Possible site probing using "Ask a question" feature.

Started by IntrepidClassChicken, June 25, 2014, 06:01:23 AM

IntrepidClassChicken

Hi Folks,

Virtuemart version 2.0.18a
Joomla version 2.5.11
PHP version 5.3.6

After mistakenly thinking for some time that the Virtuemart community was a bit quiet on the update front, I've just learned that the automatic update tool built into Virtuemart doesn't work on my site. So I need to manually update. If that would fix my problem, that would be great. I'll have to find some time to complete it.

But just to run it by you all, I've recently received a quite typical set of nonsensical character emails coming from the "Ask a question" link that is under each product. I've received these before from sites without a Captcha added to an email function. On two old sites, and a while ago, they got turned into spam sending sites after being hacked.

Unfortunately there is no Captcha attached to the "Ask a question" feature so if included, it leaves the door open to web bots. I've turned this feature off for now but it is a nice feature. I'd like to reactivate it at a time when it can be secured.

General advice for all web based software is to keep it up to date but how at risk is my site?

jenkinhill

Yes, your site is at risk of being hacked. See http://forum.virtuemart.net/index.php?topic=118683.0

Current versions include Captcha for the Ask a Question form.

The auto-updater never worked on some servers, and has been removed; VM2.6.6 uses Joomla's own update facility. See http://forum.virtuemart.net/index.php?topic=123808.0
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

AH

As always, test thoroughly first - don't update direct into live!

There are a LOT of changes
If you have template overrides, consider what the NEW views are doing and retrofit

But update as there are security holes in your VM version and your Joomla version too!

VM 2.6.6
Joomla 2.5.20
Regards
A

Joomla 4.4.5
php 8.1

jenkinhill

I just noticed your PHP version - 5.3.6 which was released on 19 March 2011. It is far too old to work with the current VM2.6.x versions which require greater than 5.3.10, as it is not compatible with the new security settings. So if you cannot get the host to update PHP to something more recent (latest stable PHP version is 5.5.13) then the safest version to install is 2.0.26d (from http://dev.virtuemart.net/projects/virtuemart/files )

AH

LOL

Jenkin thinks being born in March 2011 makes things too old to work. :D

I do agree however that it would be sensible to use php 5.4.x
Regards
A

IntrepidClassChicken

Thanks folks. Amazing info.

I guess I have a LOT of work ahead of me.

Pet peeve of the minute: I hate having to constantly rebuild websites that aren't yet broken!! :P
I'll get over it ;)

AH

IChick

Unfortunately they Are broken, it is just that we/you were not aware of it and would not be until you were hacked.

That is the lot of someone running any website.

If we ran a bricks and mortar shop we would have to secure ourselves against thieves that physically had to get to the shop to do damage, these idiots do it from the safety of their bedrooms, with little chance of getting caught and run bots to do the work 24x7.

Regards
A
