Been hacked using Zen Cart?

mit74

Recently set up a Zen Cart site that got hacked and used for phishing within 2 months. Logs show at least 4 attempts before then. Has anyone else had their Zen Cart sites hacked, or is it a problem for all open source software?
 

CaterTrade

It's a problem with all well-known, widely distributed site software. Just make sure you are running the latest version and change your passwords regularly. Also sign up to Google Webmaster Tools, as there's a malware reporting tool there. Something Matt Cutts mentioned in his SEO video I watched earlier is that some phishing scripts only appear for certain people or only if the referrer is a search engine, so you alone might never know it's there.
 
It's a problem for any software, although open source is more at risk, I suppose, since hackers have access to all the source code. All you can do is make sure you stay up to date with patches/upgrades and make sure your server is secure and, again, that all software is updated and files/folders have correct permissions.
 

mit74

> It's a problem for any software, although open source is more at risk, I suppose, since hackers have access to all the source code. All you can do is make sure you stay up to date with patches/upgrades and make sure your server is secure and, again, that all software is updated and files/folders have correct permissions.


Yeah, the site was 2 months old, so pretty up to date. A known password recovery exploit was used. I think in future I'll add my own extra code to them. Even simple extra security code may stump a hacker, as he's not expecting it.
 

Andy Walpole

> Something Matt Cutts mentioned in his SEO video I watched earlier is that some phishing scripts only appear for certain people or only if the referrer is a search engine, so you alone might never know it's there.

Yeah, some scripts only show for Google, which is why in the Webmaster Tools section you have the "Fetch as Googlebot" option: you can see the source code as Google would see it.
 

downsouth

Yes, last night in fact. An order came in but no notification from PP; it took a little digging, but I found a 'random' email address in the PP settings for payment.

Just about to contact PayPal to have a discussion on what the customer can do (they have since paid me correctly).

Since changed all my passwords (even though stupidly hard to guess) and deleted the 'admin' type account this person created!!!
 

14Steve14

I know this may not help you, but Zen Cart is based on osCommerce. There are many hacks for these sites, and it's easy to do apparently. I run an osCommerce store, which has never been hacked since the first time. In the osCommerce forum there are some very good posts on stopping hacks. There may be some on the Zen Cart forum.

Good luck with your venture.
 

MartCactus

Most if not all of these types of hacks use SQL injection. It's very serious because if there is a vulnerability the bad guy has pretty much complete access to your database.

http://en.wikipedia.org/wiki/SQL_injection

If you pick a shopping cart that uses "parameterized queries" this will be immune to such attacks.

http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

It looks like they've at least discussed it at oscommerce.

http://forums.oscommerce.com/topic/299236-proposal-achieving-100-immunity-to-sql-injection/

Any modern shopping cart should be using such queries - there is no reason any site should suffer SQL injection attacks when the solution is already out there.

The next important point is MAKE SURE YOUR DEVELOPER KNOWS ABOUT SQL INJECTION. We've seen several cases of sites running our software being hacked because the developer introduced SQL injection vulnerabilities with their own modifications, presumably because they didn't understand how to code the queries properly.
 
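The contrast MartCactus draws above, as an added example that is not from the original thread, Zen Cart or osCommerce: a password-recovery style lookup of a customer by e-mail address, written once by concatenating the user's input into the SQL text and once with a parameterized query. It runs offline against a constructed in-memory SQLite table using Python's built-in sqlite3 module; the table name, columns, sample rows and the tautology payload are assumptions for the demonstration, not Zen Cart's schema or the particular exploit mit74 mentions.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a shop's customer
# table. The schema and rows are assumptions for this example, not a real cart's.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "hash-alice"),
    ("bob@example.com", "hash-bob"),
]

# Classic tautology payload an attacker might type into an e-mail field.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create and populate the in-memory database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def find_for_reset_vulnerable(conn, email):
    """Password-recovery lookup built by string concatenation.

    The user-supplied value is spliced into the SQL text, so a single quote in
    it closes the string literal and whatever follows is parsed as SQL. With
    PAYLOAD the WHERE clause becomes  email = 'x' OR '1'='1'  and matches
    every row.
    """
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_for_reset_parameterized(conn, email):
    """The same lookup using a placeholder.

    The statement text is fixed; the value is handed to the engine separately
    and compared as data, so it is never parsed as SQL whatever characters it
    contains. PAYLOAD simply fails to match any real address.
    """
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups with a normal address and with the injection payload."""
    conn = make_db()
    return {
        "normal_vulnerable": find_for_reset_vulnerable(conn, "alice@example.com"),
        "normal_parameterized": find_for_reset_parameterized(conn, "alice@example.com"),
        "payload_vulnerable": find_for_reset_vulnerable(conn, PAYLOAD),
        "payload_parameterized": find_for_reset_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the PHP carts discussed in this thread the equivalent of the `?` placeholder is a prepared statement (mysqli `prepare` with `bind_param`, or PDO `prepare` with bound values). The protection applies only to the statements that actually use it: a single hand-written concatenated query added in a customisation, the case MartCactus describes, is enough to reopen the hole.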
