
Topic: Recent hacker attack on our shopping cart (SalesCart Standard / PRO / SQL forum, locked)

jason2004 (Groupie, Joined: September/29/05)
Posted: July/13/06 at 1:41am
We had a recent hacker attack on our shopping cart and our data is compromised. We are still investigating the issue, but it looks like we've been hacked through the Order Management (unknown IP address, multiple accesses). Not sure how they managed to log in. We had one user, SSL connection, createadmin.asp removed. Our shop.mdb is secured with standard /fpdb folder security (not available for view/download).

Is it true that they couldn’t get customer info during checkout process since we have SSL secured pages?

We would appreciate it if you could advise us what we can do better in securing our data. We have SalesCart Pro.

This is what I'm planning to do:
- remove IUSR from /online folder
- rename folders /fpdb; /online
- rename shop.mdb
- try to relocate these folders and hide them
- ban IP address


Do you think that this is going to be adequate to prevent any future attacks? Were they able to download/learn something more about Sales Cart files?

Is this the correct procedure for adding username/password to database file:
- Add password using Microsoft Access
- Upload database
- Now I guess that I need to add password/user name in global.asa, is this correct?


Please advise:
- Can I change the name of database file, with no influence on shopping cart?
- Can I change the name of /fpdb folder?
- How protected is the global.asa file? Is this file available for offline reading/history or download?
- How vulnerable is the Order Management system? Can they sneak again using their previous experience? Would it be better to not have Order Management online? Can it be used without being online?


Finally, is there anything else that we should implement at our site beside the standard SSL certificate?

We would appreciate it if you could advise us at your earliest convenience, since we have stopped our shopping cart until we find a solution.

Thank you.
Jason


mikeb (Admin Group, Joined: March/17/04, Location: United States)
Posted: July/14/06 at 10:19am
You have a lot of stuff in here Jason. 1) Please read this KB: http://support.salescart.com/kb/KB-details.asp?key=5511 You need to do everything in this KB. Most importantly, do not leave your /online folder as /online!!! Also, 2) join the security notification list at userroom.salescart.com. This KB was originally distributed there as well to notify our customers that were interested. See the rest of the answers below.



> Is it true that they couldn't get customer info during checkout process since we have SSL secured pages?

We do not know of any way to do this. But security is not black and white, nothing is impossible...even SSL could theoretically be broken. Also, all current versions of our product do not store the credit card information, nor do we suggest that you do that. With the ability to readily process credit cards via PayPal or AuthorizeNet, the need to store this sensitive data does not exist. We sell a security service that will test for currently known methods of access due to misconfiguration and not following our suggestions.


> We would appreciate if you can advise us what we can do better in securing our data. We have SalesCart Pro.
>
> This is what I'm planning to do:
>
> - remove IUSR from /online folder
> - rename folders /fpdb; /online
> - rename shop.mdb
> - try to relocate these folders and hide them
> - ban IP address

I think these are all important things you MUST do in today's climate, which has significantly changed from 3 and just 1 year ago. Renaming files from the way they ship to something obscure is the simplest of all tasks and provides a massive amount of protection.


> Do you think that this is going to be adequate to prevent any future attacks? Were they able to download/learn something more about Sales Cart files?

Our software is a commercial product, so they can purchase a copy to learn everything about the way it ships by default. However, our product puts you in the driver's seat to change these basic paths to your own so that you have in essence a completely different version, accessibly different from anything we ship, and you alone know where those files are.

Take a look at our SalesCartNET product and look to go to SQL as a database. ASP.NET provides more protection against SQL injection as well as more security protection in general including .dll based code to hide or encode things which was not available in ASP. With the introduction of ASP.NET, ASP as a technology is on a short track to eventually be obsolete within 3-5 years.


> Is this the correct procedure for adding username/password to database file:
> - Add password using Microsoft Access
> - Upload database
> - Now I guess that I need to add password/user name in global.asa, is this correct?
Yes, that will work. If you use a database password for the shop, then yes it will appear there. Make sure you have the latest versions of our software and all fixes and patches.


> Please advise:
> - Can I change the name of database file, with no influence on shopping cart?
> - Can I change the name of /fpdb folder?
> - How protected is global.asa file?! Is this file available for offline reading/history or download?
> - How vulnerable is the Order Management system? Can they sneak again using their previous experience? Would it be better to not have Order Management online? Can it be used without being online?
You can change the name of the database as well as /fpdb, you just need to make sure your connection string reflects the corrected name...that's all...as well as adjusting the IIS virtual directory permissions to prevent read from any new folder name. If your server is set up correctly, you should not be able to see any .asa files. You can test this yourself with a browser by trying to go to them. Our order management system is online. Of course, from Day 1, it is not where you would necessarily expect it to be and 2, it also has challenged NTFS permissions on it...which we would highly recommend and suggest. You should be able to easily get your ISP to add a password to whatever you eventually call the folder. This is the most secure because it goes beyond a simple "script-only" solution.


> Finally, is there anything else that we should implement at our site beside the standard SSL certificate?

I would still suggest you look at our security service. Even if you change these things, will someone have access, and mistakenly publish things back or the like? One of the issues we have seen is that when customers have the tools necessary to run their own shopping cart and thus make it as secure or insecure as they want to....they also have the ability to break things themselves sometimes, or in other cases, what someone else fixed for them just hours ago. Security is not only not black and white, it's also not a one-time thing, it's an ongoing thing where mistakes must be constantly monitored for. However, a lot of what our service tests for would be solved by changing the default paths and locations of files and folders.


> We will appreciate if you can advise us at your earliest convenience, since we have stopped our shopping cart until we find a solution.
>
> Thank you.
> Jason


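A self-check for the "test this yourself with a browser by trying to go to them" advice above, added here as an example (it is not SalesCart's code): it requests the default paths named in this thread and reports which ones the web server still serves, with verdicts based on the response status and a sample of the body. The site base URL and the 512-byte body sample are assumptions; run it against your own site before and after applying the KB changes.

```python
"""Report which SalesCart default files a web server still serves (added example)."""
import urllib.error
import urllib.request
from dataclasses import dataclass

# Default ship locations named in the thread; kind selects the body signature checked.
SENSITIVE_PATHS = {
    "/global.asa": "asa",
    "/fpdb/shop.mdb": "mdb",
    "/fpdb/": "dir",
    "/online/": "dir",
    "/online/createadmin.asp": "asp",
}

@dataclass
class Probe:
    path: str
    status: int
    head: bytes  # first 512 bytes of the response body (assumed sample size)

def verdict(probe: Probe, kind: str) -> str:
    """Return 'protected', 'review' (inspect by hand) or an 'EXPOSED: ...' finding."""
    if probe.status in (401, 403, 404):
        return "protected"           # server refuses or hides the file: what we want
    if probe.status != 200:
        return "review"              # redirects, 500s etc. need a human look
    up = probe.head.upper()
    if kind == "mdb" and b"Standard Jet DB" in probe.head[:32]:
        return "EXPOSED: Access database downloadable"      # Jet .mdb file header
    if kind == "asa" and (b"RUNAT" in up or b"_ONSTART" in up):
        return "EXPOSED: global.asa source served as text"  # server-side script visible
    if kind == "dir" and b"[To Parent Directory]" in probe.head:
        return "EXPOSED: IIS directory listing enabled"     # IIS directory browsing page
    if kind == "asp":
        return "EXPOSED: createadmin.asp still present"     # 200 means the page still exists
    return "review"  # 200 with no signature: e.g. a default document or custom error page

def fetch(base_url: str, path: str, timeout: float = 10.0) -> Probe:
    """GET one path; an HTTP error status is a result, not a failure."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(path, resp.status, resp.read(512))
    except urllib.error.HTTPError as err:
        return Probe(path, err.code, err.read(512))

def audit(base_url: str, paths=SENSITIVE_PATHS) -> dict:
    """Map each sensitive path on the site to its verdict."""
    return {p: verdict(fetch(base_url, p), k) for p, k in paths.items()}
```

Call `audit("https://your-shop.example")` with your own site; after renaming /fpdb and /online as the KB advises, add the new names to SENSITIVE_PATHS so the check covers them too.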
jason2004 (Groupie, Joined: September/29/05)
Posted: July/14/06 at 4:34pm
Thank you Mike! I appreciate your time very much and your most helpful information. It is nice to have you here!!!
I will do as suggested.
Thanks once again!
Jason