transfers to your ISP's server, I can give some more details.
|
|
|
| |
Topic |
|
All Forums
Hacked site
New Topic
Printer Friendly
TrustGuard - PCI Security Scanner
