Rank: Newbie
Groups: Developers
Joined: 4/17/2020(UTC) Posts: 1
Thanks: 1 times
We are currently running 9.0.5 (we plan to upgrade soon). In the last month, we have received 12 fake orders that all originated from the same IP address. I have now blocked that IP address. The orders were submitted using 5 different, already existing accounts. We found out about the issue because the real users got email notifications of orders they did not place and contacted us about them.
So, it seems someone has figured out how to place fake orders using other people's accounts. Is this a known issue with 9.0.5? I browsed all the release notes for the later releases and didn't see anything that appeared to address it. Anyone else seen this? Has it been fixed in the later releases?
Thanks, David
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi David,
This is not a known issue, and I'm quite surprised to hear this has happened. So, you are saying that a person has hijacked 5 different accounts? Is the originating IP from a location here in the US?
Do you know if they used any stored payment profiles?
If you check the "Page Views" tab for each of the accounts, can you see anything unusual?
I'm sorry, but I might be inclined to believe that there was a breach at the admin level. Do you think that's possible?
I'd like to have you open a support ticket so you can share your store's login credentials and we can help figure this out.
Also, I just want to make sure you have reset the passwords on each of the accounts involved.
Sorry for all the questions. I just want to find the cause and make sure it can't happen again.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
We block our admin login using Cloudflare; only specific IPs can access the back-end. This might be a good feature to implement in a future update, where you can specify specific IPs to restrict users to the back-end.
I hope this helps,
-Ray
PS: Also, another idea in addition to blocking the IP would be to have the ability to modify the URL of the back end; in other words, change the default from "https://www.yoursite.com/Login" to a user-specific URL that's harder to guess, like "https://www.yoursite.com/xx-234568/Login". Magento uses this approach.
Edited by user Tuesday, May 9, 2023 12:14:30 PM(UTC)
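For a store that cannot put Cloudflare in front of the admin area, the same "only these addresses reach the back-end" rule can be expressed directly in IIS with its IP and Domain Restrictions feature. The fragment below is an added example, not AbleCommerce's own configuration or Ray's Cloudflare rule; the "Admin" location path and the two source addresses are placeholders to be replaced with the real back-end path and the office or VPN egress addresses.

```xml
<configuration>
  <!-- Applies only to the back-end path; storefront paths stay open. -->
  <location path="Admin">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny everything except the entries below. -->
        <ipSecurity allowUnlisted="false">
          <!-- Single office address (placeholder). -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- VPN egress range (placeholder), expressed as address + subnet mask. -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two caveats when using this in place of a CDN rule: the `ipSecurity` section is locked at the server level by default, so it has to be unlocked (or set in applicationHost.config) before a site web.config can override it, and if the site sits behind a reverse proxy or CDN, IIS sees the proxy's address rather than the visitor's, so the restriction has to be applied at the proxy, exactly as Ray does with Cloudflare.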
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Quote: "This might be a good feature to implement in a future update, where you can specify specific IPs to restrict users to the back-end."
Yes, I agree this would be a good feature to have. Unfortunately, I can't get a dedicated IP from my internet service provider, but I often use a VPN for other apps that require it. I'll open a feature request.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
You could also implement 2-step verification on the back-end; this could also benefit users.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi Ray,
Good idea. This is a feature we added to meet the requirements of PA-DSS 3.2. It uses the Google Authenticator app. To turn it on, check the box for "Enable multi-factor authentication service" from the Configure > Security > Passwords page.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Can this be done today on a per-user level?
Rank: Newbie
Groups: Developers
Joined: 4/17/2020(UTC) Posts: 1
Thanks: 1 times
I've been able to piece together what happened through the Audit log. It appears someone in Finland managed to log in to my server and from there was able to log in to my Admin account on our AbleCommerce site (guessing I was signed into LastPass on the server) and create themselves an Admin account. Luckily, some of the security protocols we had in place prevented them from seeing too much sensitive info, but I've been taking a variety of steps today to tighten security, and I blocked them out of my server shortly after they gained access.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi David,
I'm relieved that you were able to find the breach and take care of it before anything else was compromised on the server. I'm also relieved that there isn't a security issue in the AbleCommerce code.
Thank you for giving us an update.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Originally Posted by: ray22901031: "Can this be done today on a per-user level?"
If the setting is turned on, then it will apply to all admin users. It would be nice if it could be enabled as an individual setting.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Quote: "I've been able to piece together what happened through the Audit log. It appears someone in Finland managed to log in to my server and from there was able to log in to my Admin account on our AbleCommerce site (guessing I was signed into LastPass on the server) and create themselves an Admin account. Luckily, some of the security protocols we had in place prevented them from seeing too much sensitive info, but I've been taking a variety of steps today to tighten security, and I blocked them out of my server shortly after they gained access."
Is your database and website located on the same server?
Rank: Newbie
Groups: Developers
Joined: 4/17/2020(UTC) Posts: 1
Thanks: 1 times
No, separate servers. I've changed a whole lot of passwords in the last 2 days.
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
If your database connection string is encrypted, I don't see how they could have gotten your password to log in to your system.
I never run any type of password manager on the server, and, in fact, you shouldn't be running any desktop applications on the server at all. Since we have a static IP at the office, we also limit remote login to specific IPs. I know this is a little more difficult if you have a dynamic IP.
Either way, I'm glad you got your problem fixed, and hopefully it will never happen again. I strongly suggest that you turn on two-step verification for all your admin users. I'm uncertain if this feature is included in version 9.0.5.
Hope some of this helps, and best of luck.
-Ray
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi,
Quote: "I'm uncertain if this feature is included in version 9.0.5."
We added multi-factor authentication in the first (beta) versions of AC9. The Google Authenticator was upgraded in 9.0.6. To turn it on, check the box for "Enable multi-factor authentication service" from the Configure > Security > Passwords page. The email template is called "Google Multi factor Authentication" in case you want to customize it.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Newbie
Groups: Developers
Joined: 4/17/2020(UTC) Posts: 1
Thanks: 1 times
It seems this hacker was specifically targeting AbleCommerce and they are trying to capture credit card information. Something is intercepting or blocking requests to \Validation\ValidateCreditCardNumber, but we haven't found it yet. We upgraded from 9.0.5 to 9.0.6 and went through the code very carefully, but the problem is still there. So, it isn't in the AbleCommerce code directly. We searched for service workers, IIS modules, handlers, IIS redirects, URL rewrites. No luck. Windows Defender found Meterpreter.8 malware today. Likely related, so we are running more extensive anti-virus tests.
We've turned off orders on the live site until we track this down.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi David,
I'm so sorry that you're having to deal with a hacker, because I know how frustrating it can be.
Thank you for keeping us updated on this issue.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Newbie
Groups: Developers
Joined: 4/17/2020(UTC) Posts: 1
Thanks: 1 times
I'm hopeful we have now removed the root source of this hack. Today, we found an IIS Module, HTTPCacheLog, that was causing our problems. The DLL for that module had a very recent Timestamp and the path didn't match any of the other IIS Modules. Once we removed that DLL, the problems below went away.
The ongoing issues we noticed were:
1.) Any URL that contained the words "Credit" and "Card" in the path wasn't reaching the intended end-point. This included: https://[ourAbleCommerceSite]/Checkout/_CreditCardPaymentForm and https://[ourAbleCommerceSite]/Validation/ValidateCreditCardNumber
2.) There was another Category page on the site that was displaying a blank page.
3.) Malware was popping up on the server on a nightly basis in odd places. The malware was being caught by anti-virus software on the server but it was clear we hadn't found the root source of the malware as it kept appearing and we had URLs that were being intercepted.
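The two signals David used to spot the rogue module, a DLL path that matches none of the stock IIS modules and a very recent file timestamp, can be checked mechanically. The script below is an added example and is not David's or AbleCommerce's code: it parses the `<globalModules>` and `<modules>` sections of an IIS applicationHost.config (a constructed sample is embedded so it runs offline), flags any native module whose image lives outside an assumed baseline of trusted directories or was modified within the last 30 days, and reports whether that module is actually enabled server-wide. The module name "HTTPCacheLog" and its path in the sample imitate the thread's description; the trusted-directory baseline is an assumption and should be extended with any third-party module that was installed deliberately.

```python
import os
import time
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <system.webServer> section of an IIS
# applicationHost.config. The last globalModules entry imitates the rogue
# "HTTPCacheLog" module described in the thread: a DLL loaded from a path that
# none of the stock IIS modules use. Names and paths are illustrative only.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RewriteModule" image="%windir%\\System32\\inetsrv\\rewrite.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" />
      <add name="HTTPCacheLog" image="C:\\inetpub\\temp\\httpcachelog.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="RewriteModule" />
      <add name="HTTPCacheLog" />
    </modules>
  </system.webServer>
</configuration>
"""

# Assumed baseline of directories that stock IIS and .NET native modules load from.
# Extend it with the install path of any third-party module you put there on purpose.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\windows\\microsoft.net\\",
)


def _section(node, *tags):
    """Walk child elements by tag name without ElementPath (tag names contain dots)."""
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def file_age_days(image):
    """Days since the module DLL was last modified, or None when the path cannot be
    resolved on this machine (for example when auditing a copied config offline)."""
    path = os.path.expandvars(image)
    if not os.path.isfile(path):
        return None
    return (time.time() - os.path.getmtime(path)) / 86400


def audit_iis_modules(config_xml, trusted_prefixes=TRUSTED_PREFIXES, max_age_days=30):
    """Flag native modules whose DLL lives outside the trusted directories or was
    modified recently, and note whether each is enabled server-wide in <modules>."""
    root = ET.fromstring(config_xml)
    global_modules = _section(root, "system.webServer", "globalModules")
    enabled = _section(root, "system.webServer", "modules")
    enabled_names = {e.get("name") for e in enabled} if enabled is not None else set()

    findings = []
    for entry in (global_modules if global_modules is not None else []):
        if entry.tag != "add":
            continue
        name = entry.get("name", "")
        image = entry.get("image", "")
        normalized = image.lower().replace("/", "\\")
        reasons = []
        if not any(normalized.startswith(prefix) for prefix in trusted_prefixes):
            reasons.append("image outside trusted IIS/.NET directories")
        age = file_age_days(image)
        if age is not None and age < max_age_days:
            reasons.append(f"DLL modified {age:.1f} days ago")
        if reasons:
            findings.append({
                "name": name,
                "image": image,
                "enabled": name in enabled_names,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # On a live server, read %windir%\System32\inetsrv\config\applicationHost.config instead.
    for finding in audit_iis_modules(SAMPLE_CONFIG):
        state = "ENABLED" if finding["enabled"] else "registered only"
        print(f"{finding['name']} ({state}): {finding['image']} -> {'; '.join(finding['reasons'])}")
```

Run it against a copy of applicationHost.config taken from the affected server; a module that is both outside the baseline and listed under `<modules>` is loaded into every request pipeline on the box, which is exactly the position a module needs in order to divert requests whose path contains "Credit" and "Card" before they reach the application. The timestamp check only fires when the script runs on the server itself, since the DLL path has to be resolvable.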