Guest Posted January 26, 2012
Oops.
Chris
♥altoid Posted January 26, 2012
Quote: Hi All, my installation of osCommerce RC2.2 was hacked even though I renamed the admin folder and applied .htaccess. Does anybody know of any other possible vulnerability that could have allowed the hackers in?
Hello there, for the 2.2 osC there's a bunch of security recommendations. See the very first post in this topic by Jan; he provides info there on more security measures.
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.
ski holidays Posted January 27, 2012
D'oh, I missed that. Thanks, I will look that up. I read your signature; feels like I am at the beginning of the journey that you took, sheesh!
Taipo Posted January 27, 2012
There is a known security issue with the 2.2 range of osCommerce versions that offer an admin login. It is possible that attackers were able to add rogue shell files into your site's directories, often in the images directory, which are used to exploit your website. So along with following the security recommendations here, make sure you go through all your website directories and remove any PHP files that should not be there.
- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC: 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
vampirehunter Posted April 11, 2012
Hi, can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation? Which addons, things I should change? I tried osCommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem. I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again. Please advise of the 2.3.1 security procedures to make it strong and safe from hackers. Thanks
Guest Posted April 11, 2012
@vampirehunter There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/page__hl__security%20231
Also, the installation of contributions has not changed; there are still manual code edits when applying changes.
Chris
vampirehunter Posted April 11, 2012
Quote: @vampirehunter There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/page__hl__security%20231 Also, the installation of contributions has not changed; there are still manual code edits when applying changes. Chris
OK, thanks. I read the page; it says for 2.3.1 I should install these particular ones? Is this right?
1. Security Pro from FWR Media { 2.3.1 and lower.
   a. Addon
   b. Support }
3. Filesafe from FWR Media { 2.3.1 and lower
   a. Addon
   b. Support
   Filesafe replaces "Site Monitor". Site Monitor is old and tired. }
5. Rename /admin/ and htpasswd it { 2.3.1 and lower
   a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg: /d9fne3ufvurjes%kep/
   b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!) }
6. Remove references to (newly renamed) admin area in outgoing emails { 2.3.1 and lower
   a. renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address. More. }
7. Add extra login parameter (JanZ) { 2.3.1 and lower
   a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading. }
Taipo Posted April 13, 2012
It's all optional for version 2.3.1. So far there have been no known security holes found in that version. The 2.2 range of osCommerce sites though need additional code patches.
spooks Posted April 13, 2012
Quote: 6. Remove references to (newly renamed) admin area in outgoing emails {
The fix you linked to often no longer works, see my post in the linked thread.
Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
zefeena Posted June 17, 2012
I have looked at sorting this out and can't even find the file I need! I do not have cPanel; when I go to file manager I have various directories at the same level, including one called FTP and another VAR. The var has a directory path var/www/vhosts/apattern.co.uk but I have no files in it! I thought my files were supposed to go there, but the host said they needed to go in httpdocs, which is on the same level below FTP. When I auto-installed WordPress all the files went in FTP/httpdocs and my store is at FTP/httpdocs/catalog. I link from WordPress to my store, and therefore this can be problematic, so I have been advised to carry out the following, but I cannot find a file called .htaccess!!!
How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
QUESTION: Using .htaccess authentication makes the directory inaccessible. HTTP Basic Authentication with the webserver redirects everything to textpattern's index page. Using HTTP Auth with Apache results in 404 error pages.
ANSWER: Please add the following lines to your .htaccess file:
ErrorDocument 401 /[path_to_file]/myerror.html
ErrorDocument 403 /[path_to_file]/myerror.html
Make sure you point to existing, static html files.
Running a botched up version of osCommerce Online Merchant v2.3.4 bootstrap with the dresscode theme installed, numerous add-ons, terrible coding, terrible website, but will have to make do until I have made up for my losses and can risk shutting down for a couple of weeks while I start all over again. - I did not install my program but am endeavouring to fix it with your help.
zefeena Posted June 17, 2012
Quote: It's all optional for version 2.3.1. So far there have been no known security holes found in that version. The 2.2 range of osCommerce sites though need additional code patches.
The version I have just downloaded is 2.3.1, so do I not have to do the renaming thing?? And will I still have the other problem? How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
Jack_mcs Posted June 17, 2012
Quote: The version I have just downloaded is 2.3.1, so do I not have to do the renaming thing?? And will I still have the other problem? How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
I don't know what you mean by "renaming thing" but if you are asking if you should rename the admin directory, the answer is yes. I don't know what "textpattern" is so I can't comment on that, but Plesk, which is the name of your control panel, has an option that will let you password protect directories. If you don't know how to find it, your host should be able to provide help with it.
Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons: Get the latest versions of my addons. Recommended SEO Addons
bensuba Posted July 29, 2012
Hi, I'm really new to this, but I want to share what I have done. I was installing osCommerce on a GoDaddy server, and I don't like /catalog to be in my domain, because of SEO matters. When I moved all the files to the root path/directory I got a 500 Internal Server error... What I've done is: go to admin/includes and find .htaccess, open/edit it, and scroll down until you see
AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd
Require valid-user
and delete /catalog or rename it with /youradminfolder, whatever you named it.
My profile
bensuba Posted July 29, 2012
Quote: go to admin/includes and find .htaccess
Sorry, it was in the /admin directory.
germ Posted July 29, 2012
Previously mentioned here
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >
jolly34 Posted September 7, 2012
I believe that giving a new name to the admin folder amounts to advising site operators that they should not print their URL on invoices pertaining to executed orders.
suzgems1 Posted April 14, 2013
I just did an install of 2.3.3. I am bringing over my store from 2.2. I am now suddenly unable to log in to my administration panel. The username and password that I am putting in are the same that I had set them up to be. Is this to do with the additional security that I was asked to set up in the post-installation interactions? I simply can't log in and am told 'maximum number of log-ins attempted, please try again in 5 minutes'. However that's not working either. I would like to just bypass this now, so as to get my store up and running again. www.gouletdesigns.com/catalog/admin. Thank you!
Guest Posted April 15, 2013
@suzgems1 You may need to reset your admin password by truncating the administrators table in your database. Then, create a new username and password when prompted when you access your admin area.
Also, if you had previously set up .htaccess protection on the /admin directory, you will also need to reset those files as well by replacing them with new files from the original osCommerce download.
Chris
suzgems1 Posted April 15, 2013
Thanks Chris. How do I "truncate the administrators table in your database"? Don't know how to do that. I can replace the admin files as you're asking. Do both actions need to take place in order for me to get in? Thank you!
Suzanne
Demitry Posted September 10, 2013
Hi, I have version 2.2-MS2 with several security measures installed. I was thinking of adding the following code to the main .htaccess file in order to deny access to all IPs except for mine to the (already renamed) admin folder.
RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$
RewriteRule ^admin_directory(.*)$ http://www.mysite.com/ [R,L]
Does anyone know of any negative implications of doing this? ...such as system generated emails, or user tracking, or some other aspect of the admin directory? Thanks in advance for any help on this.
osCommerce: made for programmers, ...because store owners do not want to be programmers. https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce
Demitry Posted September 11, 2013
Taking this a step further and using the IP Trap contribution, I added "admin/" to the URL in the aforementioned code so that anyone who tries to access the already renamed admin directory will get their IP banned.
RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$
RewriteRule ^admin_directory(.*)$ http://www.mysite.com/admin/ [R,L]
Trouble is to remember to change my IP address in the .htaccess file in the case that I have to work remotely, so as not to have to unblock my remote IP. ;O)
Still looking to find out if there are any negative implications of adding this code to the .htaccess file. Does anyone know?
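An alternative layout for the same restriction, as an added example that is neither Demitry's rules nor the .htaccess osCommerce writes for you: instead of a rewrite in the root .htaccess that redirects unwanted visitors (and, in the IP Trap variant, bans anyone who hits the path from a non-listed address, including you from a remote connection), put the allow-list in the renamed admin directory's own .htaccess next to the Basic auth lines, so a non-listed address gets a plain 403 and listed addresses still need the password. The address 203.0.113.10, the AuthUserFile path and the directory name are placeholders, and the directory needs AllowOverride AuthConfig and Limit (or All). On Apache 2.4 a top-level `Require valid-user` next to a `<RequireAll>` block would be OR'd with it, which is why the password check sits inside each version's block.

```apache
# .htaccess in the renamed admin directory (name is a placeholder).
# Added example, not from the thread or from osCommerce.

AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/example/.htpasswd_oscommerce

# Apache 2.4 (mod_authz_core): password AND source address must both pass.
<IfModule mod_authz_core.c>
  <RequireAll>
    Require valid-user
    Require ip 203.0.113.10
  </RequireAll>
</IfModule>

# Apache 2.2: Satisfy All makes the Allow list and the password both mandatory.
<IfModule !mod_authz_core.c>
  Require valid-user
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10
  Satisfy All
</IfModule>

# For a second location add another "Require ip" / "Allow from" line instead
# of editing the existing one; a CIDR such as 198.51.100.0/24 is also accepted.
# Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the
# allow-list would see the proxy rather than the visitor.
```

Because nothing is redirected, admin-generated e-mails, order links and anything else that refers to the admin URL are unaffected; a blocked client simply receives 403 from that directory.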
wealthcreation Posted October 3, 2013
Dear Authors, I am having problems securing my website with .htaccess and .htpasswd_oscommerce. Please, someone educate me.
♥altoid Posted October 3, 2013
Quote: Dear Authors, I am having problems securing my website with .htaccess and .htpasswd_oscommerce. Please, someone educate me.
If you mean securing the admin side of your site, and if your version is the 2.3 series, go to admin > Configuration > Administrators.
Guest Posted March 4, 2014
Hi, I am trying to rename the admin area in osCommerce 2.3.3.4. It's so simple, yet I can't get it to work.
3 Change admin name
Change configure.php in 2 places.
Done, but doesn't work.
My question is: does the admin folder in 2.3.3.4 need to be renamed, and if so exactly how? It's always been so simple. I've tried changing the name of the admin file then changing it in the 2 places in admin>configure.php. Please don't shoot me.
Kind regards
grandpa
♥joli1811 Posted March 4, 2014
Hi
It is the yellow admin folder where you want to change the name, then in admin/includes/configure.php in 2 places to reflect the new admin name.
It is possible that the permissions on your configure.php are set to non-writable, 444 or something similar (this is how they should be), so you may have to change the permissions first to 666 to be able to overwrite in your control panel file manager. Remember to change back when you are finished (444).
John
PS: one of the best things you can do to protect your admin
To improve is to change; to be perfect is to change often.
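A check for the three pitfalls raised in this thread (step 5b of the list above: configure.php not updated after the rename; bensuba's stale AuthUserFile path giving a 500 after moving /catalog; joli1811's note on leaving configure.php at 444), as an added example that is not part of the thread and not osCommerce code. It reads DIR_WS_ADMIN and DIR_FS_ADMIN from the admin directory's includes/configure.php, which is where osCommerce 2.2/2.3 keep the two admin path defines; the fixture builder and everything else are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from osCommerce: sanity-check a renamed
# admin directory. Usage: sh check_admin.sh /path/to/store/newadminname
# Checks, in order:
#   1. DIR_WS_ADMIN and DIR_FS_ADMIN in includes/configure.php end with the
#      directory's real name (the two defines the posts above mean by
#      "configure.php in 2 places"),
#   2. DIR_FS_ADMIN exists on disk,
#   3. if .htaccess carries Basic auth, its AuthUserFile exists (a path left
#      over from an old /catalog/ location is what produces the 500),
#   4. includes/configure.php is not world-writable.
# The define names come from osCommerce 2.2/2.3; the rest is an assumption.

# Print the single-quoted value of define('NAME', '...') in file $1, name $2.
cfg_value() {
  sed -n "s/^[[:space:]]*define('$2',[[:space:]]*'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# Run the four checks against admin directory $1; print one line per check and
# return 0 only if all of them pass.
check_admin_dir() {
  admin=$(cd "$1" && pwd) || return 1
  name=$(basename "$admin")
  cfg="$admin/includes/configure.php"
  status=0

  [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }

  ws=$(cfg_value "$cfg" DIR_WS_ADMIN)
  fs=$(cfg_value "$cfg" DIR_FS_ADMIN)
  case "$ws" in
    */"$name"/) echo "ok:   DIR_WS_ADMIN = $ws" ;;
    *)          echo "FAIL: DIR_WS_ADMIN = '$ws' does not end in /$name/"; status=1 ;;
  esac
  case "$fs" in
    */"$name"/) echo "ok:   DIR_FS_ADMIN = $fs" ;;
    *)          echo "FAIL: DIR_FS_ADMIN = '$fs' does not end in /$name/"; status=1 ;;
  esac
  if [ -d "$fs" ]; then
    echo "ok:   DIR_FS_ADMIN exists on disk"
  else
    echo "FAIL: DIR_FS_ADMIN '$fs' is not a directory"; status=1
  fi

  ht="$admin/.htaccess"
  if [ -f "$ht" ] && grep -q '^[[:space:]]*AuthUserFile' "$ht"; then
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" | head -n 1)
    if [ -f "$pw" ]; then
      echo "ok:   AuthUserFile $pw exists"
    else
      echo "FAIL: AuthUserFile '$pw' missing; Apache will answer 500"; status=1
    fi
  else
    echo "warn: no Basic auth in $ht"
  fi

  if [ -n "$(find "$cfg" -perm -002)" ]; then
    echo "FAIL: $cfg is world-writable; chmod 444 when you are done editing"; status=1
  else
    echo "ok:   $cfg is not world-writable"
  fi
  return $status
}

# Build a throwaway admin directory (constructed sample input) for a dry run.
# $1 = real directory name, $2 = name written into configure.php,
# $3 = AuthUserFile path written into .htaccess ('' = no Basic auth).
make_admin_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/$1/includes"
  printf "define('DIR_WS_ADMIN', '/catalog/%s/');\ndefine('DIR_FS_ADMIN', '%s/%s/');\n" \
    "$2" "$root" "$2" > "$root/$1/includes/configure.php"
  chmod 444 "$root/$1/includes/configure.php"
  [ -n "$3" ] && printf 'AuthType Basic\nAuthName "osCommerce Admin Access"\nAuthUserFile %s\nRequire valid-user\n' \
    "$3" > "$root/$1/.htaccess"
  printf '%s' "$root/$1"
}

if [ $# -ge 1 ]; then
  check_admin_dir "$1"
fi
```

Run it once after the rename and once after any move of the store between /catalog and the web root; a non-zero exit means at least one line starts with FAIL, and the AuthUserFile line is the one to look at first when the admin URL answers 500.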
This topic is now archived and is closed to further replies.