HACKING of S-Mart

greenspun.com : LUSENET : S-Mart Shopping Cart : One Thread

Earlier this evening I received several messages on both my pager and cellular telephone indicating an attempted hacking of my online site.

The thing that disturbs me most is that whoever the person responsible for the attempted break-in is, they are VERY familiar with the S-Mart shopping script. This was apparent from the files they tried to gain access to.

So far the person's location has been traced down to Orange County, California, or at least it appears this way from the log files, which have all been downloaded and are now in the hands of network engineers who will be tracing this down until we find the person or persons responsible.

The most disturbing part of the attack is that it came from someone with a good deal of knowledge of the S-Mart software script. They knew which files to look for to gain access into system areas such as the smartadmin script. Since this is a server owned by my company, the smartadmin does not even reside on this same machine, for security purposes, fortunately. NONE of the files with any types of customer info like names, addresses, credit card #'s, etc. remain online. They are all sent into an offline database which is not accessible via the internet.

The bad part is that the person responsible is probably someone among our group, considering the working knowledge of the script. I am writing this as a warning to all to be very aware that this person does exist and quite possibly is trying to hack your system as you read this message. It is really a shame. You work hard and try to build a business, spending countless hours of your time and every last penny of money, and somebody comes along trying to screw it up for you. If you are the person responsible and are reading this, I hope that you will move on to other targets, as everyone in this group is just trying to help one another and make a living.

Between security monitoring logs, network system logs, and site server logs, the team of engineers working on this issue will track down the person responsible. If any damage does occur, the person responsible can count on the fact that we will prosecute and take every last penny that they can ever hope to make in their lifetime. A clear message must go out that all of us who run legitimate, honest websites are not going to take these types of actions by the hackers of this world.

I'll leave you now simply with the advice to watch your logs and protect your servers. There is an enemy somewhere out there, possibly among us.

-BP

-- BP (bppilot@aol.com), February 19, 2000
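The advice in the post above to watch your logs, as an added example that is not part of this thread and not code from the S-Mart distribution: a small Python scan over constructed Apache-style access-log lines that flags the two things BP describes, requests aimed at the smartadmin script and a burst of 404s from one client (someone guessing at script and data file names). The `/cgi-local/smart/` directory is taken from the demo URL later in the thread; the `smartadmin.cgi` filename and the other probed file names in the sample are assumptions made up for the example, not known S-Mart paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NCSA "combined"/"common" access-log line, the format most CGI hosts wrote.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that identify the shop-owner-only admin script. The name
# "smartadmin" is from the post; treating it as a URL substring is an assumption.
ADMIN_MARKERS = ("smartadmin",)

# Constructed sample log (not from any real server). The probed file names
# other than smart.cgi are invented for the sample.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2000:21:02:11 -0800] "GET /cgi-local/smart/smart.cgi HTTP/1.0" 200 5120
10.0.0.5 - - [19/Feb/2000:21:02:14 -0800] "GET /cgi-local/smart/smart.cgi?add=1 HTTP/1.0" 200 4880
192.0.2.77 - - [19/Feb/2000:22:15:01 -0800] "GET /cgi-local/smart/smartadmin.cgi HTTP/1.0" 404 210
192.0.2.77 - - [19/Feb/2000:22:15:03 -0800] "GET /cgi-bin/smart/smartadmin.cgi HTTP/1.0" 404 210
192.0.2.77 - - [19/Feb/2000:22:15:04 -0800] "GET /cgi-local/smart/orders.txt HTTP/1.0" 404 210
192.0.2.77 - - [19/Feb/2000:22:15:06 -0800] "GET /cgi-local/smart/smart.cfg HTTP/1.0" 404 210
10.0.0.9 - - [19/Feb/2000:22:40:00 -0800] "GET /favicon.ico HTTP/1.0" 404 180
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def parse_log(text):
    """Parse every well-formed line; silently skip anything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_admin_probes(entries):
    """Any request whose URL names the admin script, whatever status it got."""
    return [
        (e["ip"], e["path"], e["status"])
        for e in entries
        if any(marker in e["path"].lower() for marker in ADMIN_MARKERS)
    ]


def find_404_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Clients that collected `threshold` or more 404s inside `window`.

    A normal visitor produces a stray 404 now and then; a run of them in a
    short span is someone guessing at file names. Sliding window per client.
    """
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def scan(text):
    """Run both checks over raw log text and return the findings."""
    entries = parse_log(text)
    return {
        "admin_probes": find_admin_probes(entries),
        "scan_bursts": find_404_bursts(entries),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(key, value)
```

The two checks are deliberately independent: a request for the admin script is worth a page even when it returns 404 (as it would on a host where, as BP describes, the admin script has been moved to another machine), while the 404 burst catches guessing at files you never knew to list. Tune `threshold` and `window` to your own traffic before paging on it.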

Answers

We run our entire demonstration cart on an SSL server. LOOK:

https://ssl4.domainnameservers.net/hosth2/cgi-local/smart/smart.cgi

It only runs a little slower. TRY IT OUT.

-- Gregory Swofford (computer@web-store.net), February 19, 2000.
