Spam through Contact Us Form

#31
Originally posted by Laylah:
    A thought occurs . . . if you post to this forum with a query about V.7 or earlier you are actually DECLARING the version you use for your site which will allow hackers to exploit its inherent vulnerability!
There are a couple of simple ways to check which version of Actinic a website is using - I won't post them here, however suffice to say if I wanted to scan Actinic websites for earlier versions to then attack I'd use Google rather than this forum to be honest!

Fergus Weir - teclan ltd


#32
Robots -v- forum

Sure, I understand that.

BUT since upgrading to v.10 we have had three further attacks . . . so, we are either in a database somewhere or this forum is being used as a quick source? [because a robot would ignore us as we are now v.10!]

Either way . . . Actinic are aware of the problem and V.7 or earlier users are vulnerable to this form of attack. As the hackers gain full access to the web space with full privileges it is a serious matter. If Actinic won't fix it then upgrade is the only option.

Tony
Mandrake Press Ltd.
Actinic user since 1998


#33
I agree - it is a serious issue. Not only does it mean the website can be compromised, it generates huge amounts of spam which can additionally cause the websites and servers to be blacklisted, resulting in further ongoing disruption.

Regarding the "three further attacks" I think this is most likely because your website is already listed in a "vulnerable website" list. I'd expect these attack attempts to continue until the offending source either gives up or moves on.

Fergus Weir - teclan ltd


#34
Disruption

It is extremely serious from the user's point of view.

1. Your ISP will probably ban your v.7 website - I was told if I reactivated it, it would probably be hacked again and if that happened, they would simply close my account . . . then all my domains and emails etc. would go down!

2. Web site is therefore effectively closed with immediate effect and no web sales until you fix it!

3. The only real option at this point is upgrading . . . so you are now faced with new software and all the headaches of upgrading . . . and v.7 to v.10 can (for some users) be a real headache!!! (and there were major changes in the software from v.8 onwards - which is why we didn't upgrade)

and as you rightly say

4. Even if you then upgrade, your web site can remain blacklisted.

It is a devastating experience to go through . . . from the moment you get the email from your ISP / your website stops working . . . your business is wiped out!

This is disaster planning at its finest . . . it really is not a question of IF it is going to happen but WHEN.

It is an old adage that if it ain't broke don't fix it and we thought our v.7 site was just fine . . . but anyone with v.7 or earlier should know "It's broke and it needs fixing!"

It took us four days to get the v.10 site live. I am fortunate in that I am reasonably computerate, our V.7 site was reasonably standard with just a few tweaks (which were fully documented) and the upgrade went pretty smoothly ( . . . with a little bit of excellent help from Tech Support).

It could take much longer for other users to sort out and in these difficult times the chances are some companies may never recover from the loss of business.

One final point: there is no Tech Support for V.7 . . . you are on your own as there is no 'fix' on this forum! (perhaps there is an opportunity for someone to write some new 'plugin' scripts maybe?)

Tony
Mandrake Press Ltd.
Actinic user since 1998


#35
Why would anyone spend the time to create plugins for software that is donkey's years old (close on 10 is it?), unsupported by its maker and has a minimal following, which diminishes weekly. The V11 market has better prospects and that hasn't even been launched yet.

Software companies have to draw the line, Actinic have at v8; anyone choosing to stay on a version 3 versions behind the current one is simply asking for trouble IMO. You cannot expect each version to stay up with the times and that is why you should upgrade at worst when you are 2 versions behind IMO.


#36
Customer Loyalty

It is simple . . . loyalty to customers . . . a duty of care?

Actinic know there are plenty of v.7 or earlier users still out there (all of whom are in Actinic's database).

We were never sent a security advisory by Actinic informing us of the vulnerability or any such problems with v.7.

I find your attitude 'harsh' towards unsuspecting users of Actinic who, like me, think if it ain't broke don't fix it. It was doing the job it was designed for . . . and I certainly didn't need any new features etc., etc. so why upgrade. However, IF we'd been told that it was vulnerable to attack and providing an open door to the rest of our web site with full access permissions etc. we would have upgraded immediately!

Why would we upgrade just because there is a new version . . . I don't have money to waste just so I can say I have the 'latest' product.

Software companies are constantly issuing security advisories . . . but not in this case!

Since falling foul of this vulnerability I have discovered that this has been a known problem since v.4 . . .

I don't know anything about writing scripts . . . I don't know how long it would take someone to create a 'fix' . . . but it seemed to me to be a worthwhile suggestion.

Actinic v7.0.6 GASA was announced on 23rd January 2006 . . . so it is certainly not donkey's years old . . . in fact it is half the age you state.

Tony
Mandrake Press Ltd.
Actinic user since 1998


#37
Originally posted by Laylah:
    It is simple . . . loyalty to customers . . . a duty of care?
Depends on which angle you look from surely; as a software company what would you focus on? Your new software, the future and your larger user base, or your old users who do not upgrade? If they do as you think, the improvements and enhancements on the new version suffer considerably and that's exponential for every release you then do. At which version should they cut support do you think? Or should v1 still be supported in your eyes?

You can't use the release date of the penultimate version release to define how old a piece of software is; if you could then v10 would be at least -12 months old as it is.

The whole industry moves forward, constantly improving; if you're not on that journey with it, there is only one place you are going and that is backwards.

You say Actinic have a duty of care to its customers; I could argue that you do too with your customers, ensuring they shop on the most secure and up to date website they can. V7 lacks many of the normal features expected nowadays on a site and, for that reason alone, it simply cannot be maximising its sales in almost every marketplace that exists.

Hiding behind 'I didn't know' or 'no one told me' is just wrong; as a retailer online you have a duty to keep yourself informed and if you don't know how to, get advice from someone that does.


#38
You've done the right thing now, you upgraded, albeit after you were unfortunately targeted. Had you upgraded earlier however you probably wouldn't have been targeted at all. That's one reason why Actinic have Cover contracts.


#39
Personally, I'd remove the contact us form and just place an obfuscated email address so people can contact you if they want to.

Contact us forms were only ever used when people didn't want to display their email address, whereas as a customer I would actually like to find an email address and would be concerned if a company wasn't willing to disclose it.

Mike
First Tackle - Fly Fishing and Game Angling


#40
I was obfuscated once.
Didn't enjoy it much.

I'll get my coat .....

Kind Regards
Sean Williams
Calamander Ltd


#41
Laylah left the building

I've got my coat already . . . this is degenerating into 'a forum argument' which is detracting from the extremely serious issues facing some users of Actinic software who remain ignorant of their vulnerability!

Sometimes it is better to keep quiet if you don't have anything useful to contribute . . . and I am fresh out of things to say that might be helpful to other users!

Nuff said . . .

Tony
Mandrake Press Ltd.
Actinic user since 1998


#42
Originally posted by olderscot:
    ...Contact us forms were only ever used when people didn't want to display their email address, whereas as a customer I would actually like to find an email address and would be concerned if a company wasn't willing to disclose it.

    Mike
Good point, we include both for that reason but interestingly get the majority of people using the form rather than the email address.


#43
I would guess the form is an easy immediate way for customers to communicate.

It is a quick and easy solution to the main problem being discussed here. Remove the form, delete the mf script, and put an email address on the page so customers can still contact you.

Yes, early versions of Actinic will still be open to attack but on the whole hackers only attack for a reason. The only reason they're doing this with the mailform is because it's an easy, untraceable route for sending spam emails.

Mike
First Tackle - Fly Fishing and Game Angling


#44
Can I please clarify - is mf00000n.pl in Actinic10 considered a 'safe' thing to have on my site?


#45
Ver. 10

I continue to get hacking attempts and the version 10 form simply passes the 'email hack' as an email.

Interesting to note that I am still receiving attempts even though we have version 10 . . . so it leads me to think that whoever is responsible is not bothering to check which version of Actinic I am running but basing attacks on previous success or another source of data such as this forum.

I am still surprised that Actinic didn't warn vers. 7 users as the majority will probably never come across this thread until it is too late.

Tony
Mandrake Press Ltd.
Actinic user since 1998
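As an added defender-side example (my code, not Actinic's or SellerDeck's mf script, and in Python rather than the Perl those scripts use), here is a contact-form mail builder that applies what posts #43 and #45 point at: the recipient is fixed server-side, header-breaking input is refused, and a submission that looks like a relay attempt is quarantined instead of being passed on as an ordinary email. It assumes the abuse takes the form of extra mail headers or address lists injected through the form fields, which the thread does not spell out; all addresses and sample submissions are constructed placeholders.

```python
import re
from email.message import EmailMessage

# The inbox is fixed here and never read from the form (a handler that lets the
# submitter choose the recipient is a spam relay). Addresses are placeholders.
SITE_RECIPIENT = "sales@example.invalid"
FORM_SENDER = "webform@example.invalid"

CRLF = re.compile(r"[\r\n]")
HEADER_LINE = re.compile(r"^(?:to|cc|bcc|from|subject|content-type|mime-version)\s*:", re.I | re.M)
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def looks_like_injection(fields):
    """Assumed abuse pattern: mail headers or a recipient list smuggled in
    through form fields. Returns True when a submission looks like that."""
    for name, value in fields.items():
        if name != "message" and CRLF.search(value):
            return True                  # line break inside a one-line field
    body = fields.get("message", "")
    if HEADER_LINE.search(body):
        return True                      # "Bcc:" etc. pasted into the body
    if len(set(EMAIL_ADDR.findall(body))) > 5:
        return True                      # an address list, not a customer query
    return False

def build_message(fields):
    """Return (EmailMessage, suspicious). Headers are built only from sanitised,
    length-limited input; the submitter's address goes in Reply-To, never From."""
    suspicious = looks_like_injection(fields)
    msg = EmailMessage()
    msg["To"] = SITE_RECIPIENT
    msg["From"] = FORM_SENDER
    subject = CRLF.sub(" ", fields.get("subject", "Contact form"))[:120]
    msg["Subject"] = ("[QUARANTINE] " if suspicious else "") + subject
    reply_to = fields.get("email", "").strip()
    if not suspicious and EMAIL_ADDR.fullmatch(reply_to):
        msg["Reply-To"] = reply_to
    msg.set_content(fields.get("message", ""))
    return msg, suspicious

# Constructed sample submissions, not real traffic.
LEGIT = {"email": "jane@customer.invalid", "subject": "Order 1234",
         "message": "Hi, is the blue edition still in stock?"}
ABUSE = {"email": "x@spam.invalid\r\nBcc: v1@victim.invalid, v2@victim.invalid",
         "subject": "hi", "message": "Cheap watches http://spam.invalid/"}

if __name__ == "__main__":
    for sample in (LEGIT, ABUSE):
        msg, flagged = build_message(sample)
        print("quarantine" if flagged else "forward", msg["To"], msg["Subject"])
```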