The Equifax breach information page has some interesting root cause analysis:
- The Apache Struts vulnerability the attackers used was identified and disclosed by US-CERT in early March 2017.
- The attack ran from May 13 to July 30, 2017.
Had Equifax patched promptly after the CERT advisory, this whole thing might not have happened.
If you read the page “Important Security Recommendations” in the docs folder of your Zen Cart installation, you’ll see that SFTP is recommended over FTP for transferring files.
Why is that?
The reason is simple: FTP sends your password (and everything you upload or download) in clear text over the Internet, which means anyone who can see the traffic can read it. SFTP runs inside an encrypted SSH session, so a snooper gets nothing usable. And if you are using WiFi, particularly in a public place, snooping is really easy! So don’t use FTP!
What do you need to do to use SFTP? Just two things:
- A client for your PC that can use SFTP. The one Zen Cart recommends, which is excellent, free and runs on Windows, is WinSCP. If you are on a Mac, look at Transmit. If you use Linux, gFTP is in most distros’ package repositories, and the command-line sftp client that comes with OpenSSH works too.
- The server settings for SFTP. You may need to ask your hoster to enable SFTP, and you’ll need the port number. The default SFTP port is 22 (it is the SSH port), but many hosters use a different one, so check with your hoster. When you connect for the first time, your client will show the server’s host key fingerprint; confirm it with your hoster before accepting it, since a fingerprint that does not match may mean you are not talking to your server at all.
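To make the clear-text point concrete, here is an added example (mine, not from the original post or from Zen Cart) that runs the kind of trivial parsing a snooper’s tool does over two constructed captures: the control channel of an FTP login and upload, and the same session done over SFTP. The user name, password, server banner and file names in the samples are made up.

```python
import re
from typing import List, Tuple

# Constructed sample (not a real capture): the bytes a sniffer on shared WiFi
# sees on the FTP control connection (TCP/21) while a shop owner logs in and
# uploads a file. Names and password are made up.
FTP_CAPTURE = (
    b"220 FTP server ready.\r\n"
    b"USER shopadmin\r\n"
    b"331 Password required for shopadmin\r\n"
    b"PASS correct-horse-battery\r\n"
    b"230 User shopadmin logged in\r\n"
    b"CWD /public_html/includes\r\n"
    b"TYPE I\r\n"
    b"STOR configure.php\r\n"
)

# Constructed sample of the same login over SFTP. Only the SSH version banner
# is clear text; the arbitrary bytes after it stand in for the encrypted
# session that follows the key exchange.
SFTP_CAPTURE = (
    b"SSH-2.0-OpenSSH_7.4\r\n"
    + bytes([0x00, 0x00, 0x04, 0x1C, 0x0A, 0x14])
    + bytes(range(0x80, 0xFF))
)

FTP_LOGIN_CMD = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)


def sniff_ftp_credentials(payload: bytes) -> List[Tuple[str, str]]:
    """Return every (user, password) pair visible in a control-channel payload.

    FTP (RFC 959) commands are CRLF-terminated text, so a USER line followed
    by a PASS line hands over the login with no decryption at all.
    """
    creds: List[Tuple[str, str]] = []
    pending_user = None
    for line in payload.decode("latin-1").split("\r\n"):
        m = FTP_LOGIN_CMD.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            creds.append((pending_user, arg))
            pending_user = None
    return creds


def identify_protocol(payload: bytes) -> str:
    """Classify a payload as 'ftp', 'ssh' (what SFTP runs over) or 'unknown'."""
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"^\d{3}[ -]", first_line):  # FTP replies start with a 3-digit code
        return "ftp"
    return "unknown"


if __name__ == "__main__":
    for name, capture in (("FTP", FTP_CAPTURE), ("SFTP", SFTP_CAPTURE)):
        print(f"{name}: protocol={identify_protocol(capture)} "
              f"credentials={sniff_ftp_credentials(capture)}")
```

The FTP capture gives up the login to a one-line regular expression; the SFTP capture yields nothing past the SSH version banner, because the rest of the session is encrypted. The same goes for file contents: FTP’s data connection is plain text too, so the configure.php you upload (with your database credentials in it) travels in the clear.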
If you’re running a version of Zen Cart prior to 1.3.9, you must, must, must apply the known critical patches for your Zen Cart version. I came across a site just this weekend that had the earliest version of this hack I had ever seen. Going to Admin->Extras->Record Companies showed this in the right-hand sidebar:
Pressing the edit button on this shows that it’s not an image at all, but rather a PHP file called “own.php”:
This was done on 6/25/09; the announcement of the vulnerability was made on 6/19/09.
The best way to prevent this from happening to you is to upgrade to the latest version of Zen Cart!
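The symptom above, a PHP file sitting where only an image should be, is also easy to check for. Here is an added example (mine, not from the original post and not part of Zen Cart) that scans an images directory and flags any file with a non-image extension, no recognisable image header, or a PHP open tag anywhere in its first 64 KB. It builds its own constructed sample directory so it runs offline; to use it for real, point scan_images_dir at your shop’s images folder (the path and the sample file names here are assumptions).

```python
import os
import re
import tempfile
from typing import Dict, List

# Magic bytes for the image formats a shop's images directory should contain.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
# PHP open tags, including the short echo tag; case-insensitive like PHP itself.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HEAD_BYTES = 64 * 1024


def classify_file(path: str) -> List[str]:
    """Return the reasons (possibly none) a file does not belong in an images folder."""
    findings: List[str] = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if ext not in IMAGE_EXTS:
        findings.append(f"non-image extension {ext or '(none)'}")
    if not head.startswith(IMAGE_MAGIC):
        findings.append("no recognised image header")
    if PHP_OPEN_TAG.search(head):
        findings.append("contains a PHP open tag")
    return findings


def scan_images_dir(root: str) -> Dict[str, List[str]]:
    """Walk an images directory; map each suspicious file (relative path) to its findings."""
    suspicious: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = classify_file(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                suspicious[rel] = findings
    return suspicious


def build_sample_dir() -> str:
    """Constructed sample directory (an assumption, not a real shop): one
    genuine-looking PNG, one bare PHP script uploaded where an image was
    expected, and one PHP script hiding behind a GIF header and .gif extension.
    The PHP bodies are harmless stand-ins, not the real uploaded file."""
    root = tempfile.mkdtemp(prefix="images_")
    os.makedirs(os.path.join(root, "records"))
    with open(os.path.join(root, "records", "label.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "records", "own.php"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for an uploaded script */ ?>\n")
    with open(os.path.join(root, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 16 + b"<?php /* hidden behind an image header */ ?>")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, why in sorted(scan_images_dir(sample).items()):
        print(f"{rel}: {', '.join(why)}")
```

Checking the header as well as the extension matters: the third sample file would pass an extension-only filter and still be executable if the web server is ever told to treat it as PHP. A clean scan is not proof of a clean site, but a hit in an images folder is a very strong signal, and running this from cron against a site that still takes uploads is cheap.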
It’s very important to stay on top of Zen Cart Security Announcements. Follow that link and then click on the link that says “Click here to subscribe to these announcements.”
And while you’re at it, subscribe to That Software Guy’s Zen Cart Newsletter. I nag people to stay on top of things like this!
TJ Maxx is being ordered to hold a one-day “we got hacked” sale as part of their punishment for lax data security. Tip to shoppers: pay with cash. 🙂
Interspire (formerly StoreSuite) was found to have an XSS vulnerability. It takes time to armor against these things; hopefully they’re doing that now.