ProductCart Shopping Cart Software Forums : Database Breach

Database Breach : Hi allI have just been attacked...

Mon, 16 Jun 2008 06:24:25 +0000

Author: MarkCoyle
Subject: 1547
Posted: 16-June-2008 at 6:24am

Hi all

I have just been attacked with a database SQL insert overnight.

This time it was:

(misspelling of script is deliberate above to avoid any issues).

It's a very similar situation to everyone else with an issue though as you can see to a different site.

Early Impact have been helpful and I have been able to remove it using the SQL insert query they provide. However it also removed all flash media players from the site too so I'm going back to Friday's backup and having that restored.

As these types of hacks seem to be on the rise here were the symptoms I discovered when viewing the site this morning in case anyone else is hit:
1. No product cart images were showing up with just the URLs to the images showing.
2. When the site was loading if I looked at the status bar I could see mention of the jumpbnr.com site which of course shouldn't be there.

I then went to look via MySQL admin and found the string I mentioned with the script inserted into each field.

I thought I was patched already but have reapplied it via FTP just in case.

I will also be investigating HackerSafe as soon as things are back.

Any tips, experiences and thoughts welcome. As a user community we need to keep on top of this and track all the variants so that each of us is fully aware and can provide the latest advice.

Many kind thanks

cheers
Mark

Database Breach : Ok - Thanks, that's great...

Wed, 21 May 2008 15:05:11 +0000

Author: Hamish
Subject: 1547
Posted: 21-May-2008 at 3:05pm

Ok - Thanks, that's great :-)

Database Breach : Yes, that is correct. validNum...

Wed, 21 May 2008 13:45:41 +0000

Author: ProductCart
Subject: 1547
Posted: 21-May-2008 at 1:45pm

Yes, that is correct. validNum cannot be used on numbers that are not integers. Those numbers are NEVER used in a query as an ID (e.g. a product or category ID is always an integer).

We will send out a new update in the next couple of hours. We believe we have found and fixed the vulnerability. We are just doing some final testing.

Database Breach : Hi, I've seen the email referring...

Wed, 21 May 2008 13:19:00 +0000

Author: Hamish
Subject: 1547
Posted: 21-May-2008 at 1:19pm

Hi,
I've seen the email referring to SQL injection attacks and that isNumeric should not be used in custom forms.
I did a quick scan of the souce code and see about 50 files in the pc directory that contain isNumeric. We are running V3.11 and the email says all versions after 2.7 should be OK.
Am I correct in presuming then, that the specific uses of isNumeric that remain are fine?

Database Breach : I think another question to be...

Sun, 18 May 2008 20:20:05 +0000

Author: Greg Dinger
Subject: 1547
Posted: 18-May-2008 at 8:20pm

I think another question to be asked is if there were any non-ProductCart scripts in use. The original poster of this thread got nailed through a vendor page, and not as a result of any ProductCart vulnerability. Might that be what happened here?

And why only one day's backup? Does your host not provide a deeper backup than the most recent day? What database are you running?

Database Breach : Hi Dan,Could you clarify which...

Sun, 18 May 2008 19:35:19 +0000

Author: ProductCart
Subject: 1547
Posted: 18-May-2008 at 7:35pm

Hi Dan,

Could you clarify which version of ProductCart you were using at the time the SQL injection attack occurred, and whether any custom forms (or customized ProductCart pages) were used on the Web site?

Also, if you haven't already done so, certainly submit a support ticket.

Database Breach : I, unfortunately, was recently...

Sun, 18 May 2008 18:24:01 +0000

Author: retreat987
Subject: 1547
Posted: 18-May-2008 at 6:24pm

I, unfortunately, was recently hit by an SQL injection attack. It revealed several problems with our database backups; The attack overwrote a lot of fields throughout the database, and the backup saved those changes. The attack happened over a weekend, and by the time we noticed it Monday morning, the backup had taken effect, overwriting the last good backup we had.

I use ProductCart (with the latest version), and am not sure how the attacker was able to do their thing. The inserted this line into most every field in the database:

(Typos in "script" are intentional, just in case).

I'm not sure how best to keep them from doing it again. I've been reading everyone's posts, and will try one of the Hacker prevention tools listed, and hope that is enough.

My initial solution was to block all outside traffic to the site, while I tried to remove all instances of the script from the database. I'm still trying to re-create all the products, which is taking some time as they all have a lot of options and thus sub products.

Currently I've just changed the url for the product cart software (scart/pc, rather than cart/pc) and set up a simple landing page (www.DandDToys.com) for users (we have a brick and mortar store, and process all our orders through product cart, so I can't simply close the store).

Any additional tips would be appreciated.

Thanks,

Dan

Database Breach : This was just forwarded to me....

Wed, 23 Apr 2008 13:46:57 +0000

Author: Greg Dinger
Subject: 1547
Posted: 23-April-2008 at 1:46pm

This was just forwarded to me. I see a familiar domain name (nihaorr1) listed in there:
http://securitylabs.websense.com/content/Alerts/3070.aspx

Database Breach : Nicolai, I, and I'm sure...

Mon, 21 Apr 2008 11:09:36 +0000

Author: Hamish
Subject: 1547
Posted: 21-April-2008 at 11:09am

Nicolai,
I, and I'm sure many others, appreciate being well informed by people who properly understand these things.
So - Thanks & kudos to you & Greg for helping build awareness & , of course, thanks to EA for building a great product that keeps up to date with security.

Situtions like this just remind us all how important keeping security up to date - part of which is keeping pretty close to current on software releases.

Database Breach : Let mejust clarify that I was...

Mon, 21 Apr 2008 08:50:55 +0000

Author: nhertz
Subject: 1547
Posted: 21-April-2008 at 8:50am

Let me just clarify that I was not referring to Early Impact software in any of my posts. It was my bad for not being more specific! You are right that I am not familiar with the source code behind your software and therefore I cannot argue for or against it.
I was referring to posts in forums around the web making reference to antivirus products from companies like Symantec, Bit defender, Sophos etc..
I don't want to criticise these products in any way, I'm just leaving clear that standard antivirus or firewall software is not going to help you on this one.

Regards,

Nicolai Hertz
Software Programmer