
Hacker strikes


Guest Christine from gecko Gully


I would like to describe what has happened to me in the last 36 hours. Not because I don't know what to do about it, but because I want to warn others to be careful, and to ask if anyone has had the same problem (and how did YOU resolve it?).

I am a web site builder. I build heavily-modded CubeCart sites (all legal and registered and everything - grin). I have built about 80 sites, mainly for clients in a certain niche. The problem was that I used the same admin username and password for all my sites (one for me, and one for the client which THEY set the username and password for).

So once some hacker found out my password for one site (and I am still not sure how they did that), they were able to get into all my sites.

Then what they did is turned off all the Payment Gateways, but turned on PayPal and directed payments to THEIR PayPal account.

I am in Australia, and the hacker appears to be either in the USA or Vietnam - and there might be more than one. So a lot of this happened during the night my time (Thursday night). It wasn't until an alert client noticed that she had had an order notification from CubeCart but no matching notification from PayPal, and that the order had mysteriously been deleted from her admin, that I realised something was wrong. This was obviously a "test" order - there were several of these placed on different sites.

So once I had worked out what was going on, the first step was to go through all 80 sites and change my password (I am using a different randomly-generated one for each site now, like $3Dfo!G}!8,C), then I turned off the PayPal gateway and re-opened any others that the client was using (some use Mal's, some use PayMate, some use Print Order Form, and these were all OK). Then I emailed all the clients and asked them to go log in and change their PayPal email address to what it should be, because I can't remember them all and they might have been changed since I built the site anyway.

This took several hours, but while I was slogging through this I also got on the phone to PayPal to report the problem. I asked them to (1) shut down the PayPal account immediately (2) refund any payments that went into that account to the buyers and (3) get back to me to let me know what has been done, so I can advise my clients and they can advise their customers. The PayPal lady, who was in North America, took all this down and went away a few times to talk to someone else and eventually told me that someone would probably call me. Well, I haven't heard anything yet, 20 hours later. I am about to contact them again, in writing.

Anyway, while I was going through these sites, I also collected details of any orders that had been placed while the hack was active. This way, once the fire burns down a bit, I can contact each of them and let them know what has happened so they can initiate a complaint with PayPal (if PayPal doesn't refund them as per my request).

On one site, the hacker went even further. He actually deleted my client's admin login and created his own. I'm not sure why he didn't delete mine too, because that would have made it more difficult for me to get in, but maybe he realised it wasn't impossible because I just need to tweak the database and I can get back in.

The next step (it was midnight Friday night by this point!) was that I put some code into the admin/login.php program so that if anyone had a failed login attempt to get into admin, I would be sent an email. This was because the hacker was all this time still trying to get into admin on some sites. It was rather creepy, like having someone peering in your window. Effectively, I now have a guard standing at the door of each site who would not stop entry, but who would let me know if someone had tried to break in.

For the last few hours there have been no more break-in attempts, so I am hoping the idiot has gone away. But I hope you are not his next victim! It is now 9am Saturday, and I am going to bed soon.

Oh, and if you are reading this, I know quite a few details about you and they are all being reported to as many authorities as I can find.

Christine Abela

Gecko Gully.

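The failed-admin-login e-mail described in the post above, written out as an added example (not CubeCart's code and not the poster's own patch): it logs the attempt, throttles alerts per source IP so a brute-force run does not flood the inbox, and strips control characters before anything user-supplied reaches a mail header. The log path, alert address and function name are assumptions.

```php
<?php
// Added example, not CubeCart's code: a small failed-admin-login notifier
// meant to be called from the admin login handler after the password check
// fails. Assumed: the log file path, the alert address, the function name.

const FAILED_LOGIN_LOG  = '/var/log/shop-admin-failed.log'; // assumed path
const ALERT_TO          = 'owner@example.com';              // placeholder
const ALERT_WINDOW_SECS = 600; // at most one mail per source IP per 10 minutes

/** Remove CR/LF/TAB and cap length so user input cannot inject mail headers. */
function clean_field(string $value, int $max = 80): string
{
    $value = preg_replace('/[\r\n\t\x00-\x1f]/', ' ', $value) ?? '';
    return substr(trim($value), 0, $max);
}

/**
 * Record a failed admin login and e-mail the site owner.
 * Only the attempted username and source IP are recorded; the password
 * that was tried is deliberately never logged or mailed.
 * Returns true when a mail was handed to mail(), false when throttled.
 */
function notify_failed_admin_login(string $username, string $ip, string $site): bool
{
    $username = clean_field($username);
    $ip       = clean_field($ip, 45);   // long enough for an IPv6 address
    $site     = clean_field($site);
    $now      = time();

    $line = sprintf("%s\t%s\t%s\t%s\n", date('c', $now), $site, $ip, $username);
    file_put_contents(FAILED_LOGIN_LOG, $line, FILE_APPEND | LOCK_EX);

    // Throttle on a per-site, per-IP marker file so repeated attempts within
    // the window are still logged but do not each produce a mail.
    $stamp = sys_get_temp_dir() . '/failed-login-' . md5($site . '|' . $ip);
    if (is_file($stamp) && ($now - (int) filemtime($stamp)) < ALERT_WINDOW_SECS) {
        return false;
    }
    touch($stamp);

    $subject = "[$site] failed admin login from $ip";
    $body    = "A failed admin login was recorded.\n"
             . "Site: $site\nUsername tried: $username\nSource IP: $ip\n"
             . 'Time: ' . date('c', $now) . "\n";
    $headers = 'From: noreply@' . $site . "\r\n"; // assumed sender domain
    return mail(ALERT_TO, $subject, $body, $headers);
}

// Usage in the login handler, after the credential check has failed:
// notify_failed_admin_login($_POST['username'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '',
//                           $_SERVER['HTTP_HOST'] ?? 'unknown');
```

Because the log line is tab-separated with a timestamp first, the same file can later be grepped or fed to a log monitor to spot one IP walking across many sites.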

Christine.. do you have professional indemnity insurance? Your decision to use the same log-in details for all sites is basically a serious case of negligence and store owners would be 100% entitled to sue you for their losses.

Be very grateful you're not on the end of any legal proceedings.

