Author |
Topic |
|
jdkerr
Starting Member
Canada
43 Posts |
Posted - July 14 2005 : 07:15:34
|
Need some guidance with a problem that I am having, which I feel is on the verge of a security problem on my system.
Running VP-ASP 5.5 customized. Accept payment by PayPal only and this has been working very well.
Approximately four weeks ago, I received an order on my system from a guest using a credit card for payment. Upon receiving notification from VP-ASP of the pending order, this immediately brought to light a “Credit Card” order which I do not take. Upon looking further at my VP-ASP settings, under Configuration…Payments, the XALLOWCREDITCARDS option was set to YES – which allowed the system to take the credit card. I figured this was a “fluke” and something I was doing must have reset it.
A week after that, the setting again changed – at this point, I became a little more concerned. I was always running dual-passwords to allow admin access so I decided at that point to change the admin passwords.
Now we come to this morning – and there is another order sitting there, again with a credit card payment, and the physical shipping address was bogus (you could tell just by looking at it).
Again, the XALLOWCREDITCARDS was changed to Yes. Now, I am worried.
I went into the logs and sure enough, I can see where the visitor is coming in to my admin page (which was renamed to liping.asp – so someone really had to go out of their way to find the name of it) and about 30 minutes of activity from that account.
I am running with an Access DB in a protected folder on the FrontPage based server (I verified I cannot just grab the DB file).
At this point, I have renamed my admin page again. But I am at a loss to explain how these changes are taking place.
The log activity from last night is available for viewing from http://www.projectx.com/2005-07-14.log
Appreciate any feedback, hints, slaps-up-the-side-of-the-head, etc…
John
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - July 14 2005 : 07:52:02
|
change everything that you can; the admin userid, pwd, pwd2, rename your database, and change your xshopid in shop$config, change your admin login page again, change your ftp pwd (and userid if you can) and then go through the process again once more in case someone caught your first set of changes before you finished the second half.
make sure your access database file is definitely in a truly secure and non-browsable directory (it should be totally outside the www area), and don't rely on anything to do with frontpage to secure it.
if you're using more than one instance of vpasp (eg a test directory) then make sure each instance has a different xshopid otherwise the config settings in the database will start to inter-mix.
if using paypal, try to use paypal ipn if you can, because standard paypal is way too easy to hack (i won't explain how here obviously, suffice to say it's way too easy)
Simon Barnaby Developer [email protected] www.BigYellowZone.com Web Design, Online Marketing and VPASP addons
Edited by - devshb on July 14 2005 07:54:14
Edited by - devshb on July 14 2005 07:56:48 |
|
|
apswater
VP-CART Super User
444 Posts |
Posted - July 14 2005 : 08:33:52
|
You need to run the security bulletin in the admin and it will tell you where you went wrong. You really don't have to worry that you got hacked since you don't store credit card numbers but they turned on the cc so they could go back and grab the info.
If you set the 2nd password it is all but impossible to hack in. I would suspect you didn't follow all the security recommendations. (I did the same hahah). Follow every last letter!
|
|
|
keng
VP-CART New User
152 Posts |
Posted - July 14 2005 : 10:04:09
|
In relation to hacking and all, I was reviewing my web stats last night then found out that somebody is typing in keywords like shopdisplaycategories and dbtest to see which stores are using vpasp. Looking at my report, the person typed in those two keywords, found my site but was unhappy to find out that I deleted all the files that vpasp support advised us to delete. Just a friendly reminder.
|
|
|
jdkerr
Starting Member
Canada
43 Posts |
Posted - July 14 2005 : 18:12:44
|
Thanks everyone for the feedback.
Took some time this evening and started with the VPASP Security add-in and it did in fact report some problems - which I have now cleaned up. Question on this though.. Now that I have them cleaned up - when I get to the admin page, there is NO note about any security problems nor is there anything indicating that the security check is/has run - should there be something on the page to re-run the check??
Appreciate the feedback - I was just a little worried this morning but think things are under control now..
John
|
|
|
apswater
VP-CART Super User
444 Posts |
Posted - July 14 2005 : 19:03:42
|
I track everything in and out of our sites. I see people constantly search google and such for inurl:shopadmin.asp, and dbtest and even shopadmin1.asp. Lately I have been seeing a lot of inurl:shopdisplaycategories.asp which I would think they are looking for any vp-asp site to try and hack. Maybe we should all just put up fake shopadmin.asp pages so at least we keep the hackers busy chasing crap....
|
|
|
keng
VP-CART New User
152 Posts |
Posted - July 15 2005 : 10:08:30
|
Hi jdkerr,
I was told by support in the past that after putting in the security check add in, you're not really supposed to see any message if successfully applied the securities. Otherwise, a message will come out. So, it sounded like you're good.
|
|
|
support
Administrator
4679 Posts |
Posted - July 28 2005 : 19:17:54
|
Great advice from Keng, Simon and apswater re the security check but can I add that it is vital to also install all of the security patches as well to ensure you keep the hackers out.
Plus, do NOT store credit cards on your site for any reason. If you take them to process manually, install the snippet from the check list page that auto deletes when you process the order.
http://www.vpasp.com/virtprog/info/faq_securitychecklist.htm
We are offering a security audit service as well for those not confident on implementing the updates themselves and would like a little extra comfort.
http://www.vpasp.com/virtprog/info/faq_audit.htm
Thank you VPASP Support
|
|
|
faolie
VP-CART New User
98 Posts |
Posted - August 26 2009 : 10:37:30
|
Beware, this hasn't gone away. One of my customers just had exactly the same thing done to them - change from paypal to credit card. I looked in the login history and they'd been using the vpasp login. The ip address (116.71.26.93) according to whois, is based in Pakistan. Thing is the 2nd password was in use and the shop admin file name had been changed. Didn't look that easy to hack.
I've now changed all the passwords, db name, admin page name and removed the vpasp user. Looking at Analytics, there were three hacker-looking keywords: .co.uk shopafflogin.asp; allinurl:"shopdisplayproducts.asp?id=1; allinurl:”.uk/shopdisplayproducts.asp?id=" .
Anyone advise anything else I should do?
ta
David Heriot |
|
|
THeVerve
VP-CART New User
117 Posts |
Posted - August 26 2009 : 10:47:05
|
The hackers may be trying to find pages from old or unpatched vpasp which were vulnerable to SQL Injection attack. As long as the cart has the latest security patches applied, your customer's site should be immune to this.
I would suggest that you FTP to your client's site, sort the files based on last updated date and see if there are any unknown files being uploaded recently. This unknown file could be a backdoor script that gives the hacker access to the server. |
|
|
faolie
VP-CART New User
98 Posts |
Posted - August 26 2009 : 11:47:00
|
Thanks THeVerve. Applied the latest security patch and browsed through the server files and found several php (eh?) files. When I downloaded one to take a look my antivirus software shrieked warnings. Deleted all php files I could find (they were hidden in the images folders). Hopefully that's it.
DH |
|
|
|
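The check described in the last two posts (sort the site's files by last-modified date, then look for files that do not belong, such as scripts inside the images folders), as an added example that is not part of the thread and is not VP-ASP code. It assumes you run it against a local copy of the site; the extension list, the static-folder names and the sample file names are assumptions made for the illustration.

```python
import os
import time
from pathlib import Path

# Assumed for this example: extensions a web server might execute, and
# folder names that should only ever hold static content.
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".asa", ".cer", ".cgi", ".pl", ".jsp"}
STATIC_DIRS = {"images", "img", "uploads", "css"}

def audit_webroot(root, recent_days=30, now=None):
    """Return (recent, misplaced): files modified within recent_days, newest
    first, and script-type files sitting inside static-content folders."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    recent, misplaced = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_static = any(part.lower() in STATIC_DIRS for part in rel_dir.parts)
        for name in files:
            mtime = (Path(dirpath) / name).stat().st_mtime
            rel = (rel_dir / name).as_posix()
            if mtime >= cutoff:
                recent.append((mtime, rel))
            # Check every suffix, so a name such as x.php.bak is flagged too.
            suffixes = {s.lower() for s in Path(name).suffixes}
            if in_static and suffixes & SCRIPT_EXTS:
                misplaced.append(rel)
    recent.sort(reverse=True)
    return [rel for _mtime, rel in recent], sorted(misplaced)

def build_sample_site(root, now):
    """Constructed sample tree: two old files, one recently patched page,
    and one script dropped into a subfolder of images."""
    layout = {"shopdisplayproducts.asp": 400, "shopa_patch.asp": 2,
              "images/logo.gif": 400, "images/thumbs/x.php": 5}
    for rel, age_days in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        os.utime(p, (now - age_days * 86400,) * 2)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        t = time.time()
        build_sample_site(d, t)
        recent, misplaced = audit_webroot(d, recent_days=30, now=t)
        print("recently modified:", recent)
        print("scripts in static folders:", misplaced)
```

Modification times can be reset by whoever wrote the file, so the static-folder check is worth running even when nothing shows up as recently changed.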