I got hacked!


charmed-imsure

Hi all,

Fortunately I'm a Customer in my own OSCommerce site, I registered just to test it, and if I hadn't I would possibly never have known what just happened in the last hour... I've been hacked!!! I received an email from myself titled "We Offer" and spotted an out of office response to it from one of my Customers. Very baffled I checked it out, turns out, someone has managed to hack my OSCommerce, grab all the email addresses of all Customers & send out an email with a link for viagra.

I have written to the company but I don't expect a response.

Just thought I'd let everyone know coz I'm sure I won't be the only target here. Not sure what steps I can take apart from just changing my password to something far stronger. I'd be happy to hear any further suggestions though to prevent this happening again.

:-(

Customer lists are trivially easy to get if the store has not been secured.... I don't think SSL certificates prevent that particular hack, I am sure that if they did it would have been mentioned before, and if you aren't aware of the hack Chris, you'd better secure your store too....

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Richard,

I have configured dozens of stores, and have NEVER had a site hacked. This is why I was wondering what (if anything) her store was lacking security wise.

Chris

It is NOT a difficult logic to understand is it? The statement that a site or sites have never been hacked does NOT necessarily mean it is or they are secure. It is rather a naive statement. On the other hand, just because you think your site is secure because you have applied all the "how to secure your site" tips does not necessarily mean it will never be hacked as there are always other ways, some unknown, to "hack" a site. It is a golden rule for webmasters or server admins that one should never boast yours are unhackable. If you are stupid enough to make such a silly claim, before long, you would see somewhere prominent on your site/server someone posts a msg to claim victory! It is a matter of time and interest (to the hackers). What you can do is, apart from all the security precautions, keep your fingers crossed.

Ali

I am just curious how they managed to get into your customer list? Was your site running an SSL certificate?

This was discussed in the link I posted.

I think you overestimate what an SSL certificate does.

This was discussed in the link I posted.

I think you overestimate what an SSL certificate does.

Although the details of the exploit have been removed.. ;)

But suffice it to say that without the necessary action, Chris, accessing the customer list is child's play on every site where the required actions have not been taken.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Well it was there when I originally posted :P

The initial post still gives an idea of the vulnerability though. Protect your renamed admin directory with htaccess if possible, cuts out a lot of worries about files in admin being accessed directly.
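
A static check for the advice in the last post, as an added example that is not part of the original thread: it audits a store's document root to confirm that the renamed admin directory carries an `.htaccess` demanding a login and that the password file sits outside the web root. The directory name `renamed-admin`, the realm text and all paths are constructed placeholders, and `AuthUserFile` is assumed to be an absolute path.

```python
import os
import tempfile

# Directives Apache basic authentication needs in the admin .htaccess.
REQUIRED = ("authtype", "authuserfile", "require")

# Constructed sample .htaccess; realm and password-file path are placeholders.
SAMPLE = 'AuthType Basic\nAuthName "Store admin"\nAuthUserFile {pw}\nRequire valid-user\n'

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument string."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found

def audit_admin_dir(docroot, admin_dir):
    """Return a list of findings; an empty list means every check passed."""
    path = os.path.join(docroot, admin_dir, ".htaccess")
    if not os.path.isfile(path):
        return ["no .htaccess in admin directory"]
    with open(path) as fh:
        found = parse_htaccess(fh.read())
    findings = ["missing directive: " + d for d in REQUIRED if d not in found]
    pw = found.get("authuserfile", "").strip('"')
    root = os.path.realpath(docroot)
    # Keep the password file out of the document root so it is never servable.
    if pw and os.path.commonpath([root, os.path.realpath(pw)]) == root:
        findings.append("password file is inside the web root")
    return findings

def demo():
    """Audit a throwaway tree: unprotected, weakly protected, then corrected."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public_html")
        admin = os.path.join(docroot, "renamed-admin")  # hypothetical name
        os.makedirs(admin)
        results = [audit_admin_dir(docroot, "renamed-admin")]
        for pw in (os.path.join(docroot, ".htpasswd"), os.path.join(tmp, "private", ".htpasswd")):
            with open(os.path.join(admin, ".htaccess"), "w") as fh:
                fh.write(SAMPLE.format(pw=pw))
            results.append(audit_admin_dir(docroot, "renamed-admin"))
    return results

if __name__ == "__main__":
    for label, findings in zip(("unprotected", "weak", "corrected"), demo()):
        print(label, findings or "ok")
```

The check is static: it cannot tell whether the server honours `.htaccess` files at all (Apache's `AllowOverride` must permit `AuthConfig`), so also confirm that an unauthenticated request to the admin URL is answered with 401.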

Archived

This topic is now archived and is closed to further replies.
