
Persistent Hacking


Measha06


Hi Guys,

I am having a problem with my osCommerce developed sites. One of the sites, which was built in an earlier version of osCommerce, is persistently getting hacked. I have applied the security suggestions and this makes no difference; the site still gets hijacked again. I have contacted the hosts, who say their security and firewalls are exemplary and have no problems at all, and that the problems lie within the osCommerce coding allowing hijacks. Can you please advise what I should be looking at doing? The site is highly customised and I don't envy the thought of having to rebuild from scratch. I think the version of osCommerce used to build this site is RC1! The site is www.naturesnaturalbeauty.com.

Last week I overwrote all the files from a copy created before problems occurred and within 5 days it was hacked again.

I would appreciate advice on what to do and how to resolve this issue, but no offers of paid-for advice as I cannot afford to employ anybody to resolve the issue.

Waiting in anticipation of some sound advice.

Regards

Liz

Liz

 

A very appreciative member still attempting to climb the steep learning curve!


Liz,

Overwriting will not get rid of any extra files that the hackers have managed to install - it is these that you MUST get rid of.

It sounds like you have a (hopefully clean) backup of your store files, so in order to remove extra files you need to delete ALL your store files and folders before reloading your clean copy - overwriting a file is not enough.

Don't be tempted to leave your image folder either, as this is one place that hackers hide their files - bring it down to your desktop if you need the images, but only re-upload images that you are sure of (one would hope you had a full backup of images anyway).

Make sure you remove any hidden files (.htaccess) and install new ones as advised in the security patches.

Remove and replace the php.ini file (you should be able to create a new one from your cPanel).

Change your username and password for your database.

Make sure, if you have an administrator table, it doesn't contain any unknown administrators - get rid of any you don't know.

Finally consider upgrading to at least 2.2RC2a and the latest versions of any add-ons you may have, but preferably 2.3 (certainly get a 2.3 to look at and have the add-ons that you already have).

Make sure that you have installed all security patches (not needed for 2.3) and extra security (needed for 2.3 as well).

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary


Hi Julian, thanks for your advice. On my last 'repair' I did remove and delete the entire folder holding all the website and then uploaded my clean copy from last year, and it was back to square one within a few days.

> Make sure you remove any hidden files (.htaccess) and install new as advised in the security patches

Don't think I did this part the last time but had done it previously.

> Remove and replace the php.ini file (You should be able to create a new one from your cPanel)

Not sure how to do this bit, can you give me further advice?

> Change your username and password for your database

How do I do this bit and why?

I did add all security patches and it made no difference. What is the extra security to 2.3 needed? Am I correct that if I download a version of 2.3 then I will have to do each and every customisation separately again? Would I have to download new instructions for the customisation, as the new coding will be different to my original coding, so bits where you are told to add/delete code would be different, wouldn't they?

I really appreciate this advice as obviously Google is getting cross with me and customers can't access the site to buy things, so cash flow is non-existent!

If I take out all the code and replace it with new, what will happen to the synchronisation of the SSL licence, as my host did that part more than 4 years ago when I built the site and I do not know what to do with it?

Looking forward to your response.

Liz


> Hi Julian, thanks for your advice. On my last 'repair' I did remove and delete the entire folder holding all the website and then uploaded my clean copy from last year, and it was back to square one within a few days.

> Don't think I did this part the last time but had done it previously.

> Not sure how to do this bit, can you give me further advice?

In your cPanel somewhere will be an option to create a default php.ini - if you can't find it ask your host for help.

> How do I do this bit and why?

Go to your databases, create a new user and password, now you need to link this new user to your osC database.

Before you upload your new files alter this where marked:

 // define our database connection
 define('DB_SERVER', ''); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', ''); // put new user here
 define('DB_SERVER_PASSWORD', ''); // put new password here
 define('DB_DATABASE', 'osCommerce');
 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'
 ?>

in BOTH configure.php files.

Now delete your old user and password.

You are doing this because the hacker may have managed to get these from your configure file and is accessing your database remotely.

> I did add all security patches and it made no difference. What is the extra security to 2.3 needed? Am I correct that if I download a version of 2.3 then I will have to do each and every customisation separately again? Would I have to download new instructions for the customisation, as the new coding will be different to my original coding, so bits where you are told to add/delete code would be different, wouldn't they?

Security patches stop hackers getting in; they can't do anything about hackers that are already in. Hackers leave files or snippets of code in your files which allow them to access your site from inside - some of these can be time delayed, so an earlier (seemingly clean) backup may just have some dormant script in it which is activated just after you upload it.

With 2.3 you will (and it would be best to) add new customisations separately again, using new downloads of contributions rather than what you already have - some 2.2 add-ons will work without problems, some will need minor alteration, a few will need major recoding. Bear in mind that a basic version of 2.3 right out of the box will be more secure and earn you more money than what you have at the moment.

The extra security I talk about for 2.3 are things like Security Pro and FileSafe from FWR Media, and Bad Behavior from Debs, which is an anti cross-site scripting program - little bits that stop hackers accessing your files to start with. Oh, and don't forget to rename your admin and protect that folder with a .htaccess password.

> I really appreciate this advice as obviously Google is getting cross with me and customers can't access the site to buy things, so cash flow is non-existent!

> If I take out all the code and replace it with new, what will happen to the synchronisation of the SSL licence, as my host did that part more than 4 years ago when I built the site and I do not know what to do with it?

> Looking forward to your response.

> Liz

Your SSL is separate to osC - all you have to do is make sure that the following in your configure.php are set correctly:

 define('HTTP_SERVER', 'http://your_store.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://your_store.com'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?

NOTE the use of https in the second define.

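The two points Julian makes above (overwriting never removes files the intruder added, and a "clean" backup can carry a dormant script) are easiest to act on by comparing the live tree against the known-clean copy file by file. The script below is an added example written for this thread, not osCommerce code and not something Julian posted. It assumes both trees are available as local directories (for example the live site downloaded next to the backup), standard POSIX tools (`find`, `sort`, `comm`, `cmp`, `grep -E`), and the function names are hypothetical. With no arguments it runs on a small constructed pair of trees built inside the script so it can be tried offline.

```shell
#!/bin/sh
# Added example (not osCommerce code): audit a live store tree against a known-clean copy.
# Assumptions: POSIX sh with find, sort, comm, cmp and grep -E; the clean copy and the
# live document root are readable as local directories. Function names are hypothetical.

# Every regular file under a directory, dotfiles included, as sorted relative paths.
# find does not skip hidden files, so dropped .htaccess files are listed too.
list_files() {
    (cd "$1" && find . -type f | sort)
}

# Files present in the live tree but absent from the clean copy. These are what
# overwriting leaves behind: extra scripts, stray .htaccess files, anything parked
# under images/. Usage: extra_files CLEAN_DIR LIVE_DIR
extra_files() {
    _tmp=$(mktemp -d) || return 1
    list_files "$1" > "$_tmp/clean"
    list_files "$2" > "$_tmp/live"
    comm -13 "$_tmp/clean" "$_tmp/live"
    rm -rf "$_tmp"
}

# Files that exist in both trees but whose contents differ: legitimate files that
# have had code inserted. Usage: changed_files CLEAN_DIR LIVE_DIR
changed_files() {
    list_files "$1" | while read -r f; do
        if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# PHP files under a directory that contain constructs typical of obfuscated or
# dormant scripts. A hit is a lead to inspect by hand, not proof of compromise:
# some add-ons use these functions legitimately. Run it on the backup as well as
# the live tree. Usage: suspicious_php DIR
suspicious_php() {
    (cd "$1" && find . -type f -name '*.php' \
        -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + | sort)
}

# Run all three checks and print a report. Usage: audit_store CLEAN_DIR LIVE_DIR
audit_store() {
    echo "== Files only in the live tree (remove unless you put them there) =="
    extra_files "$1" "$2"
    echo "== Files that differ from the clean copy =="
    changed_files "$1" "$2"
    echo "== PHP files with obfuscation markers in the live tree =="
    suspicious_php "$2"
}

# Constructed demo trees so the script runs offline; prints the directory holding them.
make_demo_trees() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/clean/includes" "$_d/clean/images" "$_d/live/includes" "$_d/live/images"
    printf '<?php echo "shop";\n' > "$_d/clean/index.php"
    printf 'Options -Indexes\n' > "$_d/clean/.htaccess"
    printf '<?php $x = 1;\n' > "$_d/clean/includes/application_top.php"
    cp "$_d/clean/index.php" "$_d/live/index.php"
    cp "$_d/clean/.htaccess" "$_d/live/.htaccess"
    # constructed: the same include with an obfuscated line appended
    printf '<?php $x = 1; eval(base64_decode("ZGVtbw=="));\n' > "$_d/live/includes/application_top.php"
    # constructed: a hidden PHP file parked in the images folder
    printf '<?php /* constructed sample */ eval(str_rot13("qrzb"));\n' > "$_d/live/images/.cache.php"
    echo "$_d"
}

if [ "$#" -eq 2 ]; then
    audit_store "$1" "$2"
else
    demo=$(make_demo_trees)
    audit_store "$demo/clean" "$demo/live"
    rm -rf "$demo"
fi
```

Run it as `sh audit_store.sh /path/to/clean_copy /path/to/live_docroot`. Anything in the first two sections that you did not put there is what a plain re-upload misses; if the third section reports hits inside the backup itself, that backup is not clean, which is the dormant-script case described above.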

Thanks Julian for all this advice. I think I will have to take it one step at a time as it all seems a bit overwhelming, and there were weeks of work when I first altered all the files for the initial launch of the website, so it seems a daunting task! Would I be better to remove all the site including the hacking and somehow organise a message to the URL that the site is under work or something?

Thanks again

Liz


Mel, sorry for the long wait for a reply - I have to do real work sometimes as well :rolleyes:

It always sounds a daunting task before you start - just take it one step at a time - there are a number of ways to sort the problem, one of which is as you suggest.

I'd be tempted, though, to put up an "out of the box" 2.3 site with an explanation on the index page that you are upgrading but you are still open for business - with a little work you can use your old database converted to run with 2.3.

Having done that I would install 2.3 either on my computer using XAMPP or WAMP, or in another folder on my site with a separate database, and work on this to add contributions to - then with each successful add-on I would transfer the new pages to my main store (after backing it up of course).

In this way the store can be kept running bringing in money :thumbsup:


That sounds a good plan but I haven't the faintest how to adapt the database to work with 2.3 :'( ! Shame you have to do some real work :rolleyes:


Archived

This topic is now archived and is closed to further replies.
