AbanteCart Community

Topic started by: lostmytophat on January 08, 2015, 12:27:41 PM

Title: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 12:27:41 PM
Suddenly, our online store is just showing seemingly random customer info to anyone who visits the store. They don't have to log in or anything. Someone who called in on the phone even said she saw another customer's credit card info. I had to put the store in maintenance mode for obvious reasons. Any idea what went wrong or how this can be fixed?
Title: Re: Store showing random customer info to everyone
Post by: abantecart on January 08, 2015, 12:30:43 PM
Did you have any custom work done for AbanteCart? Credit cards are not stored in AbanteCart.

Can you PM a screenshot of what was shown on the storefront and access to your admin so I can check?
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 12:50:38 PM
I can't get the screen shot w/out opening the store again, and unfortunately I can't give you the admin info without the ok from my boss, who's on a business trip at the moment... I did tell our web host about the problem though. It might be that someone just hacked us or something, I really have no idea (it's such an odd problem). I'll let you know what the web host people say once their support people get back to me, and if I can get the okay from my boss, I'll get back to you with the admin info when I can also.
Title: Re: Store showing random customer info to everyone
Post by: abantecart on January 08, 2015, 12:55:12 PM
It is possible that your site was hacked. Check dates on php files and make sure permissions are secured.
If your PHP files are compromised, you might want to take your site offline completely as maintenance mode might not help.

You did not answer my first question by the way.
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 12:59:26 PM
Oh, sorry. No, I don't think there was much customizing. Just a custom CSS. Other than that, just using the UPS, FedEx, and Authorize.net plugins. I can't think of anything else that's been changed or customized.

And I'll do my best to look into the PHP (I'm not an expert in this sort of thing though, just a graphics designer who's somewhat talented at figuring things out when I need to).
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 01:01:01 PM
Also, I'll try to take the site off line too if that will help... just have to figure out how to do that...
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 01:03:29 PM
I just heard back from our web host company, and you were right, there were compromised PHP files. They are running a full scan now.
Title: Re: Store showing random customer info to everyone
Post by: abantecart on January 08, 2015, 01:09:43 PM
Please share details, how this actually happened, if you have details.
This will be valuable for everyone to know and prevent this in the future.   
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 01:14:26 PM
Here's what I have from our host so far:

These malicious files have been uploaded on these dates:
############################
File: `./store/extensions/default_perpetual_payments/storefront/.press45.php'
Size: 19203 Blocks: 40 IO Block: 4096 regular file
Device: 805h/2053d Inode: 61022395 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1157/store) Gid: ( 1152/store)
Access: 2014-10-03 18:06:56.000000000 -0400
Modify: 2014-10-03 18:06:56.000000000 -0400
Change: 2014-12-08 16:03:39.000000000 -0500
############################

I'll let you know when I have more.

Also, is there a setting inside AbanteCart Cart to take the store off line?
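Added example, not part of the original thread and not AbanteCart's or the host's tooling: a Python triage pass that flags the two traits visible in the stat output above, a dot-prefixed PHP file and a Change time later than its Modify time. It assumes a Unix filesystem (where `st_ctime` is the inode change time); the extension list, the one-day threshold and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
import time

PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumption: what the server runs as PHP
GAP_SECONDS = 24 * 3600                          # assumption: review threshold


def triage(root):
    """Return sorted (path, reasons) for PHP files under root that need manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTS:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dotfile")
            # mtime is settable by whoever writes the file; ctime is set by the
            # kernel. A much later ctime is what a backdated mtime looks like,
            # but chmod, chown and rename also bump ctime, so treat it as a lead.
            if st.st_ctime - st.st_mtime > GAP_SECONDS:
                reasons.append("ctime later than mtime")
            if st.st_mode & 0o002:
                reasons.append("world-writable")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def build_sample(root):
    """Constructed tree: one ordinary file, one hidden file with a backdated mtime."""
    ext = os.path.join(root, "store", "extensions", "default_perpetual_payments", "storefront")
    os.makedirs(ext)
    for path in (os.path.join(root, "store", "index.php"), os.path.join(ext, ".press45.php")):
        with open(path, "w") as fh:
            fh.write("<?php // placeholder content\n")
        os.chmod(path, 0o644)
    old = time.time() - 66 * 24 * 3600   # backdate mtime only; ctime stays "now"
    os.utime(os.path.join(ext, ".press45.php"), (old, old))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reasons in triage(tmp):
            print(path, "->", ", ".join(reasons))
```

Anything this flags should be compared against a clean copy of the same AbanteCart release before it is trusted or deleted.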
Title: Re: Store showing random customer info to everyone
Post by: abantecart on January 08, 2015, 01:21:40 PM
No. Just change permission on main index.php or rename it.

Interesting to know what request was used to place .press45.php file in the directory.
You can probably find this in the server log.
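Added example, not part of the original thread: one way to look for that request in an Apache/nginx combined-format access log, by finding the first hit on the dropped file and listing the POST/PUT requests the same client made shortly before it. The log lines, IP addresses, the `PLACEHOLDER-endpoint` path and the five-minute window are all constructed for illustration and say nothing about how the file actually arrived.

```python
import re
from datetime import datetime

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (documentation IP ranges, placeholder upload path).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Oct/2014:17:58:02 -0400] "GET /store/ HTTP/1.1" 200 18342
203.0.113.50 - - [03/Oct/2014:18:06:55 -0400] "POST /store/PLACEHOLDER-endpoint HTTP/1.1" 200 512
203.0.113.50 - - [03/Oct/2014:18:07:10 -0400] "GET /store/extensions/default_perpetual_payments/storefront/.press45.php HTTP/1.1" 200 87
198.51.100.7 - - [03/Oct/2014:18:09:41 -0400] "POST /store/index.php HTTP/1.1" 200 9120
203.0.113.50 - - [08/Dec/2014:16:03:39 -0500] "POST /store/extensions/default_perpetual_payments/storefront/.press45.php HTTP/1.1" 200 41
""".splitlines()


def parse(lines):
    """Yield one dict per parseable combined-format line; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, method, url, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield {"ip": ip, "time": when, "method": method,
                   "url": url, "status": int(status)}


def trace_dropped_file(lines, filename, window_seconds=300):
    """Return (first_hit, suspects): the earliest request for filename and the
    write-capable requests from the same client in the window before it."""
    entries = sorted(parse(lines), key=lambda e: e["time"])
    hits = [e for e in entries if filename in e["url"]]
    if not hits:
        return None, []
    first = hits[0]
    suspects = [e for e in entries
                if e is not first and e["ip"] == first["ip"]
                and e["method"] in ("POST", "PUT")
                and 0 <= (first["time"] - e["time"]).total_seconds() <= window_seconds]
    return first, suspects


if __name__ == "__main__":
    first, suspects = trace_dropped_file(SAMPLE_LOG, ".press45.php")
    print("first hit:", first["time"].isoformat(), first["ip"], first["url"])
    for e in suspects:
        print("candidate:", e["time"].isoformat(), e["method"], e["url"], e["status"])
```

An empty result does not clear the web application: the access log only covers HTTP, so FTP and SSH logs for the same period need the same check.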
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 01:52:21 PM
Thanks for the info. And I don't really know how to find the info you asked for in our logs. I will ask our web host people though and let you know what they tell me.
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 02:17:56 PM
Is there a way you can tell me what the likelihood is on our customers' info being compromised over this? Or even if it's possible that the hacker could have gotten credit card #s? Like I said, we use Authorize.net for credit card transactions, but is there a way the hacker could have gotten to that info through AbanteCart Cart's interface with Authorize.net?
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 08, 2015, 02:33:32 PM
I just talked with Authorize.net, and they say that the credit card info is secure, but that there's a chance that the credit card info entered after the site was hacked could have been stolen by the malicious PHP sending the info to both a 3rd party and Authorize.net (but only those entered after, none before).
Title: Re: Store showing random customer info to everyone
Post by: abantecart on January 08, 2015, 02:50:49 PM
Quote from: lostmytophat on January 08, 2015, 02:33:32 PM
"I just talked with Authorize.net, and they say that the credit card info is secure, but that there's a chance that the credit card info entered after the site was hacked could have been stolen by the malicious PHP sending the info to both a 3rd party and Authorize.net (but only those entered after, none before)."

Authorize.net payment does not store credit cards on your site. Credit card details are passed to Authorize.net server and no longer available. You should be OK here.
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 14, 2015, 12:29:49 PM
I did ask our web hosts about it, but I wasn't able to find out anything about the request used from them unfortunately.
I ended up having to scrap the whole store, do a new install, and build it again from scratch, actually. And, as bad luck would have it, I'm having some trouble with it. The image zoom feature, reviews, and the final payment submission button aren't working. Any idea what could be causing that?
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on January 15, 2015, 01:59:57 PM
I have an update. To see if I could troubleshoot this some on my own, maybe find the point of failure, I installed a fresh version of AbanteCart and went about building the store as I did before, checking the front end every few steps to see if the scripts I mentioned before were still working.

I deleted the sample customers, orders, products, categories, and manufacturers, and then created a product. No problems up until that point.

Next, I modified the page layouts for "Default Page Layout", "Home Page", and "Default Product Page", and then uploaded a new version of "style.css" via FileZilla (version 3.9.0.5) and checked those scripts again. They'd failed, just like they had before.

I restored the default version of "style.css" and returned the page layouts to as close to their default appearances as I could remember, but the scripts still did not work.

I did not modify this new test install of AbanteCart in any other ways than those I just described.

Any idea what could be going on?
Title: Re: Store showing random customer info to everyone
Post by: lostmytophat on February 23, 2015, 02:31:23 PM
I finally found out what was causing these script errors. It wasn't anything to do with the security breach on my site, it was that I was disabling the background sections in "Layout & Blocks Manager". When I disabled "Footer Top", "Footer Bottom", and "Footer", the errors would occur. Re-enabling them and disabling the blocks inside them instead fixed the problem. I disabled and enabled those background sections a few times over to reproduce it and make sure it was what I thought, and it happened every time. I then narrowed it down further to just the "Footer" block as the source, not "Footer Top" or "Footer Bottom". So it sounds like it's a bug you should look into.

Why it showed up after the breach and not before, I would deduce, was because after the breach I was using a new version of AbanteCart, and before the breach I was using an older version where the "Layout & Blocks Manager" was different than it is now.