bigbob2

Member Since 21 Aug 2008
OFFLINE Last Active Feb 28 2017 22:07
Posts I've Made

In Topic: Our database contents are open!

27 February 2017 - 22:05

Well, some good news for a change!!!

I got the report back from the host and it turns out that the site was not brought down by a malicious attack, and it seems like it was unrelated to the email from the hacker who had accessed our database. The site was brought down by some very heavy over-indexing by bots, which have now been banned by the server, and they have made some changes and cleaned up things to prevent the resources from becoming overloaded and crashing our site again. The site is now showing normal levels of activity and they are going to continue to monitor it.

So now my problem is I need to find out how the original SQL injection was done and then block it.  The SQL injection I talked about earlier may or may not have had any relevance to it, I just googled it and when I found that we did not have that patch, I applied it.  From the reaction you guys have given, it sounds like it was probably unrelated to how this person got in, but any holes I can patch can only be a good thing.

To reiterate, my site is 2.3.4, but as there have been many other addons done, one of them could have also created a hole.  Obviously the above patch was not there, so there are possibly other patches that have been missed along the way too, so I am not out of the woods yet!

Thanks

Kevin


In Topic: Our database contents are open!

27 February 2017 - 03:33

@bigbob2 It's too late now but I suggest you install Site Monitor. It will inform you of what changes have been made so fixing things after a hacker gets in is a lot easier. As it is now, you don't know what files may be present so you need to check your files.

Regarding the test I mentioned, be sure you enter the location to your shop. For example, if it is located in a directory named shop, then you have to include that in the url to be tested. Otherwise the test will check the root directory and that may give wrong results. If you did enter the url correctly, try going to http://your domain/includes/configure.php. You shouldn't be allowed to show it. If you can, then there is a serious problem. Do the same with the images.

Thanks Jack, 

I did have the URL correct, including the /store which is what the directory is called.  I did as you suggested and both the config and images come up forbidden as I would have expected.  I'm not sure why the test site picks these up as fails.  At least I know they are secured, so there is not a gaping hole in the site on any of those issues. 

Thanks.


In Topic: Our database contents are open!

26 February 2017 - 23:45

Well, the latest update is that our host has our site up and running again - Yayyy!

So a hacker I asked to look at the site has told me that they can get in by SQL injection.  I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that.  Here it is for reference:

https://github.com/g...fb048bfe31c902 

I have spent the day phoning cyber security experts to get someone to do a penetration test for us, which is crazy expensive in my country, so I might have to look internationally. Several people I talked to don't believe there was any link between the email we received and the web site going down, although they did find malicious content, so the site may have been hacked by others in the past. Their theory is that if someone installed malicious content, the last thing they would want to do is warn us. I guess I will never know, but I'm still waiting on my host to give a report on what they actually found.

I ran our site through the link Jack posted above and it shows fail on the following:

ADMIN STATUS:     Your admin appears to not be password protected. This may be a serious security problem (some secured admins may return false results).
IMAGES STATUS:     Your images directory is not secure.
INCLUDES STATUS:     Your includes directory is not secure. This is a serious security hole and needs to be fixed immediately.

However, there is another site of mine on the same hosting account, with an identical install of OSC (different products but the same store files and settings), and that shows as a clean pass on everything. I have checked one by one and my admin is secured correctly, my images directory is secured correctly and the includes directory is secure too, so I'm hoping there is a false positive for some strange reason on this site. Now I'm paranoid about everything.

Thanks.


In Topic: Database Optimizer

26 February 2017 - 23:21

Visit admin->Tools->Database Optimizer and the database changes will be made.

Thanks Jack,

I have that part, but it looked like there was supposed to be a configuration page where the items in red could be configured?

Thanks.


In Topic: Database Optimizer

26 February 2017 - 18:23

Great addon, but am I missing something?  In the latest version, the instructions say you can go to admin->configuration->database optimizer, but that entry does not seem to be there.  I have read over the install instructions again and I can't find where that entry was coded.  I had very little sleep last night, so I might just be being stupid though :)

Thanks