
bigbob2

Our database contents are open!


@@bigbob2 It's too late now but I suggest you install Site Monitor. It will inform you of what changes have been made so fixing things after a hacker gets in is a lot easier. As it is now, you don't know what files may be present so you need to check your files.

Regarding the test I mentioned, be sure you enter the location of your shop. For example, if it is located in a directory named shop, then you have to include that in the URL to be tested. Otherwise the test will check the root directory and that may give wrong results. If you did enter the URL correctly, try going to http://your domain/includes/configure.php. You shouldn't be allowed to show it. If you can, then there is a serious problem. Do the same with the images.


Thanks Jack,

I did have the URL correct, including the /store which is what the directory is called. I did as you suggested and both the config and images come up forbidden as I would have expected. I'm not sure why the test site picks these up as fails. At least I know they are secured, so there is not a gaping hole in the site on any of those issues.

Thanks.


@@bigbob2 Kevin, I'm a bit puzzled by this...

So a hacker I asked to look at the site has told me that they can get in by SQL injection. I did some reading and found an update that we didn't have in place around the geo-zones page, so I have implemented that. Here it is for reference:

https://github.com/g...fb048bfe31c902

Your link points to a minor change in catalog/admin/geo_zones.php, ensuring that the input is an integer. Given that the file is located in the admin site of your shop, how does anyone who doesn't have admin access perform some sort of SQL injection? Is that even possible?

Dan


@@bigbob2 That's strange. I can't say why the test would return a false positive. Maybe some setting on your server is causing it. As long as you are sure it is protected, that's all that matters.

@@Dan Cole You are correct. It should not be possible. Years ago there was a way to post into the admin without a login but that hole was plugged and I've not heard of it. Although, I don't recall the OP saying what version he is using so it may be he has an older version that still has security holes in it.


@@Jack_mcs Kevin mentions that he is running 2.3.4 so I can't see the fix he posted as being relevant to the hack.

I am running a heavily modified 2.3.4 version of OSC

Dan


Well, some good news for a change!!!

I got the report back from the host and it turns out that the site was not brought down by a malicious attack, and it seems like it was unrelated to the email from the hacker who had accessed our database. The site was brought down by some very heavy over-indexing by bots, which have now been banned by the server, and they have made some changes and cleaned up things to prevent the resources from becoming overloaded and crashing our site again. The site is now showing normal levels of activity and they are going to continue to monitor it.

So now my problem is I need to find out how the original SQL injection was done and then block it. The SQL injection I talked about earlier may or may not have had any relevance to it; I just googled it and when I found that we did not have that patch, I applied it. From the reaction you guys have given, it sounds like it was probably unrelated to how this person got in, but any holes I can patch can only be a good thing.

To reiterate, my site is 2.3.4, but as there have been many other addons done, one of them could have also created a hole. Obviously the above patch was not there, so there are possibly other patches that have been missed along the way too, so I am not out of the woods yet!

Thanks

Kevin

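As an added illustration for the step Kevin describes (finding how the injection was done), and not code from the thread or from osCommerce: a Python triage script that scans Apache access-log lines for request parameters the shop treats as integer ids (the parameter list is an assumption) but which carry non-numeric values, the same class of input the geo_zones.php fix above guards against, and for SQL metacharacters in any other parameter. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample Apache combined-log lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:08:12:01 +0000] "GET /store/product_info.php?products_id=31 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:08:12:09 +0000] "GET /store/admin/geo_zones.php?zID=1%27%20UNION%20SELECT%201,2,3--&action=list HTTP/1.1" 200 9501 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:08:13:44 +0000] "GET /store/index.php?cPath=22_27 HTTP/1.1" 200 7720 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:08:14:02 +0000] "GET /store/product_info.php?products_id=31%20AND%20SLEEP(5) HTTP/1.1" 200 8130 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the shop is assumed to treat as integer ids (assumed list, extend per site).
INT_PARAMS = {"zID", "products_id", "cID", "pID", "manufacturers_id", "oID"}

# Tokens that have no business appearing in an ordinary shop query string.
SQL_MARKERS = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\s+\d+\s*=\s*\d+)", re.I
)


def findings_for_target(target):
    """Return (param, value, reason) tuples for suspicious parameters in one request target."""
    out = []
    # parse_qsl percent-decodes values, so encoded quotes and spaces are inspected as sent.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in INT_PARAMS and not value.isdigit():
            out.append((name, value, "non-integer value for integer id"))
        elif SQL_MARKERS.search(value):
            out.append((name, value, "sql metacharacters/keywords"))
    return out


def triage_log(text):
    """Scan access-log text and return each suspicious request as a dict."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the simple parser does not understand
        for param, value, reason in findings_for_target(m.group("target")):
            hits.append({"ip": m.group("ip"), "path": urlsplit(m.group("target")).path,
                         "param": param, "value": value, "reason": reason,
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit)
```

Run it against the real access log with `triage_log(open(path).read())`; a 200 status on a flagged admin URL is the first thing to chase, since it suggests the request was not turned away at login.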