
Install Guide: Securing the "admin" Folder


24 replies to this topic

#1 wakerider017

  • Community Member
  • 22 posts
  • Real Name:Nick

Posted 12 May 2006, 03:50

I thought I would share how to secure the "admin" folder by means of changing the folder's name.


1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

2. Download configure.php and open it with a text editor

3. Next locate the following lines:

define('DIR_WS_ADMIN', '/admin/'); // absolute path required


define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute path required

NOTE the X's are just place holders.

4. In the two lines above replace admin with the new SECRET file name. Like below:

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required


define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute path required


5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.


In this case the file admin would be changed to secret_file_name_here



7. You are done!
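The steps above are easy to get half-right: later replies in this thread hit a 404 after login because DIR_FS_ADMIN still pointed at the old path, a backup error because the admin path was stale, an overlooked includes/local/configure.php, and an .htaccess whose AuthUserFile still named /admin/. As an added example (not code from the thread or from osCommerce), this Python script checks all of those places after a rename and reports anything that still refers to the old folder or to a directory that does not exist. The function names, the sample tree it builds in a temporary directory, and the POSIX path layout are assumptions.

```python
"""Consistency check after renaming an osCommerce admin folder.

Added example, not code from the thread or from osCommerce.  It looks in the
three places this thread found stale references to the old folder name:
  <new>/includes/configure.php        (DIR_WS_ADMIN, DIR_FS_ADMIN, DIR_FS_BACKUP)
  <new>/includes/local/configure.php  (override file, if present)
  <new>/.htaccess                     (hard-wired AuthUserFile)
Assumes a POSIX path layout; function names and the sample tree are made up.
"""
import os
import re
import tempfile

# Matches define('NAME', 'literal') only.  Values built by concatenation, e.g.
# define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN), are skipped: they
# follow their parts automatically and need no edit, as the thread points out.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def parse_defines(path):
    """Return {NAME: value} for the literal-string defines in a configure.php."""
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dict(DEFINE_RE.findall(fh.read()))


def check_admin_rename(catalog_dir, old_name, new_name):
    """Return a list of findings; an empty list means the rename is consistent."""
    findings = []
    admin_dir = os.path.join(catalog_dir, new_name)
    if not os.path.isdir(admin_dir):
        return [f"renamed admin directory missing: {admin_dir}"]

    for rel in ("includes/configure.php", "includes/local/configure.php"):
        defs = parse_defines(os.path.join(admin_dir, rel))
        ws = defs.get("DIR_WS_ADMIN")
        if ws is not None and not ws.endswith(f"/{new_name}/"):
            findings.append(f"{rel}: DIR_WS_ADMIN={ws!r} does not end in /{new_name}/")
        for name in ("DIR_FS_ADMIN", "DIR_FS_BACKUP"):
            fs = defs.get(name)
            if fs is None:
                continue
            if f"/{old_name}/" in fs:
                findings.append(f"{rel}: {name} still names the old folder: {fs!r}")
            elif not os.path.isdir(fs):
                findings.append(f"{rel}: {name} points at a missing directory: {fs!r}")

    # The admin .htaccess often carries an absolute AuthUserFile path.
    ht_path = os.path.join(admin_dir, ".htaccess")
    if os.path.isfile(ht_path):
        with open(ht_path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if line.lstrip().startswith("AuthUserFile") and f"/{old_name}/" in line:
                    findings.append(f".htaccess:{lineno}: AuthUserFile still points into /{old_name}/")
    return findings


def build_sample_tree(root, consistent):
    """Constructed sample: catalog/ with the admin folder already renamed to newadmin.

    With consistent=False the tree reproduces the three mistakes from the thread:
    DIR_FS_ADMIN left on the old path, a forgotten local/configure.php, and an
    .htaccess whose AuthUserFile still names /admin/.
    """
    catalog = os.path.join(root, "htdocs", "catalog")
    admin = os.path.join(catalog, "newadmin")
    os.makedirs(os.path.join(admin, "includes", "local"))
    os.makedirs(os.path.join(admin, "backups"))
    fs_admin = (admin if consistent else os.path.join(catalog, "admin")) + "/"
    with open(os.path.join(admin, "includes", "configure.php"), "w") as fh:
        fh.write("<?php\n  define('DIR_WS_ADMIN', '/catalog/newadmin/');\n"
                 f"  define('DIR_FS_ADMIN', '{fs_admin}');\n"
                 "  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');\n?>\n")
    if not consistent:
        with open(os.path.join(admin, "includes", "local", "configure.php"), "w") as fh:
            fh.write("<?php\n  define('DIR_WS_ADMIN', '/catalog/admin/');\n?>\n")
    with open(os.path.join(admin, ".htaccess"), "w") as fh:
        fh.write(f"AuthUserFile {fs_admin}.htpasswd\nAuthType Basic\nRequire valid-user\n")
    return catalog


def demo(consistent=True):
    """Build a throwaway sample tree, run the check, and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        return check_admin_rename(build_sample_tree(root, consistent), "admin", "newadmin")


if __name__ == "__main__":
    for label, ok in (("consistent rename", True), ("stale references", False)):
        print(f"== {label} ==")
        for finding in demo(ok) or ["no findings"]:
            print("  " + finding)
```

On a real install, call check_admin_rename with the catalog directory, the old name and the new name instead of demo; the DIR_FS_* checks are done against the filesystem, so run it on the server (or on a local copy with the same absolute paths), not on a download of configure.php alone.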

#2 grayfriar2001

  • Community Member
  • 8 posts
  • Real Name:Kip Arnold

Posted 14 May 2006, 09:47

Wakerider,
Hey, I went to secure my admin like you said above but could never locate the line "define (DIR_WS or DIR_FS)", either one. I am supposed to use the configure.php file in /catalog/admin, right?

Thanks in advance,

Gray~

#3 grayfriar2001

  • Community Member
  • 8 posts
  • Real Name:Kip Arnold

Posted 14 May 2006, 10:00

(continued from above....)

Or is it the one that is in /catalog/admin/includes/configure.php?

This file has the following code:
<?php
/*
  $Id: configure.php,v 1.14 2003/02/21 16:55:24 dgw_ Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2002 osCommerce

  Released under the GNU General Public License
*/

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
  define('HTTP_SERVER', 'http://phunpillows.com/OSCommerce/'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
  define('HTTP_CATALOG_SERVER', '');
  define('HTTPS_CATALOG_SERVER', 'https://phunpillows.com/OSCommerce/');
  define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
  define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
  define('DIR_WS_ADMIN', '/catalog/admin/');
  define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
  define('DIR_WS_CATALOG', '/OSCommerce/catalog/');
  define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
  define('DIR_WS_IMAGES', 'images/');
  define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
  define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
  define('DIR_WS_INCLUDES', 'includes/');
  define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
  define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
  define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
  define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
  define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
  define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
  define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
  define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
  define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
  define('DB_SERVER', '*****'); // eg, localhost - should not be empty for productive servers
  define('DB_SERVER_USERNAME', '*****');
  define('DB_SERVER_PASSWORD', '*****');
  define('DB_DATABASE', '*****');
  define('USE_PCONNECT', 'false');
  define('STORE_SESSIONS', '');
?>
Thanks in advance,

Gray~

Edited by The_Bear, 14 May 2006, 12:34.


#4 Davefromcornwall

  • Community Member
  • 99 posts
  • Real Name:Dave Grinnell
  • Gender:Male
  • Location:Cornwall, UK.

Posted 14 May 2008, 11:27

wakerider017, on May 12 2006, 04:50 AM, said:

I thought I would share how to secure the "admin" folder by means of changing the folder's name.
1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

2. Download configure.php and open it with a text editor

3. Next locate the following lines:

define('DIR_WS_ADMIN', '/admin/'); // absolute path required
define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute path required

NOTE the X's are just place holders.

4. In the two lines above replace admin with the new SECRET file name. Like below:

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required
define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute path required
5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.
In this case the file admin would be changed to secret_file_name_here
7. You are done!
Thanks for this tip.

It works great, and it seems like a good idea to make it as difficult as possible for people to access the admin area.

#5 mme

  • Community Member
  • 115 posts
  • Real Name:mme
  • Location:Netherlands / New - Zealand

Posted 19 May 2008, 04:04

Also you might want to secure it by adding .htaccess to the admin folder.

If you are using CPanel:

[img]http://img216.imageshack.us/img216/6906/cpanelzt4.jpg[/img]

#6 jay2xra

  • Community Member
  • 15 posts
  • Real Name:matato

Posted 09 June 2008, 10:01

mme, on May 19 2008, 04:04 AM, said:

Also you might want to secure it by adding .htaccess to the admin folder.

If you are using CPanel:

[img]http://img216.imageshack.us/img216/6906/cpanelzt4.jpg[/img]


Why not add an .htaccess file and restrict it to just your IP address?

<LIMIT GET HEAD POST>
order allow,deny
allow from my_ip
</LIMIT>

#7 SirHarryFlashman

  • Community Member
  • 1 posts
  • Real Name:Eugene

Posted 17 July 2008, 14:51

Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well.

A nice little .htaccess for the wanna-be hackers:

AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd
AuthGroupFile /dev/null
AuthName "Username:"
AuthType Basic

<limit GET POST>
require valid-user
</limit>


Of course your .htpasswd looks like this:

.

(yes, an empty .htpasswd file)


And just to make things more interesting, an empty index.htm will complete the "honeypot"


Have fun!!

Edited by SirHarryFlashman, 17 July 2008, 14:53.
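A decoy /admin/ folder is only useful if someone looks at who knocks on it. Once the real admin area has moved and the old path answers every request with 401 (the empty .htpasswd above), any request there is a guess, so the web server log becomes a cheap alarm. The Python below is an added example, not from the thread: it parses Apache combined-format log lines, groups requests under the decoy path by client address, and also flags decoy requests that were not answered 401, which would mean the .htaccess is not being applied. The log lines are constructed for the demo, and the decoy and real admin paths reuse this thread's placeholders.

```python
"""Spot visitors probing a decoy /admin/ folder in Apache combined-format logs.

Added example, not from the thread or from osCommerce.  Assumes the old
/catalog/admin/ path is a honeypot that should only ever answer 401, and that
the real admin area lives under another name.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

DECOY_PREFIX = "/catalog/admin/"  # the honeypot; the real area is elsewhere

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2008:14:51:02 +0000] "GET /catalog/admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2008:14:51:03 +0000] "POST /catalog/admin/login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Jul/2008:14:52:10 +0000] "GET /catalog/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2008:14:51:05 +0000] "POST /catalog/admin/login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Jul/2008:14:55:41 +0000] "GET /catalog/admin/index.htm HTTP/1.1" 401 381 "-" "curl/7.18"
192.0.2.10 - - [17/Jul/2008:14:56:00 +0000] "GET /catalog/secret_file_name_here/login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2008:14:51:09 +0000] "GET /catalog/admin/login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def decoy_hits(lines, decoy_prefix=DECOY_PREFIX):
    """Per client IP: number of requests under the decoy path, the paths tried, and statuses."""
    hits = defaultdict(lambda: {"requests": 0, "paths": set(), "statuses": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(decoy_prefix):
            continue  # unparseable line or legitimate traffic
        entry = hits[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        entry["statuses"][rec["status"]] += 1
    return dict(hits)


def repeat_offenders(lines, decoy_prefix=DECOY_PREFIX, min_requests=2):
    """IPs that hit the decoy at least min_requests times, busiest first."""
    hits = decoy_hits(lines, decoy_prefix)
    ranked = sorted(hits.items(), key=lambda kv: -kv[1]["requests"])
    return [ip for ip, entry in ranked if entry["requests"] >= min_requests]


def unexpected_decoy_responses(lines, decoy_prefix=DECOY_PREFIX):
    """Decoy requests answered with anything but 401: a sign the .htaccess is not in effect."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(decoy_prefix) and rec["status"] != "401":
            out.append((rec["ip"], rec["path"], rec["status"]))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, entry in decoy_hits(lines).items():
        print(f"{ip}: {entry['requests']} request(s), statuses {dict(entry['statuses'])}")
    print("repeat offenders:", repeat_offenders(lines))
    print("decoy responses that were not 401:", unexpected_decoy_responses(lines))
```

In practice feed it the real access log (for example `decoy_hits(open("/var/log/apache2/access.log"))`) and pipe repeat_offenders into whatever blocklist or alerting you already use; the non-401 check is worth running once right after setting up the honeypot, since a silent 200 from the decoy would mean the protection is not applied at all.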


#8 palswithtails

  • Community Member
  • 27 posts
  • Real Name:Allison

Posted 27 July 2009, 13:24

Hi WakeRider,
My DIR_FS_ADMIN line looks like this originally:
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

What should it be changed to?

#9 ecartz

  • Community Member
  • 1,919 posts
  • Real Name:Matt
  • Gender:Male

Posted 27 July 2009, 20:34

palswithtails, on Jul 27 2009, 09:24 AM, said:

My DIR_FS_ADMIN line looks like this originally:
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

What should it be changed to?
That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.
Always backup before making changes.

#10 palswithtails

  • Community Member
  • 27 posts
  • Real Name:Allison

Posted 27 July 2009, 21:00

ecartz, on Jul 27 2009, 09:34 PM, said:

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

Yes, they are incorrect because I changed the ADMIN file name. Maybe I should start at the beginning. My website got hacked so I wanted to change my ADMIN folder. Let's say I changed it to NEWadmin. I was told to go into my config file and change the path which still said ADMIN. So I changed 'DIR_WS_ADMIN' like the 1st poster said, but my DIR_FS_ADMIN is different than mentioned above. I tried leaving it as-is.

So, now when I log-in to mywebsite.com/NEWadmin, I am redirected here:
http://mywebsite.com/NEWadmin/login.php?os...inID=XXXXXXXXXX

I type in my login info and then I get an error saying:

Error 404 - Not found
Your browser can't find the document corresponding to the URL you typed in.
http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

#11 ecartz

  • Community Member
  • 1,919 posts
  • Real Name:Matt
  • Gender:Male

Posted 28 July 2009, 00:09

palswithtails, on Jul 27 2009, 05:00 PM, said:

Error 404 - Not found
Your browser can't find the document corresponding to the URL you typed in.
http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX
First, I don't see how DIR_FS_ADMIN would affect that situation. You wouldn't be using it in generating a link. When you change DIR_WS_ADMIN, DIR_FS_ADMIN should change automatically in that code (since it is composed by concatenating DIR_FS_DOCUMENT_ROOT and DIR_WS_ADMIN). Therefore, if all you did was rename admin, all you should have to do is update DIR_WS_ADMIN and DIR_FS_ADMIN will update automatically.

The first thing that I would try (to solve the 404 problem) would be clearing cookies. It's possible that you are picking up bad session information somewhere. If that doesn't work, the next thing I would try would be using LiveHTTPHeaders (Firefox plugin) to track what redirects it's doing. You'd go to your login page in the normal way. Turn on LiveHTTPHeaders in the sidebar. Submit your login info. Read the headers to see where it thinks it is going.

Another thing that you could try (if you don't want to install LiveHTTPHeaders) is when you get the 404 error, edit the URL in the browser. I.e. change
http://palswithtails.com/NEWadmin/login.php?action=process&osCAdminID=XXXXXXXXXX
to
http://palswithtails.com/NEWadmin/index.php?osCAdminID=XXXXXXXXXX
and see if that works. You need to keep the osCAdminID the same so it knows about your login.

#12 palswithtails

  • Community Member
  • 27 posts
  • Real Name:Allison

Posted 31 July 2009, 15:25

Hmm, none of that seemed to work. I wonder if my Admin ID is somehow wrong. Is that stored in my DB somewhere?

#13 dancer123

  • Community Member
  • 2 posts
  • Real Name:jack

Posted 08 August 2009, 03:31

I have the exact same problem. I renamed my admin folder. I went into the configuration file and changed the required admins into my new folder.

Now when I type in mysite.com/newadmin/login.php it takes me to my correct login page, but when I enter my user and pass I get redirected to a 404 page that doesn't exist.

It looks like the program does an auto redirect to the OLD admin folder. What to do?

#14 Jan Zonjee

  • Team Member
  • 7,001 posts
  • Real Name:Jan Zonjee
  • Gender:Male
  • Location:the Netherlands

Posted 08 August 2009, 06:59

dancer123, on Aug 8 2009, 05:31 AM, said:

I went into the configuration file and changed the required admins into my new folder.
Both DIR_WS_ADMIN and DIR_FS_ADMIN?
From catalog/admin/includes/configure.php:
  define('DIR_WS_ADMIN', '/catalog/admin/');
  define('DIR_FS_ADMIN', '/Library/WebServer/Documents/catalog/admin/');


#15 dancer123

  • Community Member
  • 2 posts
  • Real Name:jack

Posted 09 August 2009, 02:57

Yep.

Both DIR_WS_ADMIN and DIR_FS_ADMIN
From catalog/admin/includes/configure.php:

mysite.com/admin/login.php?action=process&osCAdminID=4d02951f65cd6684f9ec69f285902fdd

That's what I get redirected to (with a 404 error) when I try to put in my login info.


Here's what's in the php.

define('DIR_WS_HTTP_ADMIN', '/gooba/');
define('DIR_WS_HTTPS_ADMIN', '/gooba/');

define('DIR_FS_ADMIN', '/home/thename/public_html/gooba/'); // absolute path required


My admin folder has been renamed to gooba. Please help me solve this. Thank you so much :)

#16 kymation

  • Community Sponsor
  • 5,657 posts
  • Real Name:Jim Keebaugh
  • Gender:Male
  • Location:Aberdeen WA USA

Posted 09 August 2009, 03:09

Does catalog/admin/includes/local/configure.php exist? If it does, make the same changes there.

Regards
Jim

#17 blr044

  • Community Member
  • 1,009 posts
  • Real Name:Bennett
  • Gender:Male
  • Location:USA

Posted 22 August 2009, 19:40

After changing admin name to newname, all is fine, except for one issue. This error message appears at top of page:


Quote

Error, Backup Directory Does Not Exist, please create it or run "auto_backup_setup.php"

The backups dir is located in the newname (admin) folder. After running auto_backup_setup.php, I receive this error:

Quote

Warning: mkdir() [function.mkdir]: No such file or directory in /xxxx/xxxxxxx/public_html/newname/auto_backup_setup.php on line 7

Bennett

#18 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 24 August 2009, 14:47

Check your ADMIN/INCLUDES/CONFIGURE.PHP file:

define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/newadminname/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

I suspect you forgot one!!
Sam


#19 Greeny

  • Community Member
  • 25 posts

Posted 11 March 2010, 10:09

Hi, I am new to osCommerce.

I've been trying to secure my admin folder.

When I follow your instructions and try to login to my newly renamed admin section, all I get is this


Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19
Unable to connect to database server!

Thanks in advance

Edited by Jan Zonjee, 11 March 2010, 11:18.


#20 tonybrasunas

  • Community Member
  • 2 posts
  • Real Name:Tony Brasunas

Posted 28 March 2011, 20:16

I found that after making the changes to catalog/admin/includes/configure.php, and then renaming the directory, I also had to edit the [new admin directory name]/.htaccess file, as it had a hard-wired AuthUserFile line that also specified the admin directory.

One other thing I had to do was rewrite a hard-wired link to the Admin panel that the site has on its public navigation bar.

Now the renamed directory is working smoothly.

Just hoping to keep all the @#$%@#$ hackers out. I came in late to a nightmare of a site and am trying to regain control of it.