VPCart Forum - Credit card fraud and hackers - Attempted Hacks

apswater
VP-CART Super User

444 Posts

Posted - August 11 2004 : 17:38:23
I have a pretty good stats counter on our VP-ASP system.
Part of that counter is a trace back feature that shows me what people were looking for when they found me.

Here are two :

1:01:52 PM Network 216.126.204.22 mstar-pf1.mstar.net MSIE 6.0 www.google.com

1:01:51 PM Network 65.160.238.180 sprint-65-160-238-180.smf.ragingwire.net Cerberian Drtrs Version-3.1-Build-16 www.google.com

When I back search the Google link (the link is hot on my system) you find that these two little hackers were searching for any websites that have shopadmin.asp. I am sure they are looking for suckers who didn't change the main passwords.

Here is what they both searched on Google.com:

usa shopcustadminlogin.asp

I'll post more IP#'s as I find them but beware, there are many looking for holes in the VP-ASP system.


Cam
VP-CART Super User

Australia
361 Posts

Posted - August 11 2004 : 18:01:01
This is where our Security Test could come in handy.

Thanks,
Cam

*************************************
Cam Flanigan
YourVirtualStore Sales
e-mail:
http://www.vpasp.com/sales/shopcustcontact.asp
web: http://www.yourvirtualstore.net

Build your own YourVirtualStore!!!
www.yourvirtualstore.net
*************************************

Dulrr
VP-CART New User

57 Posts

Posted - August 12 2004 : 08:18:58
A lot of people also search for shopdisplaycategories.asp or shopdisplayproducts.asp, and then proceed to try to open the admin or database test file. A few rather persistent ones even try to brute force the database as well, and it makes me laugh to look at the logs and see the ones who attempt to grab the shop300.mdb, shop350.mdb, etc. etc.

For a while I'd been putting the IPs of those unsuccessful hackers into the Hackers table, but I couldn't find a way to automatically check if the IP was dynamically assigned or not (blocking an AOL IP is especially pointless, and may even block a randomly unlucky legit customer one day) and I got tired of checking them all personally, so I've only got 33 hack IPs stored.

But I think shopdisplaycategories.asp is this month's third most popular search term to find our site...

[edit]Actually, if you include all the variants on shopdisplaycategories.asp (allinurl:..., etc.) it is THE most popular search term! Anybody have any guesses how troublesome it would be to rename shopdisplayproducts and shopdisplaycategories?
~D

Edited by - Dulrr on August 12 2004 09:48:20
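A defender-side log check matching what apswater and Dulrr describe above, added here as an example and not code from the thread or from VP-ASP: it scans constructed web-server log lines for direct requests to default VP-ASP admin or database file names and for Google referrers whose query hunts for shop*.asp pages. The tab-separated log layout, the sample lines and the `search_query`/`classify`/`suspicious_ips` helpers are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample log lines (not from the thread): IP, request, referrer, tab-separated.
SAMPLE_LOG = """\
216.126.204.22\t/shopdisplaycategories.asp\thttp://www.google.com/search?q=allinurl%3Ashopdisplaycategories.asp
65.160.238.180\t/shopadmin.asp\thttp://www.google.com/search?q=usa+shopcustadminlogin.asp
10.0.0.7\t/shop300.mdb\t-
10.0.0.7\t/shop350.mdb\t-
192.0.2.9\t/shopdisplayproducts.asp?cat=12\thttp://www.example.net/links.html
"""

# Default VP-ASP files that only an admin (or a prober) would ever request directly.
PROBE_PATHS = re.compile(
    r"^/(shopadmin1?\.asp|shopcustadminlogin\.asp|shop\d+\.mdb)$", re.I)
# Search queries that locate carts by their default page names.
PROBE_QUERY = re.compile(
    r"(allinurl:|inurl:)?\s*shop(display\w*|admin\w*|custadminlogin)\.asp", re.I)

def search_query(referrer):
    """Return the q= term of a Google referrer, or None for anything else."""
    if not referrer or referrer == "-":
        return None
    u = urlparse(referrer)
    if "google." not in u.netloc:
        return None
    q = parse_qs(u.query).get("q")
    return unquote(q[0]) if q else None

def classify(line):
    """Return (ip, reasons) for one log line; reasons is empty when benign."""
    ip, request, referrer = line.rstrip("\n").split("\t")
    path = request.split("?", 1)[0]
    reasons = []
    if PROBE_PATHS.match(path):
        reasons.append("probe-path")          # direct hit on an admin/db file
    query = search_query(referrer)
    if query and PROBE_QUERY.search(query):
        reasons.append("fingerprint-search")  # arrived via a cart-hunting search
    return ip, reasons

def suspicious_ips(log_text):
    """Map each flagged IP to the set of reasons; benign traffic is omitted."""
    hits = {}
    for line in log_text.splitlines():
        if line.strip():
            ip, reasons = classify(line)
            if reasons:
                hits.setdefault(ip, set()).update(reasons)
    return hits
```

Ordinary customer pages such as shopdisplayproducts.asp are deliberately not flagged on their own; only the referrer query marks them, which is what tells a shop it has been found by a cart-hunting search rather than by a customer.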

leem
Starting Member

United Kingdom
17 Posts

Posted - August 12 2004 : 10:33:46
I have just done a quick search on Google myself. I found a few sites out there using VP-ASP. I can't believe the number of people out there who have not renamed their shopadmin1.asp pages and the number of these sites that have not employed the additional password checks. These people haven't followed the basics outlined in the security document.

leem

Jill
VP-CART Super User

USA
249 Posts

Posted - August 12 2004 : 13:35:04
How troublesome? Wouldn't it just be a matter of Find and Replace all instances of shopdisplaycategories.asp, etc? I know this can be done with some programs (FrontPage) and there is a mention of a small program that will do it somewhere in this forum.

I've always thought that it would be a good idea to rename all the pages.

Jill


keng
VP-CART New User

152 Posts

Posted - August 12 2004 : 13:45:05
quote:
I can't believe the number of people out there who have not renamed their shopadmin1.asp pages
leem

Do you mean shopadmin.asp? If you also suggest to rename shopadmin1.asp what is the best approach?


Dulrr
VP-CART New User

57 Posts

Posted - August 12 2004 : 16:20:13
Yeah, I've got some nice tools handy for changing the links (Dreamweaver), and I suppose running a find/replace to go through database records to update any cross-referencing links would work. It might take a while before the search engines crawl the proper pages again, and as long as shopdisplay__ pages remained in the search engines' caches and indices we'd be getting hits.

quote:
How troublesome? Wouldn't it just be a matter of Find and Replace all instances of shopdisplaycategories.asp, etc? I know this can be done with some programs (FrontPage) and there is a mention of a small program that will do it somewhere in this forum.

I've always thought that it would be a good idea to rename all the pages.

Jill

~D

greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 12 2004 : 20:10:50
I searched a bunch of different references provided by VP-ASP for security recommendations, but did not find any reference to renaming shopadmin1.asp. Am I missing something?

Section 38 of the Developer's Guide (http://www.vpasp.com/virtprog/vpasp500developer.pdf)
http://www.vpasp.com/virtprog/info/faq_securityfixes.htm
http://www.vpasp.com/virtprog/info/faq_security.htm
http://www.vpasp.com/virtprog/info/faq_securitydetails.htm#Administration


Jill
VP-CART Super User

USA
249 Posts

Posted - August 12 2004 : 21:59:22
I don't think anything official has ever been said or written about changing shopadmin1 or shopdisplaycategories or any of the other page names. It's just that the hackers know that these are common to vpasp, so it helps them find us. That's why I think it would be a good idea to change the names.

Jill


rgoetz
Starting Member

USA
29 Posts

Posted - August 14 2004 : 22:48:24
What about the robots.txt file? I kept my cart in a separate folder. Will disallowing that folder in my robots file keep search engines from indexing my cart files?



Rhonda Goetz, CIW-CI
http://esitecreations.com

greatphoto
VP-CART Super User

USA
304 Posts

Posted - August 19 2004 : 22:45:18
So how are the search engine bots even finding any of the admin pages? If you have removed the link to your admin login screen (shopadmin.asp) from your home page and have directory listing disabled, I don't think the search bots should be able to find it.

For example, I just perused the first 11 matches for a google search for inurl:"shopadmin.asp" "Shop Administrators only". At least half of them still had links on their home pages to the admin page. I'm not sure how the others got indexed, but my guess is that either there is still a link to it that I just didn't see, or there was previously a link that got indexed, but has since been removed.

Of course all the normal customer pages such as shopdisplaycategories, shopdisplayproducts, shopaddtocart.asp, shopcustomer.asp, shopcreateorder, shopcheckout, etc are linked within all our sites and therefore will get indexed. If we don't rename them, then our VP-ASP carts will be easily identified through a search.

hmmm....I just got some ideas, but I'm not going to post them here in public. I'll wait until I have time to try out the private security discussion forum....


Cam
VP-CART Super User

Australia
361 Posts

Posted - August 20 2004 : 20:52:01
Hi Nathan,

Have you had a chance to have a look through our security forum? Any input from you would be great.

We have quite a fair number of merchants on there now so any ideas greatly appreciated.

This search engine stuff would be great.

Cheers,
Cam


ProductivePC
VP-CART New User

USA
199 Posts

Posted - August 29 2004 : 22:51:20

Actually, I implemented everything except for renaming the shopadmin1.asp and we just got hacked... They did not get anything. We have been awaiting a customized development of the 5.0 cart so we are still on 4.5. We are not sure how we got hacked. Perhaps an older backup without the security fixes was put into place but I am checking all of that right now. We are pretty sure that it was an SQL Injection; however, I remember a long time ago using the fix for that. They were looking for credit cards and as a rule we do not list nor keep credit card numbers on file.

Here is what I will be implementing to help against hackers coming in. First of all, you said the magic words. They are finding us through Google and searching for allinurl: shopdisplay*.asp. If you are one of the unlucky ones that show up in the 1000 websites then you too will have automated attempts.

To get around that, since most of those pages are dynamic anyway, you can put a script to tell Google not to walk your pages OR just not to cache your pages or save a description. This will prevent those pages from coming up. If you include this into your header.htm file, you will be all set.

Yes, this will prevent any of the pages that you can get to without using session id's from showing up as well but I believe that it is worth it unless you are number one for some highly competitive keyword phrase with that page.

Agent Ransack is the utility you are talking about for searching Jill..... That utility is the best thing since sliced bread. That in combination with NoteTab Pro.... WOW! You find the pages with Agent Ransack and then drop them all into NoteTabPro. NTP has a replace all in all documents function that works instantly. None of this waiting forever for FrontSlop to work and finish stuff.


Straight from Google
http://www.google.com/webmasters/3.html#A1
2. I don't want Google to keep a cached version of my page.

Google automatically takes a "snapshot" of each page it crawls and caches it. This enables us to show the search terms highlighted on text heavy pages so users can find relevant information quickly, and to retrieve pages for users if the site's server temporarily fails. Users can access the cached version by choosing the "Cached" link on the search results page. If you do not want your content to be accessible through Google's cache, you can use the NOARCHIVE meta-tag. Place this in the <HEAD> section of your documents:

If you want to allow other robots to archive your content, but prevent Google's robots from caching, you can use the following tag:

<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
OR
<META NAME="GOOGLEBOT" CONTENT="NOINDEX">

Note that the change will occur the next time Google crawls the page containing the NOARCHIVE tag (typically about once a month). If you want the change to take effect sooner than this, the site owner must contact us and request immediate removal of archived content. Also, the NOARCHIVE directive only controls whether the cached page is shown. To control whether the page is indexed, use the NOINDEX tag; to control whether links are followed, use the NOFOLLOW tag. See the Robots Exclusion page for more information.


Hope it helps.

Wayne
www.WorldFamousGiftBaskets.net

jackbox
VP-CART New User

United Kingdom
72 Posts

Posted - September 06 2004 : 05:00:52
Hmmmm.

Well all this is a bit like trying to camouflage a house that has an open door. It doesn't actually solve the problem and I don't exactly want Google NOT indexing pages.

I'm working with a programmer to scrap the login altogether and build a server side app that talks to the site administrator using a login code of somewhere around 2000 characters.

All shop administrators will go through one central login and have their own app to do this - unique to their site admin. It does mean a server app running and not every ISP will go for that, but I'm determined to find a tighter login system than the one VPASP uses.

I've implemented EVERY security update and made SURE the obvious pages have been renamed etc but STILL they get in. A persistent hacker will find a way - they always do. The only way around this is to think in much bigger terms and be less reliant on a relatively simple login page. Hiding and renaming pages still doesn't solve the inherent problem and any future version of VPASP needs a more heavyweight approach to the admin. I just do not feel comfortable with it. It certainly needs better protection against a brute force attack and the script in this post (http://www.vpasp.com/virtprog/vpaspforum/topic.asp?TOPIC_ID=1802) is one of the better ideas. It just needs expanding. I don't use a fixed IP so it wouldn't really suit as is.


jackbox
VP-CART New User

United Kingdom
72 Posts

Posted - September 09 2004 : 12:29:55
Right, here's our solution. We set up a database at a remote location that stores the IP address of anyone who attempts to incorrectly access the login page (i.e. brute force or fly-by-night chancer). On the fourth attempt it automatically bans that IP with a redirect (should they try again) to something along the lines of "Your IP has been banned. If you are an authorised user you will need to request that your IP address is released". This works for more than one shop and stores the time and date that the site was blocked as well as the URL of the shop. We can do this with sessions, or within a time period of say an hour, or simply 4 bad attempts.

The administrator for blocked IPs has a separate interface independent of the cart/carts and can unblock IPs on request. That way all carts (if more than one) could be covered in one go. If they get banned on one, they'll be banned for any other shop. It runs independently of vp-asp and could apply to almost any login page. Oh one last thing, it also mails the blocked IP administrator, or even the shop owner, so he or she can be alerted that an unsuccessful login was attempted. Not bad for 24 hours eh? Works a little better than manually adding IPs and gives you a fair indication of what's going on at the login page as well as offering better protection.


Edited by - jackbox on September 11 2004 02:54:16

Edited by - jackbox on September 11 2004 02:57:10
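The lockout jackbox describes above (ban on the fourth bad attempt, a one-hour window, one ban list shared by every shop, an admin unblock action, and an alert for the administrator) as an added Python example; this is not jackbox's server-side app nor part of VP-ASP, and the `LoginGuard` class, its method names and the epoch-second timestamps are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 4       # the fourth bad attempt triggers the ban, as in the post
WINDOW_SECONDS = 3600  # only attempts inside this sliding window count

class LoginGuard:
    """Failed-login tracker with one ban list shared by several shops.
    Bans are per IP, so a dynamic or shared address (the AOL case earlier in
    the thread) can lock out a legitimate customer: keep unblock() cheap."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)  # ip -> epoch seconds of bad attempts
        self.banned = {}                    # ip -> {"when": epoch, "shop": url}
        self.alerts = []                    # what would be mailed to the admin

    def is_banned(self, ip):
        return ip in self.banned

    def record_failure(self, ip, shop_url, now=None):
        """Register a bad login at shop_url; True if the IP is (now) banned."""
        now = time.time() if now is None else now
        if ip in self.banned:
            return True
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget attempts outside the window
            q.popleft()
        if len(q) < self.max_attempts:
            return False
        self.banned[ip] = {"when": now, "shop": shop_url}
        self.alerts.append(f"banned {ip} after {len(q)} bad logins at {shop_url}")
        del self.failures[ip]
        return True

    def record_success(self, ip):
        """A good login clears the counter for that address."""
        self.failures.pop(ip, None)

    def unblock(self, ip):
        """Admin action from the separate interface: release an IP on request."""
        return self.banned.pop(ip, None) is not None

    def response_for(self, ip):
        """Redirect text a banned IP sees instead of the login page, else None."""
        if ip in self.banned:
            return ("Your IP has been banned. If you are an authorised user "
                    "you will need to request that your IP address is released")
        return None
```

Because the ban list is keyed only by IP and not by shop, a ban earned at one shop's login page applies to every shop served by the same guard, which is the cross-cart behaviour the post asks for.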

trajan
Starting Member

8 Posts

Posted - October 08 2004 : 11:08:47
great post
