Guest Posted March 19, 2003
One of my OsC carts was hacked into last night; all prices & the admin password were changed. I'm not thinking too clearly right now... I need to know if there's anything in OsC that logs an IP address so I can nail whoever did it. Also, where can I change the admin passwords, if possible? I can access the files, but can't get into admin itself. Should be easy enough to catch the idiot; they went and placed a few orders right after it was done. Thanks, Violet
mattice Posted March 19, 2003
Look at your httpd logfiles. They will show the IP addresses of whoever asked for which URL, and when. HTH, Mattice
"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted March 19, 2003
How were you password protecting your admin? With .htaccess and .htpasswd? Or were you using something like the Administrators contribution?
"The only thing necessary for evil to flourish is for good men to do nothing" - Edmund Burke
Guest Posted March 19, 2003
Thanks to both of you for the replies. Yes, using .htaccess & .htpasswd. Violet
mattice Posted March 19, 2003
Did you use obvious names? A lot of people use the actual login NAME as the REALM as well, which makes it 50% less work to hack the account. They might have just guessed it if it was too easy...? A good tip is to use a sleep() of a couple of seconds on the requested index page; that way brute force crackers will get slowed down severely. Use like 10 seconds or so. HTH, Mattice
Druide Posted March 19, 2003
If your IP doesn't change (like on cable modems etc.), then you can build in an extra check like this. Place it in admin/includes/application_top.php at the TOP, right after <?php:

    // Allow only one fixed client address into the admin area.
    // getenv('REMOTE_ADDR') is the address of the connecting client as Apache saw it.
    if (getenv('REMOTE_ADDR') != 'put your ip here') {
        echo 'Goto DisneyWorld if you want to have fun !';
        exit;
    }

Just built it in myself while I saw your post. NOTE: USE WITH CAUTION! If you are not sure if your IP stays the same then DON'T do this! Robert
We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)
mattice Posted March 19, 2003
To see if you have a static IP address in Windows you can do the following:
1) Connect to the internet
2) START -> RUN
3) Type winipcfg in the text box
4) Hit enter
Now you get a popup screen that shows you all devices that are connected on the network (modems, ethernet cards, ISDN adapters) and their respective IP address. Check the IP of your device, disconnect and go through the steps again to see if the IP is the same. Note that you will have multiple devices in the box; it's NOT the PPP one. Mattice
Guest Posted March 19, 2003
Thanks to all of you for the info. The usernames/passwords I used on the cart were definitely not easily guessed, and different from their site (hosting, email) usernames & passwords. I did, however, find out where the changed prices happened... the currency values were all changed. This cart's been running since last November with no currency issues. All usernames/passwords have now been changed, and I'm double-checking the chmod for everything (although I did check, check, and double check when I built the cart). I have a feeling that as the client saves the username and password on his computer, and he is on high-speed with no firewall (and has had problems before with worms & such), that this is how it happened. Needless to say, I've told him not to save those passwords, and to get a firewall. Now... my mind is fried, and for the life of me I can't remember how to change the username/password in the MySQL database... can any of you tell me? Thanks again for all your help, Violet
Druide Posted March 19, 2003
LOL, then nobody hacked your shopping cart; that is an error with the currency update!!! Since yesterday the currency update (cron or by manually pressing the update currencies button) is not working right!!! There is another post about this bug... I think xe.com or the other one has changed the values (strings) to read. Robert
Guest Posted March 19, 2003
You've got to be kidding!!! Well, I know you're not, but I feel like an idiot. Still confused as to how the username/password got changed, but maybe it was a server glitch, and darn bad timing. That and 3 false orders in a row overnight (which happens pretty rarely)... it all seemed to add up to a hack. OK, I am going to take the cron job off for now... and go crawl under a rock. I honestly did do a quick search for currency before I posted, but didn't see anything current and didn't dig any deeper as I was in a panic. Sorry :( Violet
Druide Posted March 19, 2003
Well Violet, you don't have to say sorry; maybe someone DID get into your ADMIN area (check your logfiles) at the same time, I hope not for you. But one thing is for sure, you did wake up a whole bunch of people :shock: Take care, Robert
Guest Posted March 19, 2003
Woke me up, I tell ya... nothing like being woken at 6:30 am with a call about this, and having to actually think fast! :shock: I am still checking those logfiles; just too many coincidences for one night... and it sure won't hurt. Thanks again, Violet
Druide Posted March 19, 2003
I have a few Italians on dial-up trying to get into my admin area, but no luck for them... lol. You can always change the ADMIN directory name every week or so, but that is not what we want... lol. But when you do such a thing, do not forget to protect the directory again. Robert
Guest Posted March 19, 2003
Agreed - it is always a good idea to change names occasionally to keep people off guard and stop them from trying to probe around.
mattice Posted March 19, 2003
Apart from the code & ideas posted, you can also temporarily BAN a specific IP address / range that tries to (unsuccessfully) access the admin folder. I've seen a few code fragments on Hotscripts.com that do this; shouldn't be too hard to implement: if IP fails, insert into db / match those 'banned' IPs before showing a page / delete if record is older than nn hours. Mattice
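The three steps mattice sketches above (record a failure, expire old records, refuse banned addresses before serving a page), written out as an added example. This is not code from osCommerce or from any of the posters; the table name admin_failures, the helper names and the thresholds are assumptions. It keeps its records in an in-memory SQLite database via PDO (requires the pdo_sqlite extension) so it runs stand-alone; in a real cart the same two SQL statements would go through the store's MySQL connection. One caveat for this thread's setup: with .htaccess/.htpasswd the failed Basic-auth attempts are rejected by Apache and never reach PHP, so record_failure() can only be called from a PHP-side login (such as the Administrators contribution mentioned earlier) or from a job that reads the 401 responses out of the httpd log.

```php
<?php
// Added example: temporary IP lockout for the admin directory.
// Not osCommerce code; assumed table/function names, in-memory SQLite for self-containment.

const MAX_FAILURES   = 5;     // failures before the address is refused
const WINDOW_SECONDS = 3600;  // "nn hours": how long a failure record counts

function lockout_db(): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:');   // real cart: the store's MySQL connection
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE admin_failures (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    }
    return $db;
}

// Step 3 of the sketch: delete records older than the window, so bans expire on their own.
function expire_old_failures(int $now): void {
    $st = lockout_db()->prepare('DELETE FROM admin_failures WHERE failed_at < :cutoff');
    $st->execute([':cutoff' => $now - WINDOW_SECONDS]);
}

// Step 1: record a failed admin login for the calling address.
function record_failure(string $ip, int $now): void {
    $st = lockout_db()->prepare('INSERT INTO admin_failures (ip, failed_at) VALUES (:ip, :t)');
    $st->execute([':ip' => $ip, ':t' => $now]);
    // mattice's sleep() tip fits here too: a delay on each failure taxes the guesser, not the owner.
}

// Step 2: has this address failed too often inside the window?
function is_banned(string $ip, int $now): bool {
    expire_old_failures($now);
    $st = lockout_db()->prepare('SELECT COUNT(*) FROM admin_failures WHERE ip = :ip');
    $st->execute([':ip' => $ip]);
    return (int) $st->fetchColumn() >= MAX_FAILURES;
}

// Guard for the top of admin/includes/application_top.php: refuse banned addresses
// before any admin page is built. Use the connecting address (REMOTE_ADDR), never a
// client-supplied header such as X-Forwarded-For, which an attacker can set freely.
function deny_if_banned(string $ip, int $now): void {
    if (is_banned($ip, $now)) {
        header('HTTP/1.0 403 Forbidden');
        exit;
    }
}

// Demonstration on constructed data (documentation-range addresses, no real traffic):
// MAX_FAILURES attempts from one address, a clean address, then the window passing.
$guesser = '203.0.113.5';
$now     = 1700000000;
for ($i = 0; $i < MAX_FAILURES; $i++) {
    record_failure($guesser, $now + $i);
}
var_dump(is_banned($guesser, $now + 10));                    // the guesser, inside the window
var_dump(is_banned('198.51.100.7', $now + 10));              // an unrelated address
var_dump(is_banned($guesser, $now + WINDOW_SECONDS + 60));   // the guesser after the window
```

Running the script shows the guesser refused inside the window, the unrelated address untouched, and the guesser admitted again once its records have aged past WINDOW_SECONDS. Keying the ban on the exact address rather than a range keeps a shared dial-up pool from locking out legitimate users; banning a range, as mattice also suggests, is a one-line change to the WHERE clause but should be weighed against that.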
Ramesh Posted March 19, 2003
Another way to check your IP address: open two web browser windows (press Ctrl-N with IE). In one, visit your osC store home page and log in as if you were a customer: http://www.my-store.com/catalog. In the other browser window, log into your osC ADMIN: http://www.my-store.com/catalog/admin. Go to Tools > Who's Online. WOW! Your IP ADDRESS is there next to your account name! Write this down, then disconnect from the net. Re-connect and repeat the steps and find the IP address. If it is the same as before then you have a static IP! COOL! :-)
Special Effects / 3d + Flash
GF Posted March 19, 2003
Quoting mattice: "Apart from the code & ideas posted, you can also temporarily BAN a specific IP address / range that tries to (unsuccessfully) access the admin folder. I've seen a few code fragments on Hotscripts.com that do this; shouldn't be too hard to implement: if IP fails, insert into db / match those 'banned' IPs before showing a page / delete if record is older than nn hours."
Check out the blacklist filters feature here: http://www.xav.com/scripts/guardian/
Guest Posted March 20, 2003
Quoting mattice: "To see if you have a static IP address in Windows you can do the following: 1) connect to the internet 2) START -> RUN 3) Type winipcfg in the text box 4) hit enter. Now you get a popup screen that shows you all devices that are connected on the network (modems, ethernet cards, ISDN adapters) and their respective IP address. Check the IP of your device, disconnect and go through the steps again to see if the IP is the same. Note that you will have multiple devices in the box; it's NOT the PPP one."
On Windows NT, 2000 and XP, you need to go to a command prompt and use ipconfig, so the procedure would be:
1) Connect to the Internet
2) Start -> Run
3) Enter "cmd" and click OK.
4) Type "ipconfig /all" and hit enter.
5) Repeat to see if it changes.
Guest Posted March 20, 2003
http://www.snert.com/Software/mod_require_...ost/index.shtml
This is a great mod that you can use if you have access to (and knowledge of) your Apache httpd.conf file. It will deny persistent attacks, make logs, and allow you to easily (and automatically) block offending IPs. Also, read this thread; it might be of interest: http://www.oscommerce.com/forums/viewtopic.php?t=37140 --gabe
johnglobal Posted March 21, 2003
I noticed an easy way to hack into some OsC sites. If you are using the different level admins module, it comes with a default username and password. What people do is set up new users and passwords, leaving the default intact. Anyone that knows OsC will know the default username and password, and then they are in.... John
mattice Posted March 21, 2003
Quoting johnglobal: "I noticed an easy way to hack into some OsC sites..."
This is, like securing your admin with .htaccess or something else, the sole responsibility of the site owner / hoster. Like mentioned by Druide in this thread before: my advice to ANYBODY is to ask your ISP for a static IP address if you do not have one already. Once you've obtained the static IP address, leave your .htaccess / Administrators mod / whatever in place and add a check to application_top.php for that IP; match - or die(). This is not foolproof (IP spoofing) but it will filter 95% of the wannabe attempts out. Combine this with a delay on your .htaccess index page. Mattice
Guest Posted March 21, 2003
The FIRST thing every OSC user should do is to change the name of the admin and catalog folders before running the install script, and then enter those new names into the install script (or manually into the configure.php files if doing a manual installation).
mattice Posted March 21, 2003
Quoting: "The FIRST thing every OSC user should do is to change the name of the admin and catalog folders before running the install script." Why catalog?
Guest Posted March 21, 2003
Sorry :oops: you are correct, mattice; just rename the admin folder to something else. That will teach me to respond to a question when I first wake up.... :lol:
mattice Posted March 21, 2003
Good morning... :D LOL