
osCommerce

The e-commerce.

Desperation! I've messed up my admin section-Help!


milauskas


Hi all,

 

I created an osC store for a client over a year ago. Things were working fine, then I got an email today. There were some problems.

 

1) an additional item was added to the customer's cart automatically--they didn't select it

 

2) Someone was notified that they placed an order which they did not and the shipping address was one they didn't know

 

We suspect someone has hacked in and messed things up. I did some quick checking and noticed the admin section was not secured by SSL.

 

Now, I swear I had made sure the admin section was secure when I built the site, but as of today, that's not the case. I checked my configure.php file in admin/includes to make sure things were okay. It looks alright (I've altered the path names below):

 

// Define the webserver and path parameters
// * DIR_FS_* = Filesystem directories (local/physical)
// * DIR_WS_* = Webserver directories (virtual/URL)
 define('HTTP_SERVER', 'http://domainname.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTP_CATALOG_SERVER', 'http://domainname.com');
 define('HTTPS_CATALOG_SERVER', 'https://pathtosecureserver');
 define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

I referred to the book I use (OSCommerce: Professional Edition) to see if I'd omitted something and made some changes to configure.php to see if it resolved the problem.

 

I changed define('HTTP_SERVER', 'http://domainname.com'); to define('HTTP_SERVER', 'https://domainname.com'); and then define('HTTP_SERVER', 'https://pathtosecureserver');, uploading the altered file each time and reloading the admin section.

 

At first, it seemed to work. The main admin page was appearing as secure (by that I mean the URL was displaying "https"), but then I found that I couldn't access any other admin section, such as Orders or Customers. All I got was a "transfer Interrupted" page.

 

I reverted the configure.php file back to its original state and uploaded it.

 

I then thought it might have something to do with my .htaccess file. Here's what it looked like originally:

 

 

AuthType Basic
AuthName "OS Commerce Administration"
AuthUserFile "/home/issimo/.htpasswds/storename/admin/passwd"

require valid-user

 

I added the following at the top: SSLRequireSSL, then uploaded the file.

 

Now, when I try to go to the admin section I get the following:

 

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

 

Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

 

More information about this error may be available in the server error log.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

I reverted the .htaccess file to its original state and reuploaded it, but I still can't get into the admin section. This is where I'm stuck. What have I done? Can anyone tell me what I need to do to fix this? Please help!

 

Thanks.


SSL will encrypt the admin details in transit.

But a hacker who has the login details will still get hold of it.

1) Change FTP login details.

2) Change admin login details.

Also, if the IP is static at your end, then apply some deny/allow rules for the IP address through .htaccess for the admin section.

Also add code to trap the IP of whoever logs in to admin, so you can make it out and take action.

 

Satish

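One way to act on the advice above about recording which IPs reach the admin area, as an added example that is not part of the original thread: because the admin directory uses Basic auth, Apache's combined access log already records the client IP and the authenticated user, so a short Python script can summarise it. The `/admin/` path, the allowlisted address and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache "combined" log: host ident authuser [time] "method path proto" status ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
ADMIN_PREFIX = "/admin/"                   # assumption: admin URL path
ALLOWED = [ip_network("203.0.113.10/32")]  # assumption: your own static IP

def admin_access_report(lines, prefix=ADMIN_PREFIX, allowed=ALLOWED):
    """Per client IP: how it fared against the admin area."""
    report = defaultdict(lambda: {"users": set(), "ok": 0, "denied": 0,
                                  "noauth": 0, "allowed": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # malformed line: skip, do not guess
        ip, user, path, status = m.groups()
        if not path.startswith(prefix) or status[0] == "5":
            continue                       # not admin, or a server error page
        try:
            addr = ip_address(ip)
        except ValueError:
            continue                       # host logged as a name, not an IP
        e = report[ip]
        e["allowed"] = any(addr in net for net in allowed)
        if status in ("401", "403"):
            e["denied"] += 1               # failed Basic auth or blocked by rule
        elif user == "-":
            e["noauth"] += 1               # answered with no Basic-auth user
        else:
            e["ok"] += 1
            e["users"].add(user)
    return dict(report)

def unexpected_access(report):
    """IPs outside the allowlist that got an answer from the admin area."""
    return sorted(ip for ip, e in report.items()
                  if not e["allowed"] and (e["ok"] or e["noauth"]))

SAMPLE = [  # constructed log lines using documentation IP ranges
    '203.0.113.10 - shopowner [12/Mar/2010:09:14:02 +0000] "GET /admin/orders.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [12/Mar/2010:03:02:10 +0000] "GET /admin/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"',
    '198.51.100.77 - shopowner [12/Mar/2010:03:02:15 +0000] "GET /admin/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"',
    '198.51.100.77 - shopowner [12/Mar/2010:03:02:31 +0000] "GET /admin/customers.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2010:04:40:00 +0000] "GET /admin/orders.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2010:04:41:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

A non-zero `noauth` count means admin pages were answered without any Basic-auth user, which is what the log would show while the admin `.htaccess` is missing. Pass the lines of the real access log in place of `SAMPLE` to run it on a live site.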

Thanks Satish. I deleted my .htaccess file and was able to get back into the admin, so I solved that problem, but I'm confused now. I don't know what I did that made .htaccess the culprit. If it was working prior to me doing anything, then I made changes, but ultimately changed the file back to its original state then it should have worked again. However, it didn't. Only deleting the file eliminated the problem.

 

So, I believe I need to upload .htaccess again, but is there some correct way to do this? All I did was open .htaccess in my editor (either Dreamweaver or Textwrangler), make changes and upload it via FTP. Does this cause some problem? Is something introduced by doing this that causes the problems I experienced?

 

Also can you tell me where to find code to trap an IP as you suggest?

 

Again, thanks for your reply.


Archived

This topic is now archived and is closed to further replies.
