spooks (Author) Posted April 3, 2010
Well. The site was not attacked again until today. I caught it immediately (within 15 minutes of the modification). The reason you're advised here to wipe your site is that hackers often leave hidden files & folders on the site that, even if you locate them, can't be deleted. So without the host wiping the site they can always come back. Also consider if usernames/passwords could be compromised, or e-mail accounts passing the same hacked. If you can give a time frame any decent host should be able to provide more info.
Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
Jitty25 Posted April 7, 2010
Hi, thank you for keeping this thread live and helping us with questions we don't know the answer to... I implemented all suggested changes several months ago. Today I watched who is online and saw this:
67.195.113.242 //index.php?url=http://www.dkmajolika.cz/main???
I believe the IP address belongs to Yahoo. I asked Google and found this: http://dnsbl.abuse.ch/webabusetracker.php?script=3aff45c9a7e67089e42f914ebff0cb93 and I followed this thread: http://www.oscommerce.com/forums/topic/286605-after-3-great-years-im-being-hacked/page__view__findpost__p__1190067 and I added this code to application_top.php:
// redirect attempted remote file include exploits
if (strpos(strtolower($_SERVER['QUERY_STRING']), 'http:') !== false) {
    header("Location: http://www.mydomain.com");
    exit;
}
But to tell the truth, I really don't know if this is enough... I couldn't find anything new (manually and by site monitor). Thank you very much for your advice.
spooks (Author) Posted April 7, 2010
"remote file include exploits"
If you have Security Pro, that would clean that string & so nullify the attack. If you wish to add specific protection for that attack (in case you expand the allowed list in Security Pro or excluded pages are attacked) you can add:
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
RewriteRule ^(.+)$ - [F]
to your .htaccess, or the code you provided is fine, but needs to be expanded to allow for https & ftp.
Sam
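As an added example (not code from this thread or from Security Pro), a PHP check that extends Jitty25's snippet the way Sam suggests: it flags http, https and ftp URLs in the query string, including URL-encoded ones that the raw mod_rewrite pattern above would not see. The function name is hypothetical; HTTP_SERVER is assumed to be the constant osCommerce defines in includes/configure.php.

```php
<?php
// Added example, not from the thread or from Security Pro.
// Detects the remote-file-include pattern discussed above (?url=http://...)
// for the http, https and ftp schemes, in raw or URL-encoded form.

/**
 * Return true when the query string carries a remote URL in any parameter.
 * Both the raw string and its decoded forms are inspected, so an encoded
 * scheme such as http%3A%2F%2F is caught as well as a plain http://.
 */
function osc_query_has_remote_url($query)
{
    $candidates = array($query, rawurldecode($query), urldecode($query));
    foreach ($candidates as $candidate) {
        // scheme followed by "://", case-insensitive
        if (preg_match('#(?:https?|ftp):/{2}#i', $candidate)) {
            return true;
        }
    }
    return false;
}

// Constructed sample query strings with the expected verdict for each.
$samples = array(
    'url=http://www.dkmajolika.cz/main'   => true,   // the probe seen in the thread
    'page=HTTPS://example.test/shell.txt' => true,   // mixed-case scheme
    'p=ftp%3A%2F%2Fexample.test%2Fx'      => true,   // URL-encoded ftp scheme
    'cPath=22&products_id=31'             => false,  // normal osCommerce request
    'keywords=http+proxy+settings'        => false,  // "http" as an ordinary word
);
foreach ($samples as $q => $expected) {
    assert(osc_query_has_remote_url($q) === $expected);
}

// Drop-in guard for the top of catalog/includes/application_top.php, before
// any $_GET value is used: send the request to the store front and stop.
// Skipped under the CLI so the sample run above works stand-alone.
$query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
if (PHP_SAPI !== 'cli' && osc_query_has_remote_url($query_string)) {
    header('Location: ' . HTTP_SERVER . '/', true, 302);
    exit;
}
```

The mod_rewrite rule in Sam's post only matches the literal scheme in the raw query string, so an encoded scheme passes it; the decoded checks here close that gap in PHP.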
Jitty25 Posted April 8, 2010
Hello spooks, thank you very much for your reply. I do use Security Pro. Thanks again.
Lgn.Magic Posted April 9, 2010
Hey there, do any of you know a good app to search multiple PHP files at the same time? I couldn't really find something decent in my Google searches. I'd like to check all my files to know if I missed some files where I need to add cleaning code. I'd rather know which are the files that have $_POST and $_GET vars and add code to clean per page rather than "dumbly" cleaning it with one code in one page for all pages. For now here is what I cleaned; I think I missed some, and don't wanna open files one by one.
login.php
contact_us.php
ask_a_question.php (not in vanilla install)
tell_a_friend.php
products_review_write.php
account_edit.php
account_password.php
password_forgotten.php
adress_book_process.php
checkout_shipping.php
checkout_payment_adress.php
checkout_shipping_adress.php
account.php
Some files in the article manager contrib for example need a clean I think; I just wanna search all my files. Thank you for your answer! Regards, Fabien.
spooks (Author) Posted April 9, 2010
All the default RC2a files using post are covered in Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202. You need to check any pages added by contributions you've installed, but most pages using any user input are using post.
Sam
Guest Posted April 9, 2010
"Hey there, do any of you know a good app to search multiple PHP files at the same time?"
Is this something you are looking for? Windows Grep. I use it all the time searching for text in my .php files.
Lgn.Magic Posted April 10, 2010
@Sam: thank you for your input, I've started from there and watched which files were cleaned by your contrib.
@Stein: Thank you man, this is exactly the program I was looking for. Thanx for posting.
One last question now that I've searched some of my files for $_POST vars. Clean code needs to be inserted only in the catalog/root PHP files, such as create_account, login etc., and not in other directories such as catalog/includes/.... For example order.php from catalog/includes/classes does have post vars... or another example with html_output.php in includes/functions... or even application_top.php in includes... I don't need to clean there?? Only the "standard" pages in my root/catalog directory, right?
spooks (Author) Posted April 10, 2010
"Clean code needs to be inserted only in the catalog/root PHP files, such as create_account, login etc., and not in other directories such as catalog/includes/...."
Yes, you only need to look at files in the root as those are the only ones seen directly by your visitors; functions in ancillary files are there for use by the root files and are not directly accessed.
Sam
Lgn.Magic Posted April 10, 2010
Ok fine, that confirms what I was thinking. Thank you for your time and answers Sam!!
sarafina Posted April 10, 2010
Question about Cross Site anti hacking with XSS... My host doesn't allow me to add Options +FollowSymLinks and has put # in front of it. Will this render this addon null and void or should I still add it? Also what exactly does this do? The 2nd part of the instruction is to create an index_error.php file with whatever content you want to be displayed. What does this mean?
Contributions installed: Purchase without Account / STS / All Products / Header Tags Controller
sarafina Posted April 10, 2010
Also we're instructed to remove filemanager.php from catalog/admin and from admin/includes/boxes/tools.php. We should also remove define_language.php from catalog/admin, so should we go to admin/includes/boxes/tools.php and delete this:
'<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>'
Juto Posted April 20, 2010
Hi, I thought I should share this with you. In your admin folder's .htaccess try this:
# check admissible IP-address
# Protect files and directories from prying eyes.
<FilesMatch "...">
    Order deny,allow
    Deny from all
    # allow only your ip address (you could add more if you like):
    allow from 12.34.56.78
</FilesMatch>
# Authentication
Top it off with the normal Authentication. If you have a dynamic IP address, change the above allowed IP address using your FTP software.
Contributions: http://addons.oscommerce.com/info/8010 http://addons.oscommerce.com/info/8204 http://addons.oscommerce.com/info/8681
monere Posted April 23, 2010
Hi, I followed all the steps provided in the installation guide for Security Pro, but when I logged into my admin panel I couldn't find the FWR Security Pro option anywhere, therefore I couldn't turn it on. What am I missing?
bjhampe Posted April 29, 2010
I have read through all the pages and did not see this mentioned. Will either Security Pro or Sam's Anti-hacker Mods take care of the HTTP Response Splitting that McAfee Secure finds? And are they both compatible with PayPal Payments Standard? Thank you.
Mort-lemur Posted May 1, 2010
Hi, this is basically a question for the site security experts (Spooks, Germ etc). I am up to date with all the security fixes (thanks all) but have seen the recent addition in the add-ons section, PHP Intrusion Detection System for osCommerce. Would you think this is a worthwhile add-on to include? I don't know enough about PHP to decide myself, and I have not seen the contributor before. Comments would be appreciated. Thanks
Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
ehendley Posted May 5, 2010
First, let me thank all of you for the many contributions! I am new to osCommerce (I have v2.2 RC2a). I am trying to get my security straight but am having some difficulty following some of the addons. Starting with my directory structure... I have no catalog folder on my hosted site (dreamdolldesigns DOT com). The root seems to be public_html. Starting with the most basic MUST do fix, I am trying to get rid of file_manager.php; however, I do not find it where this thread says it should be. I do find English, Spanish, German & French versions under admin/includes/languages/ & under cgi-bin/admin/includes/languages/. Do I delete all of them?
ehendley Posted May 5, 2010
When I go to "You can stop Cross Site Scripting attacks with Anti XSS" http://addons.oscommerce.com/info/6044 the download is an empty zip file! Is it still a valid addon and where do I get it? thanks, ed
BryceJr Posted May 5, 2010
"When I go to You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044 the download is an empty zip file! Is it still a valid addon and where do I get it? thanks, ed"
Go to the Anti XSS link you provided and click the "HISTORY" tab. Expand (+) "Best version to use here".
"Starting with my directory structure ... I have no catalog folder on my hosted site (dreamdolldesigns DOT com). The root seems to be public_html."
If you don't have a catalog folder, most likely your site is installed in root (public_html). If you're installing an addon, for example, that calls to edit catalog/includes/application_top.php, for you it will be root ("/" public_html)/includes/application_top.php.
"Starting with the most basic MUST do fix I am trying to get rid of file_manager.php however, I do not find it where this thread says it should be..."
Go back to the very first page of this thread and read the first post by Spooks (aka Sam).
mghay Posted May 5, 2010
Just thought I'd share my discovery of some strange files on my site. Web site and shop were working fine, no reports of problems. Site has 'normal' security, i.e. nothing really special added (but that will change!); I do all file and db changes on my home server before uploading changed files/folders and data to the 'live' site. Just by chance, I discovered files without extensions containing all manner of rubbish (lists of keywords for dubious sites, links to said sites, lists of ISP addresses, etc.) and gzip compressed PHP files buried deep in the admin/includes/languages/english/images/buttons folder - not the most obvious place to look! These were on the hosted site only; nothing on my home server so I guess they were not from a rogue contribution. As I said, no obvious effects noticed on the site so I don't know if there was malicious intent or just an attempt to pinch a few underhand links - HOWEVER - I have noticed on a couple of occasions that when I click on my shop's Google search result the link is hijacked and I get redirected to a nuisance site called 'searcheaven.com'. So, now to investigate some of the suggestions in this thread and concentrate more on site security. Thanks guys, Mike
ehendley Posted May 5, 2010
"Go to the Anti XSS link you provided and click "HISTORY" tab. Expand(+) "Best version to use here". If you don't have a catalog folder, most likely your site is installed in root(public_html). If you're installing an addon, for example, that calls to edit catalog/includes/ application_top.php, for you it will be root( "/" public_html)/includes/ application_top.php. Go back to the very first page of this thread and read the first post by Spooks(aka Sam)."
Thanks Bryce... As for which .htaccess file to modify (since it seems all folders have the file)... would it be the one in public_html... at the root? As for the file_manager question... it looks like there was one for osCommerce & others for cPanel. After seeing that the v2.2 RC2a release had FWR's Security Pro already included, maybe this version dumped the osCommerce file_manager too. Sound right? Thanks again all, ed
mghay Posted May 8, 2010
"Just thought I'd share my discovery of some strange files on my site:"
Further to my earlier post, I have now discovered that the problem is the 'eval(base64_decode' hack as described in another thread - so that's why Google Webmaster Tools kept telling me that 'forex' and other garbage keywords were in my site!! Mike
altermate Posted May 12, 2010
Should I download and run all of the recommended security add-ons??
Mort-lemur Posted May 12, 2010
"Should I download and run all of the recommended security add-ons??"
Yes - before you do anything you need to make your site secure.
chadcloman Posted May 20, 2010
"My host doesn't allow me to add Options +FollowSymLinks and has put # in front of it. Will this render this addon null and void or should I still add it?"
I know this answer is more than a month after the fact, but I also wanted to know why it's necessary. The "Options +FollowSymLinks" statement is required in order for the rewrite rules to work. From the Apache documentation: "The rewrite engine may be used in .htaccess files. To enable the rewrite engine for these files you need to set "RewriteEngine On" and "Options FollowSymLinks" must be enabled. If your administrator has disabled override of FollowSymLinks for a user's directory, then you cannot use the rewrite engine. This restriction is required for security reasons." It's possible that your host defaults to FollowSymLinks enabled. You can ask them about that.
Check out Chad's News.