Site hacked!! next day after installing osCommerce


cdiimaging


Greetings. Probably just a coincidence but I just finished a fresh install of OSC. The next day the people who host my dedicated server tell me that my server was compromised. Here's the message:

This is to inform you that your server has been compromised, and that your webmaster password has been changed. The compromise has been corrected, and your new password has been sent to you. For additional security, the users on the server have been reset to the default; you should be able to recreate the user logins with new passwords. Please be sure to set new strong passwords for these accounts, as this will prevent further security problems.

Please let us know if you have any further questions or require additional assistance.

They could not give me more info yet.

I installed then protected only my /Admin/index.php file. I'm on Windows 2003 with IIS6. Are there other files in that directory I should protect? Can anyone suggest how else to secure an install on a Windows/IIS machine?

Thanks, Mike


More than likely it was a coincidence, but if you have access to logs, you should study them carefully to better understand how they got in, or they may do it all over again.

I would secure the entire admin folder, not just the index.php file.

I have a dedicated server, but it is a Linux box so my knowledge of Windows servers is minimal. But the first thing that I must ask is (and please don't take offense, it is simply a precursor question), are you experienced at securing and managing a dedicated server? If you are then you can probably disregard the following.

Many people that migrate from a managed shared hosting environment to a dedicated server are unaware of many necessary security measures.

1.) It must be kept patched with all of the latest patches for the operating system and all applications. Both at startup and frequently (i.e. checking for updates every few days is a good sysadmin practice)

2.) It must be firewalled. This should include blocking unused ports and only permitting administrative access from IPs or limited IP ranges that actually need to have that access (i.e. you and your hosting provider, and even the latter is optional)

3.) A multi-layered security approach is best and should include both intrusion protection and intrusion prevention software.

4.) Passwords must be strong.

5.) Logs should be checked regularly.

6.) Uninstall services that are not needed.

7.) Keep informed about new security threats and how to protect against them.

hth

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.


Thanks for your reply and all the suggestions. I'll get into it and study the log files. Most of the things you said I know but got lazy. Maybe this was my "wake up call".

Thanks again for responding.

Mike

PS. I'd like to secure entire directories in Windows/IIS but have yet to find a way. I'm looking at migrating to Apache Server but dread the work involved.


Archived

This topic is now archived and is closed to further replies.
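The thread's two pieces of advice, studying the logs and protecting the whole admin folder rather than only index.php, can be checked together. The following is an added example, not code from the thread or from osCommerce: it reads an IIS W3C extended log and lists admin-folder files that were served successfully to unauthenticated clients. It assumes the folder is protected with IIS authentication (so legitimate requests carry a `cs-username`) and that `cs-username`, `cs-uri-stem` and `sc-status` are enabled in logging; the sample log, IP addresses and file names are constructed.

```python
# Constructed sample in IIS W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 10:00:01 203.0.113.7 - GET /index.php - 200
2006-03-01 10:00:05 203.0.113.7 - GET /Admin/index.php - 401
2006-03-01 10:00:09 203.0.113.7 - GET /Admin/categories.php - 200
2006-03-01 10:02:30 198.51.100.20 mike GET /Admin/index.php - 200
2006-03-01 10:03:11 203.0.113.7 - POST /admin/orders.php page=1 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def anonymous_admin_hits(text, admin_prefix="/admin/"):
    """Return admin-folder requests served with 2xx to an unauthenticated client."""
    prefix = admin_prefix.lower()  # IIS paths are case-insensitive
    hits = []
    for r in parse_w3c(text):
        stem = r.get("cs-uri-stem", "")
        if not stem.lower().startswith(prefix):
            continue
        # "-" in cs-username means no authenticated user; if the field is not
        # logged at all, treat the request as anonymous so it gets reviewed.
        anonymous = r.get("cs-username", "-") == "-"
        if anonymous and r.get("sc-status", "").startswith("2"):
            hits.append((r.get("c-ip"), r.get("cs-method"), stem, r["sc-status"]))
    return hits


def files_exposed(hits):
    """Collapse hits to the distinct admin files that were served anonymously."""
    return sorted({stem.lower() for _ip, _method, stem, _status in hits})


if __name__ == "__main__":
    for hit in anonymous_admin_hits(SAMPLE_LOG):
        print(*hit)
    print("exposed:", files_exposed(anonymous_admin_hits(SAMPLE_LOG)))
```

Any file this reports is one the current protection does not cover; an empty result after locking down the whole folder is the expected state.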
