Somehow a user from Malaysia has gained access to our website using what looks to be an account during the ordering process.
I'm not sure if he had access to our database or admin area.
But he also created a coupon for a 100 percent discount and also changed the PayPal payment address to his own, and changed it to another one a day later.
We have told PayPal, and they can see that this email has the same account linked to it.
His email addresses are darrylgohjenfai@gmail.com / kkgoh@msn.com / darryl.mw3@gmail.com / dar.goh.96@gmail.com and from the order he placed his IP is 175.143.255.97, but he used another person's account.
I am using the latest version of OpenCart and I have now changed all passwords to admin and control panels etc.
Is there anything I can do to track exactly how he gained access, or is this a known exploit?
Thanks
Adam
Last edited by i2Paq on Tue Dec 18, 2012 12:21 am, edited 1 time in total.
Reason: Title adjusted
Is your version an upgrade or a clean install?
Are you on a shared server?
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
Because you are the first to report such an issue, I think it could be related to your server security setup.
Are there other websites running on that server?
Norman in 't Veldt
Moderator OpenCart Forums
WordPress is up-to-date?
What version is the other OC?
Norman in 't Veldt
Moderator OpenCart Forums
You can advise abuse@gmail.com and abuse@msn.com of his addresses there. A general search for his name(s) yields quite a few of him, either wearing different hats or as different people in fact.
You can check your server's logs (for traffic, statistics, whatnot) for his address(es) and regional server(s). That may give you an idea of how long he took to figure out what where.
You can block that address in .htaccess; and if you do not want or need orders from that region, then you can moreover block address ranges. Check your encryption key (inside the admin panel) to ensure that you neither left it, nor he changed it back to, anything as simple as "12345". Change the database password, too, while you're at it (if you haven't already), and be especially careful where the username "root" is allowed to appear anywhere. If your virtual server is under the auspices of Amazon or any other provider that has data centers strewn around the globe, you might as well tell their support what you know (and will presently learn), so that they can check subtleties in their own way.
PayPal's computers will not forget him or suspiciously similar ones (even now, look at the e-mail names); he may have been flagged without enough in the bag to nail him dead to rights; laws and locations may have made the latter completely impractical.
The documentation and forums for the software for forums, blogs, carts, routers, whatever, are for the owners' benefit but, of course, hackers know to look there for how to get in.
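The reply above suggests two concrete steps: pull the suspect's requests out of the web server log to see when he first reached the admin area (and what he did just before), and then deny his address in .htaccess. The script below is an added example that is not part of this thread; the access-log lines are constructed, the IP 203.0.113.45 is a documentation-range placeholder standing in for the real address, and the OpenCart admin route names it matches on (`sale/coupon`, `payment/`, `setting/setting`) are assumptions chosen to illustrate the coupon and PayPal changes the original post describes.

```shell
#!/bin/sh
# Added example: triage an Apache "combined" access log for one suspect IP,
# flag requests that touched sensitive OpenCart admin routes, and emit an
# .htaccess deny rule for that address.
# Everything below the IP is constructed sample data; the route names are
# assumptions for illustration, not a verified list of OpenCart routes.

SUSPECT_IP="203.0.113.45"   # placeholder (TEST-NET-3), not a real attacker address

# Constructed sample log in Apache "combined" format.
SAMPLE_LOG=$(cat <<'EOF'
198.51.100.7 - - [15/Dec/2012:10:02:11 +0000] "GET /index.php?route=product/product&product_id=40 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Dec/2012:10:15:03 +0000] "POST /index.php?route=account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Dec/2012:10:17:40 +0000] "GET /admin/index.php?route=sale/coupon&token=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Dec/2012:10:18:02 +0000] "POST /admin/index.php?route=sale/coupon/insert&token=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Dec/2012:10:20:55 +0000] "POST /admin/index.php?route=payment/pp_standard&token=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2012:10:21:00 +0000] "GET /admin/index.php?route=common/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
)

# Print every request from one IP, in log order: timestamp, method, path, status.
# The first /admin/ hit is when access began; the lines before it are the
# best hint of how it was obtained (storefront login, probing, etc.).
timeline_for_ip() {
    ip="$1"
    awk -v ip="$ip" '$1 == ip { print $4, $6, $7, $9 }'
}

# Count the suspect's requests that hit admin routes for coupons, payment
# settings or store settings (route names are assumptions, see above).
count_sensitive_hits() {
    ip="$1"
    awk -v ip="$ip" '
        $1 == ip && $7 ~ /\/admin\/.*route=(sale\/coupon|payment\/|setting\/setting)/ { n++ }
        END { print n + 0 }'
}

# Emit an Apache 2.2-style deny rule suitable for .htaccess.
htaccess_deny_rule() {
    printf 'Order Allow,Deny\nAllow from all\nDeny from %s\n' "$1"
}

printf '%s\n' "$SAMPLE_LOG" | timeline_for_ip "$SUSPECT_IP"
printf 'sensitive admin hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_sensitive_hits "$SUSPECT_IP")"
htaccess_deny_rule "$SUSPECT_IP"
```

Run it against a real log with `cat /var/log/apache2/access.log | timeline_for_ip 1.2.3.4` after sourcing the functions, and widen the `awk` filter to a whole range (or a `/24` prefix match on `$1`) if the reply's suggestion of blocking a region applies. On Apache 2.4 the equivalent of the emitted rule is `<RequireAll> Require all granted  Require not ip 203.0.113.45 </RequireAll>`; either way, an IP block is a speed bump, not the fix, so it belongs alongside the password, encryption-key and database-credential changes the reply lists.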