billsingh
VP-CART New User
56 Posts |
Posted - May 17 2004 : 19:04:17
|
Hi guys, you all are the experts on security, so I have a question for you. How is it possible to access my site when I have done everything said in the security fixes? A hacker emailed me the 2 admin user names and passwords I have on my site.
Thanks, Bill Singh |
|
bmw000
VP-CART New User
137 Posts |
Posted - May 17 2004 : 20:38:44
|
What type of database are you using? If it is MS Access then you should rename your database, password protect it and also place it in a directory that is not world accessible. This way they can't download your database.
Choose a password that is very long that includes numbers as well as upper and lowercase letters. Don't use real words.
Change your FTP password, again make it long with letters, both upper and lowercase as well as numbers.
Change your passwords once a week.
Rename and delete the essential files listed in the faq.
Just a few ideas.
I wish vpasp encrypted the passwords stored in the database.
Brian Weber
|
|
|
billsingh
VP-CART New User
56 Posts |
Posted - May 18 2004 : 08:24:18
|
I am using a SQL database. VPASP does not encrypt the admin password, you can go to tbluser and look at it.
Any other ideas?
Thanks, Bill Singh |
|
|
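The two posts above turn on admin passwords sitting in plaintext in tbluser. The following is an added example, not code from this thread or from VP-ASP, showing a one-time migration of such rows to salted PBKDF2 hashes and the matching login check. It assumes hypothetical column names `username` and `password`, uses an in-memory SQLite table with constructed rows in place of the real SQL database, and is written in Python rather than ASP.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as far as login latency allows


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # a leftover plaintext or malformed value never authenticates
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext(conn: sqlite3.Connection) -> int:
    """Hash every row that still holds a plaintext password; return rows changed."""
    rows = conn.execute(
        "SELECT username, password FROM tbluser "
        "WHERE password NOT LIKE 'pbkdf2_sha256$%'").fetchall()
    for username, plaintext in rows:
        conn.execute("UPDATE tbluser SET password = ? WHERE username = ?",
                     (hash_password(plaintext), username))
    conn.commit()
    return len(rows)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two admin rows stored in plaintext (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO tbluser VALUES (?, ?)",
                     [("admin1", "Constructed-Pass-1"), ("admin2", "Constructed-Pass-2")])
    return conn
```

After migration, someone who reads the table sees only salts and hashes, so the passwords cannot simply be copied out and emailed back.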
greatphoto
VP-CART Super User
USA
304 Posts |
Posted - May 18 2004 : 21:20:51
|
A key question here is this: How are you connecting to your site to make changes or upload files? Both the shop admin password and the ftp password can be quite vulnerable while you are making your connection if you do not take steps to protect them. These passwords can be sniffed while you are logging in if they are transferred in clear text format, as is the default.
For the shop admin passwords, you can protect them by enabling SSL on your site and then always connecting to your admin page using a URL that starts with "https://". The passwords and data you transfer will be encrypted.
The FTP password is tougher to protect but even more critical than the shop passwords. If the hacker snoops the FTP password, he'll have access to EVERYTHING including your shop passwords. Also, the files transferred through standard FTP are not secure so they can be copied while you are uploading them to the server without the hacker even logging into your server. According to this article: http://www.intranetjournal.com/articles/200208/se_08_14_02a.html, "The main reason that web sites get hacked is because they are being updated with insecure FTP transfers." I don't think I've seen anything about this in the security pages of the VP-ASP website.
It is possible that this could be your problem as I think it is often overlooked. I'll be interested in seeing the other responses.
Nathan
Edited by - greatphoto on May 18 2004 22:00:21
Edited by - greatphoto on July 03 2004 12:33:09 |