VP-ASP :: Shopping Cart Software

VP-ASP Shopping Cart Customer Forum

I got hacked this morning!


lynch
VP-ASP New User

USA
74 Posts

Posted - March 07 2006 : 09:47:05
Hackers apparently from Vietnam broke into my VP-ASP 5.0 installation this morning. What diagnostic information can I provide that would help tell me how they got in?

I got the March 7 2006 security update, but the hackers had already done their evil deed. How can I tell if they used that vulnerability to compromise my system?

They appear to have gotten in through the VP-ASP system, not through Windows or SQL Server.

apswater
VP-ASP Super User

317 Posts

Posted - March 07 2006 : 13:38:22
Do they appear in your admin log?

Also if you can get a copy of your server log, you can see exactly what they typed.

They usually like to turn on your credit cards so your system will save the numbers locally and they can grab them later. They also might change the e-mail address.

support
Administrator

4266 Posts

Posted - March 07 2006 : 13:57:37
If you obtain your web server logs from your web host you can open the log file in Excel and search for where they got in.

HOW TO VIEW IN EXCEL:

Open Excel and, using the Open file option, navigate to the folder where your log file is located.

Change the file types to All Files so you can see the log file.

Open this file and a wizard will appear.

From the first screen select Delimited instead of Fixed Width.

Click Next

Tick the Space check box and uncheck Tab.

Click Finish.

Delete the first 3 lines by placing your mouse over the numbers at the left and dragging down.

Now search for the following words:

join
sql
shopa_formatorder.asp
shopkitconfig.asp

Also search on your admin log in page name.

If you find any lines with these words search on the IP address which is in the c-ip field or in the cs-username field.

Use a service like www.iptolocation.com/free.asp to track down the IP addresses of people accessing your admin.

We are testing a new add-on that provides the ability to stop people from other countries seeing your admin pages.

We also already have in place the ability to both send the site owner an email when the admin is accessed plus you can actually block anyone other than yourself from seeing the admin log in page. Very few customers have taken up this feature and it is a great protection from hackers.

You MUST install all patches. What this latest vulnerability is highlighting is that there are still many customers out there who have not applied any of the other patches to their sites.

Please download the patches and apply them. If you are storing credit cards, DON'T. We have a free download that allows you to remove all card numbers from your database. Visa and MasterCard do not allow the storage of card numbers in your system. They can fine you if you are hacked and you lose the card details.

If you get hacked and you do not store card details it is an inconvenience. If you get hacked and you do have card details it can be a disaster.

Hackers are changing the settings in sites they get access to so card numbers are stored. Please make sure this has not happened to your site.

The big patch to apply is the image upload patch.

Please go to the following page and select which patch you need to apply to your site:

http://www.vpasp.com/virtprog/info/faq_security.htm

If you get hacked please contact us through our help desk and we will do our best to assist.

Thank you
Cam

VP-ASP Support

lynch
VP-ASP New User

USA
74 Posts

Posted - March 07 2006 : 17:00:26
quote:
Originally posted by apswater

Do they appear in your admin log?

Also if you can get a copy of your server log, you can see exactly what they typed.


I've got my server log for today, and I spent a lot of time looking through it this afternoon to follow IPs and see who logged in when. Luckily for me, someone got overzealous and changed xshopadmin (or whatever it's called -- the name of the menu page), which broke the login process.

The original hacker somehow got the magic three pieces of information -- the location of our admin page, a username, and a password. He ended up posting that information to a Vietnamese-language forum, so I had about 15 unwelcome logins in half an hour.

I haven't been looking at the raw log, but using a tool to view the log in a more friendly format. Maybe I should dig in the raw data to see if I can find cookie and form info that will let me know what some of these people were actually looking at in my database.

We were keeping some information we shouldn't, so now we're trying to figure out what to do about this breach.

One piece of advice: Go into IIS and set domain/IP restrictions on your admin login page. In my case, this would have kept all of this from happening. This might be a good thing to add to the security advice page.

support
Administrator

4266 Posts

Posted - March 07 2006 : 17:05:44
Setting the access in IIS will only work if you have a dedicated server I believe? Can you let us know how this can be done and we will add it to the page for other users.

If you use the IP feature in the login page itself only you will be able to see the login page.

If you open your login page, near the top you will see a setting to insert your IP address.

Only IPs listed will be able to even view the page then.

Thank you
Cam

VP-ASP Support

lynch
VP-ASP New User

USA
74 Posts

Posted - March 07 2006 : 17:06:39
quote:
Originally posted by support
join
sql
shopa_formatorder.asp
shopkitconfig.asp

...

Please go to the following page and select which patch you need to apply to your site:

http://www.vpasp.com/virtprog/info/faq_security.htm

If you get hacked please contact us through our help desk and we will do our best to assist.



Is shopa_formatorder a vulnerability? I don't recall seeing that one before.

I got the advisory about shopkitconfig this morning and simply deleted the file, since we don't use it.

I don't think I've submitted anything through the helpdesk, so I'll drop you a line there. We haven't purchased any support points, but we'll worry about that as we go along.

Up to this point (over two years), we have had no successful fraud or hack attempts. I do my best to keep up with the security advisories that come out, and I hope the YVS/VP-ASP unification leads to a single source of security information and discussions. An RSS feed would be nice. :)

support
Administrator

4266 Posts

Posted - March 07 2006 : 17:22:26
Actually, that is one of the features of Version 6.00. We also release notifications like this directly to the site owner through the admin home page so they are always up to date on alerts.

shopa_formatorder.asp is not a vulnerability. It is where you can view order detail though so if anyone other than you is looking at this page then you know you have a problem.

Thank you
Cam

VP-ASP Support

apswater
VP-ASP Super User

317 Posts

Posted - March 07 2006 : 17:36:29
I use the e-mail notification that you made for me Cam and it is great.

I run my own servers, but you should be able to do this too.

You must know the guy's IP # by now, right?

If you do, load that whole log into Notepad. Then search on his IP # and keep hitting Next and you can step through his whole session. You are looking for the stuff that ends in .asp. It will show each picture and other things on your page as separate lines so don't worry about them.

If you don't have his IP # then search on the name of your admin page to see who hit it.

I hope your database is not in a web directory, is it? It needs to be below the point where they host pages (below wwwroot). If you put it in a web folder it will be pretty easy to get your info. I don't think the security checker looks for that, does it?

Definitely turn on the e-mail notification on all admin log ins.
Mine tells me that someone logs on and what their IP# is so I know if something fishy is going on.

Hope it helps.
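The log triage that support and apswater describe above, as an added example that is not VP-ASP's code and was not posted by anyone in the thread: it reads an IIS W3C extended log (space-delimited, with the `#Fields:` header naming the columns instead of counting and deleting the first three lines by hand), searches for the page names and words support lists, collects the `c-ip` and `cs-username` values behind each hit, and then steps through one address's session keeping only the `.asp` requests, as apswater suggests, so images and other static files do not clutter the view. The log lines, addresses and usernames are constructed, and `shopadmin.asp` is a placeholder for your own admin login page name.

```python
"""Triage an IIS W3C extended log after a suspected admin compromise.

Added example (not VP-ASP code, not from the thread). The sample log,
the addresses and 'shopadmin.asp' are constructed placeholders.
"""
from collections import defaultdict

# Pages named in the support post; shopadmin.asp is a placeholder for the
# site's real admin login page and must be replaced.
WATCH_PAGES = ("shopadmin.asp", "shopa_formatorder.asp", "shopkitconfig.asp")
# Words the support post says to search for in requests.
WATCH_WORDS = ("join", "sql")

# Constructed sample in IIS W3C extended format (addresses from RFC 5737
# documentation ranges; nothing here is a real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-07 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-07 09:00:01 192.0.2.10 - GET /shop/shopdisplayproducts.asp cat=1 200
2006-03-07 09:00:02 192.0.2.10 - GET /shop/images/logo.gif - 200
2006-03-07 09:01:15 203.0.113.77 - GET /shop/shopadmin.asp - 200
2006-03-07 09:01:20 203.0.113.77 admin POST /shop/shopadmin.asp - 302
2006-03-07 09:01:21 203.0.113.77 admin GET /shop/images/admin.gif - 200
2006-03-07 09:02:03 203.0.113.77 admin GET /shop/shopa_formatorder.asp id=1042 200
2006-03-07 09:05:00 198.51.100.5 - GET /shop/shopkitconfig.asp - 404
2006-03-07 09:06:30 198.51.100.5 - GET /shop/shopdisplayproducts.asp cat=1+join+x 500
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header.

    Directive lines start with '#'; data lines are space-delimited and the
    values themselves never contain spaces (IIS encodes them as '+').
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_hits(records):
    """Requests that touch a watched page or carry a watched word in the
    URI stem or query (case-insensitive), per the support post's search list."""
    hits = []
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        page = stem.rsplit("/", 1)[-1]
        if page in WATCH_PAGES or any(w in stem or w in query for w in WATCH_WORDS):
            hits.append(rec)
    return hits


def ips_to_check(hits):
    """Distinct client addresses behind the hits, with any usernames they
    used (the c-ip and cs-username fields support points at)."""
    seen = defaultdict(set)
    for rec in hits:
        seen[rec["c-ip"]].add(rec["cs-username"])
    # '-' is IIS's marker for an anonymous request, not a username.
    return {ip: sorted(u for u in users if u != "-") for ip, users in seen.items()}


def session_for(records, ip):
    """Step through one address's requests in log order, keeping only .asp
    pages so images and other static files are left out (apswater's tip)."""
    return [
        (rec["time"], rec["cs-method"], rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"])
        for rec in records
        if rec["c-ip"] == ip and rec["cs-uri-stem"].lower().endswith(".asp")
    ]


if __name__ == "__main__":
    records = list(parse_w3c(SAMPLE_LOG))
    hits = find_hits(records)
    for ip, users in sorted(ips_to_check(hits).items()):
        print(f"{ip}  users={users or ['(none)']}")
        for time, method, stem, query, status in session_for(records, ip):
            print(f"    {time} {method} {stem}?{query} -> {status}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's contents; the `#Fields:` line in each IIS log decides the column names, so the script keeps working when the host logs more or fewer fields than the sample. The word search is a substring match, so legitimate pages whose names happen to contain "join" or "sql" will show up too; treat the list of addresses as a starting point for the session walk, not as a verdict.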

lynch
VP-ASP New User

USA
74 Posts

Posted - March 08 2006 : 13:57:22
quote:
Originally posted by support

Setting the access in IIS will only work if you have a dedicated server I believe? Can you let us know how this can be done and we will add it to the page for other users.


You don't need a dedicated server for this, but you do need access to IIS through the management console (Internet Services Manager). My server is a Windows 2000 machine, co-located at our ISP.

Setting this up is actually very simple -- go to your web site in the console, right-click your admin login file, and select Properties. Choose the "File Security" tab, then Edit the "IP Address and domain name restrictions" section. Choose the radio button to deny access to all computers by default, then enter your IP addresses (a list of individual addresses, or a mask) or domain information.

lynch
VP-ASP New User

USA
74 Posts

Posted - March 08 2006 : 14:22:52
quote:
Originally posted by apswater
You must know the guy's IP # by now, right?
...
I hope your database is not in a web directory, is it?


Yes, I have the original guy's IP, and the IPs of other people who successfully logged into the admin pages.

Looking at the raw log in Excel (which makes sorting the log a breeze) shows me who saw what. Things could have been much worse than they actually are. Our site was not systematically looted.

We're using SQL Server, so the database is completely separate from the web-visible file structure. The cart admin was compromised, but not the database directly.