Our database contents are open!

31 replies to this topic

#21   bigbob2 (Kevin)

Posted 24 February 2017 - 00:26

I have scanned our computers for malware and they all appear to be clean.  

 

The latest development is that our web site has gone down and now only gives a 500 Server Error, so I can only assume that the hacker has taken things to the next level, or perhaps it's a coincidence.  Either way, it's totally out of my abilities, so I have hired a web security person to look into it.  Now, I have three problems: (1) finding how they got in, (2) stopping them, and (3) getting my site back online.

 

As if life was not hard enough already  :(



#22   Jack_mcs (Jack)

Posted 24 February 2017 - 01:37

@bigbob2 While waiting on them, you may want to test your site here. It will check some common things that may allow this to happen.



#23   Dan Cole

Posted 24 February 2017 - 01:38

@bigbob2 Kevin...I'm very sorry to hear that. :(

 

Good luck in getting it sorted out and in getting your site back online. Please keep us posted.

 

Dan



#24   MrPhil (Phil)

Posted 24 February 2017 - 13:31

You might also check with your host as to whether they have made any system changes, such as installing a new PHP version, or changing server security settings. Lots of things could coincidentally be giving you a 500 error, unrelated to anything the hacker is doing. Unfortunately, it's still quite possible that your site has been sabotaged by an intruder to shut you down until you pay the ransom.



#25   bigbob2 (Kevin)

Posted 26 February 2017 - 23:45

Well, the latest update is that our host has our site up and running again - Yayyy!

 

So a hacker I asked to look at the site has told me that they can get in by SQL injection.  I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that.  Here it is for reference:

 

https://github.com/g...fb048bfe31c902 

 

I have spent the day phoning cyber security experts to get someone to do a penetration test for us, which is crazy expensive in my country, so I might have to look internationally.  Several people I talked to don't believe there was any link between the email we received and the web site going down, although they did find malicious content, so the site may have been hacked by others in the past.  Their theory is that if someone installed malicious content, the last thing they would want to do is warn us.  I guess I will never know, but I'm still waiting on my host to give a report on what they actually found.

 

I ran our site through the link Jack posted above and it shows fail on the following:

 

ADMIN STATUS:     Your admin appears to not be password protected. This may be a serious security problem (some secured admins may return false results).
IMAGES STATUS:     Your images directory is not secure.
INCLUDES STATUS:     Your includes directory is not secure. This is a serious security hole and needs to be fixed immediately.

 

However, there is another site of mine on the same hosting account, with an identical install of OSC (different products but same store files and settings), and that shows as a clean pass on everything.  I have checked one by one and my admin is secured correctly, my image directory is secured correctly and the includes directory is secure too, so I'm hoping there is a false positive for some strange reason on this site.  Now I'm paranoid about everything.

 

Thanks.



#26   Jack_mcs (Jack)

Posted 27 February 2017 - 03:05

@bigbob2 It's too late now but I suggest you install Site Monitor. It will inform you of what changes have been made, so fixing things after a hacker gets in is a lot easier. As it is now, you don't know what files may be present, so you need to check your files.

 

Regarding the test I mentioned, be sure you enter the location of your shop. For example, if it is located in a directory named shop, then you have to include that in the URL to be tested. Otherwise the test will check the root directory and that may give wrong results. If you did enter the URL correctly, try going to http://your domain/includes/configure.php. You shouldn't be able to see it. If you can, then there is a serious problem. Do the same with the images.
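
As an added illustration of what Jack's Site Monitor suggestion achieves (this is not the add-on's code, nor osCommerce's), here is a minimal baseline-and-compare file-change check: hash every file under the shop directory once, then report anything added, removed or modified since. The root and baseline paths are assumptions passed on the command line.

```python
import hashlib
import json
import os
import sys
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root) to its SHA-256."""
    rootp = Path(root)
    return {
        str(p.relative_to(rootp)): hash_file(p)
        for p in sorted(rootp.rglob("*"))
        if p.is_file()
    }


def save_baseline(root: str, baseline_file: str) -> None:
    """Record the known-good state. Keep the baseline outside the web root."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=1))


def compare(root: str, baseline_file: str) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


if __name__ == "__main__":
    # Usage (assumed paths): python monitor.py /path/to/store /safe/place/baseline.json
    root, baseline = sys.argv[1], sys.argv[2]
    if not os.path.exists(baseline):
        save_baseline(root, baseline)
        print("baseline written")
    else:
        print(json.dumps(compare(root, baseline), indent=1))
```

A new PHP file appearing under images/ or a changed includes/ file shows up in the report even when the site still renders normally, which is exactly the case Jack describes.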



#27   bigbob2 (Kevin)

Posted 27 February 2017 - 03:33

> @bigbob2 It's too late now but I suggest you install Site Monitor. It will inform you of what changes have been made, so fixing things after a hacker gets in is a lot easier. As it is now, you don't know what files may be present, so you need to check your files.
>
> Regarding the test I mentioned, be sure you enter the location of your shop. For example, if it is located in a directory named shop, then you have to include that in the URL to be tested. Otherwise the test will check the root directory and that may give wrong results. If you did enter the URL correctly, try going to http://your domain/includes/configure.php. You shouldn't be able to see it. If you can, then there is a serious problem. Do the same with the images.

Thanks Jack, 

 

I did have the URL correct, including the /store which is what the directory is called.  I did as you suggested and both the config and images come up forbidden as I would have expected.  I'm not sure why the test site picks these up as fails.  At least I know they are secured, so there is not a gaping hole in the site on any of those issues. 

 

Thanks.



#28   Dan Cole

Posted 27 February 2017 - 05:08

@bigbob2 Kevin I'm a bit puzzled by this...

 

> So a hacker I asked to look at the site has told me that they can get in by SQL injection.  I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that.  Here it is for reference:
>
> https://github.com/g...fb048bfe31c902

 

 

Your link points to a minor change in catalog/admin/geo_zones.php, ensuring that the input is an integer.   Given that the file is located in the admin site of your shop, how does anyone who doesn't have admin access perform some sort of SQL injection?   Is that even possible?

 

Dan
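
To show why the kind of change Dan describes matters (a zone id cast to an integer before it reaches the query), here is an added example in Python with an in-memory SQLite table; it is not osCommerce's code, and the table, column and parameter names are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the shop's geo zones table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE geo_zones (geo_zone_id INTEGER, geo_zone_name TEXT);
        INSERT INTO geo_zones VALUES (1, 'Florida'), (2, 'Ontario'), (3, 'Victoria');
    """)
    return con


def zone_name_unsafe(con: sqlite3.Connection, zid: str) -> list:
    # The 'before' shape: a request value is pasted straight into the SQL,
    # so anything other than a bare number changes the query's meaning.
    sql = "SELECT geo_zone_name FROM geo_zones WHERE geo_zone_id = " + zid
    return sorted(r[0] for r in con.execute(sql))


def zone_name_safe(con: sqlite3.Connection, zid: str) -> list:
    # The fix: insist on an integer, then bind it as a parameter. Rejecting
    # non-integers is stricter than PHP's (int) cast, which silently coerces.
    try:
        zone_id = int(zid)
    except ValueError:
        raise ValueError("geo_zone_id must be an integer") from None
    sql = "SELECT geo_zone_name FROM geo_zones WHERE geo_zone_id = ?"
    return sorted(r[0] for r in con.execute(sql, (zone_id,)))
```

Whether the unsafe form is reachable without an admin login is exactly Dan's question; the integer check removes the defect either way.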



#29   Jack_mcs (Jack)

Posted 27 February 2017 - 14:19

@bigbob2 That's strange. I can't say why the test would return a false positive. Maybe some setting on your server is causing it. As long as you are sure it is protected, that's all that matters.

 

@Dan Cole You are correct. It should not be possible. Years ago there was a way to post into the admin without a login, but that hole was plugged and I've not heard of it since. Although, I don't recall the OP saying what version he is using, so it may be he has an older version that still has security holes in it.



#30   Dan Cole

Posted 27 February 2017 - 15:31

@Jack_mcs  Kevin mentions that he is running 2.3.4 so I can't see the fix he posted as being relevant to the hack.

 

> I am running a heavily modified 2.3.4 version of OSC

 

 

Dan



#31   Jack_mcs (Jack)

Posted 27 February 2017 - 16:31

Ahh, I missed that. Thanks for pointing it out.



#32   bigbob2 (Kevin)

Posted 27 February 2017 - 22:05

Well, some good news for a change!!!

 

I got the report back from the host and it turns out that the site was not brought down by a malicious attack, and it seems like it was unrelated to the email from the hacker who had accessed our database.  The site was brought down by some very heavy over-indexing by bots, which have now been banned by the server, and they have made some changes and cleaned up things to prevent the resources from becoming overloaded and crashing our site again.  The site is now showing normal levels of activity and they are going to continue to monitor it.

 

So now my problem is I need to find out how the original SQL injection was done and then block it.  The SQL injection I talked about earlier may or may not have had any relevance to it, I just googled it and when I found that we did not have that patch, I applied it.  From the reaction you guys have given, it sounds like it was probably unrelated to how this person got in, but any holes I can patch can only be a good thing.

 

To reiterate, my site is 2.3.4, but as there have been many other addons done, one of them could have also created a hole.  Obviously the above patch was not there, so there are possibly other patches that have been missed along the way too, so I am not out of the woods yet!

 

Thanks

Kevin