Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
I'm showing my ignorance here, but... We have an AC9 site they say has been hacked, and we are trying to find out where. They are saying it is JS or something on the payment page. The JS is default AC 7.0.2. The only thing I'm able to see so far is in the Network tab of Chrome DevTools, where it shows the credit card number in the Payload tab of the network request. Should it be doing this? It does it on an AC 9.0.4 site I tested also. See the attached image (2021-12-15_11-00-19.png).
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi Judy,
I've alerted the dev team, so we'll have a response for you soon.
Thanks for bringing this to our attention.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Administration
Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered Joined: 10/5/2018(UTC) Posts: 175
Thanks: 8 times Was thanked: 17 time(s) in 15 post(s)
In the Network tab, what is the target URL for the form data? Is it the authorized domain or something else?
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
Rank: Administration
Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered Joined: 10/5/2018(UTC) Posts: 175
Thanks: 8 times Was thanked: 17 time(s) in 15 post(s)
If the data is sent to the expected domain, then it is not a problem.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi Judy,
You can use a tool like WinMerge to compare the site's application files against a stock version of AC.
If any files and/or scripts have been modified, then you should be able to find the suspect code.
Keep us updated if you can. Thanks.
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
We've done that twice, looked for changed files, security-scanned the server, looked in the database for weird code, and watched network traffic, and we don't see any of it going to the domain where the "expert" says the credit cards are being sent from the payment page.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi Judy,
Can your "expert" provide any additional details or show the reason(s) he/she thinks this is a hacked site?
There's just not much to go on...
Thanks
Thanks for your support!
Katie, Secure eCommerce Software and Hosting
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
Judy, are you checking the compiled binaries in your comparisons? Not the source files, but the actual compiled live binaries against the factory binaries?
Fiddler would be a great tool to use to see what the page itself is sending outbound during postback.
Let me know if you need another set of eyes, happy to help.
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
I had checked the binaries, and they were the same, except for the AbleCommerce.dll, of course. But I did check the customizations in it. I ran the site through a free demo of an intrusion prevention scanner that checked over 10,000 vulnerabilities, and it found no issues. The expert said he could see the traffic across the wire going to this third-party site that was collecting the card numbers. Then he came back later and said, "Well, it's stopped now. You must have fixed something," when we had done nothing except test and investigate.
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
Just curious if you're hosting this at your location, since I know you use WatchGuard technology. If you are, it would be effortless for you to go to Tom and ask him to review the server reports for this particular site. The WatchGuard reports are extremely detailed, and you can filter on the fly if need be.
I had a similar situation many moons ago, on an entirely different system, where the modem would just come on and start dialing a specific number. We were never able to trace the code that did this, but we definitely could block any outward information to that specific number.
Of course, you asked the customer what tools they were using to come to their conclusion, right?
Anyway, if you are behind a WatchGuard appliance, take advantage of its abilities.
Hope this helps,
-Ray