osCommerce

The e-commerce.

Regarding Hacks


DMDgo

I have 4 OSCommerce sites which are hacked constantly. I'm able to deter the hackers at times, but eventually they get in. Someone mentioned using HTACCESS to protect the admin panel. Does anyone know of this? Where can I find the info, or other fixes?

 

The hacks seem to always be php file injection into directories that accept uploads, i.e. images, etc.


Read This: How To Secure Your Site

You can use this site to help create a .htaccess and .htpasswd file: Oscommerce-Solutions

 

That said:

Get rid of Filemanager.php and Define_languages.php files. They are nothing but security holes.

Rename your Admin folder to something else and update your configuration.php file to reflect the new name.

Add htaccess and htpasswd for your new admin directory.

Add Fwr Security Pro

 

 

If your site has already been hacked there is a good chance they have already stuck in a back door, so doing the steps above may not be enough. You need to evaluate every file to see if it's a legit file. I have seen sites have very cleverly named back doors like account_history_full.php or google_sitemap_feeder.php; at first glance you think you need it, but after looking at the code you can see it's a hack file.

 

Additionally, most hosting providers are going to use shared servers, so there is also the possibility that any public file you have can get hacked through somebody else's security holes. Make sure all permissions are never higher than 755.


Also you should add this .htaccess file to your images directory to prevent scripts from being run:

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>
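An added audit script (example code, not from this thread or the osCommerce project) that turns the advice of the two posts above into a check a site owner can run after a compromise: it walks an upload directory such as catalog/images/, flags any file the FilesMatch pattern would block, flags image files that carry a PHP open tag, and flags anything with permissions above 755. The sample tree it builds in a temp directory is constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Same pattern as the FilesMatch directive above, widened to ignore case.
SCRIPT_EXT = re.compile(r"\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$", re.I)
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)  # PHP open tag hidden in an "image"
MAX_MODE = 0o755                             # the thread's permission ceiling

def audit_upload_dir(root):
    """Walk an upload tree (e.g. catalog/images/) and return sorted findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~MAX_MODE:  # any bit beyond rwxr-xr-x (world-write, setuid, ...)
                findings.append((rel, "mode %o exceeds 755" % mode))
            if name in dirnames:
                continue
            if SCRIPT_EXT.search(name):  # would be blocked by the .htaccess rule
                findings.append((rel, "script extension in upload dir"))
                continue
            with open(path, "rb") as fh:  # cheap check: first 64 KiB only
                if PHP_TAG.search(fh.read(65536)):
                    findings.append((rel, "PHP open tag inside non-script file"))
    return sorted(findings)

def build_sample_dir():
    """Constructed sample tree: one clean image and three planted problems."""
    root = tempfile.mkdtemp(prefix="osc_images_")
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 32,                            # clean
        "thumb.php5": b"<?php /* constructed stand-in for an injected file */ ?>",
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php ?>",  # polyglot
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        os.chmod(os.path.join(root, name), 0o644)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # too permissive
    return root

if __name__ == "__main__":
    for rel, reason in audit_upload_dir(build_sample_dir()):
        print("%-12s %s" % (rel, reason))
```

Run it against the real images directory instead of the sample tree; each finding is a file to inspect by hand, not proof of compromise on its own.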



Thanks I've done this.


Archived

This topic is now archived and is closed to further replies.
