Login database at your store hacked?

Status
Not open for further replies.
If they got the usernames and pw, then they could have executed a script to login to all the accounts and grab the rest of the data in the account. So yes, your PAL number, address, etc. could definitely be out there. Great for criminals wanting to know where firearms might be located. Very unimpressed.
 
Good post, thanks again for your insights on this. I can handle a password and email breach. (happens all the time)

It's the address that makes me cringe. (since it's a gun-related retailer) it's a bit worrisome for obvious reasons. I haven't found any evidence of other data yet (addresses, credit cards)
Hoping it was a low level SQL injection.

All I can say is, CanAmmo really needs to secure their box, last hop seems to be LunaNode Hosting, secure your box...

Not shown: 983 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1500/tcp closed vlsi-lm
3306/tcp closed mysql
5432/tcp closed postgresql
35500/tcp closed unknown

Also more great information!

I'm assuming it's just a DB Exploitation just due to the amount of attempts that are in the dataset that was released. Like this for example:

78871,"","';print(md5(31337));$a='",$P$BVa/PFPrKxEJs5klJzyJMP5LxZufXn1,"",2021-03-28 02:52:43,2021-03-28 02:53:41,"",3120206955,
78872,"",""";print(md5(31337));$a=""",$P$Bw.3U38D.hSq6pN/0LqpfgKxm3JcPI.,"",2021-03-28 02:52:44,2021-03-28 02:53:42,"",3120206955,
78873,"",${@print(md5(31337))},$P$BN8Bz0h8.JyW1/apLXxQtcqnkLYxLK.,"",2021-03-28 02:52:45,2021-03-28 02:53:42,"",3120206955,
78874,"",${@print(md5(31337))}\,$P$B.9purcRVjTeUaq.ar9er4dM40Wyc60,"",2021-03-28 02:52:46,0000-00-00 00:00:00,"","",
78875,"",'.print(md5(31337)).',$P$B..JRNXtLE1bVBP2FPb807HZkvjCDr0,"",2021-03-28 02:52:47,2021-03-28 02:53:44,"",3120206955,
78876,"",-1 OR 2+133-133-1=0+0+0+1 -- ,$P$B86SKsV8Nc0wHruH2vZkokeoPK2FSV1,"",2021-03-28 03:05:28,2021-03-28 03:05:29,"",3120206955,
78877,"",-1 OR 2+883-883-1=0+0+0+1,$P$Bn.k34t7gzetAhd.Mbxj8d00wxy9mY/,"",2021-03-28 03:05:30,2021-03-28 03:05:31,"",3120206955,
78878,"",-1' OR 2+141-141-1=0+0+0+1 -- ,$P$BDVbZHCmoxyMXDxd15IAWP27w3YZWo1,"",2021-03-28 03:05:31,2021-03-28 03:05:32,"",3120206955,
78879,"",-1' OR 2+231-231-1=0+0+0+1 or 'FmKvjEhw'=',$P$BXg/VllIaafPzt5V3qc6M7mLvB0jCP/,"",2021-03-28 03:05:32,2021-03-28 03:05:33,"",3120206955,
78880,"","if(now()=sysdate(),sleep(15),0)",$P$Bh9Edoq8Ksqbd8pT8ZIIfZ0Le0BL37.,"",2021-03-28 03:05:56,2021-03-28 03:05:56,"",3120206955,
78881,"","0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z",$P$Bxqiez0IRrIQAuFcc55uR5NS7Sx9gL0,"",2021-03-28 03:06:12,2021-03-28 03:06:12,"",3120206955,
78882,"","0""XOR(if(now()=sysdate(),sleep(15),0))XOR""Z",$P$BRLA9y3i2M451eJPCukt4zeLEGQwHX.,"",2021-03-28 03:06:29,2021-03-28 03:06:29,"",3120206955,
78883,"","(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'""+(select(0)from(select(sleep(15)))v)+""*/",$P$B73ZBdkXfbpBHcwi8nlVXgT0X3Ug7T0,"",2021-03-28 03:06:49,2021-03-28 03:06:50,"",3120206955,
78884,"",1 waitfor delay '0:0:15' -- ,$P$Bpv4z22ZAM0e.kwk4RGtBTxUPVBzt.1,"",2021-03-28 03:07:06,2021-03-28 03:07:07,"",3120206955,

Checking the timestamps here from the registration date shows it's a botnet trying exploits continuously. The fact that this is in the database and nobody was cleaning it out as those are definitely potentials for points of re-entry shows that the IT Team or Web team is not very proactive on their Cyber Security protocols here.

The database is also in alphabetical order until RowID 9516 - This shows that there was a data migration as all the previous DB Rows are in alphabetical order. This means we can conclude that 2012-06-17 was the date that this database has been used in production along the same system for the duration of the past 10 years. We then can see via the sourcecode that the theme itself being used is called "canadaammo-2014". The website is using the Foundation framework for the development of this.

Here's another link for some more interesting info on the legacy of this website - https://www.canadaammo.com/info.php

PHP Version 5.6.40

PHP Version 5.6 End of Life: 31 Dec 2018 (3 years, 3 months ago)

Basically, doesn't matter how many ports are opened or closed, or how much development could be done. Any high school kid googling a 5.6.40 exploit can cause some harm.
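For anyone doing the same triage on a dump like this from the defender's side, here is a small Python script, added as an example and not code from the thread or from the retailer. It parses rows in the layout shown above (the column meanings, id / email / username / hash / registered / last login / source IP, are an assumption; the sample rows and hashes are constructed placeholders modelled on the dump), tags usernames that are obviously injection probes rather than people, groups the probes by source IP and registration time to show the "botnet hammering the signup form" pattern, and finds the row where the alphabetical ordering breaks, which is the migration boundary the post talks about.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows modelled on the leaked table's column layout:
# id, email, username, password hash, "", registered, last_login, "", ip, "".
# Column meanings are an assumption; hashes are placeholders, not real data.
SAMPLE_DUMP = """\
9001,"",adam,$P$PLACEHOLDER0,"",2012-06-17 09:00:00,2012-06-18 09:00:00,"",1010101010,
9002,"",brenda,$P$PLACEHOLDER1,"",2012-06-17 09:00:01,2012-06-18 09:05:00,"",1010101011,
9003,"",carl,$P$PLACEHOLDER2,"",2012-06-17 09:00:02,2012-06-19 11:00:00,"",1010101012,
9516,"",zoe,$P$PLACEHOLDER3,"",2012-06-17 09:00:03,2012-06-20 11:00:00,"",1010101013,
9517,"",marcus,$P$PLACEHOLDER4,"",2012-06-18 14:30:00,2012-06-18 14:31:00,"",1010101014,
78871,"","';print(md5(31337));$a='",$P$PLACEHOLDER5,"",2021-03-28 02:52:43,2021-03-28 02:53:41,"",3120206955,
78873,"",${@print(md5(31337))},$P$PLACEHOLDER6,"",2021-03-28 02:52:45,2021-03-28 02:53:42,"",3120206955,
78876,"",-1 OR 2+133-133-1=0+0+0+1 -- ,$P$PLACEHOLDER7,"",2021-03-28 03:05:28,2021-03-28 03:05:29,"",3120206955,
78880,"","if(now()=sysdate(),sleep(15),0)",$P$PLACEHOLDER8,"",2021-03-28 03:05:56,2021-03-28 03:05:56,"",3120206955,
78884,"",1 waitfor delay '0:0:15' -- ,$P$PLACEHOLDER9,"",2021-03-28 03:07:06,2021-03-28 03:07:07,"",3120206955,
"""

# Signatures of the scanner payloads seen in the dump. These only detect
# the probe strings in stored data; they do not tell you whether any succeeded.
PROBE_PATTERNS = {
    "php-code-injection": re.compile(r"print\s*\(\s*md5\s*\(", re.I),
    "boolean-sqli": re.compile(r"\bOR\b\s+[\d+\-]+\s*=\s*[\d+\-]+", re.I),
    "time-based-sqli": re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b", re.I),
}


def classify(username):
    """Return the sorted list of probe tags matching a username ([] for a real user)."""
    return sorted(tag for tag, pat in PROBE_PATTERNS.items() if pat.search(username))


def parse_dump(text):
    """Parse CSV rows into dicts; rows with too few columns or a bad date are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 9:
            continue
        try:
            registered = datetime.strptime(rec[5], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # e.g. a 0000-00-00 placeholder date
        rows.append({"id": int(rec[0]), "username": rec[2],
                     "registered": registered, "ip": rec[8]})
    return rows


def _summarise(group):
    return {"ip": group[0]["ip"], "count": len(group),
            "first": group[0]["registered"], "last": group[-1]["registered"],
            "tags": sorted({t for r in group for t in classify(r["username"])})}


def find_bursts(rows, max_gap_seconds=900, min_count=3):
    """Group probe registrations per source IP; consecutive probes closer than
    max_gap_seconds form one burst. Only bursts of at least min_count rows are kept."""
    flagged = sorted((r for r in rows if classify(r["username"])),
                     key=lambda r: (r["ip"], r["registered"]))
    bursts, current = [], []
    for r in flagged:
        if current and (r["ip"] != current[-1]["ip"] or
                        (r["registered"] - current[-1]["registered"]).total_seconds() > max_gap_seconds):
            if len(current) >= min_count:
                bursts.append(_summarise(current))
            current = []
        current.append(r)
    if len(current) >= min_count:
        bursts.append(_summarise(current))
    return bursts


def first_unsorted_row(rows):
    """Walk rows by id and return the id of the first row whose username sorts
    before its predecessor, i.e. where an alphabetically ordered import ends."""
    ordered = sorted(rows, key=lambda r: r["id"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["username"].lower() < prev["username"].lower():
            return cur["id"]
    return None


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print("alphabetical order breaks at row id:", first_unsorted_row(rows))
    for b in find_bursts(rows):
        print(f"{b['ip']}: {b['count']} probe signups {b['first']} .. {b['last']} {b['tags']}")
```

Run on a real export you would point the bursts at the web server and WAF logs for the same IP and time window, and treat every flagged row as something to delete from the users table rather than leave sitting there.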
 
Sh*t happens, but I’m not impressed that we’re told to delete our personal information from our account yet it still has all that information in our order history.
 

THIS!

Everything including order history needs to be WIPED! I just cancelled my CC, not happy at all.
 
Right I hear ya, but you can say the same thing for other services they're running. They have other issues @ OS level too.
Canadaammo is probably running Redhat 3.10.0-1127.18.2.el7 (RHEL 7.8)
(RedHat Enterprise Linux 7)
Current End of Maintenance Support for RHEL 7.8 is 31 October 2020. Current End of Maintenance Support for RHEL 7.9 is 30 April 2021
(vulnerable)
Exim smtpd 4.94 (vulnerable) Multi CVE's & exploits.
bind .version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (vulnerable)
Apache 2.4.6 (probably, don't care to check)

They just renewed their cert(s) around Tuesday March 29th as well.
(wonder if they expired? or just a coincidence)

I mean, just from the outside looking in, they seem to have a bunch of problems.. I wouldn't be surprised if other dealers have the same issues. They probably don't care until something happens.
such is life.
 
Exactly. Also there are a lot of moving parts as we know in an environment like this. Could all come down to just paying $5/mo for some ####ty shared webhosting plan. Host, Development Team, Maintenance Team - all have their duties to do.

I feel bad for businesses who get put in these situations, however from my experience a lot of it comes from the common thought process that you don't need IT until it breaks. Proactive IT Maintenance needs to be budgeted. I'm sure there are many dealers out there in a similar situation. It's only a matter of time until these websites get exploited, and their responses will dictate their customers' probability of opening their wallet to them again.

Imagine what would happen if all the customers within the industry found out that 99% of dealers run their websites on USA servers. Pretty sure people wouldn't be keen on that once they research how NSA handles all this personal data over the border.
 
This is exactly why vendors asking for photos of PALs, DOB/Address and even credit card numbers via email is such a bad idea.

exactly
thankfully I have never ordered from this retailer but I'll take this thread as a reminder to go over all my own online security measures.
 
the data is gone and the content of the dump is only the proof that is released to sell the rest of the data most likely. You need a darknet monitoring service to know where they will try to sell it. To contain this you need cybersecurity professionals that are likely too expensive for a small shop. You need to close the site.

To everyone: if you're not signed up for a credit monitoring service like Equifax, now is the time.
 
Jeezus Chrisp.

Yes you do need to do something. Assume "they" have your cc number, your address and email...perhaps phone number as well? That's more than enough to make another "you".

Dump your cc, change all passwords and curse Canada Ammo for not informing us.

they did send emails to customers
 
I tried to delete mine, couldn't do it. Or didn't know the proper way to do it.

Same here. I couldn't access my account to delete or change anything. WTF? Tell us how we can protect our account or update us with what you are doing toward that end. You have a responsibility to your customers and short of cancelling all my accounts, visas and passwords, we need to know how you plan to address this.
 
they did send emails to customers

yes telling you to do something their IT team should be able to do in 2 minutes. They simply sent an e-mail and washed their hands of liability in their own eyes. If they were taking this seriously, their website wouldn't be up this whole time without notice to front facing customers about the situation at hand. They also stated they "discovered that it is likely there has been a data breach" when there's more than enough proof this is real... yet no action.
 
I wonder how many of us will start "checking out as guest" after this. I spent a while going through suppliers to remove information. I guess convenience has a downside.
 