coffman Posted February 18, 2009
Sigh... I am not necessarily looking for any help, just want to warn others of this scam, and to encourage people to take security vulnerabilities seriously. Today I received an email from the company at the following URL: http://www.securityanalystics.net/ stating that my site had been compromised. As proof, the email included the first 15 customers from my database :( As best I can tell, they were able to grab them via an issue with the customer_testimonials addon (since disabled on my site). The email went on to request payment for info describing the flaw and the fix, or they would email all my customers :( They also have a link on the site for customers to pay to find out where their data was retrieved from... A quick look at the site says they have been on the internet since 2004, but the name has only been registered since 2/5/09, with Dynadot Privacy no less. The web page is actually a frame that really points to another website, http://alajoh89.freehostia.com. A Google search turns up nothing. You get the idea. I am going to take my chances, as I consider this extortion, and have reported the site to the FBI here: http://www.ic3.gov/ and to my local police. Luckily I have never stored CC or SSN info in my database. I don't even ask for date of birth or sex. It still is a loss of info and a breach of trust with my customers. Hopefully this will help someone else. Sigh..... -Michael
-MichaelC
Jan Zonjee Posted February 18, 2009
> As best I can tell, they were able to grab them via an issue with the customer_testimonials addon (since disabled on my site).
Likely route: see the German forum for example.
ronr1999 Posted February 18, 2009
I received the same emails and find it very troubling. Most troubling is that they are able to extract my customers' data. The extracted data that they sent me is much more than just customers who left testimonials. This is data from my customer database. Does turning off testimonials fix this? RR
spooks Posted February 18, 2009
> I received the same emails and find it very troubling. Most troubling is that they are able to extract my customers' data. What is the fix? Do I need to rebuild my testimonials application? It's not clear... RR
It's long been known that the testimonials contrib is leaky. I don't know if the problems have ever been fixed; I don't use it. See http://www.oscommerce.com/forums/index.php?showtopic=313323 for general security fixes. If the issue is failure to clean the POST, I use:

    // Strip every POST value down to a whitelist of characters; arrays are dropped
    // because this script expects none. (foreach over the keys replaces the old
    // reset()/each() loop, which PHP 8 no longer supports; behaviour is the same.)
    foreach (array_keys($_POST) as $key) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
        } else {
            unset($_POST[$key]); // no arrays expected
        }
    }

That's similar to what Security Pro uses for the GET. If there are arrays it needs to be expanded. Sam
Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
coffman Posted February 18, 2009 (Author)
> I received the same emails and find it very troubling. Most troubling is that they are able to extract my customers' data. The extracted data that they sent me is much more than just customers who left testimonials. This is data from my customer database. Does turning off testimonials fix this? RR
Using this exploit, a remote user can execute SQL statements against the database, doing pretty much whatever they want. As far as I can tell, nothing else was really done to my database, nor were any files on my site affected. But the email I received had a database dump of the first 15 customers in my database. A bit frightening; makes me wonder if I am cut out to self-support my own site any more :( I am not sure what you mean by turning it off. As long as the file customer_testimonials.php is available on your site, you are open to this attack unless you fix the SQL calls. I put an exit statement at the top of the file to prevent the db query from executing and I removed links to the testimonials from my site. I will be removing it altogether as I get time.
ValleyRoaster Posted February 18, 2009
I also just received the same email with customer info included. How do we in general stop attacks like this? Is it just through the testimonials script? The testimonials drive a lot of traffic to my site and help with conversion and sale rates greatly, so I do not want to not use it. Any ideas?
Life Is Too Short, Enjoy Your Coffee! Pete
web-project Posted February 18, 2009
Instead of some kind of patches, it's better to have proper hosting for osCommerce with firewall protection.
Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here! 8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time fixing your issues. Any issues with osCommerce, I am here to help you.
ncoded Posted February 18, 2009
> instead of some kind of patches, better to have the proper hosting for oscommerce with firewall protection
What!? We are talking about an SQL injection, not a dictionary attack.
ncoded Posted February 18, 2009
Can someone clarify if this is the osC default testimonials, or an add-on?
spooks Posted February 18, 2009
This is talking of http://addons.oscommerce.com/info/5477, not the default 'reviews', though that can be expanded with http://addons.oscommerce.com/info/4397. I've taken a quick look at the contrib & don't see any sanitising of the POST other than use of tep_db_prepare_input, so I would suggest adding:

    // Strip every POST value down to a whitelist of characters; arrays are dropped
    // because this script expects none. (foreach over the keys replaces the old
    // reset()/each() loop, which PHP 8 no longer supports; behaviour is the same.)
    foreach (array_keys($_POST) as $key) {
        if (!is_array($_POST[$key])) {
            $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
        } else {
            unset($_POST[$key]); // no arrays expected
        }
    }

at the start of customer_testimonials_write.php. If you do just use the reviews, the post still needs sanitising. Sam
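The injection route the thread describes, as an added example (not code from the Customer Testimonials add-on, from osCommerce, or from any poster): a PHP script against an in-memory SQLite database that shows the unsafe pattern (a request value concatenated into the testimonials query), the hardened form (a bound parameter), and what the whitelist filter posted above does and does not stop. The table and column names, the shape of the query and the attacker inputs are all assumptions constructed for the demo. The osCommerce detail that matters is that tep_db_prepare_input() only trims, strips slashes and neutralises angle brackets; SQL escaping is the job of tep_db_input() or, better, a query that never concatenates the value at all.

```php
<?php
// Added example, not code from the Customer Testimonials add-on or osCommerce.
// Runs offline against an in-memory SQLite database (php sqli_demo.php).
// Schema, query shape and attacker inputs are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a testimonials table, and the customers table an
// attacker actually wants.
$db->exec('CREATE TABLE testimonials (testimonials_id INTEGER PRIMARY KEY, testimonials_text TEXT)');
$db->exec('CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_email_address TEXT)');
$db->exec("INSERT INTO testimonials VALUES (1, 'Great shop'), (2, 'Fast delivery')");
$db->exec("INSERT INTO customers VALUES (1, 'alice@example.invalid'), (2, 'bob@example.invalid')");

// The whitelist filter posted in this thread, applied to a single value.
function whitelist_filter(string $value): string {
    return preg_replace('/[^ a-zA-Z0-9@%:{}_.-]/', '', urldecode($value));
}

// UNSAFE: the request value is pasted into the SQL text. This is the shape of
// bug that lets a remote user run their own SELECT against the database.
function testimonial_unsafe(PDO $db, string $id): array {
    $sql = 'SELECT testimonials_text FROM testimonials WHERE testimonials_id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN, 0);
}

// SAFE: the value is bound as a parameter, so it can only ever be data.
// For a numeric id, casting first ((int)$id) is an equally good fix.
function testimonial_safe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT testimonials_text FROM testimonials WHERE testimonials_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

// Constructed attacker inputs: one that needs quote characters, one that
// uses only letters, digits, spaces and underscores.
$quoted  = "1' OR '1'='1";
$numeric = '0 UNION SELECT customers_email_address FROM customers';

echo "1. unsafe query, UNION payload (leaks the customers table):\n";
print_r(testimonial_unsafe($db, $numeric));

echo "2. whitelist filter: quote payload is mangled, numeric payload is untouched\n";
var_dump(whitelist_filter($quoted));
var_dump(whitelist_filter($numeric) === $numeric);
echo "   unsafe query after filtering the numeric payload (still leaks):\n";
print_r(testimonial_unsafe($db, whitelist_filter($numeric)));

echo "3. bound parameter: nothing for either payload, the right row for a real id\n";
print_r(testimonial_safe($db, $numeric));
print_r(testimonial_safe($db, $quoted));
print_r(testimonial_safe($db, '1'));
```

Needs the pdo_sqlite extension, which most PHP builds enable by default. The unsafe lookup returns both customer e-mail addresses for the UNION payload, and still does after the whitelist filter, because every character in that payload is on the allow list; the filter only helps where the query quotes the value and the attacker must break out of the quotes. The bound-parameter lookup returns an empty array for both payloads and 'Great shop' for id 1, which is why replacing the string concatenation (or casting a numeric id to int) is the real fix, with POST filtering at most a second layer.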
Guest Posted February 18, 2009
Same email received here; fishy though. It gave me 'a selection' of my customers' credit card numbers, except I don't save their credit card numbers, and I know these numbers, by going to my processor's site and checking the last 4, weren't used any time lately (if ever). Like Coffman, I see this as an attempt at extortion and so I reported them at the ic3 link and also to freehostia for breaching TOS.
Dennisra Posted February 18, 2009
Thank you for your help spooks.
bkellum Posted February 18, 2009
This has been long fixed in the later versions of Customer Testimonials v3.2 and above. See the support thread of Customer Testimonials for more info: http://www.oscommerce.com/forums/index.php?s=&...t&p=1370890
Bill Kellum Sounds Good Productions STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE
ronr1999 Posted February 18, 2009
Their website has been suspended: http://www.securityanalystics.net RR
Guest Posted February 19, 2009
> Their website has been suspended: http://www.securityanalystics.net RR
We got the same email blackmailing us. We went to report it to the police today and gave them very precise information about IPs, etc. The fraud department called me today and I was on the phone for a while. The guy I spoke to actually seemed very interested but said nothing could be done if they were outside the country. The only avenue to pursue these people through was via PayPal and their registered email address on there, and trying to trace them down by their bank account details registered. Felt like I had to do something.
Dennisra Posted February 19, 2009
ourcoffeebarn and coffman, what version of Testimonials do you have installed?
Dennisra Posted February 20, 2009
Rather: Kartdemon, ourcoffeebarn and coffman, what version of Testimonials do you have installed?
coffman Posted February 20, 2009 (Author)
> ourcoffeebarn and coffman what version of Testimonials do you have installed?
Embarrassingly old. Here is what the header shows... $Id: customer_testimonials.php,v 1.00 2002/12/27 Exp $
Dennisra Posted February 20, 2009
> Embarrassingly old. Here is what the header shows... $Id: customer_testimonials.php,v 1.00 2002/12/27 Exp $
Well that does explain a lot. I am using version 3.62
mr_absinthe Posted February 20, 2009
See my post here.
Absinthe Original Liquor Store
Guest Posted February 20, 2009
> Rather: Kartdemon
Mine was an old version too. But I must admit, like most, once you have your store set up the way you like, you tend to just leave it. So it is very hard to keep track of issues, especially hacks that people become aware of. We have about 90 contributions. Most being back end, so they are secure behind the admin login. All the ones that are accessible from the front end I am going through. There is a good link here where you can monitor hacks for osCommerce. I just stumbled across it a little while ago. http://www.securityfocus.com/bid Just change the vendor to oscommerce.
ronr1999 Posted February 20, 2009
Received an apology today:
==========================================================================
Hello, I am contacting you after previously contacting you regarding some security issues on your website. I am writing because my previous email was totally unacceptable, and I would like to appologise. I sent the email to around 30 other sites, and am contacting them also to issue the same appology. I am someone who works hard (in I.T), and I literally feel sick to the stomach that I stooped to the level of taking advantage of others misfortune. What I said and how I said it was totally wrong, am I so sorry. This is the worst thing I have ever done, and I regret it deeply. I hope you can accept this appology as sincere, and please be certain that under no cisrcumstances will I contact any of your customers. I would like to let you know that the problem with your site is with a file called customer_testimonials.php I would suggest you delete it right away. Someone with the right skills should be able to fix the problem long term, but you should look to remove that file in order to stop your data being vulnbrable. Once again, I am sorry for any worry I have cause you.
==========================================================================
He should have just let us know that there was a problem and he'd have been a hero. RR
Guest Posted February 20, 2009
> Received an apology today: [...] He should have just let us know that there was a problem and he'd have been a hero. RR
Hmm, very odd email to send. I would be amazed if it really is sincere. One part of it is not correct English, but I could have made the same mistake. We shall see. I actually did speak to another person who uses osCommerce and let them know that their site had the same vulnerability like ours did. He thanked me, which was nice. Like you say, he would have been a hero rather than a W***** to let people know.
Guest Posted February 21, 2009
Same apology email received here; totally unexpected, but I appreciate his taking responsibility for what he did and going the extra mile to detail exactly what the problem was (in case I wasn't aware of it by now). The real shame of it is, had he sent me an email saying look, you've got a problem, this is what it is and oh by the way would you like me to take a look at the rest of the site to ensure you're as secure as you can be for $XX, I'd have, at the very least, considered it.
coffman Posted February 23, 2009 (Author)
Did anyone that got either of these emails happen to grab the PayPal info pointed to by the site?
This topic is now archived and is closed to further replies.