
How to secure your osCommerce 2.2 site.


656 replies to this topic

#601   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 30 March 2011 - 09:20 AM

That will certainly be one method; there are more. For instance, some servers that did the uploading in the first place have huge lists of sites they infected, which are being passed around to others who are levelling the second phase of attacks. You can also search via search strings such as "cookie_usage.php?cookies", for example, and many variations of that to find lists of affected sites.

I guess if you want to spend time focusing on preventing google finding infected files then that's your prerogative I suppose. The point though is, attached to that code will be the real dangerous stuff that allows them to do pretty much anything they wish with your site, remove that code and the rest goes with it.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes

#602   mr-yellow

mr-yellow
  • Members
  • 1 posts
  • Real Name:aaaname

Posted 17 April 2011 - 06:21 PM

Let me clear up this 777 vs 755 thing for you.
Most servers will be configured so that 777 is possible and these servers allow users more flexibility.

777 is perfectly safe as long as your code validates files before they're blindly uploaded to a publicly accessible path.

osCommerce does not handle this very basic and entry-level validation code correctly.

Why?

Looking into it I discovered osCommerce to be some of the most horrible code I have ever seen in 20+ years of programming.

Solution 1: Stop using osCommerce.

Solution 2a: Add validation to file uploads in the poor osCommerce code.
Solution 2b: Set file upload paths to be below the publicly accessible area as is standard practice.

Solution 3: Stop using osCommerce.

Edited by Jan Zonjee, 17 April 2011 - 08:06 PM.
thanks for the compliments...
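
The two halves of "Solution 2" above, validation of the upload and storage outside the web root, as one worked handler. This is an added example written for this thread, not osCommerce's own upload code. It assumes PHP 7 or later, a form field named "upload", and an UPLOAD_DIR that sits outside public_html and is writable by the web server user (it does not need to be 777; only the account the web server runs as has to write there). Because stored files are never under the document root, a "shell.php" that somehow got past the checks still cannot be executed by a request.

```php
<?php
// Added example (not osCommerce code): validate an upload, store it outside the
// web root under a random name, and serve it back through PHP only.
declare(strict_types=1);

const UPLOAD_DIR = '/home/example/private_uploads'; // assumption: outside the web root

// Allowed extension => the MIME type the file content must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validates one entry of $_FILES and moves it into UPLOAD_DIR.
 * Returns the stored path; throws RuntimeException on anything suspicious.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Refuses anything that is not the file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }

    // Only the final extension decides the type; "shell.php.jpg" is handled as jpg.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }

    // Inspect the bytes. $file['type'] comes from the client and is attacker-controlled.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $detected, not " . ALLOWED[$ext]);
    }

    // Server-chosen random name: the client's filename never touches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $dest;
}

/**
 * Streams a stored file back. The id is the random name returned by store_upload();
 * the stored path is never exposed as a URL.
 */
function send_upload(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|jpeg|png|gif|pdf)$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($id, PATHINFO_EXTENSION)]);
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (isset($_FILES['upload'])) {
    try {
        $stored = store_upload($_FILES['upload']);
        echo 'stored as ' . basename($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The order of the checks matters: is_uploaded_file() first, so a crafted tmp_name pointing at a local file is rejected before anything reads it; extension whitelist next; content sniffing last, because finfo is the only one of the three that opens the file.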


#603   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 17 April 2011 - 08:26 PM

So are you saying that the file upload code in Oscommerce 2.3.1 is vulnerable to guest uploads?

#604   jamesP23

jamesP23
  • Members
  • 2 posts
  • Real Name:Jim Parker

Posted 19 April 2011 - 07:53 PM

I am a newbie. I was hacked two weeks ago and it has been a huge pain securing the store. I changed the name of the admin folder before I installed site monitor on a 2.2 shop. Now, after following all site monitor read me text and uploading all the necessary files with required changes I do not see site monitor under the "admin" control panel. Any advice on which files of site monitor needs to be changed to reflect my specific "admin" folder name?

#605   myebooksbuddy

myebooksbuddy
  • Members
  • 9 posts
  • Real Name:Ashok
  • Gender:Male
  • Location:Mumbai,India

Posted 01 May 2011 - 11:40 AM

Hi, I am a non-techie and since yesterday my site has been hacked. If I need help in getting everything cleared and installation of security software, where do I post for that?

Any help?

#606   offie

offie
  • Members
  • 204 posts
  • Real Name:Michael
  • Gender:Male
  • Location:Lancashire, England

Posted 23 May 2011 - 10:44 AM

Hi all, I am about to work on the latest version of OSCommerce V 2.3.1.

Does anyone know if all the items listed at the beginning of this post to secure your site are still relevant to this version of OSCommerce and if all the code would be in the same place?

I have previously created 2 stores with the older version and already implemented the security features/contributions.

I am tempted to go to the previous version which was V 2.2 RC2a and just copy my last site as all the relevant steps have already been taken to secure that site and this would save a lot of work, but I am guessing that this latest version has a lot of features and security which is enhanced from the previous version.

What a dilemma, what should I do? Start from scratch with the latest version or just copy my site from the older version?

Thanks for any advice given

Michael

#607   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2011 - 11:10 AM

If you do decide to go with 2.3.1, it still pays to change the admin directory name or at least use htaccess/htpasswd authorization, not because there are any known vulnerabilities in the base install of 2.3.1 but because there is no guarantee that addons made for 2.3.1 that are installed in the admin directory, are secure.

#608   chris2041

chris2041
  • Members
  • 2 posts
  • Real Name:Chris Hickman

Posted 06 July 2011 - 12:08 AM

I have changed my admin folder as described and applied password protection via cpanel but when I log onto my osc I get a message in administration saying:

Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.

The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

/home/?????/public_html/osc/?????????????/.htaccess
/home/?????/public_html/osc/?????????????/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set.

When I look in the directories there is only a .htaccess file and no .htpasswd file

Any help anyone?

#609   cdogstu99

cdogstu99
  • Members
  • 37 posts
  • Real Name:chris

Posted 11 July 2011 - 06:20 PM

When I run a PCI compliance scan on my site, the only three issues are Cross Site Scripting errors on my contact pages. Anyone have an easy fix for this?  Thx!

#610   KerkChzePerng

KerkChzePerng
  • Members
  • 13 posts

Posted 21 July 2011 - 11:54 PM

Hi, may I know what should I do if this message is shown "my_domain.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." when I try to access it with Google Chrome. However it works fine with Firefox.

#611   Toasted

Toasted
  • Members
  • 11 posts
  • Real Name:Toast

Posted 28 July 2011 - 07:40 PM

I did everything recommended on this thread except for 1 minor problem. I'm getting an error when I delete file_manager.php. For some reason it's still looking for the file even after deleting the line in tools.php.

Error msg:

Not Found
The requested URL /exminion/file_manager.php was not found on this server.

How do I stop this url request?

#612   Toasted

Toasted
  • Members
  • 11 posts
  • Real Name:Toast

Posted 28 July 2011 - 07:45 PM

Whoops, I figured it out... I was on my file manager page before I started deleting the files and when I went back to my browser and hit refresh it kept trying to refresh the file manager page, resulting in that error msg. I just changed webpages and it's working fine now.

#613   kenkja

kenkja
  • Members
  • 242 posts
  • Real Name:Ken Johnson
  • Gender:Male
  • Location:Uk, Yorkshire

Posted 04 August 2011 - 05:25 PM

Hello All

I have a newish website using a v2.3.1 install upon which I've added all the proposed security add-ons in post 1 of this thread.

I have also added  Fimble's "2.3.1 as an info only site" and kymation's "document manager"

Thanks to all contributors, excellent work.

I now need to add to the site, effectively another v2.3.1 install, which will show other products (ie not those in info site) which are able to be purchased online.

I'm happy with how to do this,

(Install v2.3.1.in "say" root/shop online/)

but do I then need to add the security add-ons in post 1 to the new "shop online" subsite?


ken

Edited by kenkja, 04 August 2011 - 05:26 PM.

Os-commerce v2.3.3
Security Pro v11
Site Monitor
IP Trap
htaccess Protection
Bad Behaviour Block
Year Make Model
Document Manager
X Sell
Star Product
Modular Front Page
Modular Header Tags
Ultimate SEO Urls Pro

#614   environs

environs
  • Members
  • 1 posts
  • Real Name:Ricardo
  • Gender:Male
  • Location:Lima

Posted 20 August 2011 - 09:12 PM

Hi Sam, I just want to thank you, this is really important to protect our shops.

Greetings,

#615   web-seo

web-seo
  • Members
  • 4 posts
  • Real Name:3D Web Design
  • Gender:Male
  • Location:Sofia

Posted 26 August 2011 - 08:45 AM

Great topic, spooks! Thanks and from me.  :thumbsup:

This topic can be useful also: http://forums.oscommerce.com/topic/379086-how-to-prevent-hackers-in-osc-21-and-osc-22/

Edited by web-seo, 26 August 2011 - 08:54 AM.


#616   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 September 2011 - 09:42 PM

The main two pieces of code that need updating in v2.2RC2 versions of osCommerce are the following:

1 - Administration Tool Log-In Update: The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed by appending login.php to admin files.
2 - Update PHP_SELF Value: $PHP_SELF misreports the filename, which assists attackers in bypassing the admin tool login feature in v2.2RC2.

From the data I have been collecting on the types of attacks being levelled at osCommerce websites, all but two attack vectors, one serious and one medium level (difficult to pull off) attack, involve exploiting the faulty code in early versions of osCommerce that these two code patches fix.

Patching these two pieces of code then would prevent nearly 99% of attacks that are currently still creating havoc with older version users.

The other two attacks outside of this code are:
- a vulnerability in the admin login session that allows for URL poisoning to cause a live session to be exploited by a third party. Difficult to pull off and certainly not something that can be easily mass exploited, unlike the types of attacks that those two code patches above would prevent.
- a vulnerability in FCKEditor which allows attackers to arbitrarily upload files to servers with specific enabled configurations of PHP.

Both of these vulnerabilities can be quickly remedied with Apache's user authentication (.htaccess htpasswd) or changing the name of the admin directory.

Edited by Taipo, 02 September 2011 - 09:47 PM.

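
How the two patches Taipo lists above fit together, as an added example that is not osCommerce's own code. The admin gate in the 2.2RC2 design lets a request through without a session only when the script being run is login.php. If that decision is made from $PHP_SELF, and the server appends path info to it (Apache does this for a request like /admin/categories.php/login.php when AcceptPathInfo is on), then basename() sees "login.php" while the script that actually executes is categories.php, so the gate is skipped. Asking the server which file it really executed (SCRIPT_FILENAME, or SCRIPT_NAME) removes the client's influence. The $_SERVER values below are constructed for the illustration, FILENAME_LOGIN is defined locally to stand in for the osCommerce constant, and the PATH_INFO-stripping fallback is my own choice for servers that expose neither variable.

```php
<?php
// Added example (not osCommerce code): the "append login.php" bypass and the
// script-name derivation that closes it. Server variables below are constructed.
declare(strict_types=1);

const FILENAME_LOGIN = 'login.php'; // local stand-in for the osCommerce constant

// Vulnerable pattern: trust PHP_SELF, which can carry client-appended path info.
function is_login_page_vulnerable(array $server): bool
{
    return basename($server['PHP_SELF']) === FILENAME_LOGIN;
}

// Hardened: use the file the server actually executed. SCRIPT_FILENAME is the
// path on disk and SCRIPT_NAME its URL path; neither includes PATH_INFO.
function current_script(array $server): string
{
    if (!empty($server['SCRIPT_FILENAME'])) {
        return basename($server['SCRIPT_FILENAME']);
    }
    if (!empty($server['SCRIPT_NAME'])) {
        return basename($server['SCRIPT_NAME']);
    }
    // Fallback (my assumption, for odd SAPIs): strip PATH_INFO off PHP_SELF.
    $self = $server['PHP_SELF'] ?? '';
    if (!empty($server['PATH_INFO']) && substr($self, -strlen($server['PATH_INFO'])) === $server['PATH_INFO']) {
        $self = substr($self, 0, -strlen($server['PATH_INFO']));
    }
    return basename($self);
}

function is_login_page_hardened(array $server): bool
{
    return current_script($server) === FILENAME_LOGIN;
}

// The gate as the thread describes it: every admin script needs a logged-in
// admin session unless the script is the login page itself.
function admin_access_allowed(array $server, bool $admin_logged_in, callable $is_login_page): bool
{
    return $admin_logged_in || $is_login_page($server);
}

// Constructed request: GET /admin/categories.php/login.php, no admin session.
$forged = [
    'PHP_SELF'        => '/admin/categories.php/login.php',
    'SCRIPT_NAME'     => '/admin/categories.php',
    'SCRIPT_FILENAME' => '/home/example/public_html/admin/categories.php',
    'PATH_INFO'       => '/login.php',
];

$vulnerable = admin_access_allowed($forged, false, 'is_login_page_vulnerable'); // true: gate skipped
$hardened   = admin_access_allowed($forged, false, 'is_login_page_hardened');   // false: sent to login

echo 'vulnerable check admits the request: ' . var_export($vulnerable, true) . PHP_EOL;
echo 'hardened check admits the request:   ' . var_export($hardened, true) . PHP_EOL;
```

The same derivation is what you want wherever the store builds links or form actions from $PHP_SELF, not only in the admin gate; a misreported script name is also the ingredient in the URL-poisoning case Taipo mentions. Renaming the admin directory or putting it behind htpasswd is defence in depth, not a substitute: the request still has to reach categories.php for the patched check to matter.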

#617   Peper

Peper
  • Members
  • 358 posts
  • Real Name:Pierre
  • Gender:Male
  • Location:South Africa

Posted 18 September 2011 - 02:38 PM

Ok ok
Need bit of help

How to block the Baidu spider?

At it for a week now and it's driving me crazy. I don't want China to crawl my pages - leads to mass spam

180.76.5.61 - - [18/Sep/2011:16:05:37 +0200] "GET /customer_testimonials.php?page=3&testimonial_id=5 HTTP/1.1" 200 10663 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

What I've done so far:
.htaccess

RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Baidu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
ErrorDocument 404 /blocked.php

added 50 or so ips from them to ip_trapped
added Baidu to user_agents.txt list

Nada, spider keeps coming back for more indexing
Please help
Contributions successfully installed : Header tags SEO, Scrolling new products, Customer testimonials, Support tickets, Polls, Link exchange, SPPC, X-sell, Master products, Dhtml menu, Image cache, Slide show, Product videos, Product custom sort, Product notes, Discount coupons, Ask question(review style + admin), CP builder, Customers also purchased, price list, // SEO URLS 5, and forgot the others and then a real admin setup.

#618   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 21 September 2011 - 06:01 AM

Add this into your application_top.php files (both of them)

Find:
  Released under the GNU General Public License
*/

On the next line add:

  /**
   * Baiduspider Block: answer any request whose User-Agent contains
   * "Baiduspider" with an empty 404 before osCommerce does any work.
   */
  if ( ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) )
       && ( false !== strpos( $_SERVER[ "HTTP_USER_AGENT" ], "Baiduspider" ) ) ) {
      $header = array( "HTTP/1.1 404 Not Found", "Content-Length: 0" );
      foreach ( $header as $sent ) {
          header( $sent );
      }
      die();
  }


#619   Taipo

Taipo
  • Members
  • 757 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 21 September 2011 - 06:02 AM

That will tell bad Baidu that none of those pages exist (returns a 404 page not found header).
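
Why the .htaccess rule in post #617 never fired, and why the substring test in post #618 does, shown against the very log line Peper quoted. This is an added example written for this thread, not code from either post. RewriteCond tests its pattern as a regex against the User-Agent string; `^Baidu` is anchored at the start, and the crawler's UA starts with "Mozilla/5.0 (compatible; Baiduspider/2.0; ...", so the anchor can never match. The rule lists below are constructed to mirror the post's patterns.

```php
<?php
// Added example (not from the thread): pull the User-Agent out of an Apache
// combined-format access log line and evaluate RewriteCond-style patterns
// against it, anchored as posted and unanchored.
declare(strict_types=1);

// The User-Agent is the last quoted field of a combined-format line.
function user_agent_from_log_line(string $line): ?string
{
    if (preg_match('/"([^"]*)"\s*$/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Mirrors RewriteCond semantics: each entry is a regex applied as written,
// with nothing added, so "^Baidu" stays anchored and "Baiduspider" does not.
function first_matching_rule(string $ua, array $patterns): ?string
{
    foreach ($patterns as $pattern) {
        if (preg_match('/' . $pattern . '/', $ua)) {
            return $pattern;
        }
    }
    return null;
}

// The line quoted in post #617.
$line = '180.76.5.61 - - [18/Sep/2011:16:05:37 +0200] "GET /customer_testimonials.php?page=3&testimonial_id=5 HTTP/1.1" 200 10663 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"';

$ua = user_agent_from_log_line($line);

// Patterns as posted: every entry anchored at the start of the UA.
$anchored   = first_matching_rule($ua, ['^WebStripper', '^WebZIP', '^Baidu', '^Zeus']);
// Same list with the Baidu entry matching the token the crawler actually sends.
$unanchored = first_matching_rule($ua, ['^WebStripper', '^WebZIP', 'Baiduspider', '^Zeus']);

echo "UA: $ua\n";
echo 'anchored rules matched:   ' . var_export($anchored, true) . "\n";   // NULL
echo 'unanchored rules matched: ' . var_export($unanchored, true) . "\n"; // 'Baiduspider'
```

Two further points about the posted .htaccess: the `[F]` flag answers with 403 Forbidden, so `ErrorDocument 404 /blocked.php` never applies to those requests (it would need to be `ErrorDocument 403`), and a User-Agent test of any kind only stops crawlers that announce themselves; a client that sends a browser UA still has to be caught by the IP-based blocking Peper was also using.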

#620   robede

robede
  • Members
  • 1 posts
  • Real Name:lindayan

Posted 21 September 2011 - 07:45 AM

Thanks Sam