ppworks Posted February 17, 2011

Server logs show excessive access to /tell_a_friend.php

I don't use the tell a friend feature.

It appears when /tell_a_friend.php is called directly the user is redirected to:
/product_info.php?products_id=0
where an access denied message is displayed.

Providing a valid product id:
/tell_a_friend.php?action=process&products_id=[Product_id#]
as a guest user can bypass the restriction and send unsolicited mails from the system.

Is it safe to remove /tell_a_friend.php without breaking anything?

geoffreywalton Posted February 20, 2011

If there is an option to "turn off" tell a friend in your shop admin I'd do that first.

HTH

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

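An added example, not part of the original posts: one way to confirm from an Apache access log what ppworks describes, by counting requests per client to /tell_a_friend.php that carry action=process. The log lines, IP addresses, product ids and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Access-log prefix: client, identity, user, [time], "METHOD target PROTOCOL"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def tell_a_friend_hits(log_lines, script="/tell_a_friend.php"):
    """Count, per client, plain hits on the script and action=process hits."""
    direct, process = Counter(), Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(script):
            continue
        if "process" in parse_qs(url.query).get("action", []):
            process[client] += 1  # the mail-sending request from the post
        else:
            direct[client] += 1   # form view or direct call without an action
    return direct, process

def flag_clients(log_lines, threshold=3):
    """Clients with at least `threshold` action=process requests (assumed cut-off)."""
    _direct, process = tell_a_friend_hits(log_lines)
    return sorted(c for c, n in process.items() if n >= threshold)

# Constructed sample: documentation IP ranges, made-up product ids and timestamps.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2011:10:00:01 +0000] "POST /tell_a_friend.php?action=process&products_id=12 HTTP/1.1" 302 -',
    '203.0.113.7 - - [17/Feb/2011:10:00:02 +0000] "POST /tell_a_friend.php?action=process&products_id=12 HTTP/1.1" 302 -',
    '203.0.113.7 - - [17/Feb/2011:10:00:03 +0000] "POST /tell_a_friend.php?action=process&products_id=31 HTTP/1.1" 302 -',
    '198.51.100.4 - - [17/Feb/2011:10:01:00 +0000] "GET /tell_a_friend.php HTTP/1.1" 302 -',
    '198.51.100.4 - - [17/Feb/2011:10:01:01 +0000] "GET /product_info.php?products_id=0 HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Feb/2011:10:02:00 +0000] "POST /catalog/tell_a_friend.php?action=process&products_id=5 HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    print("review these clients:", flag_clients(SAMPLE_LOG))
```
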
hamsaya Posted March 17, 2011

Most people here had issues with renaming the directory. I had the same issue but I was able to fix it. The issue is that when you make a copy of the admin directory or rename your admin directory, the directory permissions change, depending on your domain provider. What you have to do is temporarily set the permissions to either 777 or something for the admin/include/configure.php file. Once the configure admin name is changed to the new directory name you are good to go. Hopefully this is helpful. Oh, don't forget to change the permission on configure back.

Thanks

Hamsaya

Sohgave Posted April 13, 2011

Sorry folks, but the instructions to change the admin folder name did not work for me. I've attempted 4 different times being sure to follow the instructions (from Jan's post) to the letter, but I always end up with "500 The server encountered an internal error or misconfiguration and was unable to complete your request."

As a recap, here is just one of the attempted scenarios:

1.) I had the "admin" folder working fine. I could login and browse the back office; no problems...
2.) I changed the folder name on the server side from "admin" to "mynewname"
3.) I changed the folder name on my local side from "admin" to "mynewname"
4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:

    define('DIR_WS_ADMIN', '/mynewname/'); //and as according to Jan's instructions. This step seemed a bit weird as the original syntax for the first define line reads : "define('DIR_WS_ADMIN', 'catalog/mynewname/');"
    define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');

5.) I uploaded the changes to the server
6.) Cleared my cache
7.) Attempted to login to back office at url: https://shopname.domain.com/catalog/mynewname/

I can get to the first login window but 500 Internal Server Error on second login window...

Any help?? Thanks

Thanks, Shawn

"Surface the ship! Prepare to muster all personnel to escape hatches. Break out the rafts. Lash them to the deck. We'll use them as shelters until the fleet arrives."

Emilytw88 Posted April 21, 2011

Hi Chris,

Can you show us by steps on how to change the config.php file from 444 or to 604?

Thanks.

-Emily

rfwoolf Posted June 15, 2011

> 4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:
>
>     define('DIR_WS_ADMIN', '/mynewname/'); //and as according to Jan's instructions. This step seemed a bit weird as the original syntax for the first define line reads : "define('DIR_WS_ADMIN', 'catalog/mynewname/');"
>     define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');

Sohgave, did you ever come right?

I think the problem is that you left out 'catalog'.

Normally, installations of oscommerce go into a 'catalog' folder, which is annoying because there's no good reason for it, and if you don't know how to point your domain properly, your site's URL will be www.mysite.com/catalog/ -- so most of us get rid of the 'catalog' part during the installation by putting everything that *was* inside catalog up 1 folder.

Therefore, yours probably needs the 'catalog' part, and you will need to use this logic when following the instructions.

Unfortunately this is just one of those things that weren't told to you and you had to learn from experience :P

Guest Posted June 20, 2011

I have searched and searched on these forums, but can't find a solution to my problem. I uploaded my new store to my website, changed the admin directory, and did the password protect with cpanel. I can log into my renamed_admin directory without the .htaccess file, but when it is there, and the htpasswd file is where it is supposed to be (whether I used the cpanel, or wrote my own), it comes up with 404 file not found. It never asks for the user/pw. I am using osC2.3.1.

If I don't have the .htaccess file in the renamed_admin directory, it comes up with the warning that the renamed_admin directory is not password protected.

What am I doing wrong???? I have been fighting this for days, and am running out of patience. I no longer know what to change.

Marianne

staunts Posted July 9, 2011

Hi there,

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

Is there anything I can do to fix this?

cheers,

Adam

altoid Posted July 9, 2011

> Hi there,
>
> I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.
>
> Is there anything I can do to fix this?
>
> cheers,
>
> Adam

Perhaps the username and password are still associated with the old admin name and not the new admin name?

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.

germ Posted July 9, 2011

> Hi there,
>
> I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.
>
> Is there anything I can do to fix this?
>
> cheers,
>
> Adam

You mention a "popup asking for username and password" so I assume the admin is being secured by a .htaccess file.

The .htaccess file contains a line that locates the password file containing the usernames/passwords that work for it, usually located deeper in the folder.

If you change the admin name or path and the password file is deeper in the same folder you have to modify the line in the .htaccess file to relocate it as well.

An example.

Your original admin folder name was "admin" and the password file is in admin/safedir/.htpasswd

The line in the .htaccess file that locates it might look like this:

    AuthUserFile /usr/local/www/admin/safedir/.htpasswd

Say you rename the admin folder to admin90210.

So now the code that locates the password file becomes:

    AuthUserFile /usr/local/www/admin90210/safedir/.htpasswd

HTH :)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

staunts Posted July 9, 2011

Brilliant, thanks guys. That was it, all working now!

KerkChzePerng Posted July 22, 2011

Hi, if this message "xxx.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." is shown, what should I do to fix it?

Guest Posted July 22, 2011

> Hi, if this message "xxx.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." is shown, what should I do to fix it?

You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.

Chris

KerkChzePerng Posted July 22, 2011

> You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.
>
> Chris

Thanks first. But how to detect the malicious code from the files? I'm newbie actually ...

14steve14 Posted September 25, 2011

Why not restore a good working copy of your site from your backup. That would be the easiest way.

REMEMBER BACKUP, BACKUP AND BACKUP

Guest Posted December 1, 2011

I am getting this UGH!

Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/content/12/8659812/html/oscommerce/index.php on line 9

HELP

Guest Posted December 1, 2011

> I am getting this UGH!
>
> Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/content/12/8659812/html/oscommerce/index.php on line 9
>
> HELP

Maceo,

The change you just made to the index.php was incorrect. You will need to check the code edits and correct the syntax.

Chris

Adamanto75 Posted January 18, 2012

Hello,

I am coming into problems when I change my admin filename, I change it to whatever I wanted and changed the code in configure.php uploaded it and when I navigate to www.mystore.com/admin_name it gives me an internal server error. Is there something I am doing wrong?

Thank you in advance

Adamanto75

geoffreywalton Posted January 18, 2012

Check in the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.

HTH

H

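An added example, not code from osCommerce or from any poster: a consistency check for the rename steps discussed above (the DIR_WS_ADMIN / DIR_FS_ADMIN defines, the 'catalog' point rfwoolf raises, germ's AuthUserFile path, and the check suggested in this post). The function name, the shop_path parameter and the sample file contents are assumptions; the folder name admin90210 comes from germ's post.

```python
import re

# Active (uncommented) AuthUserFile directive in .htaccess text.
AUTH_USER_FILE = re.compile(r'^[ \t]*AuthUserFile[ \t]+"?([^"\s]+)"?', re.I | re.M)
# Uncommented define() of the two admin path constants quoted in the thread.
ADMIN_DEFINE = re.compile(
    r"^[ \t]*define\(\s*'(DIR_(?:WS|FS)_ADMIN)'\s*,\s*'([^']*)'\s*\)", re.M)

def _parts(path):
    return [p for p in path.split("/") if p]

def check_admin_rename(htaccess, configure, old, new, shop_path="/"):
    """Return findings left over after renaming the admin folder old -> new.

    shop_path is the URL path of the shop itself, e.g. "/catalog/" (assumed input).
    """
    findings = []
    auth_files = AUTH_USER_FILE.findall(htaccess)
    if not auth_files:
        findings.append(".htaccess: no AuthUserFile directive")
    for path in auth_files:
        if old in _parts(path):
            findings.append(f".htaccess: AuthUserFile still under '{old}': {path}")
    expected_ws = "/" + "/".join(_parts(shop_path) + [new]) + "/"
    for name, value in ADMIN_DEFINE.findall(configure):
        if name == "DIR_WS_ADMIN" and value != expected_ws:
            findings.append(f"configure.php: DIR_WS_ADMIN is '{value}', expected '{expected_ws}'")
        if name == "DIR_FS_ADMIN" and _parts(value)[-1:] != [new]:
            findings.append(f"configure.php: DIR_FS_ADMIN does not end in '{new}/': {value}")
    return findings

# Constructed sample: a shop under /catalog/ whose admin folder was renamed.
HTACCESS = """AuthType Basic
AuthName "Admin"
AuthUserFile /usr/local/www/catalog/admin/safedir/.htpasswd
Require valid-user
"""
CONFIGURE = """<?php
  define('DIR_WS_ADMIN', '/admin90210/');
  define('DIR_FS_ADMIN', '/usr/local/www/catalog/admin90210/');
"""

if __name__ == "__main__":
    for finding in check_admin_rename(HTACCESS, CONFIGURE, "admin", "admin90210", "/catalog/"):
        print(finding)
```
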
Adamanto75 Posted January 19, 2012

> Check in the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.
>
> HTH
>
> H

I checked my admin/.htaccess file and it says this:

    # $Id$
    #
    # This is used with Apache WebServers
    # The following blocks direct HTTP requests in this directory recursively
    #
    # For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
    #
    # Example:
    #
    #<Directory "/usr/local/apache/htdocs">
    # AllowOverride Limit
    #
    # 'All' with also work. (This configuration is in your apache/conf/httpd.conf file)
    #
    # This does not affect PHP include/require functions
    #
    # Example: http://server/catalog/admin/includes/application_top.php will not work

    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>

I don't see it calling for my old admin? Unless I'm missing something. Is there anything else I can do?

Thanks

Adamanto75

geoffreywalton Posted January 19, 2012

> Thanks first. But how to detect the malicious code from the files? I'm newbie actually ...

Really this is a case of experience.

You need to check all files to see if certain known words occur in any file and then look and see if they are malicious.

VTS and site monitor will help you do this.

There are also some tips on cleansing a site in my profile.

HTH

G

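An added example, not one of the tools named in this post: it combines the advice given in the thread, comparing the live site against a known-good backup to find added or changed files and then searching those files for known words. The word list is an assumed starting point (the domain is the one from the warning quoted earlier), and the file trees are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile

# Assumed starting list: the domain from the browser warning quoted in this thread and
# two PHP constructs often used to hide injected code. Extend it for your own site.
SUSPECT = re.compile(rb"eurox5\.biz|eval\s*\(\s*base64_decode|gzinflate\s*\(", re.I)

def manifest(root):
    """Map relative path -> SHA-256 digest for every file under root."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_backup(live_root, backup_root):
    """Return (added, changed, hits): files to review and (path, line) keyword matches."""
    live, good = manifest(live_root), manifest(backup_root)
    added = sorted(p for p in live if p not in good)
    changed = sorted(p for p in live if p in good and live[p] != good[p])
    hits = []
    for rel in added + changed:
        with open(os.path.join(live_root, rel), "rb") as fh:
            for lineno, line in enumerate(fh, 1):
                if SUSPECT.search(line):
                    hits.append((rel, lineno))
    return added, changed, hits

def demo():
    """Build a constructed backup tree and live tree in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        for root in (backup, live):
            os.makedirs(os.path.join(root, "images"))
            with open(os.path.join(root, "index.php"), "wb") as fh:
                fh.write(b"<?php require('includes/application_top.php'); ?>\n")
        with open(os.path.join(live, "index.php"), "ab") as fh:
            fh.write(b"<!-- constructed marker line mentioning eurox5.biz -->\n")
        with open(os.path.join(live, "images", "cache.php"), "wb") as fh:
            fh.write(b"<?php /* constructed unexpected file */ ?>\n")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    print(demo())
```

A changed or added file with no keyword match still needs a manual look; the hash comparison is what finds it, the word list only prioritises.
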
geoffreywalton Posted January 19, 2012

> <Files *.php>
> Order Deny,Allow
> Deny from all
> </Files>

Is there a reason you have deny from all?

Cheers

G

Adamanto75 Posted January 19, 2012

@geoffreywalton

Idk that's how the .htaccess file was written when I downloaded it (I didn't touch it at all).

patrickluursema Posted January 22, 2012

Thanks, this thread helped me out a lot.

Kind regards,

Patrick Luursema

ski holidays Posted January 26, 2012

Hi All, my installation of Oscommerce RC2.2 was hacked even though I renamed admin folder and applied htaccess.

Does anybody know of any other possible vulnerability that could have allowed the hackers in?

Archived
This topic is now archived and is closed to further replies.