osCommerce

Always CRACK my server in Admin's folder


szalayzsolt


Posted

We would like to request your help in solving a serious problem in connection with the shop.

We have installed the on-line shop according to the instructions on our Linux server, but there are almost continuous hacker attacks through the administrative panel, where they enter and have access to the whole server.

Our problem is that we don't know how to avoid/impede these incursions. They probably use some code or some part or element of the administrative panel and, entering the system, have access to all other files under the domain.

How can we protect the admin panel (folder) in order to avoid this?

We now use a firewall, SSL and every other serious protection, so there can be no problem with these.

Please help us!

Thanks!

Posted

Does your Hosting provider offer a control panel for your domain (not osCommerce control panel but hosting)?

 

If yes, there should be a feature called "password protect directories" or similar.

 

Use that feature to password protect your admin folder

 

The_Bear

Posted
Does your Hosting provider offer a control panel for your domain (not osCommerce control panel but hosting)?

 

If yes, there should be a feature called "password protect directories" or similar.

 

Use that feature to password protect your admin folder

 

The_Bear

 

I don't have a control panel for my domain; I have a physical PC + Linux (firewall, PHP 4.1.1, Apache 2.0, MySQL 4.0.24, OpenSSL...) with paranoid settings.

The catalog directory and "admin" directory are password protected with an .htaccess file:

My .htaccess file in the admin directory:

 

AuthUserFile /www/beallitas/passwd
AuthGroupFile /dev/null
AuthName "Aruhaz"
AuthType Basic
require valid-user

SSLRequireSSL

<IfModule mod_setenvif.c>
 <IfDefine SSL>
SetEnvIf User-Agent ".*MSIE.*" \
		 nokeepalive ssl-unclean-shutdown \
		 downgrade-1.0 force-response-1.0
 </IfDefine>
</IfModule>

 

Thanks for your answer...

Posted

Put the password file above the www directory, preferably above the htdocs directory (if there is one).

 

This is why host password systems are preferable on shared servers, they put the password file above user accessible web space.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Posted
I don't have a control panel for my domain; I have a physical PC + Linux (firewall, PHP 4.1.1, Apache 2.0, MySQL 4.0.24, OpenSSL...) with paranoid settings.

The catalog directory and "admin" directory are password protected with an .htaccess file:

My .htaccess file in the admin directory:

 

AuthUserFile /www/beallitas/passwd
AuthGroupFile /dev/null
AuthName "Aruhaz"
AuthType Basic
require valid-user

SSLRequireSSL

<IfModule mod_setenvif.c>
 <IfDefine SSL>
SetEnvIf User-Agent ".*MSIE.*" \
		 nokeepalive ssl-unclean-shutdown \
		 downgrade-1.0 force-response-1.0
 </IfDefine>
</IfModule>

 

Thanks for your answer...

 

If you run your own server, forget .htaccess; it will only slow you down. Use your httpd file to limit directory access.

Treasurer MFC

Posted

Also check to make sure that you have your server set up to automatically 'hide' .htaccess files - so that they are not readily visible.

 

This is the downside of trying to manage your own server, especially the lack of a user-friendly control panel interface which would automate many of those tasks for you - and hosting companies get paid to lock down the servers against external intrusion.

 

Check your log files to see if the attacks are coming from one dedicated ip address or ip address range, because if you know what it/they are then you can block them via .htaccess.

 

Rename the 'admin' folder to something unique - not 'admin2' - and then edit the two references in admin/includes/configure.php from /admin/ to /newname/ - if a hacker can't find 'admin' he can't hack it.

 

Vger

Posted
If you run your own server, forget .htaccess; it will only slow you down. Use your httpd file to limit directory access.

 

in httpd this will password protect your admin AND only allow access from your ip address.

 

<Directory "path to admin dir">
    AllowOverride none
    # Order deny,allow alone admits everyone: deny first, then allow your address
    Order deny,allow
    Deny from all
    Allow from "your ip address"
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile "path to password file"
    # any user listed in the password file, not a user literally named valid_user
    Require valid-user
    SSLRequireSSL
</Directory>

Treasurer MFC

Posted
in httpd this will password protect your admin AND only allow access from your ip address.

 

<Directory "path to admin dir">
    AllowOverride none
    # Order deny,allow alone admits everyone: deny first, then allow your address
    Order deny,allow
    Deny from all
    Allow from "your ip address"
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile "path to password file"
    # any user listed in the password file, not a user literally named valid_user
    Require valid-user
    SSLRequireSSL
</Directory>

 

 

Amanda, that was great that you put in the actual configuration that needs to be put into the httpd.conf file. Your information helped me finally secure my admin module which has been exposed for quite some time.

 

For the last 2 days I've been trying to secure my ADMIN module and was struggling with figuring it all out. I've spent hours and hours reading past posts on this issue and the majority of the help was RTFM (Read the F' Manual). Surprising to me since SECURITY should be a key issue and OSCOMMERCE standard configuration has this module WIDE OPEN. I've been having major hack attacks on my server over the last week so this is frustrating. The attacks are not from the admin module (at least I don't think they are) but I knew the admin module was wide open so I wanted to secure it. The attacks I'm having are most definitely something in OSCOMMERCE/PHP (writes are happening to the whos_online table which means they're executing oscommerce code) - I've been unable to stop them completely (but I have been able to contain them though). Anyone interested in helping, my post is http://www.oscommerce.com/forums/index.php?showtopic=190859&hl= (actually, it was amanda that gave me the best information to contain the problem).

 

I used your information as well as the information in the Apache How To (http://httpd.apache.org/docs/2.0/howto/auth.html) for Access Control. The combination of both allowed me to successfully configure my admin module.

 

A key learning I had in there was to create an APACHE PASSWORD file. I had originally thought it was just the password file on my server. So my first few attempts didn't work until I read that HOW TO.

 

I have it working now. However, I had to comment out the SSLRequireSSL directive you have in there. When I had it in there I had two problems. 1). It does not prompt me for a password but instead lets me right to the admin module as long as I get there with https (using http gives Forbidden error which is good); and 2). Once I'm in, if I click on any of the links (e.g., to configuration), the url is http and not https so I get the forbidden error. So once I commented out the SSLRequireSSL it all works fine via http access.

 

It's probably an issue with my admin/configure.php file. I have the following:

 

define('HTTP_SERVER', 'http://www.mydomain.com/');
define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://www.mydomain.com');
define('ENABLE_SSL_CATALOG', 'true');
define('DIR_FS_DOCUMENT_ROOT', '/var/www/html/mydomain/');
define('DIR_WS_ADMIN', 'admin/');
define('DIR_FS_ADMIN', '/var/www/html/mydomain/admin/');
define('DIR_WS_CATALOG', '');
define('DIR_FS_CATALOG', '/var/www/html/mydomain/');

Posted

You're making a simple problem difficult. Go on Google and download a control panel; there are many of them out there, some free, some not, and if you're running a server you REALLY need one anyway.

Posted
in httpd this will password protect your admin AND only allow access from your ip address.

 

<Directory "path to admin dir">
    AllowOverride none
    # Order deny,allow alone admits everyone: deny first, then allow your address
    Order deny,allow
    Deny from all
    Allow from "your ip address"
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile "path to password file"
    # any user listed in the password file, not a user literally named valid_user
    Require valid-user
    SSLRequireSSL
</Directory>

 

 

Hi friend

Your script is great :) I am surprised, and also feel shocked, that it never struck anyone that the admin folder is left open to hackers. I deleted cookies, etc., everything, and managed to access the /admin folder.

:o

 

Now renamed the /admin folder and will also put the above code.

 

Thanks

James

Posted

hi again,

 

where should the password file be and in what format?

Can you just give a simple example .

 

Sorry new to all this.
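The question above (where the password file goes and what format it has) and the httpd.conf block posted earlier in the thread are illustrated by the following added example; it is not code from the thread or from osCommerce. It writes an AuthUserFile line in the format that `htpasswd -m` produces (Apache's `$apr1$` MD5-crypt), checks that the file path is outside the document root as the replies advise, and renders the `<Directory>` block combining the address restriction with Basic auth over SSL. The user name, password, paths and address are constructed placeholders.

```python
"""Added example: Apache htpasswd ($apr1$) file lines, a docroot check, and the
<Directory> block for an admin folder. All names and paths are placeholders."""
import hashlib
import hmac
import os
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value, count):
    """Apache's to64(): emit `count` base-64 digits, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """APR1 MD5 crypt as produced by `htpasswd -m` (schedule of apr_md5_encode)."""
    if not 1 <= len(salt) <= 8 or "$" in salt:
        raise ValueError("salt must be 1-8 characters and contain no '$'")
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    plen = len(pw)
    while plen:
        ctx.update(b"\0" if plen & 1 else pw[:1])
        plen >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, same schedule as apr_md5.c
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return "%s%s$%s" % (MAGIC, salt, encoded)


def htpasswd_line(user, password, salt=None):
    """One `user:hash` line as stored in an AuthUserFile."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "%s:%s" % (user, apr1_crypt(password, salt))


def verify_htpasswd(line, user, password):
    """Check a password against a stored line with a constant-time compare."""
    stored_user, _, stored_hash = line.partition(":")
    if stored_user != user or not stored_hash.startswith(MAGIC):
        return False
    salt = stored_hash[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(apr1_crypt(password, salt), stored_hash)


def outside_docroot(passwd_path, document_root):
    """True when the password file cannot be served by the web server."""
    p = os.path.normpath(os.path.abspath(passwd_path))
    root = os.path.normpath(os.path.abspath(document_root))
    return not (p == root or p.startswith(root + os.sep))


def directory_block(admin_dir, passwd_path, allowed_ip):
    """Apache 2.0/2.2-style block: address restriction plus Basic auth over SSL."""
    return "\n".join([
        '<Directory "%s">' % admin_dir,
        "    AllowOverride none",
        "    Order deny,allow",
        "    Deny from all",
        "    Allow from %s" % allowed_ip,
        "    AuthType Basic",
        '    AuthName "Password Required"',
        '    AuthUserFile "%s"' % passwd_path,
        "    Require valid-user",
        "    SSLRequireSSL",
        "</Directory>",
    ])


if __name__ == "__main__":
    # constructed placeholder values
    docroot, passwd = "/var/www/html/mydomain", "/etc/apache2/shop.passwd"
    print("password file outside docroot:", outside_docroot(passwd, docroot))
    print(htpasswd_line("shopadmin", "correct horse battery staple"))
    print(directory_block(docroot + "/admin", passwd, "203.0.113.10"))
```

Append the printed line to the file named in `AuthUserFile`, keep that file readable only by the Apache user, and place it somewhere Apache never serves (the `outside_docroot` check refuses any path under the document root). The `Deny from all` / `Allow from` pair matters: with `Order deny,allow` and no `Deny` line, every address is admitted.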

Posted
Amanda, that was great that you put in the actual configuration that needs to be put into the httpd.conf file. Your information helped me finally secure my admin module which has been exposed for quite some time.

 

For the last 2 days I've been trying to secure my ADMIN module and was struggling with figuring it all out. I've spent hours and hours reading past posts on this issue and the majority of the help was RTFM (Read the F' Manual). Surprising to me since SECURITY should be a key issue and OSCOMMERCE standard configuration has this module WIDE OPEN. I've been having major hack attacks on my server over the last week so this is frustrating. The attacks are not from the admin module (at least I don't think they are) but I knew the admin module was wide open so I wanted to secure it. The attacks I'm having are most definitely something in OSCOMMERCE/PHP (writes are happening to the whos_online table which means they're executing oscommerce code) - I've been unable to stop them completely (but I have been able to contain them though). Anyone interested in helping, my post is http://www.oscommerce.com/forums/index.php?showtopic=190859&hl= (actually, it was amanda that gave me the best information to contain the problem).

 

I used your information as well as the information in the Apache How To (http://httpd.apache.org/docs/2.0/howto/auth.html) for Access Control. The combination of both allowed me to successfully configure my admin module.

 

A key learning I had in there was to create an APACHE PASSWORD file. I had originally thought it was just the password file on my server. So my first few attempts didn't work until I read that HOW TO.

 

I have it working now. However, I had to comment out the SSLRequireSSL directive you have in there. When I had it in there I had two problems. 1). It does not prompt me for a password but instead lets me right to the admin module as long as I get there with https (using http gives Forbidden error which is good); and 2). Once I'm in, if I click on any of the links (e.g., to configuration), the url is http and not https so I get the forbidden error. So once I commented out the SSLRequireSSL it all works fine via http access.

 

It's probably an issue with my admin/configure.php file. I have the following:

define('HTTP_SERVER', 'http://www.mydomain.com/');
define('HTTP_CATALOG_SERVER', 'http://www.mydomain.com');
define('HTTPS_CATALOG_SERVER', 'https://www.mydomain.com');
define('ENABLE_SSL_CATALOG', 'true');
define('DIR_FS_DOCUMENT_ROOT', '/var/www/html/mydomain/');
define('DIR_WS_ADMIN', 'admin/');
define('DIR_FS_ADMIN', '/var/www/html/mydomain/admin/');
define('DIR_WS_CATALOG', '');
define('DIR_FS_CATALOG', '/var/www/html/mydomain/');

 

just set :

 

define('HTTP_SERVER', 'https://www.mydomain.com/');

Treasurer MFC

Posted
Hi friend

Your script is great :) I am surprised, and also feel shocked, that it never struck anyone that the admin folder is left open to hackers. I deleted cookies, etc., everything, and managed to access the /admin folder.

:o

 

Now renamed the /admin folder and will also put the above code.

 

Thanks

James

 

 

Most people DO PROTECT their admins...

My Contribution

Music Download Store Template

http://www.oscommerce.com/community/contributions,4275
