Potential security breach

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Potential security breach

Post by NC Software » Sat Jun 26, 2010 4:09 pm

AC 7 users, I don't know if this has anything to do with AC 7 but I had a site breach today. The breach installed a backdoor.trojan detected by my Symantec Endpoint Protection and activities also led me to believe this attacker is knowledgeable of AC 7.

- I received an e-mail at my admin e-mail address for a password reset. I didn't initiate it and according to the AC e-mail, if you leave it alone nothing will occur
- I tried to login to my site using my admin credentials and could not
- I immediately locked my user account via SQL Management Studio
- I shut down the site via IIS until I did a full scan and review of the situation
- I found a file "image.asp" placed in my App_Themes/MyThemename folder which when viewed with Notepad is a malicious file
- Symantec quarantined "image.aspx" located in the above folder
- Symantec quarantined newup.asp in the store's root folder
- Further watching the Reports...Audit log I noticed a user "test@nc-software.com" was created and assigned to the Admin users group
- The user downloaded backups to the encryption keys, both part 1 and 2, so they obviously know what they're doing!

IP Addresses are:

- 77.92.85.16
- 209.216.249.71
- 115.75.155.51

I am surprised to see that the IP Firewall does not have a GRANT capability where only specific IP addresses can access the Admin; I am implementing this on my site now either via IIS or .NET code.

I also noticed a nc-software.com profile folder created but I cannot see any relation on the server (Win 2008 R2). I use a Watchguard Firewall with AV/IPS, all software is up-to-date (windows updates, etc.).

FYI
Neal Culiner
NC Software, Inc.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Potential security breach

Post by Shopping Cart Admin » Sat Jun 26, 2010 4:42 pm

Howdy Neal,

We've not had any other reports, but thank you for the information. I'm surprised they went after you, as we have high profile sites running AbleCommerce 7.0; you'd think they would go after them if there was an issue with AbleCommerce specifically.

NC Software wrote: I am surprised to see that the IP Firewall does not have a GRANT capability where only specific IP addresses can access the Admin, I am implementing this on my site now either via IIS or .NET code.

The majority of our customers don't have dedicated IPs and if they do it's easy enough to handle this via IIS.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Potential security breach

Post by Shopping Cart Admin » Sat Jun 26, 2010 4:51 pm

Howdy Neal,

I'd guess it's the 3rd one. The second one in CA could be traceable by the police, if it's found to be the one.

77.92.85.16 UK UNITED KINGDOM - - UK2.NET
209.216.249.71 US UNITED STATES CALIFORNIA VISTA WEB INTELLECTS
115.75.155.51 VN VIET NAM - - XDSL SERVICES OF HCM
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Potential security breach

Post by NC Software » Sat Jun 26, 2010 5:14 pm

And the user is trying to login but can't; his/her IP from Fremont, CA is 24.6.27.223.
And from Woodstock, IL: 67.159.44.137.
Neal Culiner
NC Software, Inc.

mikek
Commander (CMDR)
Posts: 112
Joined: Wed Oct 15, 2008 9:30 pm
Location: Boston, MA

Re: Potential security breach

Post by mikek » Sat Jun 26, 2010 11:12 pm

Hi Neal,

The attacker is most probably using open proxy servers or a VPS account. With so many VPS providers out there a hacker can attack your server by logging in to a VPS box via remote desktop and delete the VPS instance after the attack. For instance the attacker could be someone from China using an open proxy or VPS server located in Fremont, CA or Woodstock, IL ...

From our experience with AbleCommerce 7.x we have not seen any security or architectural design flaws in the AbleCommerce code that could cause a security breach on the application level or allow any type of SQL/code injection.

Below are a few server hardening tips that will help protect your environment on the server OS level:

- close off networking ports (TCP 135, 139, 1433 and 445; UDP 135, 137, and 445) and any other unused ports
- shut down the FTP service by default and enable FTP only when you need to update your site content
- if you are running MSSQL on the same server, disable the MSSQL Client TCP/IP interface - use local shared memory connections only.
- do not use a local SMTP server under 'localhost' (if an attacker gains access to your server he can monitor the outgoing SMTP queue and gain access to password reset emails) - use a remote SMTP server with SMTP authentication only.

There are other server hardening steps which require changes to the server group policy settings, but closing off ports and shutting down FTP should prevent further file injection attacks.
Mike Kolev

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Potential security breach

Post by NC Software » Sun Jun 27, 2010 6:42 am

Hello Mike,

Thanks for the reply. As I use a Watchguard x1250e hardware appliance, only the ports required are open, many of which have proxy filters in use for additional security, among the other intrusion prevention services that the appliance offers. MSSQL is on a dedicated server; it is isolated from the Internet and only available via the internal network, with the exception of my IP addresses for external access via the firewall. E-mail is secured as well; it's a separate box which requires SMTP Auth.

My guess is they may be exploiting the forgot password system. What it appears that they do is find the admin's e-mail; for me it's my personal e-mail, not a dedicated e-mail address for merchant admin, and that e-mail (my personal) has been used forever and for everything, so not hard to determine I suppose. They then trigger a forgot password request; the trick is whether they are able to intercept that URL either via a callback, viewstate, etc. I imagine if you can get that URL and put it in the browser, you could then change the password and get access. I am going to investigate to see if there is a vulnerability here.

In response to this attack I have since locked down all /admin folders for forums, support desk, and AC with IIS's IP Address security, i.e. put in the IP Addresses that can have GRANT permissions to these folders. I saw the attackers try to do the same attack on my vBulletin forums; they put my e-mail into the forgot password system there too. I also suggest a dedicated and private e-mail address for merchants to use for access to the admin.

Good lessons learned, sad it takes an attack to learn this.
Neal Culiner
NC Software, Inc.
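As an added example (not code from this thread or from AbleCommerce), here is how the IIS 7 "IP Address and Domain Restrictions" GRANT list Neal describes can be expressed in the store's own web.config, scoped to the admin folder only. The folder name `Admin` and the two addresses are assumptions; the addresses are constructed placeholders from documentation ranges.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: allow-list the store's admin folder with the IIS 7
     ipSecurity section. Requires the "IP and Domain Restrictions" role
     service to be installed. The section is locked at server level by
     default (overrideModeDefault="Deny" in applicationHost.config), so
     unlock it once, as an administrator, before this file takes effect:
       %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity
     Addresses below are constructed placeholders, not real ones. -->
<configuration>
  <!-- "Admin" is an assumed folder name; use the store's actual admin path.
       Scoping with <location> leaves the public storefront unaffected. -->
  <location path="Admin">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" makes this a GRANT list: any client not
             matched below is refused with HTTP 403.6 before the page runs. -->
        <ipSecurity allowUnlisted="false">
          <!-- single static address, e.g. the office (constructed) -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- whole subnet, e.g. a home ISP block (constructed) -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Test it from an address that is not listed, which should receive a 403.6 on any URL under /Admin while the rest of the site still loads; because the restriction is enforced by IIS, it also blocks a stolen admin login from unlisted addresses.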

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Potential security breach

Post by NC Software » Sun Jun 27, 2010 7:14 am

Shopping Cart Admin wrote: Howdy Neal,

We've not had any other reports, but thank you for the information. I'm surprised they went after you, as we have high profile sites running AbleCommerce 7.0, you'd think they would go after them if there was an issue with AbleCommerce specifically.
I am surprised to see that the IP Firewall does not have a GRANT capability where only specific IP addresses can access the Admin, I am implementing this on my site now either via IIS or .NET code.
The majority of our customers don't have dedicated IP's and if they do it's easy enough to handle this via IIS.

Mike,

In my opinion the Security/IP Firewall should have both GRANT and DENY capability. In fact I'm surprised PCI certification doesn't require it. I have Verizon FIOS at home; while I don't pay for a static IP, my IP never changes. I do have static at the office.

While customers may not have static IPs, and I'm not sure how you have the statistics to state "The majority of our customers...." I'm not sure I agree, but it's moot; this capability needs to be in place. It could be set in the web.config as another product I use implements this (Desaware Licensing System) or via your admin interface. Customers may have a static IP but not have admin access to the server OR knowledge of how to configure IIS for this functionality. This gives clients the ability to secure their site via the admin and not require server/IIS access. So for those that do have static IPs and not server access, you don't give them the ability to lock down.

With AC's certification for security via PCI I hope you will implement all available security capabilities to help your customers remain secure.
Neal Culiner
NC Software, Inc.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Potential security breach

Post by AbleMods » Sun Jun 27, 2010 12:41 pm

NC Software wrote: They then trigger a forgot password request, the trick is are they able to intercept that URL either via a callback, viewstate, etc. I imagine if you can get that URL, put it in the browser, you could then change the password and get access. I am going to investigate to see if there is a vulnerability here.

If they know AC7, then once they have admin credentials they can easily view the SQL connection string. So you have to assume both SQL and AC7 have been compromised...from there they've got access to every database on your SQL box.

Ugh what a hassle - who'd you honk off Neal? This sounds "personal".....
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Potential security breach

Post by NC Software » Sun Jun 27, 2010 2:56 pm

I sure hope no one is using a SQL Server login for their AC store that gives access to their entire SQL Server!!! I don't do that and yes, when this occurred yesterday that was one of the many things that was changed: all passwords, accounts, etc.
Neal Culiner
NC Software, Inc.
