 Credit Card and VPASP Changes

Ed Williams
Starting Member

3 Posts

Posted - December 21 2004 : 09:39:37
Periodically my preferences change in my configuration to allow credit card purchases. I have this disabled and only allow credit card purchases via PayPal using the approved PayPal gateway pages downloaded from this site.

Why does this happen?

Every now and then my "xallowcreditcards" changes from "NO" to "YES" and there are always credit card purchases at that time. I was doing periodic checks of the purchase pages and the configuration page. Now I'm doing daily checks of both. I change my passwords weekly for the admin pages. I have 5.0 running that is using a Microsoft Access database.

Is there something I should change?

ed

eabrams
VP-CART New User

USA
72 Posts

Posted - December 21 2004 : 20:16:52
Do you have a hacker playing games with you? Please look at you rlogs for a select statement associated with the shopdisplayproducts.asp. Have you applied the SQL injection patch from VPASP?

http://www.spws.net

Ed Williams
Starting Member

3 Posts

Posted - December 23 2004 : 06:55:19
quote:

Do you have a hacker playing games with you? Please look at you rlogs for a select statement associated with the shopdisplayproducts.asp. Have you applied the SQL injection patch from VPASP?

http://www.spws.net


Where are the rlogs located? Where can I find the SQL Injection Package?


eabrams
VP-CART New User

USA
72 Posts

Posted - December 23 2004 : 15:00:16
Sorry, your web logs. Your ISP should be keeping logs of visitors. In your logs you can search for something like shopdisplayproducts.asp id=1%20and%201=convert(int,(

or

convert(int

If you find these types of test strings you are being attacked and unless you have applied patches to VPASP or set your web server to not display detailed error messages, someone has gotten into your administration area.

http://www.spws.net
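
Added example, not part of the thread and not VPASP code: a Python version of the log search described in the post above. It assumes the web logs are in IIS W3C extended format with cs-uri-stem and cs-uri-query fields; the sample lines, the IP addresses and the name find_probes are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-20 03:11:02 192.0.2.10 GET /shop/shopdisplayproducts.asp id=4 200
2004-12-20 03:14:40 198.51.100.7 GET /shop/shopdisplayproducts.asp id=1%20and%201=convert(int,( 500
2004-12-20 03:15:05 198.51.100.7 GET /shop/shopdisplayproducts.asp id=1+AND+1=CONVERT%28INT,%28 500
2004-12-20 03:16:30 192.0.2.10 GET /shop/default.asp - 200
"""

# The two things the post says to look for, matched after URL decoding
# so that %20, + and %28 variants of the same string are all caught.
PROBES = {
    "convert(int": re.compile(r"convert\s*\(\s*int", re.I),
    "select": re.compile(r"\bselect\b", re.I),
}
TARGET = "shopdisplayproducts.asp"


def find_probes(log_text, target=TARGET):
    """Return one dict per request to `target` whose query matches a probe."""
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(target):
            continue
        query = unquote_plus(row.get("cs-uri-query", ""))
        matched = [name for name, rx in PROBES.items() if rx.search(query)]
        if matched:
            hits.append({"line": lineno, "ip": row.get("c-ip"),
                         "status": row.get("sc-status"),
                         "query": query, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        # sc-status is shown so requests that produced a server error stand out.
        print(hit["line"], hit["ip"], hit["status"], hit["matched"], hit["query"])
```
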

Ed Williams
Starting Member

3 Posts

Posted - December 25 2004 : 11:15:53
Thanks for the information eabrams. I've gone to the Security Fixes page ( http://www.vpasp.com/virtprog/info/faq_securityfixes.htm ) and added all of the security fixes from July 7th until now. I purchased 5.0 in May of 2004 and some of the security fixes were already included.

I didn't see the "shopaffio.asp" page at all. I'm not sure if the SQL Injection even applies since I use a Microsoft Access database. I did, however, order the SQL Injection add-on.

Also, I didn't see this code in the pages listed below at all. Could this have been removed by a hacker?

_______________________________________

edit file shopreviewlist.asp and shopreviewadd.asp

If catalogid="" then
    shoperror LangNoCatalogId
end if

add
If not isnumeric(catalogid) then
    shoperror LangNoCatalogId
end if


_________________________________________

Thanks again for all your assistance. I'll continue to monitor the site and report back if there are any changes.

