Chris
Edited by DunWeb, 26 January 2012 - 02:54 PM.
Latest News: (loading..)
2
218 replies to this topic
#201
DunWeb
-
- Members
- 12,730 posts
The Censored One
- Real Name:Chris
- Gender:Male
- Location:Ontario, Canada
Posted 26 January 2012 - 02:54 PM
oops
Chris
Chris
#202 ONLINE
altoid
-
- Community Sponsor
-
- 743 posts
- Real Name:Steve
- Gender:Male
- Location:Hollidaysburg, Pennsylvania
Posted 26 January 2012 - 05:15 PM
ski holidays, on 26 January 2012 - 02:05 PM, said:
Hi All, my installation of Oscommerce RC2.2 was hacked even though I renamed admin folder and applied htaccess. Does anybody know if any other possible vulnerability that could of allowed the hackers in?
Hello there, for the 2.2 Osc there's a bunch of securty recommendations. See the very first post in this topic by Jan; he provides info there on more security measures.
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.
#204
Posted 27 January 2012 - 06:59 PM
There is a known security issue with the 2.2 range of osCommerce versions that offer an admin login. It is possible that attackers were able to add rogue shell files into your sites directories, often in the images directory, which are used to exploit your website. So along with following the security recommendations here, make sure you go through all your website directories and remove any php files that should not be there.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
#205
Posted 11 April 2012 - 08:59 PM
Hi
can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?
which addons, things i should change?
i Tried oscommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.
I found it really annoying going through all them coded files replacing so many bits, i hope i don't have to do so many again
Please advise of the 2.3.1 security procedures to make it strong and safe from hackers.
thanks
can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?
which addons, things i should change?
i Tried oscommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.
I found it really annoying going through all them coded files replacing so many bits, i hope i don't have to do so many again
Please advise of the 2.3.1 security procedures to make it strong and safe from hackers.
thanks
#206
DunWeb
-
- Members
- 12,730 posts
The Censored One
- Real Name:Chris
- Gender:Male
- Location:Ontario, Canada
Posted 11 April 2012 - 09:06 PM
@vampirehunter
There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231
Also, the installation of contributions has not changed, there are still manual code edits when applying changes.
Chris
There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231
Also, the installation of contributions has not changed, there are still manual code edits when applying changes.
Chris
#207
Posted 11 April 2012 - 09:13 PM
DunWeb, on 11 April 2012 - 09:06 PM, said:
@vampirehunter
There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231
Also, the installation of contributions has not changed, there are still manual code edits when applying changes.
Chris
There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://forums.oscommerce.com/topic/375288-updated-security-thread/page__hl__security%20231
Also, the installation of contributions has not changed, there are still manual code edits when applying changes.
Chris
ok thanks
i read the page, it says for the ones in 2.31 i should install these particular ones? is this right?
1. Security Pro from FWR Media {
2.3.1 and lower.
a. Addon
b. Support
}
3. Filesafe from FWR Media {
2.3.1 and lower
a. Addon
b. Support
Filesafe replaces "Site Monitor". Site Monitor is old and tired.
}
5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg: /d9fne3ufvurjes%kep/
b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}
6. Remove references to (newly renamed) admin area in outgoing emails {
2.3.1 and lower
a. renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address. More.
}
7. Add extra login parameter (JanZ) {
2.3.1 and lower
a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.
}
#208
Posted 13 April 2012 - 10:16 PM
Its all optional for version 2.3.1
So far there has been no known security holes found in that version. The 2.2 range of osCommerce sites though need addition code patches.
So far there has been no known security holes found in that version. The 2.2 range of osCommerce sites though need addition code patches.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
#209
Posted 13 April 2012 - 10:44 PM
Quote
6. Remove references to (newly renamed) admin area in outgoing emails {
The fix you linked to often no longer works, see my post in the linked thread
Sam
Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
#210
Posted 17 June 2012 - 05:44 PM
I have looked at sorting this out and can't even find the file i need! I do not have cpanel, when i go to file manager I have various directories at the same level, including one called FTP and another VAR. The var has a directory path var/www/vhosts/apattern.co.uk but i have no files in it! I thought my files were supposed to go there, but the host said it needed to go in httpdocs, which is on the same level below FTP. When i auto installed Wordpress all the files are in FTP/httpdocs and my store is at FTP/httpdocs/catalog. I link from wordpress to my store, and therefore this can be problematic so i have been advised to carry out the following, but i cannot find a file called .htaccess!!!
How do I get password-protected directories (with .htaccess) to co-exist with textpattern? QUESTION: Using .htaccess authentication makes the directory inaccessible. HTTP Basic Authentication with the webserver redirects everything to textpattern’s index page. Using HTTP Auth with Apache results in 404 error pages. ANSWER: Please add the following lines to your .htaccess file: ErrorDocument 401 /[path_to_file]/myerror.html ErrorDocument 403 /[path_to_file]/myerror.html Make sure you point to existing, static html files.
How do I get password-protected directories (with .htaccess) to co-exist with textpattern? QUESTION: Using .htaccess authentication makes the directory inaccessible. HTTP Basic Authentication with the webserver redirects everything to textpattern’s index page. Using HTTP Auth with Apache results in 404 error pages. ANSWER: Please add the following lines to your .htaccess file: ErrorDocument 401 /[path_to_file]/myerror.html ErrorDocument 403 /[path_to_file]/myerror.html Make sure you point to existing, static html files.
Edited by zefeena, 17 June 2012 - 05:45 PM.
#211
Posted 17 June 2012 - 05:52 PM
Taipo, on 13 April 2012 - 10:16 PM, said:
Its all optional for version 2.3.1 So far there has been no known security holes found in that version. The 2.2 range of osCommerce sites though need addition code patches.
The version i have just downloaded is 2.3.1, so do i not have to do the re-naming thing?? and will i still have the other problem?
How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
#212
Posted 17 June 2012 - 06:26 PM
zefeena, on 17 June 2012 - 05:52 PM, said:
The version i have just downloaded is 2.3.1, so do i not have to do the re-naming thing?? and will i still have the other problem?
How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
How do I get password-protected directories (with .htaccess) to co-exist with textpattern?
Recommended SEO Addons:
Most Important: Header Tags SEO - Ultimate SEO V 2.2d
All SEO Addons: Recommended SEO Addons
Support Links:
Finding relevant link exchanges - Headers Already Sent - What does it cost? -What's my version? - How to change titles? - Preventing HotLinking
Most Important: Header Tags SEO - Ultimate SEO V 2.2d
All SEO Addons: Recommended SEO Addons
Support Links:
Finding relevant link exchanges - Headers Already Sent - What does it cost? -What's my version? - How to change titles? - Preventing HotLinking
#213
Posted 29 July 2012 - 01:18 AM
Hi, im really new to this, but i want to share what i have done.
i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.
And i was moving all file to root path/directorry and come 500 internal server...
What i ve done is:
go to admin/includes and find .htaccess and open/edit it
scroll down until you see
AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd
Require valid-user
and delete /catalog or rename it with /youradminfolder whatever you name it
i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.
And i was moving all file to root path/directorry and come 500 internal server...
What i ve done is:
go to admin/includes and find .htaccess and open/edit it
scroll down until you see
AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd
Require valid-user
and delete /catalog or rename it with /youradminfolder whatever you name it
#214
Posted 29 July 2012 - 01:19 AM
bensuba, on 29 July 2012 - 01:18 AM, said:
Hi, im really new to this, but i want to share what i have done.
i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.
And i was moving all file to root path/directorry and come 500 internal server...
What i ve done is:
go to admin/includes and find .htaccess and open/edit it
scroll down until you see
AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd
Require valid-user
and delete /catalog or rename it with /youradminfolder whatever you name it
i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.
And i was moving all file to root path/directorry and come 500 internal server...
What i ve done is:
go to admin/includes and find .htaccess and open/edit it
scroll down until you see
AuthType Basic
AuthName "osCommerce Admin Access"
AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd
Require valid-user
and delete /catalog or rename it with /youradminfolder whatever you name it
sorry it was in /admin directory
#215
Posted 29 July 2012 - 02:05 AM
Previously mentioned here
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >
#217
Posted 14 April 2013 - 10:38 PM
I just did an install of 2.3.3. I am bringing over my store from 2.2
I am now suddenly unable to log-in to my administration panel.
The username and password that I am putting in are the same that I had set them up to be.
Is this to do with the additional security that I was asked to set up in the post-installation interactions?
I simply can't log-in and am told 'maximum number of log-in's attempted, please try again in 5 minutes'.
However that's not working either.
I would like to just by pass this now, so as to get my store up and running again.
www.gouletdesigns.com/catalog/admin.
Thank you!
I am now suddenly unable to log-in to my administration panel.
The username and password that I am putting in are the same that I had set them up to be.
Is this to do with the additional security that I was asked to set up in the post-installation interactions?
I simply can't log-in and am told 'maximum number of log-in's attempted, please try again in 5 minutes'.
However that's not working either.
I would like to just by pass this now, so as to get my store up and running again.
www.gouletdesigns.com/catalog/admin.
Thank you!
#218
DunWeb
-
- Members
- 12,730 posts
The Censored One
- Real Name:Chris
- Gender:Male
- Location:Ontario, Canada
Posted 15 April 2013 - 03:26 AM
@suzgems1
You may need to reset your admin password by truncating the administrators table in your database. Then, create a new username and password when prompted when you access your admin area.
Also, If you had previously set up .htaccess protection on the /admin directory, you will also need to reset those files as well by replacing them with new files from the original osCommerce download
Chris
You may need to reset your admin password by truncating the administrators table in your database. Then, create a new username and password when prompted when you access your admin area.
Also, If you had previously set up .htaccess protection on the /admin directory, you will also need to reset those files as well by replacing them with new files from the original osCommerce download
Chris
#219
Posted 15 April 2013 - 05:36 PM
Thanks Chris.
How do I
"truncating the administrators table in your database". Don't know how to do that.
I can replace the admin files as you're asking. Do both actions need to take place in order for me to get in?
Thank you!
Suzanne
How do I
"truncating the administrators table in your database". Don't know how to do that.
I can replace the admin files as you're asking. Do both actions need to take place in order for me to get in?
Thank you!
Suzanne
