Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hosting Developers Payment Shipping Accounting Templates Marketing Books

Latest News: (loading..)

geoffreywalton

Member Since 21 Oct 2007
OFFLINE Last Active Yesterday, 07:29 PM

Find content

About Me

I offer the following services and more:

- Cleaning Hacked Sites
- Securing Oscommerce sites
- Product Loading and maintenance
- Oscommerce Customization
- Support - Online, Skype and Contracts
- Oscommerce version upgrades
- Custom coding
- SEO Optimization
- Speed Optimization
- Add-ons/modules installation
- Add-ons/modules customization and modifications
- Migration to oscommerce from other cart software
- Migration to other cart software from oscommerce

To find out more go to http://www.theukwaltons.co.uk and feel free to contact me for a quote on anything you want done, otherwise please post your questions in the forum.

Thanks.

G

The data that was here and has been referred to in my posts since 2007 is slowly being transferred to my web site at http://www.theukwaltons.co.uk, so if you can't find it below, please follow the link.

IMPORTANT SECURITY PATCH FOR EXISTING AND NEW SITES (18/07/90).

If your admin directory is still called admin you really must follow the steps outlined HERE, don't and you will get hacked.

Once you have done that look at the "Security Contributions You Ought to Apply" links lower down in this profile.

They all come with step by step guides that if you are familiar with editing files and ftp you should be able to follow.

What To Do If Your Site Has Been Hacked?

Moved to Basic Installation steps on my web site.

Security Contributions You Ought to Apply

Follow the instruction on How to secure your osCommerce 2.2 site. All the stuff you should to prevent posting 'My Sites Been Hacked

Virus Threat Scanner is designed to run on your web server and scan your public web files for malicious code. It is small, portable and efficient, uses minimal server resources, and provides a full report on what has been discovered.

One of them, Site Monitor can be set up to check your site at regular intervals and email you of suspicious changes, it can also be run as part of the process to disinfect a site.

Try this one as well to sort out a few well known glitches in the registration process.

Hi

You may have noticed I answer quite a lot of questions on the forum, or I did when I wrote this, so first a please, post your questions in the forum or see the comments in my Personal Statement.

Most of the answers I give can be found by searching the forum, so whenever you get stuck, use Google and use a search term like

site:forums.oscommerce.com xxxxxxxxxxxxxxx

in the Google search box. Or read this link A guide to searching the forums/contributions

Here are some links to answers and other info I have found useful to install RC2A sites, credit must go to the authors, all I have done is consolidate them into one place. If you find others let me know and I'll add them in.

Starting Out

Just so you understand how OSC is put together have a read of the roadmap for newbies by lindsayanng, which gives a good overview of OSC.

File relationships diagram [img]http://forums.oscommerce.com//public/style_emoticons/default/whistling.gif[/img] here

If you need to understand a bit more about Linux commands?

And before you start out here are some tips on how people make crap sites using OSC. Then from there are links on how to make an awesome site.

Basic Installation steps

Moved to Basic Installation steps on my web site.

Getting A Basic Understanding

Once you have it installed the first 2 threads in the installation forum covers how to do loads of basic things as does this one [img]http://forums.oscommerce.com//public/style_emoticons/default/whistling.gif[/img]

Also the documentation that comes with the download of your version of OSC will be a good first stop or if it is not on your server, download a new copy of your version and read that

Video Tutorials and a free template editor, not to mention a tutorial about setting up your PC as a (XAMPP) server so you can test your changes before uploading them to your live site.

The knowledgebase on this site can be read on-line or a copy downloaded, unfortunately the screen shots are for the V3 and but most of it still applies to rc2a.

The configuration files are also a dark pit and A guide to the configure.php files sheds some light on them and their contents.

If you want to change colours and box styles the Knowledgebase on stylesheets would have been a good place to start but it has gone. So here it is from my archive:

Some good general FAQscovering alls sorts of things from error messages and SEO by Mr Phil makes good reading.

If you are having problems with email try this link.
=====================================================================================================================

2.3.1 Design http://forums.oscomm...s-the-easy-way/

2.2 and before Catalog Stylesheet Definitions

Moved to 2.2 and before Catalog Stylesheet Definitions on my web site.

More Tips

When you start to get more technical and want to create links, you should read What is the osCsid & why you must not loose it.

And for those wanting to install SSL a little SSL Implementation Guide goes a long way to explaining everything you need to know.

This one explains it a bit more.

And this one is a good all rounder especially if you can't get it to work.

But the code documentation here is very useful, wiki.oscdox.com, once you have drilled down the search tool on the right is invaluable. The rest of the site is not finished but good in parts.

If you like diagrams these UML or ER diagram of OsCommerce database might be of interest.

How to add products to your store.

You can either do this one product at a time through the shop admin or install a contribution to take data from a csv file and upload en-mass. The best contribution to do this is Easy Populate.

Now if you want someone to take a file given to you by your supplier and automate the reformatting it so it can be imported using EP I know just the person to do this ...... (me, if you are a bit slow)

This contribution will get a csv file from your supplier and update existing products and this one an xml file.

If Your Host has Upgraded your Server to use MySQL5.

If your host has recently upgraded to mysql5 then you need to sort out "Left Joins.

The exact changes you need to make to a stock RC2A shop are in the instructions on How to update to RC2A.

If you want to know how to do it everywhere, this explains how to code LEFT JOINS

If Your Host has Upgraded your Server to use MySQL5.3.

And once you have done that 5.2 to 5.3 upgrade.

What to do if your Site Displays Info for Other Users / Sites

This is not always a hack of your site it might be because you are using a shared directory on a shared server. If you use the tmp dir for your cache on a shared server you will get this problem. There are 2 ways to solve it.

1) Create a folder in your root directory(public html) called 5osc9_cache.

Set the permission on this folder to 755.

In your shop admin under cache set the cache directory to

/home/my_site/public_html/5osc9_cache/

Change my_site to your the correct values for your site/server.

2) Personally I prefer to set cache to 'false' in the shop admin.
Then on the last line of both of your configure.php files set STORE SESSIONS to 'mysql'

Images

IStockPhoto
http://us.fotolia.com/.
BigStockPhoto
magictoolbox
colour scheme generator

Buttons/icons

dryicons.com/
qds-team
www.oscbuttons.com/
www.advancewebsoft.com

Templates

How to upgrade a template, good start if you ignore the flame war.

Explanation of Permissions and How They are Used in a Hack - Thanks to Taipo

There is some confusion surrounding the issue of file and folder permissions, and a lot of this is because there has been a change in methods in the last few years and many are not aware of.

There are in general two philosophies with virtual hosts now that have come into play probably because of the escalation in traversal type server intrusions.

Before, the common method which Ill refer to as method 1, the first of the two primary methods, was to use folder and file permissions as a means of controlling the writability of content where the server script, in this case php, needed a file to have a write permission of 666 to be able to write to that file.

The case was the same with folders, which like files of 644, were by default non-writable. In order for php to write to files in that folder, or to create files or delete files or even chmod files, the folders have to have permissions of 777. 777 though meant that the writable folder was prone to an attack from another infected website on the web server, using a directory traversal, an attacker could write into any folder within other websites that were writable.

And because it is possible in method 1 for malicious scripts to execute outside of the virtual host folder, it is possible for affected scripts to be used to read higher up into the server, like to nab the root user and passwords, scan all directories and files, read them, which usually could give an attacker enough information to be able to enter every site on that server (consider for a minute that a configure.php file chmod to 644 is still readable, even chmod to 444 is still 'readable' in this method 1 type configuration. In configure.php are the user and passwords for your mysql server, and in many situations, that user and password is not that different from the cpanel login, and the FTP user and password.

So while this restricted the overwriting attacks (often referred to as defacements) to just writable folders and to writable files on your website, it did allow attacks to span across multiple websites, often referred to as a mass defacement. It allowed attackers to run arbitrary code on non-root services like APACHE and spam assassin and others.

The second method, method 2 which has come into play with several php mods, usually in share hosting configurations, is to assign the owner privileges to the user and the script, thus pretty much making the whole file and folder permissions almost redundant if your web code security is crap. On the plus side, if another site on the shared server is exploited, the attack is not able to spread their attack across virtual hosts, in other words, the attack is restricted to just the site that has the weak security coding.

On the downside of method 2, if your site is the one that has been attacked, every file and folder in that configuration is pretty much vulnerable to be overwritten regardless of the file permissions (if malicious backdoor files have been installed, or code appended into files from the previous admin bypass exploit).

Sure you can chmod a file to 444 via a file manager or FTP client (if allowed), but in this particular configuration which is becoming more and more popular amongst shared hosts, because PHP has user permissions therefore is the owner, it is able to chmod file permissions back to writable.

So all an attacker needs to do is call chmod() a file from 444 to 644 before calling fopen($filename, 'a') to append their code to any file they wish, and if they want to be nice, chmod the appended file back to 444.

Of course it is a waste of time doing this to some files, so they go for the main include files usually, like the language file, application_top and the javascripts.

I think the key indicator in all of this is that if PHP is saying that all files and folders by default (644 for files and 755 for folders) are writable, and in some situations, the webhost has given you your own php.ini to play with, then your site is on one of these configurations.

So therefore that means that the attack has come via a file still resident in your file repository or appended code in your site files somewhere that you must have missed.

The question is not so much about shared hosting, although these type of phase two attacks are more common with shared host configurations, but whether or not a file with a permission of 644 is writable by your server.

So to test this create a file called something like filetester.php and add this code into it:

<?php
if ( is_writable( "index.php" ) ) {
echo "- index.php is writable by the server
";
} else {
echo "- index.php is not writable by the server
";
}
$writeperms = substr( decoct( fileperms( "index.php" ) ),3 );
echo "- the file permissions for index.php are " . $writeperms;
?>

Upload it into your main catalog directory and browse to it.

So that little script above just gives you an indicator that if your index.php file is set to 644 and is writable by PHP, then there is a good chance all the files are the same. And by implication that your site is on a method 2 type configuration, that could mean there is still a rogue file or code somewhere on your site that has been missed somehow, rather than the usual assumption that the attack has been a traversal across from another affected website.

Try this, create a file called whatever you want, test123.php for example. Add this to it:

<?php
$testfile = "testchmod.php";
error_reporting(0);
$i=0;
if ( !chmod( $testfile, 0666 ) ) {
$i++;
} else {
$msg .= "able to chmod
";
}
if ( !$fp = @fopen( $testfile, "w" ) ) {
$i++;
} else {
$msg .= "able to open file
";
}
$contents = file_get_contents( $testfile, true );
if ( fwrite( $fp, $testfile ) === FALSE ) {
$i++;
} else {
$msg .= "able to write to file
";
}
if ( !fclose( $fp ) ) {
$i++;
} else {
$msg .= "able to close file
";
}

if( $i > 0 ) {
echo $testfile . " is Write-Protected";
} else {
echo $msg;
}
?>

and upload it to your shop folder.

Then create a second file called testchmod.php and upload that to your shop, and chmod it to whatever, 444, 600, 644 etc.

Then run test123.php and see what it says.

If PHP can write to it, it will chmod the file to 666 and print out what it is able to do.

!!! Only try this on test files, never on your actual site files.

Long-winded I know, but just hope it gives a better insight into why there are differences in server setups where that same code above on one site would say that index.php is read only, and on another, its writable, yet the file permissions are the same.

How To Run SQL.

Moved to How To Run SQL on my web site.

UK Your Site

For a comprehensive way of changing EVERYTHING to UK(UK-Based: Default osCommerce Installation).

Date formatting: UK-Based osCommerce 2.2 & Date of Birth PullDown

Another couple of threads might be of interest

UK Royal Mail & Overseas Shipping Methods (UK & Overseas Postage Methods).
Single Country on Registration (Only if you plan to post to UK only! Removing Country Selection on Register.)

Payment

Read this link before processing Credit Card data on your site.

Do not allow your customers to enter cc details on any OSC screen unless you are PCI compliant, team up with a card processor such as paypal, protx, or autorize.net and accept cc details on their system.

Use a contribution such as PayPal, Protx etc.

PaypalBasic Guide and PP Guide and PP Standard or another PP Guide or Paypal IPN

Paypal IPN -how to generate your encryption certs

How to secure your site.

Search Engine Optimisation

Google SEO Starter-guide

Comparison of SEO contibutions.

- Header Tags SEO V 3.1.2
- ULTIMATE SEO Urls 5
- Ultimate SEO URLs - 2.1d
- Sitemap SEO
- All Products SEO
- Googlebase
- Updated Spiders file
- Robots file
- SID killer
- SEO Assistant

How to Speed Up Your site.

Apart from upgrade to a faster server [img]http://forums.oscommerce.com//public/style_emoticons/default/whistling.gif[/img])

A Store Speed Optimization in Progress, Step by step from a vanilla install!
An example of how to debug a nasty query problem
Find slow queries
Optimise Categories
Optimize tep_get_tax_rate() method

These could be of help.

http://addons.oscommerce.com/info/4203
http://addons.oscommerce.com/info/4083
http://addons.oscommerce.com/info/4052
http://addons.oscommerce.com/info/4075
Sometimes the images you have on your site are massive and you could do with making the smaller, try this to Reduce Image Size.

2.3.1

CSS and other Links

The look and feel of 2.3.2 is controlled in a different way from 2.2.

The layout uses the 960 Grid method and the style sheet is stored at ext960gsrtl_960_24.css.

The theme is controlled by a theme stylesheet, for the Redmond theme it is in extuiredmondjquery-ui-1.8.6.css. Additionally jquery.fancybox-1.3.4.css controls the fancybox image box on the product pages.

You can create your own theme, start by reading getting started with jquery., then move on to the ThemeRollerpage.

Once you are comfortable with that have a look at and install the Theme Switcher addon

Useful 2.3.1. Links

Real Basic Info
The Grid System
Converting 2.2 add-ons to 2.3

Enjoy

Geoffrey

www.theukwaltons.co.uk

Community Stats

Group Community Sponsor
Active Posts 8,037
Profile Views 85,469
Member Title Contact me for Support
Age 58 years old
Birthday January 1, 1955
Real Name
Geoffrey Walton
Gender
Male
Location
Norfolk, UK (close to the centre of the universe)
Interests
Retrieve price-lists and images from suppliers, applying uplift and importing for use on your site.

Contact Information

Website URL http://www.theukwaltons.co.uk
AIM geoffrey99walton
Skype geoffrey.walton

119 Excellent

Friends

Latest Visitors

akshaydesai92
Yesterday, 06:45 PM
ancla
23 May 2013 - 11:11
arun-jack
20 May 2013 - 07:44
DANMAC
20 May 2013 - 07:05
pirolau
19 May 2013 - 14:03

Topics I've Started

Cron Job does not Run but does Manually

19 May 2013 - 12:27 PM

Here is a tip that may help you keep your hair for a few more years.

You set up a cron job and it gives an error such as

Parse error</b>:  syntax error, unexpected '{' in

Then if you run the same script from the command line it runs perfectly.

Naturally enough you are a little confused!!

Try running a script containing just this code

<?php
echo 'My PHP Version: ' . phpversion();
?>

and then run it manually and using cron.

In my case with a 1and1 server, cron was runnng version 4.4.9 and the site 5.4.14.

The reason for the error, in my case, was that the php command try is not available in the version of php being used by cron.

HTH

G

Skip Shipping Page

01 April 2013 - 10:51 AM

Welcome to the osCommerce Skip Shipping Page add-on.

There are various reasons you might want to skip the shipping page.

This add-on is written to skip the shipping page if the basket total is zero and the total weight is zero. You can amend these rules to reflect your requirements.

Your first shipping method will be "selected" for the order and be shown on the checkout confirmation page but you can add code to hide that if you wish.

You can see this in action at www.theukwaltons.co.uk by adding items in the how to section to your basket and checking out.

Only 1 edit to implement this feature.

The add-on is available at Skip Shipping Page.

You might be interested in another add-on, skip the payments page

Skip Payments Page - Support Page

01 April 2013 - 10:23 AM

Welcome to osCommerce Skip Payments Page.

There are various reasons you might want to skip the payments page.

This add-on is written to skip the payments page if the basket total is zero.

Your first payment method will be "selected" for the order and be shown on the checkout confirmation page but you can add code to hide that if you wish.

You can see this in action at www.theukwaltons.co.uk by adding items in the how to section to your basket and checking out.

Only 1 edit to implement this feature.

Add on is available at:-

http://addons.oscommerce.com/info/8741

PayPal Hack Detector - Support Thread

23 March 2013 - 02:09 PM

Welcome to osCommerce PayPal Hack Detector.

http://addons.oscommerce.com/info/8730

In the ever-decreasing world of Internet security, web servers are fast becoming a target for spammers and authors of malicious code to spread their nasties.

One thing they do on hacked shops is change the Paypal account in the database.

Then all the payments for your shop get paid into their account.

This add-on checks to see if this has happened and disables the payment method if it has.

Just to help you out, it then sends you an email telling you this has occured.

Just 1 file to edit, should take less than 10 minutes to install.

Are All Your Index.php Files Hacked?

12 June 2012 - 08:49 AM

Ran into an interesting little hack on a 2.3.1 site.

The customers site has a shop installed in a sub-directory called shop and all of his index.php files had code added to them. Just a little matter of 15 of the little bu**ers.

Checking the access logs I found this, the real script name has been changed to ascriptname.

91.224.160.132 - - [03/Jun/2012:09:30:36 -0500] "POST /ascriptname.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 82 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.04 Chromium/15.0.871.0 Chrome/15.0.871.0 Safari/535.2"

A file called rytwi.php was created in a download directory at this time.

The next entry in the log was

91.224.160.132 - - [03/Jun/2012:09:30:37 -0500] "POST /downloads/rytwi.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

A little change to the .htaccess in the site root directory should fix it!!

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

So the whole thing looks like this.

ErrorDocument 404 http://www.Customer_site.com/404page.php

Redirect /catalog http://www.Customer_site.com/shop

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.Customer_site.com/ [R=301,L]

 
# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^Customer_site.com [NC]
RewriteRule ^(.*)$ http://www.Customer_site.com/$1 [L,R=301]
RewriteBase /

# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} allow_url_include [OR]
RewriteCond %{QUERY_STRING} auto_prepend_file [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

# ban spam bots
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
RewriteCond %{HTTP_REFERER} ^http://www.Customer_site.com$
RewriteRule !^http://[^/.]\.Customer_site.com.* - [F,L]

# stop hotlinking (gif/jpg) and serve alternate content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?Customer_site\.com/.*$ [NC]
RewriteRule .*\.(gif|jpg)$ http://www.Customer_site.com/images/stolen.gif [R,NC,L]
</ifModule>

# deny most common except .php
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>

# Disable .htaccess viewing from browser
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# Disable access to config.php
<Files ~ "shop\includes\configure.php$">
deny from all
</Files>


# FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

# XSS Protection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ 404page.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

osCommerce VTS and Site Monitor can both find the hacked index.php files.

HTH

G