osCommerce

The e-commerce.

How to secure your osCommerce 2.2 site.


spooks


Well. The site was not attacked again until today. I caught it immediately (within 15 minutes of the modification).

The reason you're advised here to wipe your site is that hackers often leave hidden files & folders on the site that, even if you locate them, can't be deleted. So without the host wiping the site they can always come back.

Also consider if usernames/passwords could be compromised, or e-mail accounts passing the same hacked.

 

 

If you can give a time frame any decent host should be able to provide more info.

Sam


Remember, what you think I meant may not be what I thought I meant when I said it.


Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.


Hi,

Thank you for keeping this thread live and helping us with questions we don't know the answer to...

I implemented all suggested changes several months ago.

Today I watched who is online and saw this:

67.195.113.242
//index.php?url=http://www.dkmajolika.cz/main???

I believe the IP address belongs to Yahoo.

I asked Google and found this: http://dnsbl.abuse.ch/webabusetracker.php?script=3aff45c9a7e67089e42f914ebff0cb93

and I followed this thread:
http://www.oscommerce.com/forums/topic/286605-after-3-great-years-im-being-hacked/page__view__findpost__p__1190067

and I added this code to application_top.php:

// redirect attempted remote file include exploits
if (strpos(strtolower($_SERVER['QUERY_STRING']), 'http:') !== false) {
    header("Location: http://www.mydomain.com");
    exit;
}

But to tell the truth, I really don't know if this is enough...

I couldn't find anything new (manually and by site monitor).

Thank you very much for your advice.


remote file include exploits

If you have Security Pro, that would clean that string & so nullify the attack. If you wish to add specific protection for that attack (in case you expand the allowed list in Security Pro or excluded pages are attacked) you can add:

RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
RewriteRule ^(.+)$ - [F]

to your .htaccess. Or the code you provided is fine, but it needs to be expanded to allow for https & ftp.

Sam

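One way to write the application_top.php check from the post above with Sam's expansion to https and ftp, as an added example that is not code from the thread or from osCommerce; the function names, the placeholder domain and the extra URL-decoding step are my own assumptions:

```php
<?php
// Added example, not code from the thread: the application_top.php check posted
// above, expanded to https and ftp as Sam advises, and run on the URL-decoded
// query string as well so that a %-encoded scheme does not slip past it.

function query_string_has_remote_url($query_string)
{
    // Apache hands PHP the raw query string; "http%3A%2F%2F" contains no "http:"
    // until it is decoded, so test both the raw and the decoded form.
    $forms = array($query_string, urldecode($query_string));
    foreach ($forms as $form) {
        // Same scheme list as the RewriteCond in the thread: http, https, ftp.
        if (preg_match('#(https?|ftp):#i', $form)) {
            return true;
        }
    }
    return false;
}

// Drop-in for application_top.php: send the request to the shop's own home page
// (placeholder domain) instead of letting it reach any script that might include it.
function redirect_remote_file_include_attempts()
{
    if (isset($_SERVER['QUERY_STRING'])
        && query_string_has_remote_url($_SERVER['QUERY_STRING'])) {
        header('Location: http://www.mydomain.com/'); // placeholder, use your own URL
        exit;
    }
}

// Constructed sample query strings (not from any real log) showing what is caught.
$samples = array(
    'url=http://www.example.com/main'   => true,
    'url=HTTPS://www.example.com/main'  => true,
    'file=ftp://www.example.com/x.txt'  => true,
    'url=http%3A%2F%2Fwww.example.com'  => true,   // caught only after decoding
    'cPath=22&products_id=31'           => false,  // an ordinary osCommerce request
    'keywords=http+server'              => false,  // no scheme, just the word
);
foreach ($samples as $qs => $expected) {
    $got = query_string_has_remote_url($qs);
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . $qs . "\n";
}
```

Call redirect_remote_file_include_attempts() near the top of application_top.php, before any include that could be influenced by the query string.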

Hey there,

Do any of you know a good app to search multiple php files at the same time?

I couldn't really find something decent in my Google searches. I'd like to check all my files to know if I missed some files where I need to add cleaning code.

I'd rather know which are the files that have $post and $get vars and add code to clean per page, rather than "dumbly" cleaning it with one code in one page for all pages.

For now here is what I cleaned; I think I missed some, and don't want to open the files one by one.

login.php
contact_us.php
ask_a_question.php (not in vanilla install)
tell_a_friend.php
products_review_write.php
account_edit.php
account_password.php
password_forgotten.php
address_book_process.php
checkout_shipping.php
checkout_payment_address.php
checkout_shipping_address.php
account.php

Some files in the Article Manager contrib for example need a clean I think; I just want to search all my files.

Thank you for your answer!

Regards, Fabien.


All the default RC2a files using post are covered in Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202

You need to check any pages added by contributions you've installed, but most pages using any user input are using post.

Sam


Hey there,
Do any of you know a good app to search multiple php files at the same time?

Is this something you are looking for? Windows Grep

I use it all the time searching for text in my .php files.


@Sam: thank you for your input, I've started from there and watched which files were cleaned by your contrib.

@Stein: Thank you man, this is exactly the program I was looking for. Thanks for posting.

One last question now that I've searched some of my files for $post vars. Clean code needs to be inserted only in the catalog/root php files, such as create_account, login etc., and not in other directories such as catalog/includes/...

For example order.php from catalog/includes/classes does have post vars... or another example with html_output.php in includes/functions... or even application_top.php in includes... I don't need to clean there? Only the "standard" pages in my root/catalog directory, right?


Clean code needs to be inserted only in the catalog/root php files, such as create_account, login etc., and not in other directories such as catalog/includes/...

Yes, you only need to look at files in the root as those are the only ones seen directly by your visitors; functions in ancillary files are there for use by the root files and are not directly accessed.

Sam


Question about Cross Site anti hacking with XSS...

My host doesn't allow me to add Options +FollowSymLinks and has put # in front of it. Will this render this addon null and void, or should I still add it?

Also, what exactly does this do? The 2nd part of the instruction is to create an index_error.php file with whatever content you want to be displayed. What does this mean?

Contributions installed: Purchase without Account / STS / All Products / Header Tags Controller


Also we're instructed to remove filemanager.php from catalog/admin and from admin/includes/boxes/tools.php.

We should also remove define_language.php from catalog/admin, so should we go to admin/includes/boxes/tools.php and delete this:

'<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>'


Hi, I thought I should share this with you:

In your admin folder's .htaccess try this:

# check admissible IP-address
# Protect files and directories from prying eyes.
<FilesMatch "...">
Order deny,allow
Deny from all
# allow only your ip address (you could add more if you like):
allow from 12.34.56.78
</FilesMatch>

# Authentication
Top it off with the normal Authentication.

If you have a dynamic ip-address, change the above allowed ip-address using your ftp-software.


Hi,

I followed all the steps provided in the installation guide for Security Pro, but when I logged into my admin panel I couldn't find the FWR Security Pro option anywhere, therefore I couldn't turn it on.

What am I missing?


I have read through all the pages and did not see this mentioned. Will either Security PRO or Sam's Anti-hacker Mods take care of the HTTP Response Splitting that McAfee Secure finds? And are they both compatible with PayPal Payments Standard?

 

Thank you.


Hi,

This is basically a question for the site security experts (Spooks, Germ etc.)

I am up to date with all the security fixes (thanks all) but have seen the recent addition in the add-ons section, PHP Intrusion Detection System for osCommerce. Would you think this is a worthwhile add-on to include?

I don't know enough about php to decide myself, and I have not seen the contributor before.

Comments would be appreciated.

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


First, let me thank all of you for the many contributions!

 

I am new to osCommerce (I have V2.2 RC2a). I am trying to get my security straight but am having some difficulty following some of the addons.

 

Starting with my directory structure ... I have no catalog folder on my hosted site (dreamdolldesigns DOT com). The root seems to be public_html.

 

Starting with the most basic MUST do fix I am trying to get rid of file_manager.php however, I do not find it where this thread says it should be. I do find english, spanish, german & french versions under admin/includes/languages/ & under cgi-bin/admin/includes/languages/.

 

Do I delete all of them?


When I go to "You can stop Cross Site Scripting attacks with Anti XSS" http://addons.oscommerce.com/info/6044 the download is an empty zip file!

Is it still a valid addon and where do I get it?

thanks, ed

Go to the Anti XSS link you provided and click the "HISTORY" tab. Expand (+) "Best version to use here".

Starting with my directory structure ... I have no catalog folder on my hosted site (dreamdolldesigns DOT com). The root seems to be public_html.

If you don't have a catalog folder, most likely your site is installed in root (public_html).

If you're installing an addon, for example, that calls to edit catalog/includes/application_top.php, for you it will be root ("/", public_html)/includes/application_top.php.

Starting with the most basic MUST do fix I am trying to get rid of file_manager.php however, I do not find it where this thread says it should be...

Go back to the very first page of this thread and read the first post by Spooks (aka Sam).


Just thought I'd share my discovery of some strange files on my site:


Web site and shop were working fine, no reports of problems. Site has 'normal' security, i.e. nothing really special added (but that will change!); I do all file and db changes on my home server before uploading changed files/folders and data to the 'live' site.

Just by chance, I discovered files without extensions containing all manner of rubbish (lists of keywords for dubious sites, links to said sites, lists of ISP addresses, etc.) and gzip compressed php files buried deep in the admin/includes/languages/english/images/buttons folder - not the most obvious place to look! These were on the hosted site only; nothing on my home server so I guess they were not from a rogue contribution.

As I said, no obvious effects noticed on the site so I don't know if there was malicious intent or just an attempt to pinch a few underhand links - HOWEVER - I have noticed on a couple of occasions that when I click on my shop's Google search result the link is hijacked and I get redirected to a nuisance site called 'searcheaven.com'.

 

So, now to investigate some of the suggestions in this thread and concentrate more on site security.

 

Thanks guys,

 

Mike


Go to the Anti XSS link you provided and click the "HISTORY" tab. Expand (+) "Best version to use here".

If you don't have a catalog folder, most likely your site is installed in root (public_html).

If you're installing an addon, for example, that calls to edit catalog/includes/application_top.php, for you it will be root ("/", public_html)/includes/application_top.php.

Go back to the very first page of this thread and read the first post by Spooks (aka Sam).

 

Thanks Bryce ...

 

As for which .htaccess file to modify (since it seems all folders have the file) ... would it be the one in public_html ... at the root?

As for the file_manager question ... it looks like there was one for osCommerce & others for cPanel. After seeing that the v2.2 RC2a release had FWR's Security Pro already included, maybe this version dumped the osCommerce file_manager too. Sound right?

 

Thanks again all,

ed


"Just thought I'd share my discovery of some strange files on my site:"

 

 

Further to my earlier post, now discovered that the problem is the 'eval(base64_decode hack' as described in another thread - so that's why Google Webmaster Tools kept telling me that 'forex' and other garbage keywords were in my site!!

 

Mike


Should I download and run all of the recommended security add-ons??

 

 

Yes - Before you do anything you need to make your site secure.


My host doesn't allow me to add Options +FollowSymLinks and has put # in front of it. Will this render this addon null and void, or should I still add it?

 

I know this answer is more than a month after the fact, but I also wanted to know why it's necessary.

 

The "Options +FollowSymLinks" statement is required in order for the rewrite rules to work. From the Apache documentation:

 

The rewrite engine may be used in .htaccess files. To enable the rewrite engine for these files you need to set "RewriteEngine On" and "Options FollowSymLinks" must be enabled. If your administrator has disabled override of FollowSymLinks for a user's directory, then you cannot use the rewrite engine. This restriction is required for security reasons.

 

It's possible that your host defaults to FollowSymLinks enabled. You can ask them about that.

Check out Chad's News.


Archived

This topic is now archived and is closed to further replies.
