Kosmo 0 Posted March 21, 2015

Hello! My web store, OSC 2.2, has existed for about 8 years. A week ago I moved to new hosting and found 2 problems:

1. I can see files and browse in folders inside of the main catalog directory (excluding the admin folder). For example, if I put this address in the browser, http://mywebsite.com/includes, I can see all files and browse folders inside it. I can't see the files' contents. All these folders have permissions 0755.

2. Yesterday I saw in "who's online" strange queries from 5 different IPs, like this:

/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20and%28select%201%20from%28select%20count%28*%29%2Cconcat%28%28select%20%28select%20%28SELECT%20distinct%20concat%28file_priv%2C0x27%2C0x7e%29%20FROM%20mysql.user%20%20LIMIT%200,1%29%29%20from%20information_schema.tables%20limit%200%2C1%29%2Cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201%3D1

/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1

/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_2591111111111111%22%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45)%20--%20/*%20order%20by%20%22as%20/*

Can you help me with this please?
Taipo 36 Posted March 21, 2015

You may need to add an .htaccess file to your includes directory with the following code in it:

Options -Indexes

The rest of the URL request strings are blind database injection attempts, probably from an automated attack server that trolls the net looking for osCommerce sites. Decodes to the following:

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(file_priv,0x27,0x7e) FROM mysql.user LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

You can either ignore these database injection attempts, or install osC_Sec (link is in my signature) which will easily block these requests.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
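To show how the decoding Taipo did by hand can be turned into a routine check over a store's "who's online" or access-log entries, here is an added example (it is not code from the thread, from osC_Sec or from osCommerce). It assumes that a legitimate osCommerce cPath is nothing more than category ids joined by underscores (as in the normal request 82_330_259), so anything else in that parameter is flagged, and it then names which injection indicators the decoded value contains. The sample request lines are the three strings quoted in the question (the UNION one shortened to its first three columns) plus one ordinary request for comparison.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample: the query strings from the post (UNION request shortened to three
# CHAR() columns) plus one ordinary catalogue request as the benign case.
SAMPLE_REQUESTS = [
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259",
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20and%28select%201%20from%28select%20count%28*%29%2Cconcat%28%28select%20%28select%20%28SELECT%20distinct%20concat%28file_priv%2C0x27%2C0x7e%29%20FROM%20mysql.user%20%20LIMIT%200,1%29%29%20from%20information_schema.tables%20limit%200%2C1%29%2Cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201%3D1",
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_259%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1",
    "/index.php?osCsid=8919253b58391519a47714fb514b66e5&cPath=82_330_2591111111111111%22%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45)%20--%20/*%20order%20by%20%22as%20/*",
]

# Assumption: a well-formed category path is digits joined by underscores, e.g. 82_330_259.
CPATH_OK = re.compile(r"^\d+(?:_\d+)*$")

# Indicator patterns (name -> regex) applied to the decoded parameter value.
INDICATORS = {
    "sql_keyword": re.compile(r"\b(select|union|from|where)\b", re.I),
    "schema_probe": re.compile(r"information_schema|mysql\.user", re.I),
    "sql_comment": re.compile(r"--|/\*"),
    "sql_function": re.compile(r"\b(char|concat|rand|floor|name_const|count)\s*\(", re.I),
}


def decode_request(request_line):
    """Percent-decode the whole request line so it reads like the decoded form in the reply."""
    return unquote_plus(request_line)


def check_request(request_line):
    """Extract cPath, test it against the expected shape and list matched indicators."""
    query = urlsplit(request_line).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes values
    cpath = params.get("cPath", [""])[0]
    valid = CPATH_OK.fullmatch(cpath) is not None
    indicators = [name for name, rx in INDICATORS.items() if rx.search(cpath)]
    return {"cpath": cpath, "valid": valid, "indicators": indicators}


def scan(requests):
    """Return the request lines whose cPath does not look like a category path."""
    return [r for r in requests if not check_request(r)["valid"]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = check_request(line)
        status = "ok  " if result["valid"] else "FLAG"
        print(status, ",".join(result["indicators"]) or "-", decode_request(line)[:80])
```

The whitelist test on cPath does the real work: it flags the requests regardless of which SQL tricks they use, while the indicator names only help a reader see at a glance what kind of probe it was (here, a schema probe against mysql.user, comment-terminated payloads and a UNION column count). The same shape check is what a server-side filter for this parameter should enforce before the value reaches a query.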
Kosmo 0 Posted March 21, 2015

Taipo, thank you, after adding Options -Indexes I can't browse them. Do I need to add this code to all directories inside the main catalog, like /cache, /tmp? Ok, I will install this module.
MrPhil 648 Posted March 21, 2015

Your .htaccess settings (e.g., Options -Indexes) apply to all lower level (child) directories beneath the .htaccess file's directory, so there's no need to add more .htaccess files. A couple of things to note:

More and more hosts are banning the use of Options, as a security problem. If your host should do this, you will probably see "500" errors on your site, and you will have to remove the Options -Indexes and do something else (such as putting an empty index.html file in every directory which does not already have an "index" file).

If you have a Windows server (IIS, etc.), not an Apache ("Linux") server, .htaccess files are normally ignored.

Another thing: osC 2.2 is really ancient, and hackers know how to exploit it. Your site probably already has been hacked. You should be immediately moving towards 2.3.4, which is the current version, and make an effort to stay reasonably current.
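MrPhil's fallback for hosts that refuse Options in .htaccess is to put an empty index.html in every directory that has no index file. As an added example (not code from the thread or from osCommerce), the script below walks a catalog tree, reports which directories lack an index.php, index.html or index.htm, and creates the empty index.html only where needed, never overwriting an existing file. The directory layout it builds for the demonstration is a constructed miniature of a catalog, not a real store; the set of names treated as "index" files is an assumption and can be extended to match the host's DirectoryIndex setting.

```python
import os
import tempfile

# Assumption: these are the names the web server treats as a directory index.
INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def directories_without_index(root):
    """List every directory under root (root included) that has no index file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if not INDEX_NAMES.intersection(filenames):
            missing.append(dirpath)
    return missing


def add_index_files(root, dry_run=False):
    """Create an empty index.html in each directory lacking an index; return the paths."""
    created = []
    for dirpath in directories_without_index(root):
        target = os.path.join(dirpath, "index.html")
        if not dry_run:
            # mode "x" raises instead of clobbering if a file appeared in the meantime
            with open(target, "x", encoding="utf-8"):
                pass
        created.append(target)
    return created


def build_demo_tree(base):
    """Constructed miniature of an osCommerce catalog: only the root has an index file."""
    layout = {
        "catalog": ["index.php"],
        "catalog/includes": ["application_top.php"],
        "catalog/includes/classes": ["sessions.php"],
        "catalog/cache": [],
        "catalog/tmp": [],
    }
    for rel, files in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in files:
            open(os.path.join(directory, name), "w", encoding="utf-8").close()
    return os.path.join(base, "catalog")


def demo():
    """Run the check and the fix against the constructed tree; return relative paths."""
    with tempfile.TemporaryDirectory() as base:
        root = build_demo_tree(base)

        def relative(paths):
            return sorted(os.path.relpath(p, root) for p in paths)

        before = relative(directories_without_index(root))
        created = relative(add_index_files(root))
        after = relative(directories_without_index(root))
        return {"before": before, "created": created, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it against a real store would be add_index_files("/path/to/catalog", dry_run=True) first to review the list, then without dry_run. Note that the empty index.html only hides listings; it does not prevent a visitor from fetching a file whose name they already know, so it is a stand-in for Options -Indexes, not for proper access restrictions on directories such as includes.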