
Security issue with admin directory


203 replies to this topic

#81 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 15 November 2009, 02:01

Richard Cranium, on 15 November 2009, 00:25, said:

I tried that but it doesn't work. It generates an error every time I try to access a page in the admin directory. My catalog is in the root dir, but I can't imagine that would cause a problem. Is there more to it than that one line? Perhaps the point at which you enter that line in the application_top file?


Try this one.

Edited by Jan Zonjee, 15 November 2009, 13:01.
changed the link to the new v3 format

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Post osC questions, don't PM them. Vampire?

Contributions:

Multi Images with Fancy Popups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#82 Richard Cranium

  • Community Member
  • 144 posts
  • Real Name:David

Posted 15 November 2009, 06:08

spooks, on 15 November 2009, 02:01, said:

Sam,

Thank you, but I believe you just pointed that link back to this same thread (only to the beginning). Was that your intent?

Regardless, perhaps it is a server issue. I have taken other steps already, including some outlined in this thread. Question on my mind is which defenses will protect a shop from this new attack form. That is the essence of what I want to know (and I'm sure that I'm not the only one). For example, does .htaccess prevent this attack? Must one make the application_top.php change suggested above?

Is there a straightforward answer or are there some variables dependent on a shop, server config, or some other issue(s)?

Regards,
David

Edited by Jan Zonjee, 15 November 2009, 13:03.
edited the link to the v3 format


#83 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 15 November 2009, 09:09

Richard Cranium, on 15 November 2009, 06:08, said:

Thank you, but I believe you just pointed that link back to this same thread (only to the beginning). Was that your intent?


No, it works for me; odd that it doesn't for you? It's a link to Java Roaster's post in this thread on 20th August. I think his code will work for you; I don't think the code you tried will work on all servers.
Sam


#84 Mort-lemur

  • Community Member
  • 899 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 15 November 2009, 12:16

spooks, on 15 November 2009, 01:58, said:

I don't think that will work on all servers; a number of people have come up with code snippets for this, try this one first.

Sorry - I'm missing something - that link takes me back to the beginning of this thread?

Thanks
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#85 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 15 November 2009, 12:20

Mort-lemur, on 15 November 2009, 12:16, said:

Sorry - I'm missing something - that link takes me back to the beginning of this thread?

Thanks

It works for me! It's a link to Java Roaster's post in this thread on 20th August.
Sam


#86 jfontes

  • Community Member
  • 4 posts
  • Real Name:James Fontes

Posted 17 November 2009, 00:16

mrpointy, on 21 July 2009, 15:44, said:

Ditto!

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head <_<

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain? :blink:

Thanks

I changed the admin directory name as suggested and after the changes (directory name change and in the configure.php file) I got 404 errors when trying to go to my new "admin" url, but the old url did work. This is what I think happened in my case: I edited the configure.php file locally, and uploaded the file via ftp. During the upload I am prompted as to whether or not I want to overwrite the existing file and I told it to overwrite the file. Everything looked ok, but the file was not actually overwritten. I noticed the file permissions on the configure.php file were set to 444, so I set them to 755 temporarily while I uploaded and overwrote the file again. This time my new "admin" url worked fine. I'm not an expert by any means, but as a newbie to maybe other newbies, this could be some of the problem.

BTW, my install was a Fantastico install.

#87 Richard Cranium

  • Community Member
  • 144 posts
  • Real Name:David

Posted 17 November 2009, 00:47

spooks, on 15 November 2009, 12:20, said:

It works for me! It's a link to Java Roaster's post in this thread on 20th August.

It does not work for me either. I just get Java's profile.

#88 Richard Cranium

  • Community Member
  • 144 posts
  • Real Name:David

Posted 17 November 2009, 00:48

jfontes, on 17 November 2009, 00:16, said:

I changed the admin directory name as suggested and after the changes (directory name change and in the configure.php file) I got 404 errors when trying to go to my new "admin" url, but the old url did work. This is what I think happened in my case: I edited the configure.php file locally, and uploaded the file via ftp. During the upload I am prompted as to whether or not I want to overwrite the existing file and I told it to overwrite the file. Everything looked ok, but the file was not actually overwritten. I noticed the file permissions on the configure.php file were set to 444, so I set them to 755 temporarily while I uploaded and overwrote the file again. This time my new "admin" url worked fine. I'm not an expert by any means, but as a newbie to maybe other newbies, this could be some of the problem.

BTW, my install was a Fantastico install.

I've had something like that happen to me too. I'm not sure if it's a permissions issue or that the FTP prog barfed on it and thought it was copied.

#89 Mort-lemur

  • Community Member
  • 899 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 21 November 2009, 16:39

Hi,

Have a look to see if you have Includes/Local folders (Admin & Store)

If so these may have config files that need amending as well.

In my store I had to change all four config files for it to work.

Thanks

By the way, I installed Java Roaster's code change to application_top and everything still works - what does this change actually do?

Thanks

Edited by Mort-lemur, 21 November 2009, 16:51.


#90 Richard Cranium

  • Community Member
  • 144 posts
  • Real Name:David

Posted 21 November 2009, 17:59

spooks, on 15 November 2009, 12:20, said:

It works for me! It's a link to Java Roaster's post in this thread on 20th August.

Sam,

I'm not sure what happened the other day. I just logged in and tried your link, and bammo.. works. So, now I see what you're talking about. Thanks. I think I did not have all the code installed before. I'll re-run and test.

Regards,
David

#91 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 21 November 2009, 18:35

Mort-lemur, on 21 November 2009, 16:39, said:

By the way, I installed Java Roaster's code change to application_top and everything still works - what does this change actually do?

Blocks the admin hack detailed in the OP; it may be clearer if you read this thread.
Sam


#92 myforum

  • Community Member
  • 2 posts
  • Real Name:Meik Brucks

Posted 29 December 2009, 14:10

Hello,

I have a security problem in my osc installation. My version of OSC is an older one and I use the addon Administration Access Level. Now I have the problem that you can see my order view with the url "...myshop.com/admin/orders.php/login.php", and this without a correct login. So you can see my orders without login. So this is a security problem. A friend told me that under http://svn.oscommerce.com/jira/browse/OSC-1001 there is a solution. There is code, but I don't know where I add this code.

So I hope you can help me with this problem. I want to implement the other tips (rename admin directory ...). But I hope you can help me with this problem, so that nobody can see my order list without login.

Thank you.
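The URL shape myforum describes (an admin script name followed by extra path) leaves a recognisable trace in the web-server access log. The following is an added example, not code from the thread or from osCommerce: it pulls those requests out of Apache-style log lines and summarises where they came from. It generalises to any extra path after an admin script, not only login.php; the admin directory name is passed as the first argument, and the log lines are constructed for the demo using documentation IP ranges.

```shell
# Added example (not from the thread): pick out web-server requests of the
# "admin/orders.php/login.php" shape myforum describes (an admin script name
# followed by extra path) from Apache-style access logs, so a store owner can
# see whether that URL form has been tried against the shop. Assumes the admin
# directory name is $1 and log files follow; the log lines below are constructed
# and use documentation IP ranges.

# Print every log line whose request path is /<admin>/<script>.php/<more path>.
find_pathinfo_requests() {
    admin_dir="$1"; shift
    grep -E "\"(GET|POST) /$admin_dir/[^ ?]+\.php/[^ ]* HTTP" "$@"
}

# Summarise offending source addresses as "<count> <ip>", busiest first.
pathinfo_sources() {
    find_pathinfo_requests "$@" | awk '{print $1}' | sort | uniq -c |
        sort -rn | awk '{print $1, $2}'
}

# --- constructed sample access log ---
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [29/Dec/2009:14:00:01 +0000] "GET /admin/login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Dec/2009:14:00:05 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Dec/2009:14:00:09 +0000] "GET /admin/orders.php?page=1 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2009:14:10:33 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 200 9921 "-" "-"
203.0.113.7 - - [29/Dec/2009:14:10:41 +0000] "GET /admin/customers.php/login.php?cID=1 HTTP/1.1" 200 4412 "-" "-"
198.51.100.4 - - [29/Dec/2009:14:12:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF

echo "suspicious requests:"; find_pathinfo_requests admin "$SAMPLE_LOG"
echo "by source:";           pathinfo_sources admin "$SAMPLE_LOG"
```

Run it against the real log with the renamed admin directory name in place of `admin`; a 200 status on such a request is what makes it worth a closer look.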

#93 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 29 December 2009, 14:33

myforum, on 29 December 2009, 14:10, said:

If you're finding things here hard to follow, this contrib may help, and see FWR's post on 16th Dec re code to prevent the specific admin hack: http://forums.oscommerce.com/index.php?showtopic=348589&pid=1467014&start=&st=#entry1467014
Sam


#94 lanrat

  • Community Member
  • 12 posts
  • Real Name:Mark H

Posted 30 December 2009, 17:59

Hi All,

A cart I administrate also got hacked during this Christmas period with spam being emailed to the customers, and I found the "<?php /**/eval(base64_decode.... ?>" infecting *all* the php files.

The accompanying files of the 'hack-attack' were added to the '/admin/includes/languages/english/images/buttons' directory.

I "think" I have it all contained and the site working again (see the steps I've taken below) but I have one troubling question related to 'Step 5' below and a comment on this and other threads about this subject. i.e

QUESTION: After password protecting the 'renamed_admin' folder the (extra) pop-up requesting the "folder protection credentials" actually DISPLAYS THE USERNAME required - some security feature hey? Comments/solutions please!!!

Steps taken thus far:
I've replaced/restored all php files from a backup, deleted the hackers files and....
1. Deleted '/admin/file_manager.php' and edited '/admin/includes/boxes/tools.php'
2. Set file and folder permissions to 644 and 755 (configure.php files set to 400)
3. Changed all the passwords (Site admin, Cart admin, DB User)
4. Renamed the 'admin' folder and edited the 'renamed_admin/includes/configure.php' file
5. Password protected the 'renamed_admin' folder using the ISP's 'Site Admin/Configuration Panel' - it's not the conventional cPanel

Is there anything I've missed?

COMMENT: I appreciate the wealth of experience and information provided here but must agree with some postings that sometimes the 'fixes' PRESUME a level of competence that 'NOOBs' (Newbies) like me just don't have - PLEASE, when somebody says they are not a programmer or are newbies lay it out step by step - remember, you had to learn once-upon-a-time too :^)

Thanks to all contributors - I plan to work my way through the rest of <spooks> suggestions as time permits.

Cheers, Mark
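Mark's clean-up steps can be turned into a repeatable check. The following is an added example, not code from the thread or from osCommerce: it scans a store tree for the `eval(base64_decode` marker he found in every PHP file, lists `.php` files sitting under an images directory (where the extra files were dropped in his case), and lists world-writable files, i.e. anything looser than the 644/755 he applied. It assumes POSIX find and grep; the sample tree it builds is constructed for the demo.

```shell
# Added example (not from the thread): scan a store tree for the
# "<?php /**/eval(base64_decode" marker lanrat found in every PHP file, list
# .php files sitting under an images directory (where his attacker dropped
# files) and list world-writable files, i.e. looser than the 644/755 he set.
# Assumes POSIX find/grep; the sample tree below is constructed for the demo.

# Print every .php file under $1 that contains the injection marker.
find_infected_php() {
    find "$1" -type f -name '*.php' -exec grep -l 'eval(base64_decode' {} + | sort
}

# Print every .php file under $1 that lives below an images directory.
find_php_in_images() {
    find "$1" -type f -path '*/images/*' -name '*.php' | sort
}

# Print every regular file under $1 that is world-writable.
find_world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# Print all three findings; return 1 when anything was found so it can gate a deploy.
scan_store() {
    found=0
    for check in find_infected_php find_php_in_images find_world_writable; do
        hits=$("$check" "$1")
        [ -z "$hits" ] || { found=1; echo "$check:"; printf '%s\n' "$hits" | sed 's/^/  /'; }
    done
    [ "$found" -eq 0 ]
}

# --- constructed sample tree ---
SAMPLE_STORE="$(mktemp -d)"
BUTTONS="$SAMPLE_STORE/renamed_admin/includes/languages/english/images/buttons"
mkdir -p "$BUTTONS"
# Injected prefix in front of an otherwise normal page; the base64 decodes to "PLACEHOLDER".
printf '<?php /**/eval(base64_decode("UExBQ0VIT0xERVI=")); ?>\n<?php echo "index"; ?>\n' > "$SAMPLE_STORE/index.php"
printf '<?php echo "clean"; ?>\n' > "$SAMPLE_STORE/renamed_admin/login.php"
printf '<?php echo "dropped"; ?>\n' > "$BUTTONS/x.php"
chmod 644 "$SAMPLE_STORE/index.php" "$SAMPLE_STORE/renamed_admin/login.php"
chmod 666 "$BUTTONS/x.php"   # deliberately loose, to trigger the permission check

scan_store "$SAMPLE_STORE" || echo "findings above need attention"
```

Run `scan_store` against the document root after restoring from backup; a clean tree produces no output and exit status 0.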

#95 spooks

  • Community Member
  • 6,668 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 04 January 2010, 12:27

lanrat, on 30 December 2009, 17:59, said:

DISPLAYS THE USERNAME required


It's your browser that remembered the last username you used; try visiting with another browser!
Sam


#96 MattReid

  • Community Member
  • 79 posts
  • Real Name:Matt Reid

Posted 20 January 2010, 21:25

Jan Zonjee, on 18 July 2009, 07:23, said:

In the German forum there is [link: http://forums.oscommerce.de/index.php?showtopic=70425]. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
Hello, I skimmed the thread and couldn't see this already asked, sorry if I missed it.....


I notice in my 2.2RC2a, admin/includes/configure.php reads:

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

Presumably this means I only have to change the first line? And nothing else anywhere else?

Edited by MattReid, 20 January 2010, 21:26.


#97 DunWeb

  • Community Sponsor
  • 9,470 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 20 January 2010, 21:31

Matt,

If, for example you changed your admin folder name to MATT

the line would read

define('DIR_WS_ADMIN', '/matt/');

When Jan referred to the file as: define('DIR_WS_ADMIN', '/renamed_admin_directory/'); he meant that renamed_admin_directory is whatever you have renamed it to, NOT literally "renamed_admin_directory".


Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

:|: Check my About Me page for information about Support Plans, Templates, Custom Add Ons and Professional osCommerce Security Services :|:

#98 Jan Zonjee

  • Team Member
  • 6,975 posts
  • Real Name:Jan Zonjee
  • Gender:Male
  • Location:the Netherlands

Posted 20 January 2010, 21:43

Quote

I notice in my 2.2RC2a, admin/includes/configure.php reads:

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

Presumably this means I only have to change the first line? And nothing else anywhere else?
Yes, indeed. This is in the "default" configure.php that you can change manually, but is overwritten when you do the install with the install script.
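Three earlier problems in this thread come down to the same check: jfontes' upload silently not overwriting a 444 configure.php, Mort-lemur's extra includes/local copies, and Matt's question about which line to change. The following is an added example, not code from the thread or from osCommerce: it finds every configure.php under the store root, reports the DIR_WS_ADMIN each one defines and whether the file is writable, and verifies that all copies agree and name a directory that actually exists. The store root is passed as the first argument; the two sample stores it builds are constructed for the demo.

```shell
# Added example (not from the thread): after renaming the admin directory, find
# every configure.php under the store (the includes/local copies Mort-lemur
# mentions count too), report the DIR_WS_ADMIN each defines and whether the
# file is writable (jfontes' upload silently failed on a 444 file), and check
# that all copies agree and name a directory that exists. Assumes the store
# root is $1; the sample trees below are constructed for the demo.

# Print "<file> <writable|read-only> <DIR_WS_ADMIN>" for each configure.php that defines it.
list_admin_configs() {
    find "$1" -type f -name configure.php | sort | while IFS= read -r f; do
        ws=$(sed -n "s/.*define('DIR_WS_ADMIN', *'\([^']*\)').*/\1/p" "$f")
        [ -n "$ws" ] || continue               # catalog-side copies define no admin path
        if [ -w "$f" ]; then w=writable; else w=read-only; fi
        printf '%s %s %s\n' "$f" "$w" "$ws"
    done
}

# Return 0 when every copy names the same DIR_WS_ADMIN and that directory exists
# under the store root; print a diagnostic and return 1 otherwise.
check_admin_configs() {
    root="$1"; status=0
    out=$(list_admin_configs "$root")
    [ -n "$out" ] || { echo "no configure.php defines DIR_WS_ADMIN"; return 1; }
    values=$(printf '%s\n' "$out" | awk '{print $3}' | sort -u)
    [ "$(printf '%s\n' "$values" | wc -l | tr -d ' ')" -eq 1 ] ||
        { echo "configure.php copies disagree on DIR_WS_ADMIN:"; printf '%s\n' "$out"; status=1; }
    for ws in $values; do
        [ -d "$root/$ws" ] || { echo "DIR_WS_ADMIN '$ws' has no directory under $root"; status=1; }
    done
    return $status
}

# Build a constructed store: $1 root, $2 admin dir name, $3 the DIR_WS_ADMIN
# written into an includes/local copy (a stale value simulates a missed file).
make_sample_store() {
    mkdir -p "$1/$2/includes/local" "$1/includes"
    printf "define('DIR_WS_CATALOG', '/');\n" > "$1/includes/configure.php"
    printf "define('DIR_WS_ADMIN', '/%s/');\ndefine('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);\n" \
        "$2" > "$1/$2/includes/configure.php"
    printf "define('DIR_WS_ADMIN', '%s');\n" "$3" > "$1/$2/includes/local/configure.php"
    chmod 444 "$1/$2/includes/configure.php"    # the 444 mode jfontes ran into
}

GOOD_STORE="$(mktemp -d)"; make_sample_store "$GOOD_STORE" renamed_admin /renamed_admin/
STALE_STORE="$(mktemp -d)"; make_sample_store "$STALE_STORE" renamed_admin /admin/

check_admin_configs "$GOOD_STORE" && echo "$GOOD_STORE: consistent"
check_admin_configs "$STALE_STORE" || echo "$STALE_STORE: needs fixing"
```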

#99 MattReid

  • Community Member
  • 79 posts
  • Real Name:Matt Reid

Posted 20 January 2010, 21:49

Ah, yes that's what I meant Jan, I see now, thanks for the clear reply. (Dank u wel voor uw medewerking, or something close to that :thumbsup: )

#100 MattReid

  • Community Member
  • 79 posts
  • Real Name:Matt Reid

Posted 15 February 2010, 11:36

Jan Zonjee, on 18 July 2009, 07:23, said:


Delete admin/filemanager.php and associated links.
Delete admin/define_language.php and associated link in the "Tools" box.

Hello again. Please could you tell me where any other link to filemanager.php might be? Apart from in the "Tools" box? Thanks.

Edited by MattReid, 15 February 2010, 11:36.