wakerider017 Posted May 12, 2006

I thought I would share how to secure the "admin" folder by means of changing the folder's name.

1. Open your FTP client and locate the file catalog > admin > includes > configure.php
2. Download configure.php and open it with a text editor.
3. Next locate the following lines:

   define('DIR_WS_ADMIN', '/admin/'); // absolute path required
   define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute path required

   NOTE: the X's are just placeholders.
4. In the two lines above replace admin with the new SECRET file name, like below:

   define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required
   define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute path required

5. Now save the file and upload it to the server. You will need to replace the old catalog > admin > includes > configure.php.
6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name. In this case the file admin would be changed to secret_file_name_here.
7. You are done!
grayfriar2001 Posted May 14, 2006

Wakerider,

Hey, I went to secure my admin like you said above but could never locate the line "define (DIR_WS or DIR_FS)", either one? I am supposed to use the configure.php file in /catalog/admin, right?

Thanks in advance,
Gray~
grayfriar2001 Posted May 14, 2006

(continued from above....)

Or is it the one that is in /catalog/admin/includes/configure.php? This file has the following code:

<?php
/*
  $Id: configure.php,v 1.14 2003/02/21 16:55:24 dgw_ Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2002 osCommerce

  Released under the GNU General Public License
*/

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
define('HTTP_SERVER', 'http://phunpillows.com/OSCommerce/'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('HTTPS_CATALOG_SERVER', 'https://phunpillows.com/OSCommerce/');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesn't suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/OSCommerce/catalog/');
define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', '*****'); // eg, localhost - should not be empty for productive servers
define('DB_SERVER_USERNAME', '*****');
define('DB_SERVER_PASSWORD', '*****');
define('DB_DATABASE', '*****');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', '');
?>

Thanks in advance,
Gray~
Davefromcornwall Posted May 14, 2008

> I thought I would share how to secure the "admin" folder by means of changing the folder's name.
> 1. Open your FTP client and locate the file catalog > admin > includes > configure.php
> 2. Download configure.php and open it with a text editor.
> 3. Next locate the following lines:
>    define('DIR_WS_ADMIN', '/admin/'); // absolute path required
>    define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute path required
>    NOTE: the X's are just placeholders.
> 4. In the two lines above replace admin with the new SECRET file name, like below:
>    define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required
>    define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute path required
> 5. Now save the file and upload it to the server. You will need to replace the old catalog > admin > includes > configure.php.
> 6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name. In this case the file admin would be changed to secret_file_name_here.
> 7. You are done!

Thanks for this tip. It works great, and it seems like a good idea to make it as difficult as possible for people to access the admin area.
mme Posted May 19, 2008

Also you might want to secure it by adding .htaccess to the admin folder. If you are using CPanel:
jay2xra Posted June 9, 2008

> Also you might want to secure it by adding .htaccess to the admin folder. If you are using CPanel:

Why not add an htaccess file and restrict just your IP address.

<LIMIT GET HEAD POST>
order allow,deny
allow from my_ip
</LIMIT>
SirHarryFlashman Posted July 17, 2008

Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well. A nice little .htaccess for the wanna-be hackers:

AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd
AuthGroupFile /dev/null
AuthName "Username:"
AuthType Basic
<limit GET POST>
require valid-user
</limit>

Of course your .htpasswd looks like this:

.

(yes, an empty .htpasswd file)

And just to make things more interesting, an empty index.htm will complete the "honeypot". Have fun!!
palswithtails Posted July 27, 2009

Hi WakeRider,

My DIR_FS_ADMIN line looks like this originally:

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

What should it be changed to?
♥ecartz Posted July 27, 2009

> My DIR_FS_ADMIN line looks like this originally:
> define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
> What should it be changed to?

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

Always back up before making changes.
palswithtails Posted July 27, 2009

> That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

Yes, they are incorrect because I changed the ADMIN file name. Maybe I should start at the beginning. My website got hacked so I wanted to change my ADMIN folder. Let's say I changed it to NEWadmin. I was told to go into my config file and change the path, which still said ADMIN. So I changed 'DIR_WS_ADMIN' like the 1st poster said, but my DIR_FS_ADMIN is different than mentioned above. I tried leaving it as-is.

So, now when I log in to mywebsite.com/NEWadmin, I am redirected here:

http://mywebsite.com/NEWadmin/login.php?os...inID=XXXXXXXXXX

I type in my login info and then I get an error saying:

Error 404 - Not found
Your browser can't find the document corresponding to the URL you typed in.
http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX
♥ecartz Posted July 28, 2009

> Error 404 - Not found
> Your browser can't find the document corresponding to the URL you typed in.
> http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

First, I don't see how DIR_FS_ADMIN would affect that situation. You wouldn't be using it in generating a link. When you change DIR_WS_ADMIN, DIR_FS_ADMIN should change automatically in that code (since it is composed by concatenating DIR_FS_DOCUMENT_ROOT and DIR_WS_ADMIN). Therefore, if all you did was rename admin, all you should have to do is update DIR_WS_ADMIN and DIR_FS_ADMIN will update automatically.

The first thing that I would try (to solve the 404 problem) would be clearing cookies. It's possible that you are picking up bad session information somewhere.

If that doesn't work, the next thing I would try would be using LiveHTTPHeaders (Firefox plugin) to track what redirects it's doing. You'd go to your login page in the normal way. Turn on LiveHTTPHeaders in the sidebar. Submit your login info. Read the headers to see where it thinks it is going.

Another thing that you could try (if you don't want to install LiveHTTPHeaders) is, when you get the 404 error, edit the URL in the browser. I.e. change

http://palswithtails.com/NEWadmin/login.php?action=process&osCAdminID=XXXXXXXXXX

to

http://palswithtails.com/NEWadmin/index.php?osCAdminID=XXXXXXXXXX

and see if that works. You need to keep the osCAdminID the same so it knows about your login.

Always back up before making changes.
palswithtails Posted July 31, 2009

Hmm, none of that seemed to work. I wonder if my Admin ID is somehow wrong. Is that stored in my DB somewhere?
dancer123 Posted August 8, 2009

I have the exact same problem. I renamed my admin folder. I went into the configuration file and changed the required admins into my new folder. Now when I type in mysite.com/newadmin/login.php it takes me to my correct login page, but when I enter my user and pass I get redirected to a 404 page that doesn't exist. It looks like the program does an auto redirect to the OLD admin folder. What to do?
Jan Zonjee Posted August 8, 2009

> I went into the configuration file and changed the required admins into my new folder.

Both DIR_WS_ADMIN and DIR_FS_ADMIN? From catalog/admin/includes/configure.php:

define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/Library/WebServer/Documents/catalog/admin/');
dancer123 Posted August 9, 2009

Yep. Both DIR_WS_ADMIN and DIR_FS_ADMIN. From catalog/admin/includes/configure.php:

mysite.com/admin/login.php?action=process&osCAdminID=4d02951f65cd6684f9ec69f285902fdd

That's what I get redirected to (with 404 error) when I try to put in my login info. Here's what's in the php.

define('DIR_WS_HTTP_ADMIN', '/gooba/');
define('DIR_WS_HTTPS_ADMIN', '/gooba/');
define('DIR_FS_ADMIN', '/home/thename/public_html/gooba/'); // absolute path required

My admin folder has been renamed to gooba. Please help me solve this. Thank you so much :)
♥kymation Posted August 9, 2009

Does catalog/admin/includes/local/configure.php exist? If it does, make the same changes there.

Regards
Jim

See my profile for a list of my addons and ways to get support.
blr044 Posted August 22, 2009

After changing admin name to newname, all is fine, except for one issue. This error message appears at top of page:

Error, Backup Directory Does Not Exist, please create it or run "auto_backup_setup.php"

Backups dir is located in folder of newname (admin). After running auto_backup_setup.php, I receive this error:

Warning: mkdir() [function.mkdir]: No such file or directory in /xxxx/xxxxxxx/public_html/newname/auto_backup_setup.php on line 7

Bennett
spooks Posted August 24, 2009

Check your ADMIN/INCLUDES/CONFIGURE.PHP file:

define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/newadminname/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

I suspect u forgot one!!

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
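The recurring failures in this thread (the 404 after login when DIR_FS_ADMIN still names the old folder, and the "Backup Directory Does Not Exist" error when DIR_FS_BACKUP is derived from a stale DIR_FS_ADMIN) can be caught before uploading configure.php. The following is an added Python example, not code from the thread or from osCommerce: it resolves the define() chain the way PHP would (string literals and earlier constants joined with `.`) and reports the mismatches. The sample configs, the /var/www/html document root and the helper names are constructed for illustration; the folder name gooba is the one dancer123 used above.

```python
"""Resolve the define() constants of an osCommerce admin configure.php and report the
rename mistakes discussed in this thread.  Constructed example with placeholder paths."""
import re

DEFINE_RE = re.compile(r"define\('(\w+)',\s*(.+?)\);")
TOKEN_RE = re.compile(r"'([^']*)'|(\$\w+)|([A-Za-z_]\w*)")  # 'literal' | $var | CONSTANT

def resolve_defines(php_source, document_root="/var/www/html"):
    """Evaluate each define() as PHP would, concatenating the pieces joined by '.'.
    $DOCUMENT_ROOT is replaced by document_root since no web server is running."""
    consts, variables = {}, {"$DOCUMENT_ROOT": document_root}
    for name, expr in DEFINE_RE.findall(php_source):
        value = ""
        for literal, var, const in TOKEN_RE.findall(expr):
            if var:
                value += variables.get(var, "")
            elif const:
                value += consts.get(const, "")  # an undefined constant resolves to ''
            else:
                value += literal
        consts[name] = value
    return consts

def check_admin_rename(consts, new_admin_name):
    """Return the list of inconsistencies; an empty list means the rename is clean."""
    findings = []
    ws, fs = consts.get("DIR_WS_ADMIN", ""), consts.get("DIR_FS_ADMIN", "")
    if ws.rstrip("/").rsplit("/", 1)[-1] != new_admin_name:
        findings.append(f"DIR_WS_ADMIN {ws!r} does not end in /{new_admin_name}/")
    if not fs.endswith(ws):  # hard-wired old path: the 404-after-login case above
        findings.append(f"DIR_FS_ADMIN {fs!r} does not end with DIR_WS_ADMIN {ws!r}")
    backup = consts.get("DIR_FS_BACKUP", "")
    if not backup.startswith(fs):  # the 'Backup Directory Does Not Exist' case above
        findings.append(f"DIR_FS_BACKUP {backup!r} is not under DIR_FS_ADMIN")
    return findings

# Constructed sample: DIR_WS_ADMIN was updated to the new name, DIR_FS_ADMIN was not
BROKEN_CONFIG = """<?php
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT);
define('DIR_WS_ADMIN', '/catalog/gooba/');
define('DIR_FS_ADMIN', '/var/www/html/catalog/admin/'); // absolute path required
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');
"""
# Same file with DIR_FS_ADMIN derived from the other two constants, as ecartz advises
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "'/var/www/html/catalog/admin/'", "DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_admin_rename(resolve_defines(cfg), "gooba") or "OK")
```

Run it against the real admin/includes/configure.php (and admin/includes/local/configure.php where it exists) with the name you chose for the folder; any non-empty list is a line that still points at the old name.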
Guest Posted March 11, 2010

Hi, I am new to osCommerce. I've been trying to secure my admin folder. When I follow your instructions and try to login to my newly renamed admin section, all I get is this:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19
Unable to connect to database server!

Thanks in advance
tonybrasunas Posted March 28, 2011

I found that after making the changes to catalog/admin/includes/configure.php, and then renaming the directory, I also had to edit the [new admin directory name]/.htaccess file, as it had a hard-wired AuthUserFile line that also specified the admin directory.

One other thing I had to do was rewrite a hard-wired link to the Admin panel that the site has on its public navigation bar.

Now the renamed directory is working smoothly. Just hoping to keep all the @#$%@#$ hackers out. I came in late to a nightmare of a site and am trying to regain control of it.
matrix2223 Posted April 29, 2011

After you get done changing the admin folder's name I recommend using this in your .htaccess file. Unless someone knows your IP and clones it, or some other hacking method, it won't let anyone in but the one who holds the correct IP, you presumably.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address of my home computer
allow from 00.000.000.000
# IP addresses of my two work computers
# allow from 00.000.000.000
# allow from 000.000.00.000
# IP address at my uncle's house
# allow from 000.000.0.00

More can be found on this thread: Installing admin in a Subdomain
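Both allowlists in this thread (jay2xra's `order allow,deny` with a single `allow from`, and the `order deny,allow` / `deny from all` version just above) depend on Apache 2.2 access-control semantics, where the Order keyword decides what happens to a client that matches neither directive. Below is an added Python example, not from the thread, that models that evaluation so an allowlist can be checked before the admin folder is trusted to it; it is a simplified model of mod_access_compat (it handles `all`, single addresses and CIDR ranges, and ignores Satisfy, hostnames, partial-IP forms and env= clauses), and the 203.0.113.x / 198.51.100.x addresses are constructed documentation addresses.

```python
"""Model Apache 2.2 'Order / Allow from / Deny from' evaluation for .htaccess
allowlists like the ones in this thread.  Simplified: handles 'all', single IPs
and CIDR ranges; ignores Satisfy, hostnames, partial-IP forms and env= clauses."""
import ipaddress

def parse_rules(htaccess_text):
    """Return (order, allow_hosts, deny_hosts); other directives are ignored."""
    order, allows, denies = None, [], []
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. commented-out hosts
        if not line or line.startswith("<"):  # skip <Limit> / </Limit> container tags
            continue
        key, _, rest = line.partition(" ")
        key, words = key.lower(), rest.split()
        if key == "order":
            order = rest.replace(" ", "").lower()
        elif key in ("allow", "deny") and words and words[0].lower() == "from":
            (allows if key == "allow" else denies).extend(words[1:])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("missing or unsupported Order directive")
    return order, allows, denies

def host_matches(host, client_ip):
    if host.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host, strict=False)

def is_allowed(rules, client_ip):
    """Apache 2.2 semantics: Order decides both precedence and the default verdict."""
    order, allows, denies = rules
    hit_allow = any(host_matches(h, client_ip) for h in allows)
    hit_deny = any(host_matches(h, client_ip) for h in denies)
    if order == "allow,deny":
        return hit_allow and not hit_deny  # default deny: needs an Allow hit and no Deny
    return hit_allow or not hit_deny       # deny,allow: default allow; Allow overrides Deny

# Constructed rule sets; 203.0.113.7 stands in for the administrator's own address.
ALLOW_ONLY_ME = "<LIMIT GET HEAD POST>\norder allow,deny\nallow from 203.0.113.7\n</LIMIT>"
DENY_ALL_BUT_HOME = """order deny,allow
deny from all
# IP address of my home computer
allow from 203.0.113.7
# allow from 198.51.100.2
"""
# Pitfall: deny,allow with the 'deny from all' line forgotten admits every client.
MISSING_DENY_ALL = "order deny,allow\nallow from 203.0.113.7\n"

if __name__ == "__main__":
    for name, text in (("me", ALLOW_ONLY_ME), ("home", DENY_ALL_BUT_HOME), ("pitfall", MISSING_DENY_ALL)):
        print(name, {ip: is_allowed(parse_rules(text), ip) for ip in ("203.0.113.7", "198.51.100.2")})
```

The third rule set shows why the `deny from all` line matters: with `order deny,allow` and no Deny directive, every client is admitted, while `order allow,deny` denies by default and only needs the Allow line.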
KomplikatedOne Posted September 7, 2011

I've followed these instructions step by step, also amending the htaccess file, but now my left hand admin menu has gone to S**t. The java menu is no longer working and the text is hanging off the left hand side of the browser window? [see attached] Any ideas why it's done this? Cheers

KomplikatedOne Posted September 7, 2011

Hmm, not only the left hand menu that's gone screwy, but it appears most of the buttons in the admin section have reverted to text? Still no nearer working out why.

KomplikatedOne Posted September 7, 2011

OK, ignore the above, turned out to be a totally different issue. Someone had removed a jquery file used by the redmond theme. I would remove the above if I could, but I can't.
jaspervdz Posted January 31, 2012

> Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well. A nice little .htaccess for the wanna-be hackers:
> AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd
> AuthGroupFile /dev/null
> AuthName "Username:"
> AuthType Basic
> require valid-user
> Of course your .htpasswd looks like this:
> .
> (yes, an empty .htpasswd file)
> And just to make things more interesting, an empty index.htm will complete the "honeypot". Have fun!!

Sir Harry Flashman,

That sounds like a neat trick - can you please tell me how to do this - bit confused on where to insert the code. Running OSC version 2.3 and already renamed the admin folder and works great - just looking for some extra security and throwing off anyone trying to hack my site..

Many thanks!
Jasper~
Archived
This topic is now archived and is closed to further replies.