osCommerce

Security: anyone got a simple road to stop hacking? Site Lock? Rename admin?


surrfman


My 2.3.1 store was hacked; my anti-virus called the hack "web injection 5" when trying to pull it up in the browser. Restored from backup, so the problem is stable at this time. Started reading the dizzying amount of info on securing, not sure what to do first, and even next? My host offers the "Site Lock" brand of scanning for changed files; is this a good road to travel? Also I see changing the admin folder name. Other than just changing the name, are there any other files that need tweaks to understand the admin's new name? I have htaccess and htpasswd running.

 

Seems the hacker mostly looked at files, as I compared the hacked files (shown by the date and time the file was looked at or attempted to be changed) with a bone-stock set of clean 2.3.1 files. Found one file that had extra code inserted in admin.

 

Also, I see talk about having a hack redirect PayPal payment. I found a 2.2 add-on; is there an add-on or a procedure for 2.3.1 to secure this? I tried an add-on that gave the store owner an extra email that a hack has taken place, but it seems to have stopped the extra order email from coming through when an order is placed. It only notifies; it doesn't stop or block.

 

Any input would be appreciated.

 

Timmy C


@surrfman

 

To date I have never seen a v2.3.x site hacked from injection or insertion. I have come across hacked sites because the hosting provider allowed the server to be hacked. But, never from the osCommerce code of a v2.3.x site.


Chris


Chris, that is what is displayed by my Norton 360 as the browser tries to access the store. This must be the first case! If this could be a deal with the host provider, what would I do with the host guys to make sure it doesn't happen again?


Kenkja, I had been there; how much of that older info applies to 2.3.x stores?

 

The admin folder: if the name is changed, are there any other changes required throughout the store's files, so it knows the new admin name?


@DunWeb, I ran a scan from a site called whynopadlock. It came back that I had no issues. If I understand correctly, a deal like Site Lock is what I need to do that?

 

Bigger question: will renaming the admin folder cause any other issues with other files looking for admin files?

 

Thanks a bunch,

 

Timmy C


Don't forget to scan your PC (used to administrate the site) for spyware and malware. If anything is found and cleaned up, immediately change all the passwords you can think of -- site access, osC ID and password, FTP password, etc. Check not only your osC files, but also for the existence of any files you can't account for. Do you run any other applications on your site? Perhaps one of them has a security hole that lets the bad guys in. At a minimum, make sure they are fully up to date, and investigate if they have known security problems. Talk with your host about how to record and find the IP address of the last person to sign on to your site as administrator. That can at least tell you if someone is getting in that way.

 

All osC functions that need to know about admin look in the admin's configure.php to pick up the current admin path name. Make sure you change that if you need to change the admin directory name. Did you ever password protect the admin directory?
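The comparison against a clean copy of the store files described earlier in the thread, and the advice above to look for files you cannot account for, can be automated with a hash-based baseline instead of relying on file dates (timestamps are easy to alter, file contents are not). The following Python script is an added example, not code from this thread or from osCommerce: the directory layout, file contents and the "images"/"cache" skip list are all constructed for the demonstration, and the baseline file is meant to be kept somewhere the web server cannot write to.

```python
"""Hash-based file integrity check: take a baseline of a store's files,
then report anything added, removed or modified since.  Added example;
every path and file below is constructed for the demo."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, skip_dirs=("images", "cache")):
    """Map every file below root (relative, '/'-separated) to its SHA-256.

    Directories named in skip_dirs are not descended into: product images and
    cache files change legitimately all the time and would only add noise.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk skips the noisy directories entirely.
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as JSON (store this copy off the web server)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Report files that appeared, disappeared, or whose contents changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def write_text(root, rel, text):
    """Helper for the demo: create a file (and parents) below root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a small tree, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "catalog")
        # Constructed stand-in for a freshly installed store (not real osC code).
        write_text(site, "index.php", "<?php echo 'shop'; ?>\n")
        write_text(site, "admin/login.php", "<?php echo 'login'; ?>\n")
        write_text(site, "includes/configure.php",
                   "<?php define('HTTP_SERVER', 'https://example.invalid'); ?>\n")
        write_text(site, "images/logo.png", "placeholder image bytes\n")
        baseline_path = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest(site), baseline_path)

        # Simulated later state: one file edited, one unexpected file present,
        # and an image change that the skip list is expected to ignore.
        write_text(site, "admin/login.php",
                   "<?php echo 'login'; ?>\n<?php /* extra line */ ?>\n")
        write_text(site, "includes/stray.php", "<?php /* unexpected file */ ?>\n")
        write_text(site, "images/logo.png", "new placeholder image bytes\n")

        return compare_manifests(load_manifest(baseline_path),
                                 build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real store you would take the baseline immediately after a clean install or upgrade, run the comparison from cron, and treat any "added" or "modified" entry outside the directories you deliberately excluded as something to explain before trusting the site again.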


@MrPhil, thanks for the straightforward info! Not sure on the admin password protect; how is it accomplished?

 

I'm wondering if this Site Lock product my host offers is what I need to keep on top of the game?


best regards,

 

Timmy C


@surrfman

 

I personally wouldn't use a product like Site Lock. The use of proper passwords and a secure server would make the use of such products redundant.


Chris


Probably the easiest way to password protect your admin directory is to see if your hosting control panel offers a button to "password protect directory". It's very common, at least on Linux-based servers. I would imagine that Windows-based servers could well have something similar. If you're on a Linux-based system and there is no button to do this, it may be possible to manually edit and add some .htpasswd and other files to set up such protection. Ask your host for the details on how to do it, as it can vary from system to system.

 

Password protecting your admin directory adds another layer of protection from hackers trying to get in and look around or run scripts that they shouldn't, or worst of all, plant bad code.


@MrPhil, @DunWeb, thanks guys, that makes life much easier! Sounds like adding all the extras is not the way to go, but get with my host and get the server locked up tightly!

 

Chris, ever run across a Taso Lakas in Toronto? He was a local TV producer a couple of decades ago.

 

Timmy C


@surrfman

 

I am a stone's throw away from Detroit and only go to the GTA for seminars and client conferences; unfortunately I do not know Taso Lakas.

 

Just out of curiosity, is your cart an upgrade from v2.2? I am just trying to think of all possibilities that could have led to the cart being compromised.


Chris


2.3.1 has a known vulnerability that was solved in 2.3.2. Update to at least 2.3.2 today.

 

If you run an osCommerce shop it is important to:

 

1. ensure you are at least at 2.3.2

2. rename the admin area to something other than "admin".

3. use an email and password that is easy for you to remember but hard for someone else to guess

4. use the htaccess system provided in the install to further protect the admin

5. use a VPS or your own server; in other words, "ringfence" your shop from others

6. do not install ANY other software (e.g., a blog) *see below

7. ensure you keep on top of updates to the core software AND to any addons you may have installed

8. only access your shop admin / FTP / Hosting from a computer that you know is clean, and is not used for ANY other browsing (in other words a second computer)

9. when accessing your shop admin, always wear a tin foil hat

10. never give your access details to anyone, unless you trust them 110%

 

Regards #6, let's say you have your shop: myshop.com on your own VPS. Now you want to add a blog. www.myblog.com - get yourself a hosting account elsewhere for this. Do not pollute your VPS with anything other than the needed files for your money site (aka your shop).


@burt, thanks for the information. What problems are encountered trying to upgrade to the next version with a heavily modified shop? My host provider states that upgrading may break the shop; they offer 2.3.3. My shop is at wwww.discountegauges.com

 

Best regards,

 

Timmy C


@burt, when installing the upgrade do you end up with a stock vanilla shop? Is there a way to add just the code required to make the shop upgrade? What happens to the database? Does it carry over, along with add-ons and other tweaks, or are those lost in the upgrade?

 

Thanks a bunch,

 

Timmy C


@surrfman - done correctly by someone who is able, you would not lose any data or any of your site at all; you would end up with your exact site as it is now, running 2.3.3 (which solves a security flaw and adds in some extra good stuff).

 

Bear in mind that your host (like any host) wants as little hassle as possible so they will tell you to upgrade to 2.3.3 (when in fact they probably mean "nuke your 2.3.1 and install a new 2.3.3").


@joli1811, thanks for the info! I tried the one-pagers and wasn't happy, and that one "simple checkout" was a real bust. Reverted back to the standard checkout with a modification that got rid of some info the customer did not need. I listened to the experts like burt and jack-mcs; they both advise that customers get confused with the huge amount of info one-pagers present. So far, the only problem is customers don't understand why an item has to be shipped to the address on their credit card.

 

Best regards,

 

Timmy C


Well :D

 

you can please some of the people all of the time and all of the people some of the time but you can't please all of the people all of the time?

 

Regards

Joli


@DunWeb Chris, I missed your question if this was a 2.2 upgrade; I started with 2.3.1.

 

Looks like maybe the way to go is to upgrade to 2.3.3. Need to find info on setting up osCommerce on a local computer, build the new shop and install. Looked over the manual upgrade in the forums; looks like there are too many changes not to make a small mistake, screwing up the shop.


6. do not install ANY other software (eg, a blog) *see below

 

Regards #6, let's say you have your shop: myshop.com on your own VPS. Now you want to add a blog. www.myblog.com - get yourself a hosting account elsewhere for this. Do not pollute your VPS with anything other than the needed files for your money site (aka your shop).

 

I'm not sure I'd go that far, but it does bring up a legitimate point. If there are security vulnerabilities in other applications you install on the account that has your store, hackers may get in through one of them and use it as an infection vector to hit your other applications. And vice versa. At the very least, you need to be vigilant about keeping ALL your installed applications at their very latest versions, and keeping up to date on reports about security problems. It would be nice if hosting companies offered some sort of VM (virtual machine) within a shared server account or a VPS or dedicated server, so that one application could not possibly see or mess with another application sharing the same hardware. Maybe some day.
