bigbob2

Our database contents are open!

32 posts in this topic

Out of the blue I got an email today to say that there is a bug in our web site and that the sender can access our database.  They attached screenshots where they can indeed access our database.  They want me to contact them for advice on how to fix it.  What do I do???  Where could the breach be???

Thanks.


You can change the DB password ASAP via cPanel.

You'll then have to also change your configuration files to match.

Obviously you should be seriously concerned as to how they've managed to access your DB.

Maybe you're using a very old version of OsC? Or have a very easy password on the DB - which they've managed to crack?

Someone with more experience will prob jump in...


I will go and change the password now, but no my site is up to date, my config files are set to the right permissions and I don't think my password is easy, but it will be like the Da Vinci Code now!

Thanks


I would prob consider changing your admin, cPanel and even your WHM (if you have a VPS) passwords as well.

Good luck.

Edited by greasemonkey


One thing I did find was that our admin .htpasswd_oscommerce file was missing (I don't know why, it's always been there before), so I have reinstated that.  Could that alone be enough to give someone access to our database?


@@bigbob2 When you say, "access our database", do you really mean they can access your database (see its tables) or that they can access your admin? If the former, and assuming you are referring to the shop side, there is something wrong with your code since there shouldn't be anything in it to display the database, even if you wanted to. If the latter, how is it that your customers know the name of your admin?


Hi Jack, so they sent me screen shots of our database tables, showing our customer details, so they are genuine.  As far as I know they cannot access our Admin side.

Thanks


This should not be possible, so without more details it will be difficult to find the reason.

Can you post the image that was sent to you?

Can you duplicate the problem?

Had someone worked on your site that may have displayed the tables for troubleshooting purposes?

Is what's being shown an error?


Could you post an image (with your customer details blanked out) of the image they posted?

That would enable anyone with some knowledge to see what they have had access to in order to take that image.

Does that make sense?

So the image might show your cPanel.  It might be a script they have managed to upload.  It might be something else...


Be leery of contacting these guys -- they may be trying to blackmail or extort money from you. Of course, you should change every password in sight, after (or before and after) scanning your PC for malware such as keystroke loggers and password sniffers. Does the data they showed you involve more than one customer? Does it show internal data that a customer or man-in-the-middle would never see? That would give a clue that they are indeed able to access your database, rather than building what looks like a (for example) phpMyAdmin screen shot from available data. You may want to bring in your host on this, in case it's an inside job at the host (as opposed to someone you had hired to do work for you).

If you are storing customer sensitive information (especially credit card information) in your database, you could be in deep legal trouble if it indeed has been breached. Check to see if you are required to notify authorities, financial institutions, or customers about it. It's not pleasant, but you could be in worse legal trouble if you try to hide it.

When you have cleaned up, send a thank you note to these guys for bringing it to your attention. If they contact you again with fresh data, you have a serious problem with system security and the authorities should be brought in.


@@bigbob2  I assumed you were speaking of customers on the site. If this is some guy looking for work, that is a different story. It might be that your shop has some security holes, which may be what he is pointing out.  But Phil is correct. I wouldn't trust someone that contacted me that way. It may be legitimate but if you want it fixed, find someone that you can feel confident with, not some stranger that happens upon your site.


I don't doubt that it will be someone trying to extort money, so I want to do everything in my power to close the security hole without communicating with this person.  I am actually appreciative that they brought it to my attention and if they had made a financial offer clearly in the email, perhaps it could be a good way for a hacker to get some business, but no, it feels like this is leading to trouble.

Here is the picture they sent me...

I hope it might mean something to someone.  I have blanked out the personal data.

[Attached screenshot: post-222142-0-42529300-1487627810_thumb.jpg]

Edited by bigbob2


@@bigbob2 from the screen cap it would seem they have access to your file structure as well...


@@bigbob2  Kevin I'm not familiar with that database software...is that a program you have on your computer or installed in your shop or one that they are using to view your database?

Dan


@@bigbob2 Are you running any other software on your server (WordPress, Drupal, TYPO3, etc.)?

Did you install any add-ons for the osCommerce version you're using?

AD


I do not recognise that software.  It is not cPanel or Plesk (phpMyAdmin)...

It is something that they have on their computer.

OR

It is something uploaded to your hosting account.

OR

It is something uploaded to a different hosting account on the same server.

In all 3 cases, this means that they have your usernames and passwords to be able to see those details.

You need to work out how they got these details.  Changing your passwords is advised, but unless you know how they got them in the first place...you don't know if they would be able to get them again.

What I would do next:

First; download Malwarebytes and scan all my devices for anything that should not be there.

Second; change all passwords EVERYWHERE, not just this site, but all of them.  Your bank, your email, your ISP, EVERYTHING.

Then

a.  Find a new host

b.  Go through all my site files and database to ensure they are clean

c.  Get site up and running on new host

and then;

d.  Rip out any added extra "add ons", get back to clean code as best you can

OR

e.  Update to the responsive osCommerce (and keep it clean of "add ons" that touch core code).

Edited by burt


Hi guys, I have just been flying for 13 hours, so I am back in the office and able to reply to the questions.  Thank you all so much for your help and support.

The screen shot was sent to me by the person in question, this is not my software, so I don't know what it is.  I am running a heavily modified 2.3.4 version of OSC, so it would be almost impossible to start to strip it back from this point, without losing all the functionality I need.

To answer another question, I am on a shared hosting server, but on my own hosting, I only have OSC and a MediaWiki installation.  I also had an installation of a program called ClipBucket, but I was not using it, so I have uninstalled that.

We only access our site from Mac computers here, and I am careful about what I install, so I would not expect that I have loggers or malware etc. installed.

I have had our hosting company do a security check and they reported back: "We scanned your account and your account is clean and there are no such findings which need attention. Just make sure you update your scripts to the latest versions and audit your account timely for any suspicious or unwanted files. We also recommend that all PCs with access to your account must be audited for malware. Please note that one of the main purposes of malware on websites is to infect visitors. Therefore a simple visit on your website could have resulted in an infection for your PC. ALL users currently available on your sites must be reviewed and all malicious or suspicious users removed."  Because our web site is a commercial shop, I can't get every user to do anything.

Burt, I will go and change all my passwords (God, I have so many, that's going to be a full time job  :wacko: ).  I will need to get someone to go through the files and database to ensure that it is clean, as I do not personally have the skills to know what to look for.  I am looking at changing to a non-shared host too.

Thanks

@@bigbob2 Kevin, be sure to change the user name and password for your database as well.  I would also make sure that you scan your computers for viruses etc.  You need to figure out how they got access to your data.  Does your host know if any other sites on your shared hosting had similar issues?

Dan


@@bigbob2  Kevin the other thought I had....is there anything in the screen shot or data that was showing within it that might allow you to figure out when they accessed the database?   Maybe that could be of some help to your host in trying to pin down how and from where it was accessed.

Dan


We only access our site from Mac computers here, and I am careful about what I install, so I would not expect that I have loggers or malware etc. installed.

Macs (and Linux machines) can catch malware too, though not as easily as Windows systems. Bottom line: they're not immune to viruses, etc.

It's possible to become infected by a "drive by" installation of malware, just by visiting a bad site. If you're not running anti-malware because you're on a Mac, your machines could have gotten infected that way. Run anti-malware monitors, and scan on a regular basis.


I have scanned our computers for malware and they all appear to be clean.

The latest development is that our web site has gone down and now only gives a 500 Server Error, so I can only assume that the hacker has taken things to the next level, or perhaps it's a coincidence.  Either way, it's totally out of my abilities, so I have hired a web security person to look into it.  Now, I have three problems: (1) Finding how they got in (2) Stopping them (3) Getting my site back online.

As if life was not hard enough already  :(


@@bigbob2 While waiting on them, you may want to test your site here. It will check some common things that may allow this to happen.


@@bigbob2 Kevin...I'm very sorry to hear that. :(

Good luck in getting it sorted out and in getting your site back online. Please keep us posted.

Dan


You might also check with your host as to whether they have made any system changes, such as installing a new PHP version, or changing server security settings. Lots of things could coincidentally be giving you a 500 error, unrelated to anything the hacker is doing. Unfortunately, it's still quite possible that your site has been sabotaged by an intruder to shut you down until you pay the ransom.


Well, the latest update is that our host has our site up and running again - Yayyy!

So a hacker I asked to look at the site has told me that they can get in by SQL injection.  I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that.  Here it is for reference:

https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902

I have spent the day phoning cyber security experts to get someone to do a penetration test for us, which is crazy expensive in my country, so I might have to look internationally.  Several people I talked to don't believe there was any link between the email we received and the web site going down, although they did find malicious content, so the site may have been hacked by others in the past.  Their theory is that if someone installed malicious content, the last thing they would want to do is warn us.  I guess I will never know, but I'm still waiting on my host to give a report on what they actually found.

I ran our site through the link Jack posted above and it shows fail on the following:

ADMIN STATUS: [FAIL] Your admin appears to not be password protected. This may be a serious security problem (some secured admins may return false results).
IMAGES STATUS: [FAIL] Your images directory is not secure.
INCLUDES STATUS: [FAIL] Your includes directory is not secure. This is a serious security hole and needs to be fixed immediately.

However there is another site of mine on the same hosting account, with an identical install of OSC (different products but same store files and settings) and that shows as a clean pass on everything.  I have checked one by one and my admin is secured correctly, my image directory is secured correctly and the includes directory is secure too, so I'm hoping there is a false positive for some strange reason on this site.  Now I'm paranoid about everything.

Thanks.
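An added illustration, not osCommerce code and not the contents of the linked commit, of the kind of defect an SQL-injection finding on an admin page such as geo-zones usually comes down to, shown beside the two hardened forms a fix normally takes. The geo_zones table and its geo_zone_id / geo_zone_name columns follow osCommerce's schema; the zID parameter name, the sample rows and the test inputs are assumptions constructed for the demo. PDO with an in-memory SQLite database stands in for the shop's MySQL so the script runs offline.

```php
<?php
// Added example (not osCommerce code, not the linked commit). Contrasts an
// admin lookup that splices a request value into SQL text with two hardened
// forms. Table and column names follow osCommerce's geo_zones schema; the zID
// parameter name and the rows below are constructed for the demonstration.
declare(strict_types=1);

// In-memory SQLite stands in for the shop's MySQL database (constructed data).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE geo_zones (geo_zone_id INTEGER PRIMARY KEY, geo_zone_name TEXT)');
    $db->exec("INSERT INTO geo_zones (geo_zone_id, geo_zone_name) VALUES (1, 'UK'), (2, 'EU'), (3, 'Rest of world')");
    return $db;
}

// Vulnerable pattern: whatever arrived in the query string becomes SQL text.
function zone_unsafe(PDO $db, string $zID): array
{
    $sql = 'SELECT geo_zone_id, geo_zone_name FROM geo_zones WHERE geo_zone_id = ' . $zID;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form 1: an id is a number, so cast it before it touches the SQL.
// This is the usual one-line fix in osCommerce admin pages: (int)$_GET['zID'].
function zone_cast(PDO $db, string $zID): array
{
    // PHP keeps the leading digits and drops the rest; non-numeric text becomes 0.
    $id  = (int) $zID;
    $sql = 'SELECT geo_zone_id, geo_zone_name FROM geo_zones WHERE geo_zone_id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form 2: a prepared statement; the value is bound, never parsed as SQL.
function zone_prepared(PDO $db, string $zID): array
{
    $stmt = $db->prepare('SELECT geo_zone_id, geo_zone_name FROM geo_zones WHERE geo_zone_id = ?');
    $stmt->bindValue(1, (int) $zID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demo_db();
$inputs = [
    'normal'   => '2',
    'tampered' => '2 OR 1=1',   // constructed test input, used only to show the difference
];

foreach ($inputs as $label => $zID) {
    printf(
        "%-8s unsafe=%d rows  cast=%d rows  prepared=%d rows\n",
        $label,
        count(zone_unsafe($db, $zID)),
        count(zone_cast($db, $zID)),
        count(zone_prepared($db, $zID))
    );
}
```

Run it with `php` from the command line and compare the row counts for the two inputs: the unsafe lookup answers the tampered request with every zone in the table, while both hardened forms return only zone 2, exactly as they do for the normal request. In a 2.3.x codebase the equivalent of the cast form is casting the request value with (int) before it reaches tep_db_query(), and passing genuinely textual values through tep_db_input(); the cast is the smallest change, the prepared statement is the one that does not rely on remembering to escape at every call site. The checker's admin, images and includes warnings are a different class of issue (password protection and direct access to scripts or directory listings), not the same defect.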
