Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

Security Breach

Guest

By Guest
in General Support

Recommended Posts

Guest

Guest

Posted
Posted

This is very serious, I have been getting calls from customers saying that after they placed an order at my web site they would get fraudulent charges on their cards from other companies. At first I thought it was a coincidence but I got my 7th call about this today. Does anyone have input, suggestions, comments? My web site is www.officetronics.com

GraphicsGuy

GraphicsGuy

Posted
Posted

You may want to review this thread from earlier today. By any chance do you have the same web developer. I notice you are both in San Diego. You may want to compare notes for anything you might have in common (i.e. developer, web hosting company, server management company, etc.).

 

There are many ways a site can get hacked. I looked over your site just now (nice site btw) and it looks like you (or your developer) did a pretty good job of the basics of securing it. But there are still possibilities

 

- If you are on a shared host, the server could have been compromised through another site and opened a root level back door into your site.

 

- If you are on a dedicated server, how well is it secured and kept patched and how well is it monitored for intrusions.

 

- Check for additional logins in the securing of the admin section of osc.

 

- Do you have any employees, contractors (i.e. web developer), relatives or friends that have either authorized access to the admin section, or physical access to the computer you use to access it?

 

- If your site has been online for a while, if you have any older file backups you might use a file compare utility like WinMerge to compare files now vs. then looking for differences that could be a back door.

 

If you have access to your domains logs, you may want to spend some time studying them. This is extremely tedious but can reveal vital information.

 

As painful as it may be, you do need to contact your merchant account bank and inform them of this. They can give you pointers on investigating it and help in the investigation. And by reporting it yourself, you will likely be treated with more respect by them than if they end up coming to you about it.

 

If you do find evidence that your server was compromised and card information stolen, then you also need to report it to the police. Theft of that kind of information is a felony.

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...