
Urgent Zen Cart News

I apologize for a second email but something has come to my notice that I wanted you to know immediately.

A Zen Cart website belonging to one of my clients was hacked this morning. The entry was something that is hard to prevent - the use of a password that had gotten compromised in the past. It didn't have to be compromised on that website but could have easily been compromised on another website.

I'm sure there are some massive databases out there with lots of information that can be used by hackers, so even if a hack you might have been subjected to was at some other firm (my health insurance company!), it could be at large more than you realize. Do not think you are immune.

Using a massive automated tool, the hackers were able to gain access to an admin account with john as the user (very generic, right?). He had not logged in in a while, so it triggered the automatic password reset, which allowed the bot to continue and log in. These are automated attacks, and with success comes more automated attacks, so I expect to hear of more of these types of hacks.

That's not the worst part. Once in, the hacker was able to upload files that were intended to hack the entire server. This particular situation can potentially happen in any website prior to 1.5.5f.

One thing I do recommend is to take a look at your admin users. Is there anyone no longer with your organization? Are there any you don't recognize? Has it been a long time since a person logged in? In all cases, actually deleting that user makes sense. Of course, you can also do the password resets yourself on anyone you choose to lessen this possibility. Also, think about changing user names. John is just too easy!
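One way to run that review over an export of your admin accounts (an added example, not part of the original email and not Zen Cart code; the column names, the staff list, the generic-name list and the 90-day cutoff are all assumptions to adjust for your store):

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of a store's admin accounts. The column names
# (admin_name, admin_email, last_login_date) are assumed; match them to
# whatever your own export contains.
SAMPLE_EXPORT = """admin_name,admin_email,last_login_date
john,john@example.com,2018-03-02 09:14:00
storeowner_mk,mk@example.com,2019-05-28 16:40:00
webdev_old,dev@example.net,2017-11-19 08:05:00
admin,owner@example.com,2019-05-30 11:22:00
neverused,temp@example.com,
"""

# Hypothetical roster of people who should still have admin access.
CURRENT_STAFF = {"john", "storeowner_mk", "admin"}
# Illustrative list of user names that are easy for automated tools to guess.
GENERIC_NAMES = {"admin", "administrator", "john", "test", "user", "owner"}

def audit_admins(export_text, staff, today, stale_days=90):
    """Return {admin_name: [reasons]} for every account that needs review."""
    cutoff = today - timedelta(days=stale_days)  # 90 days is an assumed threshold
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["admin_name"].strip()
        reasons = []
        if name.lower() not in staff:
            reasons.append("not on current staff list: delete")
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic user name: rename")
        last = (row["last_login_date"] or "").strip()
        if not last:
            reasons.append("never logged in: delete or reset password")
        elif datetime.strptime(last, "%Y-%m-%d %H:%M:%S") < cutoff:
            reasons.append("no login in over %d days: delete or reset password" % stale_days)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    report = audit_admins(SAMPLE_EXPORT, CURRENT_STAFF, datetime(2019, 6, 1))
    for name, reasons in report.items():
        print(name + ": " + "; ".join(reasons))
```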

So my recommendation that you can wait to upgrade from 1.5.4 to 1.5.5 has changed to "just do it." It's really been a long time since I've had to be firm about this, but now's the time to upgrade. I prefer to upgrade to 1.5.5f, not to 1.5.6. I will upgrade anyone who asks to 1.5.6, but I cannot promise your mods will work afterwards, nor can I guarantee that version as I normally do. Also, it is really specific about which versions of PHP it can run on, and it may not work well on your server.

I guarantee upgrades to 1.5.5f completely. But if you upgrade to 1.5.6 instead, I do not guarantee a full upgrade, as the version seems to be still in flux. In other words, if an updated version is released, I will not upgrade you from 1.5.6b to another 1.5.6 level for free.

Maintenance clients get a nice discount. Other clients will be able to save, especially if I did your last upgrade. New clients will have to pay the full freight of both a site evaluation and an upgrade. If a site eval shows that your site can be easily upgraded, you will be credited part of the eval fee for the upgrade. Contact me for more specific upgrade pricing for your website. If you will need to do a site eval first, here's the information and payment links:
https://wiztech4zc.com/zen-cart-site-evaluations.php
To register/pay:
https://wiztech4zc.com/hosting/cart.php?a=add&pid=25


 
Copyright © 2019 WizTech, Inc., All rights reserved.

