Follkes Posted March 8, 2010

I can't install Sam's since this: http://www.oscommerce.com/forums/topic/298099-header-tags-seo/page__view__findpost__p__1491051

So you mean to adapt the code to all the forms affected by Sam, line by line?
spooks (Author) Posted March 8, 2010

Quoting: "I can't install Sam's since this http://forums.oscomm...ost__p__1491051"

Why not? Just because you added header tags does not mean you cannot add that, esp. as most of those pages are SSL, so should not be indexed by the robots, so don't need header tags anyway. What benefit would a good SEO score for any form page (for input) have, other than to make it easy for hackers to find them? (I'm thinking of the reviews input there, a common target.) But if you just want to add the sanitising, add the function and use the instructions for product_reviews_write.php for all those pages; of course you'll lose all the validation benefits, so you'll get some PCI scan false positives.

PS: spotted the specific post you're referring to (don't rely on forum links, they often fail). That's talking of a totally different contrib and product_info.php, which Sam's Anti-hacker Account Mods does not touch!! (It's a non-issue too!!)

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
jo24 Posted March 8, 2010

OK, I have renamed my files and changed permissions. Do I need to add these add-ons to secure my site more? Many thanks.
spooks (Author) Posted March 8, 2010

Quoting: "OK, I have renamed my files and changed permissions. Do I need to add these add-ons to secure my site more? Many thanks."

YES. Renaming file_manager.php is not sufficient, it must be deleted. Renaming admin is not sufficient, you must do the remaining admin security steps. You must do all steps in the OP to properly secure your site; if it was as easy as a bit of renaming & permission changes I would have said so!! If you don't believe it, get a PCI scan, or wait till the hackers find you!!

Sam
jo24 Posted March 8, 2010

Thanks for getting back to me, Spooks. I have deleted the file manager as well. Basically I need to put the add-ons on. Which add-ons do you recommend? Many thanks.
spooks (Author) Posted March 8, 2010

Quoting: "Basically I need to put the add-ons on. Which add-ons do you recommend?"

The ones I gave in my OP, still!!

Sam
bluecoral Posted March 9, 2010

Does anyone have a clean osCommerce version with all these modules updated? Is there any place where you can download the whole thing, or is the only way to manually install each security update separately? Thanks in advance! D.
Follkes Posted March 9, 2010

I don't think so; if you find such a thing please tell me!!

Spooks, OK then, I will update Jack's 3.1.8 to 3.1.9-3.2.0 and then I will apply your anti-hack. One thing though, and I tell this to everyone: in Jack 3.2.0 one of the steps is to replace /admin/includes/application_top.php, so the mail.php hack is back in case you put the FWR patch on!!!
Follkes Posted March 10, 2010

Sorry to be a pain, but I am having an error when bunkering my .htaccess. My actual file is as follows:

# If you are getting errors you may need to comment this out like ..
# Options +FollowSymLinks
#Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
# RewriteBase instructions
# Change RewriteBase dependent on how your shop is accessed as below.
# http://www.mysite.com = RewriteBase /
# http://www.mysite.com/catalog/ = RewriteBase /catalog/
# http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/
# Change RewriteBase using the instructions above
RewriteBase /shop/catalog/
RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-([0-9_]+).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
# Articles contribution
RewriteRule ^(.*)-t-([0-9_]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
# Information pages
RewriteRule ^(.*)-i-([0-9]+).html$ information.php?info_id=$2&%{QUERY_STRING}
# Links contribution
RewriteRule ^(.*)-links-([0-9_]+).html$ links.php?lPath=$2&%{QUERY_STRING}
# Newsdesk contribution
RewriteRule ^(.*)-n-([0-9]+).html$ newsdesk_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nc-([0-9]+).html$ newsdesk_index.php?newsPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nri-([0-9]+).html$ newsdesk_reviews_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nra-([0-9]+).html$ newsdesk_reviews_article.php?newsdesk_id=$2&%{QUERY_STRING}
</IfModule>
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Block people seeing the htaccess file
<Files .htaccess>
order deny,allow
deny from all
</Files>
# Force type & prevent script execution
<Files site>
ForceType application/x-httpd-php
</Files>
# no access to htaccess files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

And I want to include this, i.e.:

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

I know it is part of the basics, but I don't know how to glue it to the actual file. All I see in guides are blocks like this, but not the proper logic in it. I guess I don't need another RewriteEngine On because the XSS rules are working, so just RewriteRule? Thanks
Follkes Posted March 11, 2010

Solved, I think, and maybe someone with USU5 will find this useful.

#Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
# RewriteBase instructions
# Change RewriteBase dependent on how your shop is accessed as below.
# http://www.mysite.com = RewriteBase /
# http://www.mysite.com/catalog/ = RewriteBase /catalog/
# http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/
# Change RewriteBase using the instructions above
RewriteBase /shop/catalog/
RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-([0-9_]+).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
# Articles contribution
RewriteRule ^(.*)-t-([0-9_]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
# Information pages
RewriteRule ^(.*)-i-([0-9]+).html$ information.php?info_id=$2&%{QUERY_STRING}
# Links contribution
RewriteRule ^(.*)-links-([0-9_]+).html$ links.php?lPath=$2&%{QUERY_STRING}
# Newsdesk contribution
RewriteRule ^(.*)-n-([0-9]+).html$ newsdesk_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nc-([0-9]+).html$ newsdesk_index.php?newsPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nri-([0-9]+).html$ newsdesk_reviews_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nra-([0-9]+).html$ newsdesk_reviews_article.php?newsdesk_id=$2&%{QUERY_STRING}
</IfModule>
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots
RewriteBase /shop/catalog/
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
#<Limit GET PUT POST>
#order allow,deny
#deny from .br.geocities.com
#deny from 62.29.0.0/17
#allow from all
#</Limit>
# deny access to unused filetypes
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>
# no access to htaccess files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
# no access to config files
<Files ~ "\config.php$">
deny from all
</Files>
# FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

The # is for the future, and maybe it is better simply "deny from". Could anyone check if it is OK or just crap? Thanks.
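The [OR] chaining the two posts above wrestle with can be checked offline. This is an added example, not from the thread or any osCommerce add-on: a small Python model of how mod_rewrite walks a RewriteCond list, run against the posted query-string filter, a shortened copy of the posted bot block, and the first attempt's chain that ended with [OR]; the request samples are constructed.

```python
import re

# One tuple per RewriteCond line, in file order: (server variable, pattern, flags).
# Patterns are copied from the posted .htaccess; Python's re is close enough to
# PCRE for these expressions.
QUERY_FILTER = [
    ("QUERY_STRING", r"base64_encode.*\(.*\)", {"OR"}),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", {"NC", "OR"}),
    ("QUERY_STRING", r"(\<|%3C).*iframe.*(\>|%3E)", {"NC", "OR"}),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    ("QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", set()),  # no [OR]: closes the chain
]

# A few entries of the posted bad-bot block.  The last line has no [OR]; that is
# what closes the chain before "RewriteRule ^.* - [F,L]".
BOT_FILTER = [
    ("HTTP_USER_AGENT", r"libwww-perl", {"OR"}),
    ("QUERY_STRING", r"r57shell", {"OR"}),
    ("QUERY_STRING", r"c99", {"OR"}),
    ("HTTP_USER_AGENT", r"^Wget", {"OR"}),
    ("HTTP_USER_AGENT", r"^Zeus", set()),
]

# The first attempt pasted "RewriteCond %{QUERY_STRING} c99 [OR]" as its final
# line, so every condition in that chain carried [OR].
TRAILING_OR_FILTER = BOT_FILTER[:3]


def cond_matches(cond, request):
    """Evaluate one RewriteCond against a request (dict of server variables)."""
    variable, pattern, flags = cond
    re_flags = re.IGNORECASE if "NC" in flags else 0
    return re.search(pattern, request.get(variable, ""), re_flags) is not None


def rule_applies(conds, request):
    """Walk the RewriteCond list the way mod_rewrite does.

    A failed condition without [OR] aborts the rule.  A failed condition with
    [OR] just moves on to the next one.  A passed condition with [OR] skips the
    rest of its OR group.  Reaching the end of the list means the RewriteRule
    fires, so a chain whose final line still carries [OR] fires for every
    request once all of its conditions have failed.
    """
    i = 0
    while i < len(conds):
        matched = cond_matches(conds[i], request)
        if "OR" in conds[i][2]:
            if matched:
                # Jump to the condition that closes this OR group ...
                while i < len(conds) and "OR" in conds[i][2]:
                    i += 1
            # ... and step past it (or past the failed [OR] condition).
            i += 1
        elif not matched:
            return False
        else:
            i += 1
    return True


def check_request(request):
    """Verdict for one request under the posted file; both blocks answer 403 via [F]."""
    if rule_applies(QUERY_FILTER, request):
        return "403 query-string filter"
    if rule_applies(BOT_FILTER, request):
        return "403 bad-bot filter"
    return "allowed"


# Constructed requests; the user agents are made up for the example.
SAMPLES = {
    "shopper": {"QUERY_STRING": "products_id=31&osCsid=abc123",
                "HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
    "xss_probe": {"QUERY_STRING": "cPath=%3Cscript%3Ealert(1)%3C/script%3E",
                  "HTTP_USER_AGENT": "Mozilla/5.0"},
    "perl_client": {"QUERY_STRING": "products_id=31",
                    "HTTP_USER_AGENT": "libwww-perl/5.805"},
    # "Wget" not at the start of the string: the anchored ^Wget pattern misses it.
    "wget_in_middle": {"QUERY_STRING": "",
                       "HTTP_USER_AGENT": "Mozilla/5.0 compatible; Wget/1.12"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:15s} -> {check_request(req)}")
    print("trailing [OR] chain fires for the shopper:",
          rule_applies(TRAILING_OR_FILTER, SAMPLES["shopper"]))
```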
Guest Posted March 11, 2010

Hi guys, just trying to secure my site; this is the first time I have used osCommerce (so please be gentle ;P). When I try to back up my database I get this response:

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/gzip) is not within the allowed path(s): (/home/elitegol:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/elitegol/public_html/admin/backup.php on line 443
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/local/bin/zip) is not within the allowed path(s): (/home/elitegol:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/elitegol/public_html/admin/backup.php on line 444

Any ideas?
spooks (Author) Posted March 11, 2010

Quoting: "Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/gzip) is not within the allowed path(s):"

open_basedir restriction on your server, set by your host. This should fix things:

admin/includes/application_top.php (42):

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', '/usr/bin/gzip');
define('LOCAL_EXE_GUNZIP', '/usr/bin/gunzip');
define('LOCAL_EXE_ZIP', '/usr/local/bin/zip');
define('LOCAL_EXE_UNZIP', '/usr/local/bin/unzip');

replace with:

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', 'gzip');
define('LOCAL_EXE_GUNZIP', 'gunzip');
define('LOCAL_EXE_ZIP', 'zip');
define('LOCAL_EXE_UNZIP', 'unzip');

Sam
Guest Posted March 12, 2010

Thank you soooo much Sam :D Could you help me with another problem I have?? I am going through your steps to secure the site. I have changed all the permissions and deleted the filemanager. However, I am trying to change the admin folder's name to something else. I have read various other threads on how to do this, but whenever I do I get this error message when logging in:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19
Unable to connect to database server!

I had a look at line 19 of database.php but wasn't surprised when I realised I had no clue as to what the problem was :P Thanks in advance again ;) Chris
spooks (Author) Posted March 12, 2010

Quoting: "I am trying to change the admin folder's name to something else. I have read various other threads on how to do this, but whenever I do I get this error message when logging in:"

It would help if you said exactly what you have done, i.e. have you set configure.php correctly? You would be best posting in Jan's thread on this, as that's where most solutions for this issue are found.

Sam
Guest Posted March 12, 2010

Quoting: "It would help if you said exactly what you have done, i.e. have you set configure.php correctly? You would be best posting in Jan's thread on this, as that's where most solutions for this issue are found."

Hi Sam, I did leave a post in another thread related to this but no one got back to me. And you seem pretty active, and good at this :D Just in case you can help me, this is what I have done. I changed my configure.php folder so that the lines:

define('DIR_WS_ADMIN', '/.//admin/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//admin/');

read

define('DIR_WS_ADMIN', '/.//new_name/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//new_name/');

I then saved and uploaded the new configure.php file to my server. I then accessed my server (I use cPanel to do this) and renamed the admin folder to the new_name. Then when I tried to log back into my admin section I got that error.

Cheers, Chris (really do appreciate your help)
spooks (Author) Posted March 12, 2010

Quoting: "I changed my configure.php folder so that the lines: define('DIR_WS_ADMIN', '/.//admin/'); define('DIR_FS_ADMIN', '/home/my_site/public_html/.//admin/'); read define('DIR_WS_ADMIN', '/.//new_name/'); define('DIR_FS_ADMIN', '/home/my_site/public_html/.//new_name/');"

Those look wrong.

CATALOG/ADMIN/INCLUDES/CONFIGURE.PHP

define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/servername/public_html/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/admin/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

The other thing is, did you check you were editing your current configure file? Remember, in the install osC sets the dbase settings in the file, so your file version will differ from your site one unless you download it after install. If you have overwritten the old dbase settings like that, just get them from the client-side configure file.

Sam
Guest Posted March 12, 2010

When I installed osCommerce I did it through cPanel because my host provides it in their software tab. All I did then was compress the files, download them and edit them in my text editor. I just did a fresh install (on my test site) and downloaded the configure.php file from my admin/includes folder; this is what's in it:

<?php
define('HTTP_SERVER', 'http://my_site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://my_site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://my_site.co.uk');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/my_site/public_html/osc');
define('DIR_WS_ADMIN', '/osc/admin/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/osc/admin/');
define('DIR_WS_CATALOG', '/osc/');
define('DIR_FS_CATALOG', '/home/my_site/public_html/osc/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'my_site_osc1');
define('DB_SERVER_PASSWORD', 'xxxxxxxx');
define('DB_DATABASE', 'my_site_osc1');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>

Am I correct in thinking that until I get this sorted my site is at risk??
kenkja Posted March 13, 2010

Hello, I'm a newbie to osCommerce. I have just read this thread & have a few questions.

1. Is there a specific order in which the add-ons mentioned in post 1 should be added?
2. I intend to use PayPal & Netbanx as my checkout methods; should their add-ons be uploaded before or after the security add-ons?
3. I've not yet chosen a web server, and many of the posts refer to issues with the server & also that Windows servers appear to be more difficult. Obviously I will choose a server which claims to be osCommerce compatible, but are some more compatible than others?
4. I've set up osCommerce through XAMPP on a PC acting as a local server, with the aim of trying to build the site before uploading to the server. If I add security add-ons to the local install, will it have to be done again to suit the server finally chosen? I don't mind if it does, just trying to give myself a timescale/workplan.
5. I've struggled to find how to change permissions, as the majority of posts on this and other threads assume I'll have a server cPanel. The PC runs Vista 32 Home edition, so I know I can change attributes to read-only & have done so, but osCommerce still sees files as writeable. Any clues?

Thanks in advance, ken

Os-commerce v2.3.3; Security Pro v11; Site Monitor; IP Trap; htaccess Protection; Bad Behaviour Block; Year Make Model; Document Manager; X Sell; Star Product; Modular Front Page; Modular Header Tags
spooks (Author) Posted March 15, 2010

1. The most important security issues to address are admin access protection and vulnerability removal, input sanitising (cleaning) with Security Pro & methods for the POST vars, htaccess & XSS prevention, then the rest.
2. Doesn't matter.
3. Do not use a Windows server; use Unix/Linux. Some things used in osC (with add-ons) won't work in Windows.
4. No, just copy across.
5. Windows issue (same for a Windows server): you cannot do that under Windows, like quite a few other things!!

Sam
kenkja Posted March 16, 2010

Spooks, thank you.
Mick160310 Posted March 19, 2010

Quote:
open_basedir restriction on your server, set by your host. This should fix things:

admin/includes/application_top.php (42):

    // Used in the "Backup Manager" to compress backups
    define('LOCAL_EXE_GZIP', '/usr/bin/gzip');
    define('LOCAL_EXE_GUNZIP', '/usr/bin/gunzip');
    define('LOCAL_EXE_ZIP', '/usr/local/bin/zip');
    define('LOCAL_EXE_UNZIP', '/usr/local/bin/unzip');

replace with:

    // Used in the "Backup Manager" to compress backups
    define('LOCAL_EXE_GZIP', 'gzip');
    define('LOCAL_EXE_GUNZIP', 'gunzip');
    define('LOCAL_EXE_ZIP', 'zip');
    define('LOCAL_EXE_UNZIP', 'unzip');

I just want to add my thanks to "spooks" for the above fix - worked brilliantly on my database backup.
johnnybebad Posted March 21, 2010

Maybe I need to up my security, as I have had several attempts, or at least I believe so. The following IPs I caught a few moments ago, according to whois:

91.213.174.123 //admin/file_manager.php/login.php?action=save
222.240.224.43 this one trying to install phpMyAdmin or something, can't remember the exact path (trying to get at my database I think).

How easy is it to go through and check attempts? I only spotted these two as I was logged on the computer at the time.

Thanks
Getting better with mods but no programmer am I.
spooks Posted March 21, 2010 (Author)

Quote:
Maybe I need to up my security, as I have had several attempts, or at least I believe so. The following IPs I caught a few moments ago, according to whois:
91.213.174.123 //admin/file_manager.php/login.php?action=save
222.240.224.43 this one trying to install phpMyAdmin or something, can't remember the exact path (trying to get at my database I think).
How easy is it to go through and check attempts? I only spotted these two as I was logged on the computer at the time.
Thanks

I would shut your site now; looks like someone is intending on the base64 hack (nasty), they're trying to access phpMyAdmin to see your dbase. Why have you not deleted file_manager.php already, renamed admin? Once hacked (if not already) the work is massive compared to what was required to secure b4!! Have you backed up!!

Sam
johnnybebad Posted March 22, 2010

Quote:
I would shut your site now; looks like someone is intending on the base64 hack (nasty), they're trying to access phpMyAdmin to see your dbase. Why have you not deleted file_manager.php already, renamed admin? Once hacked (if not already) the work is massive compared to what was required to secure b4!! Have you backed up!!

LOL. I have implemented many of the security mods, hence why they weren't successful: renamed admin, that is, and the htaccess, Site Security Pro last night and previously Site Monitor etc. Didn't delete the file manager and the define language until I saw the attempt, which have now been removed. That's the first time I have seen an attack on that particular domain being attempted, and it's been around a while. I am guessing the attempt was made as they knew it was an osC site and know about the vulnerability.

Don't know what I was doing at the time in admin, but I occasionally look at whosonline, and that's when I saw the attempts from different IPs going to places they shouldn't be going / don't even exist yet. I was aware of the admin/filemanager issue and became concerned about whether other URLs were attempts to exploit my osC installation. However, if I can isolate these attempts it may highlight security issues with certain mods I have not yet installed but the hacker is aware of and trying to exploit.

I want to make sure I have all the necessary security features now, as it's obvious that attacks are going to be more frequent than they used to be.

Thanks
Getting better with mods but no programmer am I.
spooks Posted March 23, 2010 (Author)

Quote:
I want to make sure I have all the necessary security features now, as it's obvious that attacks are going to be more frequent than they used to be.

The OP details the steps; for the admin hack read Jan's post, but FWR's fix is best to close the specific vulnerability your hacker used (as well as rename, htaccess pw etc etc).

FWR code change: In admin/includes/application_top.php find this code beginning around line 124:

    // redirect to login page if administrator is not yet logged in
    if (!tep_session_is_registered('admin')) {
      $redirect = false;
      $current_page = basename($PHP_SELF);

and change to:

    // redirect to login page if administrator is not yet logged in
    if (!tep_session_is_registered('admin')) {
      $redirect = false;
      $current_page = basename($_SERVER['SCRIPT_NAME']);

For the post issue the best option is now: Anti-hacker Account Mods http://addons.oscommerce.com/info/7202

Sam
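To show why FWR's one-line change closes the path-info bypass seen earlier in the thread, here is an added example (not osCommerce code and not from any poster) that models the admin redirect check with both ways of deriving $current_page; the helper name, the exempt-page list and the constructed request paths are assumptions.

```php
<?php
// Added example, not osCommerce code: models the login-redirect check from
// admin/includes/application_top.php with both ways of deriving $current_page.
// The helper name and the exempt-page list are assumptions for this example.

/**
 * Returns true when the request should be redirected to the login page.
 * $phpSelf and $scriptName stand in for $_SERVER['PHP_SELF'] and
 * $_SERVER['SCRIPT_NAME']; $loggedIn stands in for tep_session_is_registered('admin').
 */
function needsLoginRedirect(string $phpSelf, string $scriptName, bool $loggedIn, bool $useScriptName): bool
{
    if ($loggedIn) {
        return false;
    }
    // Pages an unauthenticated visitor may reach (assumed: only the login page).
    $exempt = ['login.php'];
    // Original code: basename($PHP_SELF). FWR fix: basename($_SERVER['SCRIPT_NAME']).
    $currentPage = basename($useScriptName ? $scriptName : $phpSelf);
    return !in_array($currentPage, $exempt, true);
}

// Constructed requests. PHP_SELF carries any trailing PATH_INFO, while
// SCRIPT_NAME names the script the web server actually executes.
$requests = [
    'normal login page'        => ['/admin/login.php',                  '/admin/login.php'],
    'file_manager + path info' => ['/admin/file_manager.php/login.php', '/admin/file_manager.php'],
];
$variants = [
    ['useScriptName' => false, 'label' => 'basename($PHP_SELF)'],
    ['useScriptName' => true,  'label' => "basename(\$_SERVER['SCRIPT_NAME'])"],
];

foreach ($requests as $name => [$phpSelf, $scriptName]) {
    echo "Request: $name\n";
    foreach ($variants as $v) {
        $redirect = needsLoginRedirect($phpSelf, $scriptName, false, $v['useScriptName']);
        printf("  %-35s -> %s\n", $v['label'],
            $redirect ? 'redirect to login page' : 'no redirect, script runs without a session');
    }
}
```

For the normal login page both forms behave the same, so the fix does not break logging in; for the path-info request only the SCRIPT_NAME form still forces the redirect.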