Taipo
Posted March 29, 2011

Is there a way to tell php not to change permission via htaccess?

The point, I think, is that what this shows you is that there are uploader files still resident on your site. None of the security fixes can prevent these files being accessed except in a few situations: osc_sec.php, a contrib that I wrote, can catch some of the attempts to access these uploader files if the code has been included into current oscommerce files that are linked to application_top.php. Other than that, if it is a standalone file there is not much that can be done to protect your site if you miss one of these files.

So it's not so much an issue of site permissions, but that there are still trojan horse type files resident on your server that allow an attacker to change file permissions, upload files and add to current files. Not only that, they can and will be uploading more of this code every day your site is online.

The hard advice, and one that a lot do not want to hear, is that it is by far the better choice to build a new site with the new oscommerce 2.3.1 code, including all the security fixes. A clean start, and import your database of products and customers across to that.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
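The post above distinguishes files that are linked to application_top.php from standalone files that a filter hooked in there never sees. As an added example (not part of the post and not osC_Sec code), this Python sketch lists the PHP files under a web root that never load application_top.php, so each can be reviewed by hand. The function names, the `verified` parameter and the sample tree are assumptions made for the illustration, and the include match is a heuristic.

```python
import os
import re
import tempfile

# include/require statements that name application_top.php (heuristic match)
BOOTSTRAP_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*application_top\.php", re.I)

def standalone_php_files(webroot, verified=()):
    """Relative paths of .php files that never load application_top.php.

    A request to such a file does not pass through code hooked into
    application_top.php. `verified` holds paths already checked by hand.
    """
    found = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if rel in verified:
                continue
            with open(full, "r", errors="replace") as fh:
                if not BOOTSTRAP_RE.search(fh.read()):
                    found.append(rel)
    return sorted(found)

def build_sample_tree(root):
    """Write a constructed store layout (not from a real site) under root."""
    sample = {
        "index.php": "<?php require('includes/application_top.php'); ?>",
        "admin/login.php": "<?php require_once 'includes/application_top.php'; ?>",
        "includes/application_top.php": "<?php /* bootstrap */ ?>",
        "images/thumb.php": "<?php /* standalone, no bootstrap */ ?>",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in standalone_php_files(root, {"includes/application_top.php"}):
            print("not covered:", rel)
```

A file on this list is not necessarily malicious; it is only outside the reach of anything hooked into application_top.php, which is why each entry needs a manual look.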
birdrockdesigns
Posted March 29, 2011

I agree. I'm in charge of several stores that were built quite a while ago, and I suggested upgrading them. The bosses were not keen on the idea; hopefully this new string of hacks will change their minds.

Thanks for all the info. Very much appreciated!

Dave
Taipo
Posted March 29, 2011

Good luck, and if you do install the new version it is still probably a good idea to go with all the security fixes like htaccess and osc_sec.php.

Once most oscommerce sites move to the new code, the attackers will then move their focus to the new code, in which there are still a number of security issues, but which are much more difficult to exploit, well, in a mass exploitation sense as is the case with 2.2.x versions of Oscommerce. Osc_Sec.php goes a long way to mitigating these though. Even ULTIMATE Seo Urls 5 has a number of solutions in it that make life a misery for the mass exploiters out there.