Our database contents are open!


31 replies to this topic

#1   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 19 February 2017 - 22:19

Out of the blue I got an email today to say that there is a bug in our web site and that the sender can access our database.  They attached screenshots where they can indeed access our database.  They want me to contact them for advice on how to fix it.  What do I do???  Where could the breach be???

 

Thanks.



#2   greasemonkey

greasemonkey
  • Members
  • 1,058 posts
  • Real Name:Scott
  • Gender:Male

Posted 19 February 2017 - 22:27

You can change the DB password ASAP via cPanel.

You'll then have to also change your configure files to match.

Obviously you should be seriously concerned as to how they've managed to access your DB.

Maybe you're using a very old version of osC? Or have a very easy password on the DB - which they've managed to crack?

Someone with more experience will prob jump in...

#3   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 19 February 2017 - 22:32

I will go and change the password now, but no my site is up to date, my config files are set to the right permissions and I don't think my password is easy, but it will be like the Da Vinci Code now!

 

Thanks



#4   greasemonkey

greasemonkey
  • Members
  • 1,058 posts
  • Real Name:Scott
  • Gender:Male

Posted 19 February 2017 - 23:11

I would prob consider changing your admin, cPanel and even your WHM (if you have a VPS) passwords as well.

Good luck.

Edited by greasemonkey, 19 February 2017 - 23:12.

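The two replies above describe the first concrete step: set a new database password in cPanel, then make both configure.php files match. The script below is an added example written for this thread, not osCommerce's own code. It assumes the osCommerce 2.3.x layout, where includes/configure.php and admin/includes/configure.php each carry a define('DB_SERVER_PASSWORD', '...') line, and it only edits those files: the same password must also be set on the MySQL user (cPanel "MySQL Databases", or ALTER USER on a recent MySQL/MariaDB) or the shop will stop connecting. The sample configure.php contents are constructed.

```python
"""Rotate DB_SERVER_PASSWORD in every osCommerce configure.php, atomically.

Added example for this thread, not osCommerce code. Assumes the 2.3.x layout
(includes/configure.php and admin/includes/configure.php). The MySQL user's
password must be changed separately; this only rewrites the PHP defines.
"""
import os
import re
import secrets
import shutil
import string
import tempfile

DEFINE_RE = re.compile(r"(define\(\s*'DB_SERVER_PASSWORD'\s*,\s*')([^']*)('\s*\)\s*;)")
# Only characters that need no escaping inside a PHP single-quoted string (no ' or \).
ALPHABET = string.ascii_letters + string.digits + "!#%+,-.:=@^_~"

# Constructed sample of the relevant part of an osCommerce 2.3.x configure.php.
SAMPLE_CONFIG = """<?php
  define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'shop_user');
  define('DB_SERVER_PASSWORD', 'Hunter2');
  define('DB_DATABASE', 'shop_db');
  define('USE_PCONNECT', 'false');
?>
"""


def generate_password(length=32):
    """Random password from the OS CSPRNG, safe to paste into configure.php."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_password(config_text):
    """Extract the password currently defined, raising if the define is absent."""
    m = DEFINE_RE.search(config_text)
    if m is None:
        raise ValueError("no DB_SERVER_PASSWORD define found")
    return m.group(2)


def rotate_password(config_text, new_password):
    """Return config_text with only the DB_SERVER_PASSWORD value replaced."""
    if "'" in new_password or "\\" in new_password:
        raise ValueError("password would need escaping in a PHP single-quoted string")
    current_password(config_text)  # raises if there is nothing to replace
    return DEFINE_RE.sub(lambda m: m.group(1) + new_password + m.group(3),
                         config_text, count=1)


def rotate_files(paths, new_password):
    """Rewrite every file atomically; refuse if they disagree on the old password.

    Returns the old password so the caller can confirm which MySQL credential
    was just retired.
    """
    texts = {}
    for p in paths:
        with open(p, "r", encoding="utf-8") as fh:
            texts[p] = fh.read()
    olds = {current_password(t) for t in texts.values()}
    if len(olds) != 1:
        raise ValueError("configure.php files hold different passwords: %r" % sorted(olds))
    for p, text in texts.items():
        tmp = p + ".new"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(rotate_password(text, new_password))
        os.chmod(tmp, 0o644)   # osCommerce's recommended post-install mode
        os.replace(tmp, p)     # atomic swap: never leaves a half-written config
    return olds.pop()


def run_demo():
    """Write both sample files to a temp dir, rotate them, and read the result back."""
    root = tempfile.mkdtemp(prefix="osc_cfg_")
    paths = [os.path.join(root, "includes", "configure.php"),
             os.path.join(root, "admin", "includes", "configure.php")]
    try:
        for p in paths:
            os.makedirs(os.path.dirname(p))
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_CONFIG)
        new_pw = generate_password()
        old_pw = rotate_files(paths, new_pw)
        after = set()
        for p in paths:
            with open(p, encoding="utf-8") as fh:
                after.add(current_password(fh.read()))
    finally:
        shutil.rmtree(root)
    return old_pw, new_pw, after


if __name__ == "__main__":
    old, new, after = run_demo()
    print("retired:", old, "| now in both files:", after == {new})
```

The check that both files agree on the old password before anything is written is deliberate: on a modified shop it is common for admin/includes/configure.php to have drifted, and rotating one file while the other still holds the old credential is exactly the half-done state that keeps a leaked password alive.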

#5   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 19 February 2017 - 23:42

One thing I did find was that our admin .htpasswd_oscommerce file was missing (I don't know why, it's always been there before), so I have reinstated that.  Could that alone be enough to give someone access to our database?



#6   Jack_mcs

Jack_mcs
  • Members
  • 28,361 posts
  • Real Name:Jack
  • Gender:Male

Posted 20 February 2017 - 03:23

@bigbob2 When you say, "access our database", do you really mean they can access your database (see its tables) or that they can access your admin? If the former, and assuming you are referring to the shop side, there is something wrong with your code since there shouldn't be anything in it to display the database, even if you wanted to. If the latter, how is it that your customers know the name of your admin?



#7   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 20 February 2017 - 03:35

Hi Jack, so they sent me screen shots of our database tables, showing our customer details, so they are genuine.  As far as I know they cannot access our Admin side.  

 

Thanks



#8   Jack_mcs

Jack_mcs
  • Members
  • 28,361 posts
  • Real Name:Jack
  • Gender:Male

Posted 20 February 2017 - 13:47

This should not be possible so without more details it will be difficult to find the reason.

 

Can you post the image that was sent to you?

 

Can you duplicate the problem?

 

Had someone worked on your site that may have displayed the tables for troubleshooting purposes?

 

Is what's being shown an error?



#9   burt

burt

    I drink and I know things

  • Community Team
  • 12,463 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 20 February 2017 - 13:54

Could you post an image (with your customer details blanked out) of the image they posted.

That would enable anyone with some knowledge to see what they have had access to in order to take that image.

 

Does that make sense?

 

So the image might show your cPanel.  It might be a script they have managed to upload.  It might be something else...


This is a signature that appears on all my posts.  It is not specifically aimed at you.

 

IF YOU MAKE A POST REQUESTING HELP...please state the exact version of osCommerce that you are using. THANKS
 
If you are still on the old style osCommerce, it is time to move to Responsive.

 


#10   MrPhil

MrPhil
  • Members
  • 6,978 posts
  • Real Name:Phil
  • Gender:Male

Posted 20 February 2017 - 15:38

Be leery of contacting these guys -- they may be trying to blackmail or extort money from you. Of course, you should change every password in sight, after (or before and after) scanning your PC for malware such as keystroke loggers and password sniffers. Does the data they showed you involve more than one customer? Does it show internal data that a customer or man-in-the-middle would never see? That would give a clue that they are indeed able to access your database, rather than building what looks like a (for example) phpMyAdmin screen shot from available data. You may want to bring in your host on this, in case it's an inside job at the host (as opposed to someone you had hired to do work for you).

 

If you are storing customer sensitive information (especially credit card information) in your database, you could be in deep legal trouble if it indeed has been breached. Check to see if you are required to notify authorities, financial institutions, or customers about it. It's not pleasant, but you could be in worse legal trouble if you try to hide it.

 

When you have cleaned up, send a thank you note to these guys for bringing it to your attention. If they contact you again with fresh data, you have a serious problem with system security and the authorities should be brought in.



#11   Jack_mcs

Jack_mcs
  • Members
  • 28,361 posts
  • Real Name:Jack
  • Gender:Male

Posted 20 February 2017 - 18:17

@bigbob2  I assumed you were speaking of customers on the site. If this is some guy looking for work, that is a different story. It might be that your shop has some security holes, which may be what he is pointing out.  But Phil is correct. I wouldn't trust someone that contacted me that way. It may be legitimate but if you want it fixed, find someone that you can feel confident with, not some stranger that happens upon your site.



#12   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 20 February 2017 - 21:55

I don't doubt that it will be someone trying to extort money, so I want to do everything in my power to close the security hole without communicating with this person.  I am actually appreciative that they brought it to my attention and if they had made a financial offer clearly in the email, perhaps it could be a good way for a hacker to get some business, but no, it feels like this is leading to trouble.

 

Here is the picture they sent me...

 

I hope it might mean something to someone.  I have blanked out the personal data.



Edited by bigbob2, 20 February 2017 - 21:56.


#13   greasemonkey

greasemonkey
  • Members
  • 1,058 posts
  • Real Name:Scott
  • Gender:Male

Posted 21 February 2017 - 01:00

@bigbob2 from the screen cap it would seem they have access to your file structure as well...

#14   Dan Cole

Dan Cole
  • Community Sponsor
  • 1,647 posts
  • Real Name:Dan Cole
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 February 2017 - 02:09

@bigbob2  Kevin I'm not familiar with that database software...is that a program you have on your computer or installed in your shop or one that they are using to view your database?

 

Dan



#15   AngusD

AngusD
  • Members
  • 79 posts
  • Real Name:Rene
  • Gender:Male

Posted 21 February 2017 - 13:14

@bigbob2 Are you running any other software on your server (WordPress, Drupal, TYPO3, etc.)?

 

Did you install any add-ons for the osCommerce version you're using?

 

AD



#16   burt

burt

    I drink and I know things

  • Community Team
  • 12,463 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 22 February 2017 - 09:57

I do not recognise that software.  It is not cPanel or Plesk (phpMyAdmin)...

 

It is something that they have on their computer.

OR

It is something uploaded to your hosting account.

OR

It is something uploaded to a different hosting account on the same server.

 

In all 3 cases; This means that they have your usernames and passwords to be able to see those details.

You need to work out how they got these details.  Changing your passwords is advised, but unless you know how they got them in the first place...you don't know if they would be able to get them again.

 

What I would do next:

 

First; download Malwarebytes and scan all my devices for anything that should not be there.

Second; change all passwords EVERYWHERE, not just this site, but all of them.  Your bank, your email, your ISP, EVERYTHING.

 

Then

 

a.  Find a new host

b.  Go through all my site files and database to ensure they are clean

c.  Get site up and running on new host

 

and then;

 

d.  Rip out any added extra "add ons", get back to clean code as best you can

OR

e.  Update to the responsive osCommerce (and keep it clean of "add ons" that touch core code).


Edited by burt, 22 February 2017 - 09:59.


 


#17   bigbob2

bigbob2
  • Members
  • 153 posts
  • Real Name:Kevin

Posted 23 February 2017 - 00:08

Hi guys, I have just been flying for 13 hours, so I am back in the office and able to reply to the questions.  Thank you all so much for your help and support.

 

The screen shot was sent to me by the person in question, this is not my software, so I don't know what it is.  I am running a heavily modified 2.3.4 version of OSC, so it would be almost impossible to start to strip it back from this point, without losing all the functionality I need.

 

To answer another question, I am on a shared hosting server, but on my own hosting, I only have OSC and a MediaWiki installation.  I also had an installation of a program called ClipBucket, but I was not using it, so I have uninstalled that.

 

We only access our site from Mac computers here, and I am careful about what I install, so I would not expect that I have loggers or malware etc. installed. 

 

I have had our hosting company do a security check and they reported back "We scanned your account and your account is clean and there are no such findings which need attention. Just make sure you update your scripts to the latest versions and audit your account timely for any suspicious or unwanted files. We also recommend that all PC's with access to your account must be audited for malware. Please note that one of the main purposes of malware on websites is to infect visitors. Therefore a simple visit on your website could have resulted in an infection for your PC. ALL users currently available on your sites must be reviewed and all malicious or suspicious users removed"  Because our web site is a commercial shop, I can't get every user to do anything.

 

Burt, I will go and change all my passwords (God, I have so many, that's going to be a full time job  :wacko: ).  I will need to get someone to go through the files and database to ensure that it is clean, as I do not personally have the skills to know what to look for.  I am looking at changing to a non-shared host too.

 

Thanks

 


#18   Dan Cole

Dan Cole
  • Community Sponsor
  • 1,647 posts
  • Real Name:Dan Cole
  • Gender:Male
  • Location:Ontario, Canada

Posted 23 February 2017 - 00:53

@bigbob2 Kevin, be sure to change the user name and password for your database as well.  I would also make sure that you scan your computers for viruses etc.  You need to figure out how they got access to your data.  Does your host know if any other sites on your shared hosting had similar issues?

 

Dan 



#19   Dan Cole

Dan Cole
  • Community Sponsor
  • 1,647 posts
  • Real Name:Dan Cole
  • Gender:Male
  • Location:Ontario, Canada

Posted 23 February 2017 - 05:07

@bigbob2  Kevin the other thought I had....is there anything in the screen shot or data that was showing within it that might allow you to figure out when they accessed the database?   Maybe that could be of some help to your host in trying to pin down how and from where it was accessed.

 

Dan


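The suggestion above, to use whatever time the screenshot reveals to pin down how and from where the database was reached, is something the shop owner can do from the raw access log without the host's help. The script below is an added example for this thread, not part of any post. It assumes Apache combined log format, one hypothetical office address (192.0.2.10) that is allowed to use /admin/, and a time window taken from the screenshot; the addresses are RFC 5737 documentation ranges and the log lines are constructed for the example.

```python
"""Correlate a suspected database-access time with the web server access log.

Added example for this thread, not part of any post. Assumes Apache combined
log format; the office IP, time window and log lines are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
OFFICE_IPS = {"192.0.2.10"}                      # assumption: the shop's own staff
# A subset of osCommerce 2.3.x's legitimate front-end scripts, for illustration.
KNOWN_SCRIPTS = {"/index.php", "/product_info.php", "/shopping_cart.php",
                 "/login.php", "/account.php", "/checkout_shipping.php"}
# Database tools or dump files being fetched straight off the web root.
DUMP_RE = re.compile(r"phpmyadmin|/pma/|adminer|\.sql(\.gz)?$|\.zip$|\.tar\.gz$", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def classify(rec):
    """Reasons this request deserves a look; an empty list means it looks routine."""
    reasons = []
    path = rec["path"]
    if path.startswith("/admin/"):
        if rec["ip"] not in OFFICE_IPS:
            reasons.append("admin area hit from outside the office: " + path)
    elif path.endswith(".php") and path not in KNOWN_SCRIPTS and rec["status"] == 200:
        reasons.append("unknown PHP script executed: " + path)
    if DUMP_RE.search(path):
        reasons.append("database tool or dump download: " + path)
    return reasons


def triage(lines, start, end):
    """Map source IP -> sorted distinct reasons, for requests with start <= time <= end."""
    by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not start <= rec["ts"] <= end:
            continue
        for reason in classify(rec):
            by_ip[rec["ip"]].add(reason)
    return {ip: sorted(r) for ip, r in by_ip.items()}


# Constructed log excerpt: one shopper, one office login, one attacker, and a hit
# from the same attacker the next day that falls outside the window.
SAMPLE_LOG = """\
198.51.100.22 - - [19/Feb/2017:19:02:11 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2017:19:40:03 +0000] "GET /images/banner.php?cmd=ls HTTP/1.1" 200 512 "-" "python-requests/2.12"
203.0.113.7 - - [19/Feb/2017:19:41:17 +0000] "POST /images/banner.php HTTP/1.1" 200 40221 "-" "python-requests/2.12"
203.0.113.7 - - [19/Feb/2017:19:45:50 +0000] "GET /backup/shop-2017-02-19.sql HTTP/1.1" 200 9810442 "-" "python-requests/2.12"
192.0.2.10 - - [19/Feb/2017:20:10:02 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [19/Feb/2017:20:12:30 +0000] "GET /admin/login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2017:03:00:00 +0000] "GET /images/banner.php HTTP/1.1" 200 512 "-" "curl/7.52"
"""
WINDOW_START = datetime.strptime("19/Feb/2017:18:00:00 +0000", TS_FMT)
WINDOW_END = datetime.strptime("19/Feb/2017:22:00:00 +0000", TS_FMT)


def run_demo():
    result = triage(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)
    for ip, reasons in sorted(result.items()):
        print(ip)
        for reason in reasons:
            print("   ", reason)
    return result


if __name__ == "__main__":
    run_demo()
```

The point of the window is to cut the noise of a live shop down to the minutes that matter; once an address like 203.0.113.7 surfaces, the next query is every request that address ever made, which shows how the script it ran was uploaded in the first place, the question left open by the host's "account is clean" reply.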

#20   MrPhil

MrPhil
  • Members
  • 6,978 posts
  • Real Name:Phil
  • Gender:Male

Posted 23 February 2017 - 14:03

 

We only access our site from Mac computers here, and I am careful about what I install, so I would not expect that I have loggers or malware etc. installed. 

 

Macs (and Linux machines) can catch malware too, though not as easily as Windows systems. Bottom line: they're not immune to viruses, etc.

 

It's possible to become infected by a "drive by" installation of malware, just by visiting a bad site. If you're not running anti-malware because you're on a Mac, your machines could have gotten infected that way. Run anti-malware monitors, and scan on a regular basis.