The Official Website of AgoraCart and Agora.cgi
AgoraCart Free User Forums

This is the official FAQ and Cool Tips guide for the AgoraCart shopping cart software


Clearly I am being hacked
Post Clearly I am being hacked 
In the past few days my client has received two orders (he runs a rather low-volume website), neither of which created an order file for him to view, although both PayPal payments went through fine. This left him in the embarrassing position of having to seek out the buyer's address, email, and phone number, and ask him, "Can you please tell me what it is you bought, so I can ship it?"

Anyway, while trying to troubleshoot why this has begun happening, I checked out the access and error logs, and found that starting in January of this year I began seeing many records of the form:

FILE OPEN ERROR-
FILE=./agora.cgi
LINE=845
DATE=Tuesday, January 15, 2008 at 12:16:12
AGORAWRAP: *
QUERY_STRING: cartlink=http%3A%2F%2Fwww.protiming.at%2Fgallery%2Falbums%2Fijehiqe%2Fozipeg%2F&cart_id=2070239.15703*-E4Xs82070239.15703
REMOTE_ADDR: 81.31.47.2
REQUEST_URI: /agora.cgi?cartlink=http%3A%2F%2Fwww.protiming.at%2Fgallery%2Falbums%2Fijehiqe%2Fozipeg%2F&cart_id=2070239.15703*-E4Xs82070239.15703
SCRIPT_NAME: /agora.cgi

Note the query string. We have loads of these, every one pointing to some different overseas domain name. Clearly we are being hacked, or we are being used to hack someone else, though I can't tell if they are having any success with these attempts. Is there some patch that addresses whatever it is that these people are doing?

I have no idea if this is connected with the original problem of my client's shopping carts and order log going missing, but I suspect I need to solve it before making any progress with that.

Post  
What version of the cart is being used?
If it is a version earlier than v5.0 or v5.2, you will need to upgrade to the current version, v5.2.


_________________
God Bless!
Bonnie - AgoraCart Moderator

Post Agora version 
The login page says 4.0K-4b Standard. My client won't be happy to hear that he "has to" pay for us to upgrade it. He's already talking about just taking it down. How much work are we talking about?

Post  
Moving from the old v4.x to v5.2 is kinda extensive since there is a change in some of the files structure and all...


_________________
God Bless!
Bonnie - AgoraCart Moderator

Post  
I have since watched your flash animation at the site about how easy it is to upgrade to release 5.0 (run a macro) though the results are "not guaranteed." Where can I find out how difficult it is to move to 5.2?

Sadly, my client has no budget to "run as fast as he can just to stay in the same place."

Post  
Can't upgrade to only v5.0 as those files are no longer valid... v5.2 has superseded them as v5.2 fixes the bugs that were in v5.0.


_________________
God Bless!
Bonnie - AgoraCart Moderator

Post  
this is in your error log. therefore it is an error that the store is reporting. what that means is the cross site attempt failed. you are not being hacked. some idiot who likes to waste his time on some bogus information is trying to do something the store will not tolerate.
if this was not in the error log then it would mean that either the store does not report such errors or that the cross site scripting attempt succeeded, which, it did not. so, security is working with agoracart.
as an aside, all the security won't amount to a hill of beans if one's usernames and passwords are not secure and security measures are not invoked.
make sure your store manager is htaccess password protected... using a secure username and password. make sure your store manager screen has a secure username and password. make sure your cpanel and ftp access have very secure passwords! if you have browser access to your domain's email accounts make sure you access in https and that the passwords are very secure.
secure passwords...
don't use chronological numbers 1234 or 789 or 876
don't use names or words 123dan 1dan2
use at least 6 characters A84Tnd and keep them random in nature.
where allowed use alphanumeric and non-alphanumeric characters and mixed case *G4w#1La
run an online virus and exploit scanner in addition to your installed antivirus program. ewido is a good one. use a program like adaware to find nasty things the antivirus programs usually don't target. keep your OS and defense programs up to date... check every two weeks and run system scans.
you're not being paranoid thinking that everyone is out to get you on the net... because they are.
d

Post  
scottcrew wrote:
Can't upgrade to only v5.0 as those files are no longer valid... v5.2 has superseded them as v5.2 fixes the bugs that were in v5.0.


Sigh. Your User Manual area has a section about upgrading from 4 to 5.0, which it says is easy. It doesn't have a section about upgrading from 4 to 5.2 at all, and you tell me it is hard. This is like asking my client to sign a blank check.

Post  
Yeah, there is no upgrader for v5.2.
It's really not hard, just a lot of things to do.
Like converting old customized headers/footers to new format and agorascript code.
Converting all html files to include new info and remove obsolete info.
Editing v5.2 ppinc files if using custom layouts in v4.x.
Transferring data.file and PRODUCT images... not button images as there is a new way of doing those...
You can hire one of Agora's moderators or tech support
to do the upgrade for you, then it isn't a "blank check"...

HTH!


_________________
God Bless!
Bonnie - AgoraCart Moderator

Post  
WHEW!! I could not imagine what I had done?!?

Not great (knowing someone is trying to get access), but since it is caught by the error log, that is good news.


Did not even think of hacking.

THANKS
Sue

Post  
vinsbour wrote:

Not great (knowing someone is trying to get access), but since it is caught by the error log, that is good news.
Did not even think of hacking.


That's two people on this thread who assume that ALL of the attempts are showing up in the error log and are therefore unsuccessful, which is not a valid assumption. These attempts start in January and have continued to this day, so I have to assume that some of them are being productive to somebody. The fact that all the URLs are in foreign domains points immediately to hacking (even if my client were making overseas sales, which he doesn't, the shopping carts wouldn't be overseas).

So how do I get one of these contractors to quote the conversion job?

Post  
while it's accurate to assume that some cross site scripting attempts may be getting through while some failed and are getting logged, it just simply is not the case. i have personally done extensive searches for this type of thing concerning agora.cgi in places most people refuse to believe exist. if there was a viable exploit then i would have found it. in addition my searches are on-going. these people do not keep info like this to themselves, they share and when they do ppl like me can find it. the only reference on the net is a very minor thingy that happened like 8 years ago, which is not valid now and even at the time with the cart version was so minor it's not worth explaining about. this could very well be the source of current trials, which, will get them nothing.
i have several clients who have the same type of thing in their error log. so i have server information, access to potential email complaints from the target sites and more. there has been no feedback and server records display no on-going talkback or responses from targeted sites.
as with any product it is wise to keep it updated to the current version if for no other reason than security updates. this is common sense. changes in server settings, insecure servers, versions of apache and perl can change the playing field. if store code needs to be customized it needs to be done with safe coding practices. other obvious security steps must be adhered to such as the suggestions above.

i'll say it again. as far as i or anyone i know can determine these are attempts only and are not based on a valid cross site scripting vulnerability. if and when anything like this becomes an issue believe me mr ed will be on it like stink on a skunk and he will broadcast the issue with a fix in the update manager.

as far as foreign sites being the target this is natural for these ppl. i will not go into details other than to say it is typical and to be expected.

i must say that this type of thing is why i argued on this board and other places that referrers and other overrides not be implemented. in addition while js is not promoted or included in the source files to any extent, it is a well known fact that every cracker on the net must have js disabled because with it enabled can reveal information that cannot be filtered. so if one is major paranoid about this (non-judgemental statement!) then make the store so if js is disabled in the browser they cannot use the store. this will filter 99.999% of crackers but could also lose some sales but the trade-off is warranted IMHO.

d

Post  
one more thing. this is not a direct attempt to crack your store or site. this is a cross site scripting attempt. it is an attempt to use your store like a proxy to access or do other things elsewhere.
there are security measures embedded in agoracart that specifically prevent this.
i think i know why this is being attempted and the assumptions why it may work. it's because of v5 functions added, i think. but because of the architecture of agoracart this cannot happen.
just be sure to use security measures as i outlined above and everyone will be just dandy.
d

Post  
Dan wrote:
the only reference on the net is a very minor thingy that happened like 8 years ago, which is not valid now and even at the time with the cart version was so minor it's not worth explaining about. this could very well be the source of current trials, which, will get them nothing.


Since you have knowledge of what subversion these people are trying to attempt, perhaps you might be able to hazard an educated opinion as to whether or not this is likely to be in any way connected with my client's recent problem of never getting order files for successful orders. The PayPal payment goes through fine, the shopping cart is left in the shopping carts folder with the contents in it (I have been manually extracting those for him so he can fulfill those orders) but he gets nothing in the order log. I have checked all the permissions on the files and found nothing amiss. Is it likely or unlikely that this is a side-effect of the particular hack that is going on here? (My guess is unlikely, and I need to be looking elsewhere for why this is occurring.)

I don't think store security is a problem. I can't really suspect that a hacker is logging in and manually erasing the order file, because there is absolutely no profit to be gained by this. The store does not collect CC numbers itself, it only uses PayPal, so breaking into this store would be like breaking into a warehouse full of catalogs.

Post  
lol@catalogs
i would venture to guess that the clients are not clicking back to your store from paypal. just a guess. put a message on step two of your paypal form telling ppl they must use the link at paypal to return to your store or the order may be deemed invalid or delayed.
also, make a test product for a buck. buy it and when you get to the page after paying for it while still at paypal go to google or someplace. see if the order is logged. then buy the product again after deleting your cart. this time use the link back to your store at paypal then check to see that the order has been logged.
i think you'll find this is the case. paypalipn resolves this issue.
be sure to have your client refund the test purchases! these things can add up. grin
d

Post  
oh. and when testing it's best to use a paypal account and not echeck or credit card. if you personally don't have a paypal account pm me and i'll help.
warning: if i don't get reimbursed i'll have to call tony soprano (laughing)
d

Post  
all that this error means is that it tried to open a non-existent file in the html sub-dir of the store. This protection is in effect for version 4.0f and above. So you do not need to upgrade for this reason. However, the store you are running is 6 years old this year. So it's advisable to upgrade to get the cool features, better order management, and better SEO & design options.


the .004 versions of 5.2.x and 5.5.x (the agora.cgi file) skip the logging of this error since people don't understand what this is. It will instead post an error to the screen when it's attempted.

these sort of things do not work with the cart. but since people think they are being hacked because it is logged, we're gunna stop logging the attempts to navigate outside the store in this fashion.

it will be easier to get into your site using vulnerabilities in PHP scripts and forums, or guessing your FTP credentials, than to use this method in AgoraCart. You just get nervous because you see yer being scanned/tested and probably not used to it (plus the annoying error logs)


_________________
Vote Mister Ed for Prez 2012, for a REAL change.

Need Low Cost Startup Option? Try NiftyPay's Pay to Play
http://www.NiftyPay.com
Post  
Well, no... you get nervous because every time somebody makes an order you don't have anything in the order log! Then you go looking to determine what is causing it, and when you check the error log the only thing you can find in it is that (unrelated) error. (sad) If I could just find and fix the former problem, I'd happily let the latter one grind away.

Post  
grin. that's what i explained to mr ed. i figured the two kinda fed off each other.
did you try to duplicate the error by doing two test checkouts?
i think bonnie posted a means to get a silent post back with the standard paypal gateway to avoid this problem. but that could have been on an older version or i may be just too demented and am dreaming.
i'm pretty sure that this is the cause. you must make it clear to the customer that they must click the link back to the store and no other. if they want to print out a receipt they can click back to the store then go back to paypal and do whatever they want. but printing a receipt is kinda dumb when they get notified by paypal and also your store as well as paypal keeping a running ledger of purchases and payment for their account.
d
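
Added example, not part of any post in this thread and not AgoraCart code: one way to test the assumption debated above, that every `cartlink` probe ends up in the error log, by comparing URL-valued requests in the web server access log against the `FILE OPEN ERROR` records. The access-log format (Apache common log format), the sample lines, the `specials.html` value and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data (not from the thread). Assumption: Apache common log format.
ERROR_LOG = """\
FILE OPEN ERROR-
FILE=./agora.cgi
LINE=845
DATE=Tuesday, January 15, 2008 at 12:16:12
AGORAWRAP: *
QUERY_STRING: cartlink=http%3A%2F%2Fremote.example%2Fa%2F&cart_id=111.222
REMOTE_ADDR: 192.0.2.10
REQUEST_URI: /agora.cgi?cartlink=http%3A%2F%2Fremote.example%2Fa%2F&cart_id=111.222
SCRIPT_NAME: /agora.cgi
"""
ACCESS_LOG = [
    '192.0.2.10 - - [15/Jan/2008:12:16:12 +0000] "GET /agora.cgi?cartlink=http%3A%2F%2Fremote.example%2Fa%2F&cart_id=111.222 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jan/2008:03:01:44 +0000] "GET /agora.cgi?cartlink=http%3A%2F%2Fother.example%2Fb%2F&cart_id=333.444 HTTP/1.1" 200 9120',
    '203.0.113.5 - - [16/Jan/2008:09:30:00 +0000] "GET /agora.cgi?cartlink=specials.html&cart_id=555.666 HTTP/1.1" 200 4096',
]

FIELD_RE = re.compile(r"([A-Z_]+)(?:=|:\s?)(.*)")  # KEY=value or KEY: value
ACCESS_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse_error_log(text):
    """Return one dict per FILE OPEN ERROR record."""
    records = []
    for chunk in text.split("FILE OPEN ERROR-")[1:]:
        pairs = (FIELD_RE.match(line) for line in chunk.strip().splitlines())
        records.append({m.group(1): m.group(2).strip() for m in pairs if m})
    return records

def url_valued_requests(lines):
    """Return (ip, uri, status) for requests where a parameter decodes to an absolute URL."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, lines)):
        ip, uri, status = m.groups()
        params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
        if any(re.match(r"(?i)(?:https?|ftp)://", value) for _, value in params):
            hits.append((ip, uri, int(status)))
    return hits

def not_in_error_log(hits, records):
    """Hits with no error record for the same client address and request URI."""
    logged = {(r.get("REMOTE_ADDR"), r.get("REQUEST_URI")) for r in records}
    return [h for h in hits if (h[0], h[1]) not in logged]

if __name__ == "__main__":
    print(not_in_error_log(url_valued_requests(ACCESS_LOG), parse_error_log(ERROR_LOG)))
```

A request returned by `not_in_error_log` is only a candidate for manual review of its response and the surrounding traffic. Per the last moderator post, the .004 builds of 5.2.x and 5.5.x no longer log this error, so on those versions absence from the error log says nothing either way.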
