
Security issue with admin directory


227 replies to this topic

#181   rfwoolf

rfwoolf
  • Members
  • 65 posts
  • Real Name:Richard

Posted 15 June 2011 - 05:20 PM

Sohgave, on 13 April 2011 - 10:06 PM, said:

4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:
    define('DIR_WS_ADMIN', '/mynewname/'); //and as according to Jan's instructions. This step seemed a bit weird as the original syntax for the first define line reads : "define('DIR_WS_ADMIN', 'catalog/mynewname/');"
    define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');
Sohgave, did you ever come right?
I think the problem is that you left out 'catalog'.
Normally, installations of oscommerce go into a 'catalog' folder, which is annoying because there's no good reason for it, and if you don't know how to point your domain properly, your site's URL will be www.mysite.com/catalog/ -- so most of us get rid of the 'catalog' part during the installation by putting everything that *was* inside catalog up 1 folder.

Therefore, yours probably needs the 'catalog' part, and you will need to use this logic when following the instructions.
Unfortunately this is just one of those things that weren't told to you and you had to learn from experience :P

#182   dollcreator

dollcreator
  • Members
  • 20 posts
  • Real Name:Marianne

Posted 20 June 2011 - 12:05 AM

I have searched and searched on these forums, but can't find a solution to my problem.
I uploaded my new store to my website, changed the admin directory, and did the password protect with cpanel.
I can log into my renamed_admin directory without the .htaccess file, but when it is there, and the htpasswd file is where it is supposed to be (whether I used the cpanel, or wrote my own), it comes up with 404 file not found. It never asks for the user/pw. I am using osC2.3.1.
If I don't have the .htaccess file in the renamed_admin directory, it comes up with the warning that the renamed_admin directory is not password protected.
What am I doing wrong? I have been fighting this for days, and am running out of patience. I no longer know what to change.

Marianne

#183   staunts

staunts
  • Members
  • 14 posts
  • Real Name:Adam

Posted 09 July 2011 - 12:09 AM

Hi there,

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

Is there anything I can do to fix this ?

cheers,

Adam

#184   altoid

altoid
  • Community Sponsor
  • 959 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 09 July 2011 - 01:15 AM

staunts, on 09 July 2011 - 12:09 AM, said:

Hi there,

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

Is there anything I can do to fix this ?

cheers,

Adam

Perhaps the username and password are still associated with the old admin name and not the new admin name?
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC.  It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce.  Look around, you'll figure out who they are.

#185   germ

germ
  • Members
  • 13,921 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 09 July 2011 - 02:32 AM

staunts, on 09 July 2011 - 12:09 AM, said:

Hi there,

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

Is there anything I can do to fix this ?

cheers,

Adam
You mention a "popup asking for username and password" so I assume the admin is being secured by a .htaccess file.

The .htaccess file contains a line that locates the password file containing the usernames/passwords that work for it, usually located deeper in the folder.

If you change the admin name or path and the password file is deeper in the same folder you have to modify the line in the .htaccess file to relocate it as well.

An example.

Your original admin folder name was "admin" and the password file is in admin/safedir/.htpasswd

The line in the .htaccess file that locates it might look like this:

AuthUserFile /usr/local/www/admin/safedir/.htpasswd

Say you rename the admin folder to admin90210.

So now the code that locates the password file becomes:

AuthUserFile /usr/local/www/admin90210/safedir/.htpasswd

HTH
:)
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

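The two posts above (rfwoolf on keeping DIR_WS_ADMIN / DIR_FS_ADMIN consistent with the real directory, germ on AuthUserFile still pointing at the old admin path) describe the same class of mistake: the folder is renamed but one of the files that names it is not. The script below is an added example, not osCommerce code or any add-on from this thread. It reads includes/configure.php and .htaccess from an admin directory and reports every mismatch, including a stale AuthUserFile (Apache cannot open the password file, so the directory errors out instead of prompting) and the Apache 2.2-only Order/Deny/Allow directives, which Apache 2.4 rejects with a server error unless mod_access_compat is loaded. The store layout, the placeholder .htpasswd hash and the rename to admin90210 (the name reused from germ's example) are all constructed inside a temporary directory so it runs offline.

```python
"""Consistency audit for a renamed osCommerce admin directory (added example, not osCommerce code).

After a rename, the DIR_WS_ADMIN / DIR_FS_ADMIN defines in <admin>/includes/configure.php
and the AuthUserFile path in <admin>/.htaccess must all name the new directory.
Sample files are constructed in a temporary directory.
"""
import re
import shutil
import tempfile
from pathlib import Path

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def read_defines(text):
    """NAME -> value for every define('NAME', 'value') in a configure.php."""
    return dict(DEFINE_RE.findall(text))


def read_directives(text):
    """(directive, argument) pairs from an .htaccess, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            pairs.append((name, arg.strip()))
    return pairs


def audit_admin(admin_dir):
    """Return human-readable findings for admin_dir; an empty list means it looks consistent."""
    findings = []
    admin_dir = Path(admin_dir).resolve()

    configure = admin_dir / "includes" / "configure.php"
    if not configure.is_file():
        findings.append("missing includes/configure.php")
    else:
        defines = read_defines(configure.read_text())
        ws = defines.get("DIR_WS_ADMIN", "")
        fs = defines.get("DIR_FS_ADMIN", "")
        # whether or not the store sits under /catalog/, the last segment of DIR_WS_ADMIN
        # and the whole of DIR_FS_ADMIN must name this directory
        if ws.strip("/").split("/")[-1] != admin_dir.name:
            findings.append(f"DIR_WS_ADMIN is '{ws}' but the directory is named '{admin_dir.name}'")
        if not fs or Path(fs).resolve() != admin_dir:
            findings.append(f"DIR_FS_ADMIN is '{fs}' but the directory is '{admin_dir}'")

    htaccess = admin_dir / ".htaccess"
    if not htaccess.is_file():
        findings.append("no .htaccess in the admin directory, so it is not password protected")
        return findings
    directives = read_directives(htaccess.read_text())
    userfile = next((arg for name, arg in directives if name == "AuthUserFile"), None)
    if userfile is None:
        findings.append(".htaccess has no AuthUserFile, so Basic auth has no credentials to check")
    elif not Path(userfile).is_file():
        # Apache cannot open the password file, so every request to the directory errors out
        findings.append(f"AuthUserFile '{userfile}' does not exist (stale path from the old admin name?)")
    if {name for name, _ in directives} & {"Order", "Deny", "Allow"}:
        findings.append("uses Apache 2.2 Order/Deny/Allow; Apache 2.4 rejects these unless mod_access_compat is loaded")
    return findings


def build_sample(root, admin_name="admin"):
    """Create a constructed store layout under root and return its admin directory."""
    admin = Path(root) / admin_name
    (admin / "includes").mkdir(parents=True)
    (admin / "safedir").mkdir()
    # placeholder hash, not a real credential
    (admin / "safedir" / ".htpasswd").write_text("shopadmin:$apr1$constructed$placeholderhash\n")
    (admin / "includes" / "configure.php").write_text(
        "<?php\n"
        f"  define('DIR_WS_ADMIN', '/{admin_name}/');\n"
        f"  define('DIR_FS_ADMIN', '{admin}/');\n"
        "  define('DIR_WS_CATALOG', '/');\n"
    )
    (admin / ".htaccess").write_text(
        "AuthType Basic\n"
        'AuthName "Store admin"\n'
        f"AuthUserFile {admin}/safedir/.htpasswd\n"
        "Require valid-user\n"
    )
    return admin


def demo():
    """Rename admin to admin90210 without editing anything, audit, apply the fix, audit again."""
    root = Path(tempfile.mkdtemp())
    try:
        admin = build_sample(root)
        initial = audit_admin(admin)
        renamed = root / "admin90210"
        admin.rename(renamed)  # the rename alone: nothing else touched
        broken = audit_admin(renamed)
        # the fix from this thread: point both files at the new name
        for f in (renamed / "includes" / "configure.php", renamed / ".htaccess"):
            f.write_text(f.read_text().replace("/admin/", "/admin90210/"))
        fixed = audit_admin(renamed)
        return {"initial": initial, "broken": broken, "fixed": fixed}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings or ["ok"])
```

Run it against a real store by calling audit_admin() with the path of the renamed admin directory; the "broken" stage of demo() reproduces exactly the state staunts and, later in this thread, Adamanto75 describe, and the "fixed" stage comes back empty.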

#186   staunts

staunts
  • Members
  • 14 posts
  • Real Name:Adam

Posted 09 July 2011 - 10:26 PM

Brilliant, thanks guys. That was it , all working now !

#187   KerkChzePerng

KerkChzePerng
  • Members
  • 13 posts

Posted 22 July 2011 - 01:33 AM

Hi, if this message "xxx.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." is shown , what should I do to fix it ?

#188   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts
  • Real Name:Chris
  • Gender:Male
  • Location:Ontario, Canada

Posted 22 July 2011 - 01:58 AM

KerkChzePerng, on 22 July 2011 - 01:33 AM, said:

Hi, if this message "xxx.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." is shown , what should I do to fix it ?


You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.




Chris

#189   KerkChzePerng

KerkChzePerng
  • Members
  • 13 posts

Posted 22 July 2011 - 02:11 AM

DunWeb, on 22 July 2011 - 01:58 AM, said:

You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.




Chris

Thanks first. But how to detect the malicious code from the files ? I'm newbie actually ...

#190   14steve14

14steve14

    STORE OWNER NOT CODER

  • Members
  • 3,436 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Dorset UK

Posted 25 September 2011 - 10:57 AM

Why not restore a good working copy of your site from your backup.  That would be the easiest way.
REMEMBER BACKUP, BACKUP AND BACKUP

#191   the99brand

the99brand
  • Members
  • 3 posts
  • Real Name:Maceo

Posted 01 December 2011 - 03:10 PM

I am getting this UGH! Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/content/12/8659812/html/oscommerce/index.php on line 9

HELP

IT@the99brand.com

Edited by the99brand, 01 December 2011 - 03:25 PM.


#192   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts
  • Real Name:Chris
  • Gender:Male
  • Location:Ontario, Canada

Posted 01 December 2011 - 03:12 PM

the99brand, on 01 December 2011 - 03:10 PM, said:

I am getting this UGH! Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/content/12/8659812/html/oscommerce/index.php on line 9

HELP


Maceo,

The change you just made to the index.php was incorrect.  You will need to check the code edits and correct the syntax.



Chris

#193   Adamanto75

Adamanto75
  • Members
  • 72 posts

Posted 18 January 2012 - 02:32 AM

Hello,

I am coming into problems when I change my admin filename, I change it to whatever I wanted and changed the code in configure.php uploaded it and when I navigate to www.mystore.com/admin_name it gives me an internal server error.

Is there something I am doing wrong?

Thank you in advance

Adamanto75

#194   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,123 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 18 January 2012 - 10:35 AM

Check in the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.

HTH

H
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.


#195   Adamanto75

Adamanto75
  • Members
  • 72 posts

Posted 19 January 2012 - 06:21 AM

geoffreywalton, on 18 January 2012 - 10:35 AM, said:

Check in the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.

HTH

H

I checked my admin/.htaccess file and it says this:


# $Id$
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
#
# Example:
#
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit
#
# 'All' will also work. (This configuration is in your apache/conf/httpd.conf file)
#
# This does not affect PHP include/require functions
#
# Example: http://server/catalog/admin/includes/application_top.php will not work

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

I don't see it calling for my old admin? Unless I'm missing something.

Is there anything else I can do?

Thanks

Adamanto75

#196   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,123 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 19 January 2012 - 08:46 AM

KerkChzePerng, on 22 July 2011 - 02:11 AM, said:

Thanks first. But how to detect the malicious code from the files ? I'm newbie actually ...

Really this is a case of experience.

You need to check all files to see if certain known words occur in any file and then look and see if they are malicious.

VTS and site monitor will help you do this.

There are also some tips on cleansing a site in my profile.

HTH

G

Edited by geoffreywalton, 19 January 2012 - 08:47 AM.

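KerkChzePerng asked how to detect the injected code, and the answer above is to search every file for certain known words and then read the hits. The script below is an added example of that triage step; it is not VTS, site monitor, or any other osCommerce add-on. It walks a store directory, flags the obfuscation and web-shell idioms that injected PHP and hidden redirects usually rely on (eval of a decoded blob, eval of request input, long base64 strings, the preg_replace /e modifier, shell execution, zero-size iframes), and separately flags any PHP file under images/, a directory that should only ever hold pictures. It finds candidates only: legitimate code also uses base64_decode and eval, so every hit has to be read by a person before anything is deleted. The store files, the 240-character payload and the example.invalid iframe host are all constructed in a temporary directory so it runs offline.

```python
"""Triage scan for injected code in a store's files (added example, not VTS or any osCommerce add-on).

Every hit still needs a human to read the line: this finds candidates, it does not clean.
Sample files are constructed in a temporary directory.
"""
import re
import shutil
import tempfile
from pathlib import Path

# (label, regex) pairs describing how injected code is usually written, not specific malware
SUSPICIOUS = [
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b", re.I)),
    ("request-driven eval/include", re.compile(r"\b(eval|include|require|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("shell command execution", re.compile(r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(", re.I)),
    ("long base64 blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("hidden iframe", re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I)),
]
CODE_SUFFIXES = {".php", ".phtml", ".php5", ".inc", ".html", ".js"}


def scan_text(text):
    """(line number, label) for every suspicious line in one file's contents."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SUSPICIOUS:
            if rx.search(line):
                hits.append((lineno, label))
    return hits


def scan_tree(root):
    """(relative path, line number, label) for every hit under root, in path order."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        # a PHP file under images/ has no legitimate reason to exist: classic web-shell drop point
        if suffix in {".php", ".phtml", ".php5"} and rel.startswith("images/"):
            hits.append((rel, 0, "PHP file inside images/"))
        if suffix in CODE_SUFFIXES or path.name == ".htaccess":
            for lineno, label in scan_text(path.read_text(errors="replace")):
                hits.append((rel, lineno, label))
    return hits


def build_sample(root):
    """Write a constructed store with one clean file and three typical infections."""
    root = Path(root)
    (root / "includes").mkdir(parents=True)
    (root / "images").mkdir()
    (root / "index.php").write_text("<?php\n  require('includes/application_top.php');\n  echo 'Welcome';\n")
    payload = "QUJD" * 60  # 240 base64 characters standing in for an obfuscated payload
    (root / "includes" / "application_top.php").write_text(
        "<?php\n  require('includes/configure.php');\n"
        f"  eval(base64_decode('{payload}'));\n"
    )
    # example.invalid is a reserved placeholder host, not the domain named in the thread
    (root / "includes" / "footer.php").write_text(
        "<?php\n  echo '<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>';\n"
    )
    (root / "images" / "cache.php").write_text("<?php if (isset($_POST['c'])) { eval($_POST['c']); }\n")


def demo():
    """Scan the constructed store and return its hits."""
    root = Path(tempfile.mkdtemp())
    try:
        build_sample(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, lineno, label in demo():
        print(f"{rel}:{lineno}: {label}")
```

Point scan_tree() at the document root of a real store to get the same report for it. Combine the hit list with a comparison against a known-clean copy of the same osCommerce release (or the backup 14steve14 recommends) so that files which differ from the distribution are reviewed first, and treat a hit in a core file such as includes/application_top.php as a sign that the rest of the tree needs the same attention.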

#197   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,123 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 19 January 2012 - 08:51 AM

Adamanto75, on 19 January 2012 - 06:21 AM, said:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

Is there a reason you have deny from all?

Cheers

G

#198   Adamanto75

Adamanto75
  • Members
  • 72 posts

Posted 19 January 2012 - 09:55 AM

@geoffreywalton

Idk that's how the .htaccess file was written when I downloaded it (I didn't touch it at all).

#199   patrickluursema

patrickluursema
  • Members
  • 41 posts
  • Real Name:Patrick Luursema

Posted 22 January 2012 - 11:23 AM

Thanks, this thread helped me out a lot.
Kind regards,

Patrick Luursema

#200   ski holidays

ski holidays
  • Members
  • 2 posts
  • Real Name:Brandon kane
  • Gender:Male
  • Location:London

Posted 26 January 2012 - 02:05 PM

Hi All, my installation of Oscommerce RC2.2 was hacked even though I renamed the admin folder and applied htaccess. Does anybody know of any other possible vulnerability that could have allowed the hackers in?