VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Hacks
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

apswater
VP-ASP Super User

317 Posts

Posted - January 31 2005 :  12:32:15  Show Profile  Visit apswater's Homepage  Reply with Quote
This morning I got hacked from RIPE Network.

I have applied all the patches but this gy got in anyway... any suggestions?

Here is the log info

5:36:00 AM 212.138.64.171 cache1-2.jed.isu.net.sa MSIE 6.0 66.121.213.146
5:31:19 AM 212.138.64.174 cache4-2.jed.isu.net.sa MSIE 6.0 66.121.213.146
5:29:41 AM 212.138.64.176 cache6-2.jed.isu.net.sa MSIE 6.0 66.121.213.146
5:29:00 AM 212.138.64.172 cache2-2.jed.isu.net.sa MSIE 6.0
5:20:44 AM 212.138.64.173 cache3-2.jed.isu.net.sa MSIE 6.0
4:45:43 AM 212.138.64.174 cache4-2.jed.isu.net.sa MSIE 6.0
4:27:03 AM 212.138.64.171 cache1-2.jed.isu.net.sa MSIE 6.0
1:57:04 AM 217.5.179.8 MSIE 6.0
1/30/2005
4:48:31 AM 217.5.179.8 MSIE 6.0

He got into my personal admin account, listed orders and then tried some kind of export but I dont think it worked. He could have messed us up bad.. I am thinking or blocking all ip #'s except my home and my office, will this work or are they getting through some backdoor into the database?


greatphoto
VP-ASP Super User

USA
304 Posts

Posted - January 31 2005 :  19:32:26  Show Profile  Reply with Quote
When you say "He got into my personal admin account" what do you mean?

Is this your FTP (web host) account, or your shop admin pages?

How do you normally connect to your host to upload/download your cart or other files? Do you use ftp or some other method?



Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 02 2005 :  08:09:38  Show Profile  Visit apswater's Homepage  Reply with Quote
No, it was the shop admin account he got into. We are locked behind routers and firewalls so he cant get into anything else..

Go to Top of Page

eabrams
VP-ASP New User

USA
72 Posts

Posted - February 02 2005 :  19:43:52  Show Profile  Visit eabrams's Homepage  Reply with Quote
You were subject to a SQL Injection attack.

You should do the following.

make sure your web server does not give detailed error messages backto the browser.

Make sure you have the VPASP SQL injection fix if using 5.0 or lower.

Remove the admin page name from the database and had code it in you ASP page.

Add a second login to the admin page that is hard coded to the page

If using SQL server make you Admin log table so records can not be deleted.

If you want some detailed info on any of the above fixes I can supply...

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 03 2005 :  10:25:06  Show Profile  Visit apswater's Homepage  Reply with Quote
Thanks..... ok, I am not sure what you are talking about on some of it.. I am not using sql server, I am using what ever ASP supplies, I do run my own servers so more info on the error message thing would be appreciated. I will make the other changes as well. Thank you.

Go to Top of Page

eabrams
VP-ASP New User

USA
72 Posts

Posted - February 03 2005 :  14:14:48  Show Profile  Visit eabrams's Homepage  Reply with Quote
In IIS under home directory > configuration > debugging make sure the "Send the following text error messge to client" is checked.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 03 2005 :  18:11:01  Show Profile  Visit apswater's Homepage  Reply with Quote
Thanks... it was set to show detail.

What is that doing for the hacker?

Go to Top of Page

jodyb
Starting Member

5 Posts

Posted - February 04 2005 :  14:26:40  Show Profile  Reply with Quote
Hi,

I'm also interested in blocking all ip addresses, except for home and work. What's the best way to do this?

Jody.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 04 2005 :  16:45:33  Show Profile  Visit apswater's Homepage  Reply with Quote
I know you can grab the server variables and redirect on the wrong ip. I had that working. One problem I have at home is that the IP # changes so having an easy way to handle that would be good. I cant find the snipit I had so if someone could come up with a redirect on ip# you would be my hero! (then we could use it for other pages too. )


Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 08 2005 :  21:34:39  Show Profile  Visit apswater's Homepage  Reply with Quote
ok,

Now I am a bit stumped. I installed the double password, made sure all the patched were in, fixed the error reporting message in IIS5, renamed the admin twice and it took less then 5 minutes for someone to find my admin page. They arnt getting in but how the heck to they find the admin login page????

Funny enough they are in Australia, them aussies be smart!
http://ws.arin.net/cgi-bin/whois.pl?queryinput=203.162.169.82

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - February 09 2005 :  11:51:29  Show Profile  Visit apswater's Homepage  Reply with Quote
Update....

First of all I have to say that the boys at VP-ASP have given me absolutly the best technical service I have ever seen!

We found the holes and plugged them up. My guess is a new patch for 4.5 should be comming soon. All I can say is that it is imperative to follow the scuurity updates listed on this site. If you dont apply every patch you can get hacked quickly.

Thanks again to the Boys in Support.



Edited by - apswater on February 09 2005 12:40:14
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000