Welcome, Guest ( Customer Panel | Login )




 All Forums
 VPCart Forum
 Credit card fraud and hackers
 hackers using this forum
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

bluesky
VP-CART Super User

304 Posts

Posted - March 17 2007 :  10:13:14  Show Profile  Reply with Quote
many .. err MANY years ago it became apprent ( it seemed to me anyways ) that hackers were using these forums as an easy one stop shop to obtain urls were VPAP carts were installed and expolit any security issues.
Following a hacker event were a hacker order $500 worth of goods and then hacked in a week later and deleted a weeks worth of records ..it later becam apprent it was a fraudulent transaction i stopped using my urls in my posts and profile.

Is it now geenrally safe to post urls here now if all security updates are actioned ?

its just i have went thru recent upgrade to 6.5 and it would be useful to post the urls to get advise to obtain advise on changes I am making but i am still very cautious about posting urls

PAUL

support
Administrator

4679 Posts

Posted - March 17 2007 :  18:05:53  Show Profile  Visit support's Homepage  Reply with Quote
Hi Paul,

One of the biggest changes here at VP-ASP has been the focus placed on security.

We now have multiple tools in place to ensure that security measures are followed by VP-ASP users such as:

- A list of check points that must be followed that display high-lighted in the admin until fixed
- email site owner upon admin login
- accepted IP addresses that can see admin login
- a new news area in the admin where we can push security alerts directly to the site owners
- a new service coming out soon that will enable the merchant to assess the likelihood of an order being fraudulent
- a new service coming out soon where we keep your site up to date with the very latest security patches so you do not have to worry about making any changes or being left vulnerable
- a further list of points to ensure your site is as secure as possible on our site

If you have followed all security tips on the following page then you can post your url however if you still have some points to check off then I probably would wait until then.

https://www.vpasp.com/virtprog/info/faq_security.htm

Most hackers are fairly malicious generally and delight in causing problems even in sites that are not live just for the fun of it.

Of course there are also some are actually quite helpful and just enjoy trying to find vulnerabilities and then alert the site owners to the problems without breaking things. We actually employed someone as a security consultant who got in touch with us for this very reason.

Thanks
Cam

VP-ASP Support
Go to Top of Page

lynch
VP-CART New User

USA
74 Posts

Posted - March 19 2007 :  12:35:08  Show Profile  Reply with Quote
quote:
Originally posted by bluesky
Is it now geenrally safe to post urls here now if all security updates are actioned ?


A hacker who knows how to break into VP-ASP knows enough about the cart to find your site through Google. The hacker who broke into my site last year came from a Google search for a specific filename that VP-ASP uses.

I use Version 5.0, and I don't know if the folks at VP-ASP have given much thought to ways to "camouflage" the cart without having to change lots of file names.
Go to Top of Page

elammers
VP-CART Super User

USA
256 Posts

Posted - March 19 2007 :  15:28:04  Show Profile  Visit elammers's Homepage  Reply with Quote
Simon from BYZ can speak up because I think they sell some tool that creates static friendly names for your URL's so instead of www.yourcompany.com/shopexd.asp?whatever it would be www.yourcompany.com/widgets.asp. That helps eliminate some of those common filenames that a hacker would search for on google I guess.

I know that doesn't eliminate all the commonly known VP-ASP filenames, but if getting hacked is a concern, I would think this could be one more trick in your arsenal to protect yourself.

Regards,

Eric in Maine
Go to Top of Page

devshb
Senior Member

United Kingdom
1904 Posts

Posted - March 19 2007 :  15:37:01  Show Profile  Visit devshb's Homepage  Reply with Quote
ah; yes; I was going to mention that because while I was browsing through this topic that popped into my head too; our "asp-generator" would eliminate the need for the generic product pages etc, but it depends on how far you go (eg also changing the contact-us pages).

it won't be a 100% solution to hackers finding out if your site's a vpasp one, but as per eric's posting, it's another potential way to divert/confuse/disable a hacker, and the more ways of diverting hackers the better.

for those of you who don't know what our asp-generator is/does, have a look at:

Demo:
http://www.bigyellowzone.com/aspgendemo/products/default.asp

ASP Generator Info:
http://www.bigyellowzone.com/shopexd.asp?id=138

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
Go to Top of Page

lynch
VP-CART New User

USA
74 Posts

Posted - March 20 2007 :  12:09:31  Show Profile  Reply with Quote
I'm already using my own pages to show categories, so the only real "danger" I appear to be in is using shopexd.asp for my item detail pages. The actual cart/checkout pages won't show up in search engines because they require form submissions.

I did a little tinkering this morning and discovered that a page that included nothing but #include "shopexd.asp" works just fine as a shopexd.asp replacement.

Again, this is version 5.0, so I don't know how well it would work for others.
Go to Top of Page

elammers
VP-CART Super User

USA
256 Posts

Posted - March 20 2007 :  15:13:21  Show Profile  Visit elammers's Homepage  Reply with Quote
Isn't there someplace in the admin console where you can tell the cart what file to use for the extended descriptions? If so, then you could simply rename SHOPEXD.ASP and still use the proper code without any customizing.

Just a thought.

Regards,

Eric in Maine
Go to Top of Page

support
Administrator

4679 Posts

Posted - March 20 2007 :  17:57:27  Show Profile  Visit support's Homepage  Reply with Quote
Don't forgot though everyone that the most important thing you can do is to actually ensure your site is secure in the first place.

If your site is secure and you have applied all security settings required before going live then it wont matter how many hackers find your site.

Seems this thread is moving away from the obvious a bit.

We have a list of fixes and check lists for current and previous versions at:

http://www.vpasp.com/virtprog/info/faq_security.htm

Make sure you go through these. This is vital.

If you have secured your site the hackers will simply move on.

Thanks
Cam

VP-ASP Support

Go to Top of Page

extremeskillz
VP-CART New User

USA
94 Posts

Posted - March 21 2007 :  11:33:42  Show Profile  Reply with Quote
To add to Cams rely above it also involves configuring your web server correctly with the correct permissions, etc. Before i went live I made sure my test server was deleted and the offical server is completely configured and secured as well as the software. Haven't had a issue so far. Adding Captcha to 6.09 helped with spam and since I own the server and moniter it at least once a day to make sure nothing is going on. To this date i have no spam and if i do i take care of that fool quick and no hacker attempts. (Knocking on wood)
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000
0 Item(s)
$0.00