interesting blog post

longhorn1999

http://www.practicalecommerce.com/blogs/post/864-osCommerce-2-2-Websites-Targeted-by-Mass-Injection-Attack-143-000-Pages-Hit

I wonder how many visitors to this forum were affected? I think that upgrading to 2.3 (a lot of work for existing stores) is unnecessary, but it's all the more reason to do all the recommended security upgrades for 2.2.


Misinformation like that is an attempt to 'scare' store owners into paying for upgrades that MAY not be necessary. Although the post does mention the additional needed security measures, it mentions nothing about NOT updating and opting to clean (if infected) and secure the present version of osCommerce.

 

I posted a long comment about that post to the author but I doubt it will be approved.

Chris

Here is a walk-through of their recommendations:

Assuming that you have been running a 2.2 website without patching it, you must first take your site offline and clean out the files of rogue code that will have been added. Completing any of the following without doing so would be a great waste of time and resources.

1. Start with a free site scan from a site like http://sitecheck.sucuri.net/scanner/ - be sure it is a reputable site and not a hacker posing as a good guy.

Nice security checker. But if you have not patched your 2.2 version of osCommerce there should be no doubt in your mind that your site has been hacked.

2. Change your Admin password to a long, random password or pass phrase: a string of words and numbers that only you can remember.

This is the standard requirement today of any content management system: it should demand a strong password rather than making it optional and depending on users to create a strong one.

3. Change your Admin username from "admin" to something not easily guessable. Or create a completely new Admin account and delete the original Admin.

This is a good thing as a general practice, but will not help you one bit in preventing the types of attacks that osCommerce 2.2 is facing.

4. Back up your database and site files immediately if you have not already done so.

Just remember that backing up an already exploited database will not help you one bit. But it is best practice to have a recent backup on file. The best backup to have, though, is the one that is not already exploited, because that is what you will have to revert to if your site has been hacked.

5. Check your site for proper "write permissions" on your files - no higher than 644 for most files, 755 for folders, and the lowest possible for configuration files: 644, 444 or 400.

Read the discussion here about file permissions and whether or not this applies to your server configuration.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


6. Remove File Manager from your osCommerce Admin (not the cPanel File Manager)

Good call, the file manager in osCommerce is generally crap, but while it was blamed in the past for being exploitable, on the whole it is another security hole in osCommerce that allows the majority of the exploits to take place. Having htpasswd protection on your admin directory will prevent any exploiting of any weak code in the admin directory.

7. Remove Define Language from your osCommerce Admin

Having htpasswd protection on your admin directory will prevent any exploiting of any weak code in the admin directory.

8. Set up a cron automatic scheduled backup for daily and weekly backups. Ask your web host for help.

Good call as a general practice, but again, if your database has already been affected then all you are backing up is the infected content.

9. Add HTACCESS protection. Ask your web host for help.

This should have been number 2 on the list, right under patching the faulty code in osCommerce, which is not covered in these recommendations.

10. Install SSL secure encryption on your website Administration and checkout.

A waste of time unless you have written a secure credit card addon. SSL will not prevent your 2.2 site from being exploited.

11. Change the name of your Admin folder from "admin" so it is not easily guessable, and edit your two configuration files with the new name.

This is not necessary if you are employing htpasswd protection. Either way, employ htpasswd protection whether you change the admin directory name or not.

12. There are also a number of osCommerce Contributions you should consider for security -

Security Pro http://addons.oscommerce.com/info/5752
SiteMonitor http://addons.oscommerce.com/info/4441
IP trap http://addons.oscommerce.com/info/5914
Anti XSS http://addons.oscommerce.com/info/6044

Except for Anti XSS, none of the other addons above will prevent the types of attacks that unpatched users of osCommerce 2.2 are experiencing.

Need I mention osC_Sec, which will prevent all of the attacks that osCommerce 2.2 users are facing because it not only includes the actual patch to the faulty code but also directly addresses the attack types and vectors that are being levelled, and stops them in their tracks.
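Two of the recommendations walked through above (step 5, file permissions no looser than 644/755 with configuration files read-only, and steps 9 and 11, htpasswd protection on the admin directory) are the kind of thing a store owner can check rather than take on faith. The script below is an added example written for this page; it is not code from the thread, from osCommerce, or from osC_Sec. It assumes a Linux host with GNU/busybox find and awk, an Apache server that honours .htaccess files, and a stock osCommerce 2.2 layout (an admin/ directory and includes/configure.php files); the password file path /etc/apache2/osc-admin.htpasswd is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce/osC_Sec.
# Assumes Linux with GNU/busybox find and awk, Apache reading .htaccess files,
# and a stock osCommerce 2.2 layout (admin/, includes/configure.php); these
# paths are assumptions for illustration only.

# audit_perms ROOT
# Lists every path looser than the thread's recommendation on stderr
# (files <= 644, directories <= 755, configure.php <= 444) and prints
# the number of offending paths on stdout so callers can act on it.
audit_perms() {
    root="$1"
    # Regular files with any bit beyond rw-r--r-- (owner x, group wx, other wx).
    files=$(find "$root" -type f ! -name configure.php -perm /133)
    # Directories with group or other write permission (beyond rwxr-xr-x).
    dirs=$(find "$root" -type d -perm /022)
    # configure.php with any write bit at all (beyond r--r--r--).
    confs=$(find "$root" -type f -name configure.php -perm /222)
    printf '%s\n' "$files" "$dirs" "$confs" \
        | awk 'NF { print "loose mode: " $0 > "/dev/stderr"; n++ } END { print n + 0 }'
}

# fix_perms ROOT
# Applies the recommended modes: 755 to directories, 644 to files,
# 444 to configure.php (the thread also allows 400 where the host permits it).
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name configure.php -exec chmod 644 {} +
    find "$root" -type f -name configure.php -exec chmod 444 {} +
}

# admin_htaccess PASSWORD_FILE
# Prints the .htaccess stanza that puts HTTP Basic auth in front of the admin
# directory. PASSWORD_FILE is created separately with `htpasswd -c FILE USER`
# and should live outside the web root so it is never served.
admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile $1
Require valid-user
EOF
}

# Demonstration on a constructed throw-away tree (not a real store).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/admin" "$t/includes"
    touch "$t/index.php" "$t/includes/configure.php" "$t/admin/configure.php" "$t/admin/backup.php"
    chmod 755 "$t" "$t/includes"
    chmod 777 "$t/admin"                  # directory too loose
    chmod 644 "$t/index.php"              # fine
    chmod 444 "$t/includes/configure.php" # fine
    chmod 666 "$t/admin/configure.php"    # config writable: too loose
    chmod 755 "$t/admin/backup.php"       # executable file: too loose
    echo "before: $(audit_perms "$t") offending paths"
    fix_perms "$t"
    echo "after:  $(audit_perms "$t") offending paths"
    # Assumed password file location; create it with htpasswd before relying on it.
    admin_htaccess /etc/apache2/osc-admin.htpasswd > "$t/admin/.htaccess"
    rm -rf "$t"
}

demo
```

Run the audit first and read the list before applying fix_perms: as the post itself notes, whether 644/755 is right depends on the server configuration (hosts that run PHP as the file owner may need different modes), and a config file set to 444 on a host that expects 640 will simply stop the store. The .htaccess stanza only takes effect if the server allows AuthConfig overrides for that directory, which is worth confirming with the host rather than assuming.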


Misinformation like that is an attempt to 'scare' store owners into paying for upgrades that MAY not be necessary. Although the post does mention the additional needed security measures, it mentions nothing about NOT updating and opting to clean (if infected) and secure the present version of osCommerce.

Probably right. Certainly sensationalist, and the author seems to depend on Google search results to prove their point.

osCommerce 2.2 was voted the most exploited web system last year due to the admin bypass exploit, and many web providers have not updated the versions of osCommerce that they offer via their control panels, so this will result in the number of vulnerable sites still being high. But the attack vectors have not changed in months, and those iframe injections have been doing the rounds for years.
