bluesky
VP-CART Super User
304 Posts |
Posted - March 17 2007 : 10:13:14
|
Many .. err MANY years ago it became apparent (it seemed to me anyways) that hackers were using these forums as an easy one-stop shop to obtain URLs where VPASP carts were installed and exploit any security issues. Following a hacker event where a hacker ordered $500 worth of goods and then hacked in a week later and deleted a week's worth of records (it later became apparent it was a fraudulent transaction), I stopped using my URLs in my posts and profile.
Is it now generally safe to post URLs here if all security updates are actioned?
It's just that I have gone through a recent upgrade to 6.5 and it would be useful to post the URLs to get advice on changes I am making, but I am still very cautious about posting URLs.
PAUL |
|
support
Administrator
4679 Posts |
Posted - March 17 2007 : 18:05:53
|
Hi Paul,
One of the biggest changes here at VP-ASP has been the focus placed on security.
We now have multiple tools in place to ensure that security measures are followed by VP-ASP users such as:
- A list of check points that must be followed that display highlighted in the admin until fixed
- email site owner upon admin login
- accepted IP addresses that can see admin login
- a new news area in the admin where we can push security alerts directly to the site owners
- a new service coming out soon that will enable the merchant to assess the likelihood of an order being fraudulent
- a new service coming out soon where we keep your site up to date with the very latest security patches so you do not have to worry about making any changes or being left vulnerable
- a further list of points to ensure your site is as secure as possible on our site

If you have followed all security tips on the following page then you can post your URL; however, if you still have some points to check off then I probably would wait until then.
https://www.vpasp.com/virtprog/info/faq_security.htm
Most hackers are fairly malicious generally and delight in causing problems even in sites that are not live just for the fun of it.
Of course there are also some who are actually quite helpful and just enjoy trying to find vulnerabilities and then alert the site owners to the problems without breaking things. We actually employed someone as a security consultant who got in touch with us for this very reason.
Thanks Cam
VP-ASP Support |
|
|
lynch
VP-CART New User
USA
74 Posts |
Posted - March 19 2007 : 12:35:08
|
quote: Originally posted by bluesky: Is it now generally safe to post URLs here if all security updates are actioned?
A hacker who knows how to break into VP-ASP knows enough about the cart to find your site through Google. The hacker who broke into my site last year came from a Google search for a specific filename that VP-ASP uses.
I use Version 5.0, and I don't know if the folks at VP-ASP have given much thought to ways to "camouflage" the cart without having to change lots of file names. |
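
The kind of visit described in this post can be looked for in web server logs. The following is an added example, not part of the original post or of VP-ASP: it scans IIS W3C-format log lines for requests whose referrer is a search whose query names a cart file. The field layout, the search-host markers, the assumption that the referrer still carries the search query, and the sample lines are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Filenames to watch for; only shopexd.asp is named in this thread.
WATCHED_FILES = {"shopexd.asp"}
# Assumption: substrings that identify a search-engine referrer host.
SEARCH_HOST_MARKERS = ("google.", "bing.", "yahoo.")

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2007-03-19 12:01:10 192.0.2.10 GET /shopexd.asp id=138 200 http://www.google.com/search?q=inurl:shopexd.asp
2007-03-19 12:02:44 192.0.2.11 GET /shopexd.asp id=12 200 http://www.google.com/search?q=blue+widgets
2007-03-19 12:03:05 192.0.2.12 GET /default.asp - 200 -
2007-03-19 12:04:30 192.0.2.10 GET /shopexd.asp id=139 200 http://www.example.org/links.htm?q=shopexd.asp
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def search_terms(referer):
    """Return the lower-cased query if the referrer is a search engine, else ''."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not any(marker in host for marker in SEARCH_HOST_MARKERS):
        return ""
    qs = parse_qs(parts.query)
    return " ".join(qs.get("q", []) + qs.get("p", [])).lower()

def filename_recon_hits(text):
    """Requests that arrived from a search whose query names a watched file."""
    hits = []
    for row in parse_w3c(text):
        terms = search_terms(row.get("cs(Referer)", "-"))
        matched = sorted(f for f in WATCHED_FILES if f in terms)
        if matched:
            hits.append((row["c-ip"], row["cs-uri-stem"], matched))
    return hits

if __name__ == "__main__":
    for hit in filename_recon_hits(SAMPLE_LOG):
        print(hit)
```

A visitor who searched for a product and landed on the same page is not flagged; only a query that contains the filename itself is.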
|
|
elammers
VP-CART Super User
USA
256 Posts |
Posted - March 19 2007 : 15:28:04
|
Simon from BYZ can speak up because I think they sell some tool that creates static friendly names for your URLs, so instead of www.yourcompany.com/shopexd.asp?whatever it would be www.yourcompany.com/widgets.asp. That helps eliminate some of those common filenames that a hacker would search for on Google, I guess.
I know that doesn't eliminate all the commonly known VP-ASP filenames, but if getting hacked is a concern, I would think this could be one more trick in your arsenal to protect yourself.
Regards,
Eric in Maine |
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - March 19 2007 : 15:37:01
|
ah; yes; I was going to mention that because while I was browsing through this topic that popped into my head too; our "asp-generator" would eliminate the need for the generic product pages etc, but it depends on how far you go (eg also changing the contact-us pages).
it won't be a 100% solution to hackers finding out if your site's a vpasp one, but as per eric's posting, it's another potential way to divert/confuse/disable a hacker, and the more ways of diverting hackers the better.
for those of you who don't know what our asp-generator is/does, have a look at:
Demo: http://www.bigyellowzone.com/aspgendemo/products/default.asp
ASP Generator Info: http://www.bigyellowzone.com/shopexd.asp?id=138
Simon Barnaby
Developer
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons |
|
|
lynch
VP-CART New User
USA
74 Posts |
Posted - March 20 2007 : 12:09:31
|
I'm already using my own pages to show categories, so the only real "danger" I appear to be in is using shopexd.asp for my item detail pages. The actual cart/checkout pages won't show up in search engines because they require form submissions.
I did a little tinkering this morning and discovered that a page that included nothing but #include "shopexd.asp" works just fine as a shopexd.asp replacement.
Again, this is version 5.0, so I don't know how well it would work for others. |
|
|
elammers
VP-CART Super User
USA
256 Posts |
Posted - March 20 2007 : 15:13:21
|
Isn't there someplace in the admin console where you can tell the cart what file to use for the extended descriptions? If so, then you could simply rename SHOPEXD.ASP and still use the proper code without any customizing.
Just a thought.
Regards,
Eric in Maine |
|
|
support
Administrator
4679 Posts |
Posted - March 20 2007 : 17:57:27
|
Don't forget, though, everyone, that the most important thing you can do is to actually ensure your site is secure in the first place.
If your site is secure and you have applied all security settings required before going live then it won't matter how many hackers find your site.
Seems this thread is moving away from the obvious a bit.
We have a list of fixes and check lists for current and previous versions at:
http://www.vpasp.com/virtprog/info/faq_security.htm
Make sure you go through these. This is vital.
If you have secured your site the hackers will simply move on.
Thanks Cam
VP-ASP Support
|
|
|
extremeskillz
VP-CART New User
USA
94 Posts |
Posted - March 21 2007 : 11:33:42
|
To add to Cam's reply above, it also involves configuring your web server correctly with the correct permissions, etc. Before I went live I made sure my test server was deleted and the official server is completely configured and secured as well as the software. Haven't had an issue so far. Adding Captcha to 6.09 helped with spam, and since I own the server I monitor it at least once a day to make sure nothing is going on. To this date I have no spam (and if I do I take care of that fool quick) and no hacker attempts. (Knocking on wood) |