TOPIC: [SOLVED] Security Hole - Need Assistance. Urgent Please.
13 years 7 months ago #12921
gswahhab
Topic Author
Visitor
Hello,
We have DT Donate 2.22 installed and someone seems to be using it with a script to try and process mass amounts of credit cards through dt-donate. I am upgrading to 2.23a right now but I didn't see a changelog for it other than a few new features added.
When I look at the raw access logs for the site it doesn't even show anyone accessing the component.
They are trying to process hundreds of credit cards per hour and just charging .10 or so to see if they are valid cards or not.
The sheer amount being processed and the fact no access is being shown in the raw log leads me to believe there must be a vulnerability.
Any help is appreciated. I will also be installing RSFirewall and we are running the latest version of Joomla.
I had the same problem yesterday. I saw a single card process through DTdonate for $ .10. Authorize.net then saw a load of .10 donations which failed with a general error.
Authorize.net disabled my account due to the flood of transactions. The hacker used DTdonate to process a valid transaction, steal my credentials and go directly to authorize.net from some other server.
There must be a way a hacker can run a transaction in dtdonate for authorize.net and see the credentials. Strange two of us reported the same problem. Probably happened to others but nobody realized the relationship or just did not report it.
Guys... sorry this thread wasn't replied to before, but this issue has already been addressed. Upgrade to 2.2.4 and you'll find this can't happen anymore. Also, the IP address is now captured also. Notification of this update went out on email and also has been posted here in the forum (announcements category).
dthadmin wrote: Guys... sorry this thread wasn't replied to before, but this issue has already been addressed. Upgrade to 2.2.4 and you'll find this can't happen anymore. Also, the IP address is now captured also. Notification of this update went out on email and also has been posted here in the forum (announcements category).
I did the upgrade and added the security image; it happened again. Now that I have the IP address I blocked it in htaccess.
I would like to suggest that if a number of failed requests come in from the same address in a short period of time, some form of logging, blocking and notification be implemented. There is no logging of failed requests on the DTdonate side; the only place you see anything is on Authorize.net.
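The per-address check suggested in the post above, sketched as an added example (not part of the thread and not DT Donate's code). It assumes the site records every donation attempt as (timestamp, IP, amount, approved); the window, threshold, amount cut-off and sample records are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_FAILURES = 5                 # assumed number of declines per IP per window
SMALL_AMOUNT = 1.00              # assumed cut-off for probe-sized donations


def flag_card_testing(attempts, window=WINDOW, max_failures=MAX_FAILURES,
                      small_amount=SMALL_AMOUNT):
    """Return {ip: time the threshold was first crossed}.

    attempts: iterable of (timestamp, ip, amount, approved), sorted by time.
    Only declined, small-amount attempts count toward the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent small declines
    flagged = {}
    for ts, ip, amount, approved in attempts:
        if approved or amount > small_amount:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts              # point at which to log, block, notify
    return flagged


def sample_attempts():
    """Constructed sample data (documentation IP ranges), not real logs."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [(t0, "203.0.113.7", 0.10, True)]   # one approved $0.10 donation
    # burst of declined $0.10 attempts from the same address, 30 s apart
    rows += [(t0 + timedelta(seconds=30 * i), "203.0.113.7", 0.10, False)
             for i in range(1, 9)]
    # ordinary donor: one declined attempt, then a successful retry
    rows += [(t0 + timedelta(minutes=1), "198.51.100.20", 25.00, False),
             (t0 + timedelta(minutes=2), "198.51.100.20", 25.00, True)]
    # declines an hour apart never accumulate inside one window
    rows += [(t0 + timedelta(hours=i), "198.51.100.99", 0.10, False)
             for i in range(1, 5)]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for ip, when in flag_card_testing(sample_attempts()).items():
        print(f"ALERT {ip}: {MAX_FAILURES} small declines within {WINDOW} at {when}")
```
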
13 years 3 months ago #14161
gswahhab
Topic Author
Visitor
I'm not sure if this is the case or not. Someone had mentioned that the api id / transaction keys were compromised. You may want to reset your transaction key if you haven't already.
I don't know if this is what actually was compromised or not.