 How is this possible, hacker emailed me

billsingh
VP-CART New User

56 Posts

Posted - May 17 2004 :  19:04:17
Hi Guys,
You all are the experts on security, so I have a question for you. How is it possible to access my site when I have done everything said in the security fixes? A hacker emailed me the 2 admin user names and passwords I have on my site.



Thanks
Bill Singh

bmw000
VP-CART New User

137 Posts

Posted - May 17 2004 :  20:38:44
What type of database are you using? If it is MS Access, then you should rename your database, password protect it and also place it in a directory that is not world accessible. This way they can't download your database.

Choose a password that is very long and that includes numbers as well as upper and lowercase letters. Don't use real words.

Change your ftp password, again make it long with letters, both upper and lowercase as well as numbers.

Change your passwords once a week.

Rename and delete the essential files listed in the FAQ.

Just a few ideas.

I wish VPASP encrypted the passwords stored in the database.

Brian Weber


billsingh
VP-CART New User

56 Posts

Posted - May 18 2004 :  08:24:18
I am using a SQL database.
VPASP does not encrypt the admin password; you can go to tbluser and look at it.

Any other ideas?


Thanks
Bill Singh
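The plaintext admin passwords in tbluser mentioned in the two posts above, as an added example that is not part of the thread and is not VP-ASP code: it migrates a plaintext password column to salted PBKDF2-HMAC-SHA256 hashes (one-way hashing, not reversible encryption) and checks logins against the hash. The column names, the sample rows and the use of an in-memory SQLite database in place of the poster's SQL database are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune for your server)

def build_sample_db():
    """Constructed sample: tbluser with two plaintext admin passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (username TEXT PRIMARY KEY, "
                 "password TEXT, pwhash TEXT)")  # hypothetical columns
    conn.executemany("INSERT INTO tbluser (username, password) VALUES (?, ?)",
                     [("admin1", "Example-Pass-1"), ("admin2", "Example-Pass-2")])
    return conn

def hash_password(password):
    """Return 'iterations$salt$hash' (hex) to store in place of the password."""
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def migrate_plaintext(conn):
    """Hash every remaining plaintext password, then blank it; return the count."""
    rows = conn.execute("SELECT username, password FROM tbluser "
                        "WHERE password IS NOT NULL").fetchall()
    for username, password in rows:
        conn.execute("UPDATE tbluser SET pwhash = ?, password = NULL "
                     "WHERE username = ?", (hash_password(password), username))
    conn.commit()
    return len(rows)

def check_login(conn, username, password):
    """Authenticate against pwhash only; unknown or unmigrated users fail."""
    row = conn.execute("SELECT pwhash FROM tbluser WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0]) and verify_password(password, row[0])

if __name__ == "__main__":
    db = build_sample_db()
    print("rows migrated:", migrate_plaintext(db))
    print(db.execute("SELECT username, password, pwhash FROM tbluser").fetchall())
```

After migration, someone who reads the table sees only salts and hashes, so a database disclosure no longer hands over working admin passwords directly.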

greatphoto
VP-CART Super User

USA
304 Posts

Posted - May 18 2004 :  21:20:51
A key question here is this: How are you connecting to your site to make changes or upload files? Both the shop admin password and the ftp password can be quite vulnerable while you are making your connection if you do not take steps to protect them. These passwords can be sniffed while you are logging in if they are transferred in clear text format, as is the default.

For the shop admin passwords, you can protect them by enabling SSL on your site and then always connecting to your admin page using a URL that starts with "https://". The passwords and data you transfer will be encrypted.

The FTP password is tougher to protect but even more critical than the shop passwords. If the hacker snoops the FTP password, he'll have access to EVERYTHING including your shop passwords. Also, the files transferred through standard FTP are not secure so they can be copied while you are uploading them to the server without the hacker even logging into your server. According to this article: http://www.intranetjournal.com/articles/200208/se_08_14_02a.html, "The main reason that web sites get hacked is because they are being updated with insecure FTP transfers." I don't think I've seen anything about this in the security pages of the VP-ASP website.

It is possible that this could be your problem as I think it is often overlooked. I'll be interested in seeing the other responses.

Nathan


Edited by - greatphoto on May 18 2004 22:00:21

Edited by - greatphoto on July 03 2004 12:33:09