Recent hacker attack on our shopping cart
jason2004 (Groupie, joined September/29/05)
Posted: July/14/06 at 4:34pm
Thank you Mike! I appreciate your time very much and your more than helpful information. It is nice to have you here!!!
I will do as suggested. Thanks once again! Jason
mikeb (Admin Group, joined March/17/04, Location: United States)
You have a lot of stuff in here Jason.

1) Please read this KB: http://support.salescart.com/kb/KB-details.asp?key=5511 You need to do everything in this KB. Most importantly do not leave your /online folder as /online!!!

2) Join the security notification list at userroom.salescart.com. This KB was originally distributed there as well to notify our customers that were interested.

See rest of answers below.

> Is it true that they couldn't get customer info during checkout process since we have SSL secured pages?

We do not know of any way to do this. But security is not black and white, nothing is impossible...even SSL could theoretically be broken. Also, all current versions of our product do not store the credit card information nor do we suggest that you do that. With the ability to readily process credit cards via PayPal or AuthorizeNet, the need to store this sensitive data does not exist. We sell a security service that will test for currently known methods of access due to misconfiguration and not following our suggestions.

> We would appreciate if you can advise us what we can do better in securing our data. We have SalesCart Pro. This is what I'm planning to do:
> - remove IUSR from /online folder
> - rename folders /fpdb; /online
> - rename shop.mdb
> - try to relocate these folders and hide them
> - ban IP address

I think these are all important things you MUST do in today's climate which has significantly changed from 3 and just 1 year ago. Renaming files from the way they ship to something obscure is the simplest of all tasks and provides a massive amount of protection.

> Do you think that this is going to be adequate to prevent any future attacks? Were they able to download/learn something more about Sales Cart files?

Our software is a commercial product so they can purchase a copy to learn everything about the way it ships by default. However, our product puts you in the driver's seat to change these basic paths to your own so that you have in essence a completely different version accessibly different from anything we ship and you alone know where those files are. Take a look at our SalesCartNET product and look to go to SQL as a database. ASP.NET provides more protection against SQL injection as well as more security protection in general including .dll based code to hide or encode things which was not available in ASP. With the introduction of ASP.NET, ASP as a technology is on a short track to eventually be obsolete within 3-5 years.

> Is this the correct procedure for adding username/password to database file:
> - Add password using Microsoft Access
> - Upload database
> - Now I guess that I need to add password/user name in global.asa, is this correct?

Yes, that will work. If you use a database password for the shop, then yes it will appear there. Make sure you have the latest versions of our software and all fixes and patches.

> Please advise:
> - Can I change the name of database file, with no influence on shopping cart?
> - Can I change the name of /fpdb folder?
> - How protected is global.asa file?! Is this file available for offline reading/history or download?
> - How vulnerable is the Order Management system? Can they sneak again using their previous experience? Would it be better to not have Order Management online? Can it be used without being online?

You can change the name of the database as well as /fpdb, you just need to make sure your connection string reflects the corrected name...that's all...as well as adjusting the IIS virtual directory permissions to prevent read from any new folder name. If your server is set up correctly, you should not be able to see any .asa files. You can test this yourself with a browser by trying to go to them. Our order management system is online. Of course from Day 1, it is not where you would necessarily expect it to be and 2, it also has challenged NTFS permissions on it...which we would highly recommend and suggest. You should be able to easily get your ISP to add a password to whatever you eventually call the folder. This is the most secure because it goes beyond a simple "script-only" solution.

> Finally, is there anything else that we should implement at our site beside the standard SSL certificate?

I would still suggest you look at our security service. Even if you change these things, will someone have access, and mistakenly publish things back or the like? One of the issues we have seen is that when customers have the tools necessary to run their own shopping cart and thus make it as secure or insecure as they want to....they also have the ability to break things sometimes themselves, or in other cases, something someone else fixed for them just hours ago. Security is not only not black and white, it's also not a one time thing, it's an ongoing thing where mistakes must be constantly monitored for. However, a lot of what our service tests for would be solved by changing the default paths and locations of files and folders.

> We will appreciate if you can advise us at your earliest convenience, since we have stopped our shopping cart until we find a solution. Thank you. Jason

Edited by mike
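Two points in the reply above lend themselves to a concrete check: the original post reports "unknown IP address multiple access" to Order Management, and the reply stresses that security "is an ongoing thing where mistakes must be constantly monitored for" and that you should confirm with a browser that global.asa and the database folder cannot be fetched. The script below is an added example, not code from the thread or from SalesCart: it parses IIS W3C extended log lines and reports (a) successful requests to the order-management folder from addresses not on the shop owner's allowlist and (b) requests for the product's default file locations that were actually served. The folder name /ordermgr/, the client addresses and every log line are constructed for the example.

```python
"""Scan IIS W3C extended log lines for two things discussed in the thread:
1. successful requests to the order-management folder from IP addresses
   that are not on the shop owner's allowlist, and
2. requests for the product's default file locations (/fpdb/shop.mdb,
   global.asa, createadmin.asp) that returned 200 instead of 403/404,
   i.e. the rename/lockdown did not hold.
All paths, addresses and log lines here are constructed for the example."""
from collections import Counter, defaultdict

# Constructed sample IIS log. The "#Fields:" directive names the columns
# and IIS writes "-" for empty values (e.g. no query string, no username).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2006-07-10 02:13:41 GET /online/default.asp - 80 - 198.51.100.23 200
2006-07-10 02:13:42 GET /fpdb/shop.mdb - 80 - 198.51.100.23 200
2006-07-10 02:14:05 GET /global.asa - 80 - 198.51.100.23 403
2006-07-10 02:15:10 GET /online/createadmin.asp - 80 - 198.51.100.23 404
2006-07-10 02:16:00 POST /ordermgr/login.asp - 443 - 198.51.100.23 200
2006-07-10 02:16:09 GET /ordermgr/orders.asp - 443 admin 198.51.100.23 200
2006-07-10 02:16:30 GET /ordermgr/orders.asp - 443 admin 198.51.100.23 200
2006-07-10 09:02:11 GET /ordermgr/orders.asp - 443 admin 203.0.113.5 200
2006-07-10 09:05:44 GET /shop/cart.asp - 443 - 192.0.2.77 200
"""

# Default locations named in the thread, plus the admin-creation script the
# poster removed; after the rename none of these should ever return 200.
DEFAULT_PATHS = ("/fpdb/shop.mdb", "/global.asa", "/online/createadmin.asp")


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip, don't misalign
        records.append(dict(zip(fields, values)))
    return records


def unknown_admin_access(records, admin_prefix, allowed_ips):
    """Count successful (200) requests under admin_prefix from IPs that are
    not on the allowlist. Denied requests (403/404) are not counted: there
    the folder protection held."""
    hits = Counter()
    for r in records:
        if (r["cs-uri-stem"].lower().startswith(admin_prefix.lower())
                and r["sc-status"] == "200"
                and r["c-ip"] not in allowed_ips):
            hits[r["c-ip"]] += 1
    return dict(hits)


def default_path_probes(records, default_paths=DEFAULT_PATHS):
    """Return {ip: [(uri, status), ...]} for every request to a default path."""
    wanted = {p.lower() for p in default_paths}
    probes = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"].lower() in wanted:
            probes[r["c-ip"]].append((r["cs-uri-stem"], r["sc-status"]))
    return dict(probes)


def served_default_files(probes):
    """Flatten probes to the sorted (ip, uri) pairs where the server actually
    delivered the default file; each one is a lockdown failure to fix."""
    return sorted((ip, uri) for ip, hits in probes.items()
                  for uri, status in hits if status == "200")


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    # Only the shop owner's own address is expected in the admin folder.
    print("order-manager access from unknown IPs:",
          unknown_admin_access(recs, "/ordermgr/", {"203.0.113.5"}))
    print("default files actually served:",
          served_default_files(default_path_probes(recs)))
```

Run it against a real IIS log by replacing SAMPLE_LOG with the file contents and the allowlist with the addresses that legitimately use Order Management; a non-empty result from either function is the signal to act on. Note that the request for global.asa returning 403 and createadmin.asp returning 404 are the outcomes the reply says to expect, while the 200 for /fpdb/shop.mdb is exactly the database download the thread is trying to prevent.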
jason2004 (Groupie, joined September/29/05)
We had a recent hacker attack on our shopping cart and our data is compromised. We are still investigating the issue, but it looks like we've been hacked through the Order Management (unknown IP address multiple access). Not sure how they managed to log in. We had one user, SSL connection, createadmin.asp removed. Our shop.mdb is secured with standard /fpdb folder security (not available for view/download).

Is it true that they couldn't get customer info during checkout process since we have SSL secured pages?

We would appreciate if you can advise us what we can do better in securing our data. We have SalesCart Pro. This is what I'm planning to do:
- remove IUSR from /online folder
- rename folders /fpdb; /online
- rename shop.mdb
- try to relocate these folders and hide them
- ban IP address

Do you think that this is going to be adequate to prevent any future attacks? Were they able to download/learn something more about Sales Cart files?

Is this the correct procedure for adding username/password to database file:
- Add password using Microsoft Access
- Upload database
- Now I guess that I need to add password/user name in global.asa, is this correct?

Please advise:
- Can I change the name of database file, with no influence on shopping cart?
- Can I change the name of /fpdb folder?
- How protected is global.asa file?! Is this file available for offline reading/history or download?
- How vulnerable is the Order Management system? Can they sneak again using their previous experience? Would it be better to not have Order Management online? Can it be used without being online?

Finally, is there anything else that we should implement at our site beside the standard SSL certificate?

We will appreciate if you can advise us at your earliest convenience, since we have stopped our shopping cart until we find a solution. Thank you. Jason