VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Problems and bugs
 Possible Security Breach??
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

jdkerr
Starting Member

Canada
43 Posts

Posted - July 14 2005 :  07:15:34  Show Profile  Visit jdkerr's Homepage  Reply with Quote
Need some guidance with a problem that I am having, which I feel is on the verge of a security problem on my system.

Running VP-ASP 5.5 customized. Accept payment by PayPal only and this has been working very well.

Approximately four weeks ago, I received an order on my system from a guest using a credit card for payment. Upon receiving notification from VP-ASP of the pending order, this immediately brought to light a “Credit Card” order which I do not take. Upon looking further at my VP-ASP settings, under Configuration…Payments. The XALLOWCREDITCARDS option was set to YES – which allowed the system to take the credit card. I figured this was a “fluke” and something I was doing must have reset it.

A week after that, the setting again changed – at this point, I became a little more concerned. I was always running dual-passwords to allow admin access so I decided at that point to change the admin passwords.

Now we come to this morning – and there is another order sitting there, again with a credit card payment, and the physical shipping address was bogus (you could tell just by looking at it).

Again, the XALLOWCREDITCARDS was changed to Yes. Now, I am worried.

I went into the logs and sure enough, I can see where the visitor is coming in to my admin page (which was renamed to liping.asp – so someone really had to go out of their way to find the name of it) and about 30 minutes of activity from that account.

I am running with a Access DB in a protected folder on the FrontPage based server (I verified I cannot just grab the DB file).

At this point, I have renamed my admin page again. But I am at a loss to explain how these changes are taking place?

The log activity from last night is availble for viewinging from http://www.projectx.com/2005-07-14.log


Appreciate any feedback, hints, slaps-up-the-side-of-the-head, etc…

John



devshb
Senior Member

United Kingdom
1898 Posts

Posted - July 14 2005 :  07:52:02  Show Profile  Visit devshb's Homepage  Reply with Quote
change everything that you can; the admin userid, pwd, pwd2, rename your database, and change your xshopid in shop$config, change your admin login page again, change your ftp pwd (and userid if you can) and then go through the process again once more in case someone caught your first set of changes before you finished the second half.

make sure your access database file is definitely in a truly secure and non-browsable directory (it should be totally outside the www area), and don't rely on anything to do with frontpage to secure it.

if you're using more than one instance of vpasp (eg a test directory) then make sure each instance has a different xshopid otherwise the config settings in the database will start to inter-mix.

if using paypal, try to use paypal ipn if you can, because standard paypal is way too easy to hack (i won't explain how here obviously, suffice to say it's way too easy)

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on July 14 2005 07:54:14

Edited by - devshb on July 14 2005 07:56:48
Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - July 14 2005 :  08:33:52  Show Profile  Visit apswater's Homepage  Reply with Quote
you need to run the security bullitin in the admin and it will tell you where you went wrong. You really dont have to worry that you got hacked since you dont store credit card numbers but they turned on the cc so they could go back and grab the info.

If you set the 2nd password it is all but impossible to hack in. I would suspect you didnt follow all the security recomendations. (I did the same hahah). Follow every last letter!

Go to Top of Page

keng
VP-ASP New User

152 Posts

Posted - July 14 2005 :  10:04:09  Show Profile  Reply with Quote
In relation to hacking and all, I was reviewing my web stats lastnight then found out that somebody is typing in keywords like shopdisplaycategories and dbtest to see which stores are using vpasp. Looking at my report, the person typed in those two keywords, found my site but unhappy to found out that i deleted all the files that vpasp support advised us to delete. Just a friendly reminder

Go to Top of Page

jdkerr
Starting Member

Canada
43 Posts

Posted - July 14 2005 :  18:12:44  Show Profile  Visit jdkerr's Homepage  Reply with Quote
Thanks everyone for the feedback.

Took some time this evening and started with the VPASP Security add-in and it did in fact report some problems - which I have now cleaned up. Question on this though.. Now that I have them cleaned up - when I start get to the admin page, there is NO note about any security problems nor is there anything indicating that the security check is/has run - should there be something on the page to re-run the check??

Appreciate the feedback - I was just a little worried this morning but think things are under control now..

John

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - July 14 2005 :  19:03:42  Show Profile  Visit apswater's Homepage  Reply with Quote
I track every thing in and out of our sites. I see people constantly search google and such for inurl:shopadmin.asp , and dbtest and even shopadmin1.asp. Lately I have been seeing a lot of inurl:shopdisplaycategories.asp which I would think they are looking for any vp-asp asite to try and hack. Maybe we should all just put up fake shopadmin.asp pages so at least we keep the hackers busy chasing crap....

Go to Top of Page

keng
VP-ASP New User

152 Posts

Posted - July 15 2005 :  10:08:30  Show Profile  Reply with Quote
Hi jdkerr,

I was told by support in the past that after putting in the security check add in, you're not really suppose to see any message if successfully applied the securities. Otherwise, a message will come out. So, it sounded like you're good.

Go to Top of Page

support
Administrator

4266 Posts

Posted - July 28 2005 :  19:17:54  Show Profile  Visit support's Homepage  Reply with Quote
Great advice from Keng, Simon and apswater re the security check but can I add that it is vital to also install all of the security patches as well to ensure you keep the hackers out.

Plus, do NOT store credit cards on your site for any reason. If you take them to process manually install the snippet from the check list page that auto deletes when you process the order.

http://www.vpasp.com/virtprog/info/faq_securitychecklist.htm

We are offering a security audit service as well for those not confident on implementing the updates themselves and would like a little extra comfort.

http://www.vpasp.com/virtprog/info/faq_audit.htm

Thank you
VPASP Support

Go to Top of Page

faolie
VP-ASP New User

89 Posts

Posted - August 26 2009 :  10:37:30  Show Profile  Visit faolie's Homepage  Reply with Quote
Beware, this hasn't gone away. One of my customers just had exactly the same thing done to them - change from paypal to credit card. I looked in the login history and they'd been using the vpasp login. The ip address (116.71.26.93) according to whois, is based in Pakistan. Thing is the 2nd password was in use and the shop admin file name had been changed. Didn't look that easy to hack.

I've now changed all the passwords, db name, admin page name and removed the vpasp user. Looking at Analytics, there were three hacker-looking keywords: .co.uk shopafflogin.asp; allinurl:"shopdisplayproducts.asp?id=1; allinurl:”.uk/shopdisplayproducts.asp?id=" .

Anyone advise anything else I should do?

ta

David Heriot
Go to Top of Page

THeVerve
VP-ASP New User

117 Posts

Posted - August 26 2009 :  10:47:05  Show Profile  Reply with Quote
The hackers may be trying to find pages from old or unpatched vpasp which were vulnerable to SQL Injection attack. As long as the cart has the latest security pathces applied, your customer's site should be immune to this.

I would suggest that you FTP to your client's site, sort the files based on last updated date and see if there's any unknown files being uploaded recently. This unknown file could be a backdoor script that gives the hacker access to the server.
Go to Top of Page

faolie
VP-ASP New User

89 Posts

Posted - August 26 2009 :  11:47:00  Show Profile  Visit faolie's Homepage  Reply with Quote
Thanks THeVerve. Applied the latest security patch and browsed through the server files and found several php (eh?) files. When I downloaded one to take a look my antivirus software shrieked warnings. Deleted all php files I could find (they were hidden in the images folders). Hopefully that's it.

DH
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000