Someone successfully raided my store

I'm not sure how this has happened, and I've checked everything I can think of.

Here's the story:

A few days ago, I had a customer try to make a purchase. Authorize.net declined the card twice. Customer sent me an email asking if he could call with the card detail, after which I wrote back saying that I'd have to run it through the same system. I also mentioned that he could try PayPal, which is more forgiving for address mis-matches, which was why his card was declined.

Yesterday, I got the emails for 2 new orders from this same customer, one for a free item and one for a paid item (not the same as he tried purchasing before, but a lower cost one). No payment emails.

When I looked in my admin interface at the orders for the day, I saw that both of his orders were marked as "Completed" (I have the auto order complete mod to do this when downloadable orders have been downloaded), including the paid product.

My first thought was that maybe the payment gateway failed to send the payment email, so I checked Authorize.net for the transaction. Nothing there. I then checked PayPal to see if maybe the customer switched payment gateways and completed the order there. Still nothing. I also checked my E-Gold account, as that is the only other payment gateway I use. Nothing there either.

From here, I considered the possibility that maybe this person found a security hole in CubeCart, so I searched through the server access logs of the site. I can see this person's IP address, and I can see some activity around the time the order was placed, but there's no record of the order actually being placed. (No record of ANY orders being placed, for that matter - no 'step5' in the whole log (for the month!). I have TraceWatch installed and it recorded the whole order process, including the step5. This makes me wonder if the server logs have been altered.)

I can also see where this person downloaded the files with a different IP address, which doesn't show up anywhere else (this person is on dialup - the IP changes each time he logs in).

I also didn't see anything that looked like an injection hack.

Considering that I know the half dozen people that have websites on my server, I don't suspect any cross site scripting, but I'm thinking that's the only possibility left.

My question is this:

Does anyone know what might have happened here?

And how can we prevent it from happening again?

Guest trochia

I can also see where this person downloaded the files with a different IP address, which doesn't show up anywhere else (this person is on dialup - the IP changes each time he logs in).

The exact same files?.. Very strange

Hi Jim,

I guess I wasn't clear enough. The order was placed with one IP and downloaded with a different IP. The files were downloaded only once.

Here's the update.

After thinking about this, I realized that if this person found a loophole in the system, I should just go ahead and let him have whatever products he wants for the information. After all, they're digital and won't cost me anything extra to produce. So I wrote him a note saying that I didn't understand what happened, that I see where he's been able to download the product, but I see no record of a payment, and if he's found a hole in the system I'd gladly give him a copy of everything for the information.

The customer wrote back with a description of what he did, and offering to pay for the product.

In essence, due to switching to a new skin, and forgetting about some modifications I did to the last one, the manual payment page (for Authorize.net) didn't have a clearly visible 'Submit' button, so he filled out the form and hit the Enter key on his keyboard. That's it!

After querying about his OS and browser, I found that he uses Windows and Firefox with no special settings.

With his willingness to complete a payment for the item, I am hesitant to think of this as a 'hack', yet I have had others complete the Authorize.net payment process since the new skin was installed.

I'm still not sure why there wasn't any record of a 'step5' in the server logs, or why his order was set to 'Processed' instead of 'Pending' as several others have been, including the order this same customer tried placing several days ago.

I guess at this point I have to consider this a very weird glitch in the system and hope that it doesn't happen again. If it does, then maybe we'll have additional information to track down the cause.

Alan I sent you an explanation + fix via PM. State update to FALSE is the quickest but uncomfortable solution.

Have fun!

BTW maybe time to write a list of NON RECOMMENDED cc3 built-in payment gateways on stores selling digital goods. :dizzy:

This is an example:

Authorize AIM

PayPal Standard

PayPal PRO

PayPal Express Checkout

and moooore

DO NOT ADD PAYMENT PROCESSOR NAME to its description area, this is highly recommended.
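To make the difference between the two behaviours discussed in this thread concrete, here is an added example (not CubeCart's code, not Milos's fix, and not anything from Authorize.net). It models an order whose status is advanced as soon as the customer's browser posts the card form (which is what a form submitted with the Enter key triggers) beside one whose status only moves on a verified gateway response, and it includes the reconciliation check Alan did by hand: downloadable paid orders with no gateway transaction behind them. The names (`Order`, `OrderStatus`, `GatewayResponse`, `on_payment_form_posted`, `on_gateway_response`, `find_unpaid_releases`) and the `update_state_on_submit` flag are hypothetical; the flag is my reading of the "State update to FALSE" setting, not a documented CubeCart option.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class OrderStatus(Enum):
    PENDING = "Pending"        # placed, no payment confirmed
    PROCESSING = "Processing"  # paid; digital goods may be downloaded
    COMPLETED = "Completed"    # paid and downloaded (what an auto-complete mod sets)
    FAILED = "Failed"          # gateway declined


@dataclass
class Order:
    order_id: str
    total_cents: int
    status: OrderStatus = OrderStatus.PENDING
    transaction_id: Optional[str] = None  # gateway reference, set only on approval


@dataclass
class GatewayResponse:
    """Constructed stand-in for the gateway's server-side answer."""
    approved: bool
    transaction_id: Optional[str]
    amount_cents: int


def can_download(order: Order) -> bool:
    # Digital goods are released once an order is Processing or Completed.
    return order.status in (OrderStatus.PROCESSING, OrderStatus.COMPLETED)


def on_payment_form_posted(order: Order, form: Dict[str, str],
                           update_state_on_submit: bool) -> Order:
    """Hypothetical gateway-module hook run when the customer's browser posts
    the card form. With update_state_on_submit=True (the weak setting) the
    order advances before the gateway has answered at all, whatever the form
    contained; with False the order stays Pending until the gateway responds."""
    if update_state_on_submit:
        order.status = OrderStatus.PROCESSING
    return order


def on_gateway_response(order: Order, resp: GatewayResponse) -> Order:
    """Hardened path: the only code that moves a paid order out of Pending is
    a gateway response that is approved, carries a reference, and matches the
    order total."""
    if order.status != OrderStatus.PENDING:
        return order  # ignore duplicate or replayed callbacks
    if not resp.approved or not resp.transaction_id:
        order.status = OrderStatus.FAILED
        return order
    if resp.amount_cents != order.total_cents:
        return order  # mismatched amount: keep Pending for manual review
    order.transaction_id = resp.transaction_id
    order.status = OrderStatus.PROCESSING
    return order


def release_free_order(order: Order) -> Order:
    """Zero-total orders legitimately need no gateway; anything else is refused."""
    if order.total_cents == 0 and order.status == OrderStatus.PENDING:
        order.status = OrderStatus.PROCESSING
    return order


def find_unpaid_releases(orders: List[Order]) -> List[str]:
    """Reconciliation check: downloadable paid orders with no gateway reference,
    i.e. the condition Alan found by comparing the admin panel against the
    gateway records."""
    return [o.order_id for o in orders
            if can_download(o) and o.total_cents > 0 and o.transaction_id is None]


if __name__ == "__main__":
    # Constructed scenario: one paid order under each setting, plus a free one.
    form = {"cardnum": "<constructed test value>"}
    weak = on_payment_form_posted(Order("1001", 1999), form, update_state_on_submit=True)
    safe = on_payment_form_posted(Order("1002", 1999), form, update_state_on_submit=False)
    safe = on_gateway_response(safe, GatewayResponse(True, "txn-demo-1", 1999))
    free = release_free_order(Order("1003", 0))
    print(find_unpaid_releases([weak, safe, free]))  # -> ['1001']
```

The point of the split is that the form post and the gateway answer are two different events: the first comes from the customer's browser and proves nothing, the second comes from the processor and is the only thing worth keying a status change on. Running `find_unpaid_releases` over the day's orders is a cheap way to notice this class of problem before a customer has to tell you about it.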

You are a coding GOD, Milos! :yeahhh:

I've installed your fix and tested as you suggested and it works as promised.

You mentioned several other gateways as well. Are there ways to fix those as well?
