As we alerted all SunShop users last month (Jan 2014), it recently came to our attention that an individual was targeting SunShop stores in an attempt to collect sensitive customer data such as credit card information. In the last few days, we have learned that the attacker is in fact accessing shops through FTP and not through any exploit in SunShop or PHP. Because of this, we wanted to send out an immediate alert on how to determine if your shop is at risk and how to prevent and stop any attacks on your site.
We want to reiterate that SunShop does not currently have any known vulnerabilities and that all customer data stored within the database is secure. In fact, this attacker has only been successful in modifying SunShop payment modules to send himself credit card information before it is encrypted and stored in the database.
IMPORTANT: Please note that we recommend everyone change your FTP account / Control Panel passwords and admin login information ASAP. This is especially important for those that have ever sent FTP details to us via tickets or anyone else outside of their company.
What to Look For (New):
As we stated in our last email, the "404.php" in your files is the most common file found. Once the "404.php" is uploaded, the attacker checks to see if you are collecting credit card information and then proceeds to modify either your payment module file or the credit card payment method file to insert their code. Since our last communication on the issue, the attacker has started encrypting the files so that our previous file checker no longer returns hacked results. We have since updated the checker to check for encrypted files that should not be encrypted. For this reason, it is important that you run the checker again.
To check your SunShop install, download the following file and place it in your SunShop root directory. After it is unzipped and uploaded, run the file from your browser to check the results.
How to Monitor & Prevent:
In SunShop 4.4.0 and later, we have implemented a file scanning feature that will monitor your PHP files for any changes and notify you when they have been modified. For instructions and more information, please see the "Security Checks Cron Job" sections of the settings located at:
Settings -> Manage Settings -> Security Settings
If you need assistance in setting this up, please feel free to contact support.
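The two checks described above (a checker that flags packed PHP files that should be plain source, and a cron job that notices when PHP files change) boil down to a hash baseline plus a scan for obfuscation markers. The following is an added example written for this alert, not TWT's checker or SunShop's cron code; the eval/base64 and long-base64-run heuristics, the sample shop tree, and the file names are assumptions constructed for the demo.

```python
import hashlib, re, tempfile
from pathlib import Path

# Markers typical of packed PHP that has no business in a shop's source tree.
# These heuristics are an assumption for this example, not TWT's checker logic.
EVAL_WRAPPER = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each .php file (POSIX-style relative path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*.php"))}

def looks_obfuscated(path: Path) -> bool:
    text = path.read_text(encoding="latin-1")
    return bool(EVAL_WRAPPER.search(text) or LONG_BASE64.search(text))

def scan(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline and flag new, changed, removed and packed files."""
    current = build_baseline(root)
    report = {"added": [], "modified": [], "removed": [], "obfuscated": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        if looks_obfuscated(root / rel):
            report["obfuscated"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report

def demo() -> dict:
    """Constructed sample shop: take a baseline, then simulate the tampering the
    alert describes (a dropped 404.php and a rewritten payment module)."""
    root = Path(tempfile.mkdtemp())
    module = root / "modules" / "payment" / "example_gateway.php"  # hypothetical file name
    module.parent.mkdir(parents=True)
    module.write_text("<?php\nfunction charge($card) { return gateway_post($card); }\n")
    (root / "index.php").write_text("<?php require 'modules/payment/example_gateway.php';\n")
    baseline = build_baseline(root)  # in practice, store this and re-scan from cron
    # Simulated tampering (constructed, harmless content): packed-looking stub plus a new file.
    module.write_text('<?php eval(base64_decode("ZWNobyAxOw==")); function charge($card) {}\n')
    (root / "404.php").write_text("<?php echo 'not found';\n")
    return scan(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A real deployment would keep the baseline outside the web root (it is useless if the attacker can rewrite it over the same FTP account) and refresh it only after a deliberate upgrade.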
Beef Up Security:
It is always a good idea to make sure you have security measures in place should your site be compromised in any way. We always recommend checking your admin accounts within SunShop regularly to make sure that there are no unauthorized accounts. Additionally, you should delete any unused accounts and change your passwords on a regular basis. It is also a good idea to use the .htaccess credentials available on the “Security Settings” screen to add an additional layer of security to your admin directory.
Because of our recent finding that access was gained through FTP, everyone is encouraged to change your FTP and control panel passwords immediately to avoid any possibility of compromise.
Attention TWT / TWH Hosting Customers:
If you are hosted with TWT or Turnkey Web Hosting, please note that you should not need to take any further actions. We have already scanned our servers and we monitor our servers for malicious files on a daily basis.
How to Get Help:
If you should need assistance with any of this, please feel free to contact support. We will assist anyone with the above tasks no matter what your support status is, so please feel free to contact us at firstname.lastname@example.org or open a ticket at http://www.twt-inc.com/support-redirect.html.
Tuesday, February 11, 2014