Automatic Discount added somehow

  • Posts: 194
  • Thank you received: 5
  • Hikashop Business
2 weeks 3 days ago #308189

-- url of the page with the problem -- : n/a
-- HikaShop version -- : 4.0.2 -> 4.1.0
-- Joomla version -- : 3.9.6
-- PHP version -- : 7.1.x
-- Browser(s) name and version -- : various
-- Error-message(debug-mode must be turned on) -- : na

We have a site where only 2 of us have admin access and we rarely access the admin (because the site just has worked fine almost on auto-pilot - other than regular updates).

We were running on 4.0.2 and about 5 weeks ago somehow a 15% discount was added that gets applied to all orders.

The problem is that neither of us that have admin access created that discount - nor know who might have done that.

Was there any known security issue in 4.0.2 (or previous) that would have allowed that type of access somehow?

I looked at the coupon/discount table and there isn't any way to tell who/when that discount was created (not even a created date or created by field). It would sure be helpful to be able to see by who and when discounts/coupons were created (and last modified).

We've since unpublished that discount and have been tightening the security across the entire site (new passwords, and other site hardening).

Any thoughts/tips appreciated.


  • Posts: 66270
  • Thank you received: 9720
  • MODERATOR
2 weeks 2 days ago #308209

Hi,

There are no known security issues in HikaShop 4.x. However, note that as long as there is a security issue in any of the extensions installed on your website, then someone could access the backend and modify HikaShop.
However, in such a case, why make a 15% discount and not something bigger? Like redirecting the payments to your own merchant account, or making a 100% discount to get the products delivered for free?
To me, it's likely that someone on your end added the discount, didn't configure it properly so that it would apply to everyone instead of a one use discount, and forgot about it.
Now note that Joomla has a log system so if it's activated, you could check who logged on the backend of the website around the time the discount was first used in an order and you should be able to find who did it.
Alternatively, you can also check the Apache access logs for accesses to /administrator/index.php?option=com_hikashop&ctrl=discount around that same timeframe to find the IP address that connected to the backend and compare it to the IP addresses of the different persons involved on your end.

Adding action logging in the future could be interesting for similar cases yes.

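As an added example (not code from the post or from HikaShop), a small Python script that applies the moderator's advice: parse Apache combined-format access logs, keep only requests to the backend discount screen (option=com_hikashop&ctrl=discount under /administrator/), and count client IPs inside the window in which the discount appeared. The log lines, IPs and dates below are constructed samples.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" format: ip - - [date] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # timezone-aware
    return rec


def backend_hits(lines, start, end, option="com_hikashop", ctrl="discount"):
    """Count client IPs that hit the HikaShop discount screen in /administrator/
    between start and end (both timezone-aware datetimes, inclusive)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/administrator/index.php"):
            continue
        # Query parameters may come in any order (e.g. &task=save appended), so
        # parse them instead of matching the raw string.
        query = rec["path"].partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if params.get("option") != option or params.get("ctrl") != ctrl:
            continue
        if start <= rec["ts"] <= end:
            hits[rec["ip"]] += 1
    return hits


# Constructed sample log: one admin session on the discount screen inside the
# window, one outside it, one on a different screen, one front-end bot hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2019:09:12:01 +0000] "GET /administrator/index.php?option=com_hikashop&ctrl=discount HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2019:09:12:40 +0000] "POST /administrator/index.php?option=com_hikashop&ctrl=discount&task=save HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2019:14:03:10 +0000] "GET /administrator/index.php?option=com_hikashop&ctrl=order HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jun/2019:02:00:00 +0000] "GET /administrator/index.php?option=com_hikashop&ctrl=discount HTTP/1.1" 200 5120 "-" "curl/7.64"
192.0.2.9 - - [13/Jun/2019:03:22:15 +0000] "GET /index.php?option=com_hikashop&ctrl=product HTTP/1.1" 200 9000 "-" "bot"
"""
START = datetime(2019, 6, 5, tzinfo=timezone.utc)
END = datetime(2019, 6, 14, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, n in backend_hits(SAMPLE_LOG.splitlines(), START, END).most_common():
        print(f"{ip}: {n} request(s) to the discount screen")
```

Run it against the real log with `backend_hits(open("access.log"), START, END)`; IPs that are not yours are the ones to investigate.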

  • Posts: 194
  • Thank you received: 5
  • Hikashop Business
2 weeks 1 day ago #308230

Yes, it is VERY strange, and with only 2 people using the admin you would think that one of us would remember this - but we don't.
Thanks for mentioning the system logs - just didn't think of that, and that should help with this case because there are only 2 admin users and we don't regularly log in.
However, I work with another web site where there are over a dozen staff members with admin access and all are logging in every day so IF this were to happen on that site the system logs probably wouldn't help, so adding date and ID for create and modify to that table would be very helpful to prevent issues like this on that or other similar sites.
Thanks.


  • Posts: 194
  • Thank you received: 5
  • Hikashop Business
2 weeks 1 day ago #308232

FYI .. I did check the User Action Logs and there was nobody that logged in between 2019-06-05 and 2019-06-24.
The first order that received the automatic discount was on 2019-06-14.
The discount was configured to apply to ALL orders, and all orders from 2019-06-14 and after (until we disabled it) got the automatic 15%. There were no other types of restrictions on the discount to limit it to certain users/orders.
However, there were a number of orders between 2019-06-05 and 2019-06-14 and they did not get the automatic discount.

So the discount must have been added somehow by code (or some other means that doesn't get logged in the user action logs).

Just very strange.


  • Posts: 66270
  • Thank you received: 9720
  • MODERATOR
2 weeks 1 day ago #308235

Hi,

That's indeed very strange. Even if it was a hack, the first thing they would do would be to log on your backend, and from there, they would add the discount via the interface.

Couldn't it be that the discount had a "start date" configured? In that case, it could have been a discount created months or years in the past that was forgotten until the start date was reached, which happened to be on 2019-06-14?


  • Posts: 194
  • Thank you received: 5
  • Hikashop Business
2 weeks 18 hours ago #308259

Nope. No start/end dates were entered, and no other 'restrictions'.
Just very strange.

The only couple things that I've noticed ...

We are running the nightly cron job for hikashop for updates - maybe that somehow got hacked (but again can't imagine why that would happen).

We have been getting a LOT of bot hits against this site (mainly 404 Shield notices from Akeeba Admin Tools). This site has historically gotten a lot of bot traffic.

The site has been scanned by MyJoomla and appears to be fine (re:security)

This is just VERY weird. Not sure if we can ever figure this out without having that created by/date data within the discounts table. So hopefully that feature could be added in the future to be able to address this type of issue (and just provide general historical info on that data file).


  • Posts: 66270
  • Thank you received: 9720
  • MODERATOR
2 weeks 7 hours ago #308261

Hi,

Well, even if we add it in the future, that won't explain why you got the issue in the past. And even if you get the issue again in the future, it could still be a mystery. If it was added by a hack, then if it was done through a direct MySQL query, these fields wouldn't be filled.
All that would tell you is who added it and when, if it was really added by you through the interface.
But yes, we'll look at actions logging in the future. And not just for that, but for orders, customers, products, etc.
