Knowledgebase


Reports of site hacking

Item: #1012
Date: 23 Feb 2010
Applies to: v4, v5, v6

Question

What sites are vulnerable to this latest hack, and what can I do to prevent it or mitigate it?

Answer

We have been contacted by several web sites running CactuShop that appear to have been hacked. It seems that in most cases, SQL injection was exploited to gain access to the site back end, from where a file was uploaded to enable page modifications. The checkout section was then modified (the ASP files were rewritten) to send credit card details to a web site in the Far East.

We are not aware of any SQL vulnerabilities in CactuShop v5.1 versions since July 2004. We are not aware of any SQL vulnerabilities in v6 or v6.1. In all the cases we have seen, it appears that the hackers exploited weaknesses introduced into CactuShop by additions made by third parties to the software.

These hacks appear at present to only target MS SQL based sites, though it is possible that MySQL sites might also be vulnerable. MS Access is less likely to be affected as it will not run multiple queries together, so SQL injection is harder to exploit.

It is vital that owners check their web sites to ensure that they have not been compromised. Look for changes to the checkout pages (checkout.asp in CactuShop v6 and 6.1, or the mailorder and payonline pages in v5.1). If these pages have been modified, then immediate action must be taken to address the security breach.

If you have made any changes to CactuShop involving the modification of queries (addition of new pages that run database queries, or changes to existing queries in CactuShop) then you must urgently review this code to ensure that inputs are properly sanitized so that the queries are not vulnerable to SQL injection.
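An added example (not CactuShop's own code) of what such a review should look for and produce in classic ASP: the concatenated query is the pattern to find, and the ADODB.Command version with a typed parameter is the replacement. The table and column names and the Application("ConnectionString") variable are assumptions.

```vbscript
<%
' Assumed: a product page that looks up one product by the "id" query string value.
' The table "products" and columns "product_id"/"name" are hypothetical, not CactuShop's schema.
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")   ' assumption: connection string kept in an Application variable

' VULNERABLE PATTERN: the request value is pasted straight into the SQL text,
' so whatever the client sends becomes part of the statement. On MS SQL this
' also allows additional statements to be appended, as described above.
Dim unsafeSql
unsafeSql = "SELECT name FROM products WHERE product_id = " & Request.QueryString("id")
' (shown only so it can be recognised during review; never execute this form)

' HARDENED FORM: validate the type of the input, then bind it as a typed
' parameter so the database never treats the value as SQL.
Dim rawId, productId
rawId = Request.QueryString("id")
If Not IsNumeric(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
productId = CLng(rawId)

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT name FROM products WHERE product_id = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, 4, productId)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encode on output too, so stored data cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("name"))
End If

rs.Close
conn.Close
%>
```

For string inputs (for example a search term) use type 200 (adVarChar) with the column's maximum length as the Size argument; the parameter binding, not escaping of quotes, is what makes the query safe.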

There are some other security enhancements we'd suggest. These won't prevent SQL injection if you have vulnerable scripts, and those must be addressed. But these methods limit some of the options for what an attacker can do.

  • Set permissions on all folders so that only the 'uploads' folders have write/modify/full-control permissions. Then in IIS (or a web panel, if the option is available) switch off script permissions on these same folders. This ensures that the only folders into which scripts could be uploaded through the CactuShop back end will not allow those scripts to be run.

  • If you run your own server, you MUST ensure that you set up each site on the server with its own I_USR account, and only allow each account permissions on its own web. This will prevent one site's files from being able to access other sites on the same server (otherwise anyone with FTP access to one site, or who has breached the security of one site, could modify or read data on any other site).

  • Use the IP block feature in the config.asp to limit access to the back end to your IP address (assuming you have a fixed IP).


While we will do our best to assist, reviewing modified sites to address vulnerabilities introduced by third-party code is beyond the scope of support. It is vital therefore that you verify that basic anti-SQL-injection measures have been considered when writing modifications to your site.

If you find evidence of a successful attack we would be interested to view the logs regardless of where the vulnerability lies.

