logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
judy at Web2Market  
#1 Posted : Wednesday, December 15, 2021 10:26:32 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 286

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I'm showing my ignorance here, but...
We have an AC9 site they say has been hacked and we are trying to find out where. They are saying it is js or something on the payment page. The js is default AC 7.0.2.
The only thing I'm able to see so far is in the network tab of chrome dev tools where it shows the credit card number in the payload tab of the network request. Should it be doing this? It does it on an AC 9.0.4 site I tested also.
See image.
2021-12-15_11-00-19.png (20kb) downloaded 19 time(s).

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S  
#2 Posted : Wednesday, December 15, 2021 10:45:53 AM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 421

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Judy,

I've alerted the dev team, so we'll have a response for you soon.

Thanks for bringing this to our attention.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
mazhar  
#3 Posted : Wednesday, December 15, 2021 11:07:25 AM(UTC)
mazhar

Rank: Administration

Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered
Joined: 10/5/2018(UTC)
Posts: 175

Thanks: 8 times
Was thanked: 17 time(s) in 15 post(s)
In the network tab, what is the target URL for form data? Is it the authorized domain or something else?
judy at Web2Market  
#4 Posted : Thursday, December 16, 2021 5:43:44 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 286

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
mazhar  
#5 Posted : Thursday, December 16, 2021 7:24:41 AM(UTC)
mazhar

Rank: Administration

Groups: Admin, Administrators, HelpDesk, System, Authorized User, Developers, Registered
Joined: 10/5/2018(UTC)
Posts: 175

Thanks: 8 times
Was thanked: 17 time(s) in 15 post(s)
If data is sent to expected domain then it is not a problem.
Katie S  
#6 Posted : Thursday, December 16, 2021 11:15:13 AM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 421

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Judy,

You can use a tool like WinMerge to compare the site's application files against a stock version of AC.

If any files and/or scripts have been modified, then you should be able to find the suspect code.

Keep us updated if you can. Thanks.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
judy at Web2Market  
#7 Posted : Friday, December 17, 2021 7:25:37 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 286

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
We've done that twice, looked for changed files, security scanned the server, looked in the database for weird code, watched network traffic and don't see any of it going to the domain where the "expert" says the credit cards are being sent from the payment page.
Katie S  
#8 Posted : Friday, December 17, 2021 10:57:04 AM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 421

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Judy,

Can your "expert" provide any additional details or show the reason(s) he/she thinks this is a hacked site?

There's just not much to go on...

Thanks
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
Joe Payne2  
#9 Posted : Friday, December 17, 2021 11:51:48 AM(UTC)
Joe Payne2

Rank: Advanced Member

Groups: HelpDesk, Developers
Joined: 11/9/2018(UTC)
Posts: 564

Thanks: 122 times
Was thanked: 26 time(s) in 25 post(s)
Judy are you checking the compiled binaries in your comparisons? Not the source files. But the actual compiled live binaries against the factory binaries?

Fiddler would be a great tool to use to see what the page itself is sending outbound during postback.

Let me know if you need another set of eyes, happy to help.
judy at Web2Market  
#10 Posted : Monday, December 20, 2021 5:15:53 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 286

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I had checked the binaries and they were the same, except for the AbleCommerce.dll, of course. But I did check the customizations in it. I ran the site through a free demo of an an intrusion prevention scanner that checked over 10,000 vulnerabilities, and it found no issues. The expert said he could see the traffic across the wire going to this third party site that was collecting the card numbers. Then he came back later and said, well, it's stopped now. You must have fixed something, when we had done nothing except test and investigate.
ray22901031  
#11 Posted : Monday, December 20, 2021 5:29:58 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 826

Thanks: 3 times
Was thanked: 13 time(s) in 13 post(s)
Just curious if you're hosting this at your location, since I know you use WatchGuard technology. If you are, it would be effortless for you to go to Tom and ask him to review the server reports for this particular site. The WatchGuard reports are extremely detail, and you can filter on the fly if need be.

I had a similar situation many moons ago, on an entirely different system, where the modem would just come on and start dialing to a specific number. We were never able to trace the code that did this, but we definitely could block any outward information to that specific number.

Of course, you asked the customer what tools they were using to come to their conclusion, right?

Anyway, if you are behind a WatchGuard appliance, take advantage of its abilities.

Hope this helps,
-Ray
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.