Taipo Posted March 30, 2011

That will certainly be one method. There are more; for instance, some servers that did the uploading in the first place have huge lists of sites they infected, which are being passed around to others who are levelling the second phase of attacks. You can also search via search strings such as "cookie_usage.php?cookies", for example, and many variations of that, to find lists of affected sites. I guess if you want to spend time focusing on preventing Google finding infected files then that's your prerogative, I suppose. The point though is, attached to that code will be the real dangerous stuff that allows them to do pretty much anything they wish with your site; remove that code and the rest goes with it.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
mr-yellow Posted April 17, 2011

Let me clear up this 777 vs 755 thing for you. Most servers will be configured so that 777 is possible, and these servers allow users more flexibility. 777 is perfectly safe as long as your code validates files before they're blindly uploaded to a publicly accessible path. osCommerce does not handle this very basic and entry-level validation code correctly. Why? Looking into it, I discovered osCommerce to be some of the most horrible code I have ever seen in 20+ years of programming.

Solution 1: Stop using osCommerce.
Solution 2a: Add validation to file uploads in the poor osCommerce code.
Solution 2b: Set file upload paths to be below the publicly accessible area, as is standard practice.
Solution 3: Stop using osCommerce.
Taipo Posted April 17, 2011

So are you saying that the file upload code in Oscommerce 2.3.1 is vulnerable to guest uploads?
Guest Posted April 19, 2011

I am a newbie. I was hacked two weeks ago and it has been a huge pain securing the store. I changed the name of the admin folder before I installed Site Monitor on a 2.2 shop. Now, after following all the Site Monitor readme text and uploading all the necessary files with the required changes, I do not see Site Monitor under the "admin" control panel. Any advice on which files of Site Monitor need to be changed to reflect my specific "admin" folder name?
myebooksbuddy Posted May 1, 2011

Hi, I am a non-techie and since yesterday my site has been hacked. If I need help in getting everything cleared and installing security software, where do I post for that? Any help?
offie Posted May 23, 2011

Hi all, I am about to work on the latest version of OSCommerce, V 2.3.1. Does anyone know if all the items listed at the beginning of this post to secure your site are still relevant to this version of OSCommerce, and if all the code would be in the same place? I have previously created 2 stores with the older version and already implemented the security features/contributions. I am tempted to go to the previous version, which was V 2.2 RC2a, and just copy my last site, as all the relevant steps have already been taken to secure that site and this would save a lot of work, but I am guessing that this latest version has a lot of features and security which are enhanced from the previous version. What a dilemma; what should I do? Start from scratch with the latest version or just copy my site from the older version? Thanks for any advice given.

Michael
Taipo Posted May 23, 2011

If you do decide to go with 2.3.1, it still pays to change the admin directory name or at least use htaccess/htpasswd authorization, not because there are any known vulnerabilities in the base install of 2.3.1 but because there is no guarantee that addons made for 2.3.1 that are installed in the admin directory are secure.
chris2041 Posted July 6, 2011

I have changed my admin folder as described and applied password protection via cPanel, but when I log onto my osC I get a message in administration saying:

Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means. The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
/home/?????/public_html/osc/?????????????/.htaccess
/home/?????/public_html/osc/?????????????/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set.

When I look in the directories there is only a .htaccess file and no .htpasswd file. Any help anyone?
cdogstu99 Posted July 11, 2011

When I run a PCI compliance scan on my site, the only three issues are Cross Site Scripting errors on my contact pages. Anyone have an easy fix for this? Thx!
KerkChzePerng Posted July 21, 2011

Hi, may I know what I should do if this message is shown: "my_domain.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." when I try to access it with Google Chrome. However, it works fine with Firefox.
Toasted Posted July 28, 2011

I did everything recommended on this thread except for 1 minor problem. I'm getting an error when I delete file_manager.php. For some reason it's still looking for the file even after deleting the line in tools.php. Error msg:

Not Found
The requested URL /exminion/file_manager.php was not found on this server.

How do I stop this URL request?
Toasted Posted July 28, 2011

Whoops, I figured it out... I was on my file manager page before I started deleting the files, and when I went back to my browser and hit refresh it kept trying to refresh the file manager page, resulting in that error msg. I just changed webpages and it's working fine now.
kenkja Posted August 4, 2011

Hello All

I have a new'ish website using a v2.3.1 install upon which I've added all the proposed security add-ons in post 1 of this thread. I have also added Fimble's "2.3.1 as an info only site" and kymation's "document manager". Thanks to all contributors, excellent work.

I now need to add to the site, effectively, another v2.3.1 install, which will show other products (i.e. not those in the info site) which are able to be purchased online. I'm happy with how to do this (install v2.3.1 in, say, root/shop online/), but do I then need to add the security add-ons in post 1 to the new "shop online" subsite?

ken

Os-commerce v2.3.3, Security Pro v11, Site Monitor, IP Trap, htaccess Protection, Bad Behaviour Block, Year Make Model, Document Manager, X Sell, Star Product, Modular Front Page, Modular Header Tags
environs Posted August 20, 2011

Hi Sam, I just want to thank you; this is really important to protect our shops. Greetings,
web-seo Posted August 26, 2011

Great topic, spooks! Thanks from me too. :thumbsup: This topic can be useful also: http://www.oscommerce.com/forums/topic/379086-how-to-prevent-hackers-in-osc-21-and-osc-22/
Taipo Posted September 2, 2011

The main two pieces of code that need updating in v2.2RC2 versions of osCommerce are the following:

1 - Administration Tool Log-In Update: The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed by appending login.php to admin files.
2 - Update PHP_SELF Value: $PHP_SELF misreports the filename, which assists attackers in bypassing the admin tool login feature in v2.2RC2.

From the data I have been collecting on the types of attacks being levelled at osCommerce websites, all but two attack vectors, one serious and one medium-level (difficult to pull off) attack, involve exploiting the faulty code in early versions of osCommerce that these two code patches fix. Patching these two pieces of code, then, would prevent nearly 99% of attacks that are currently still creating havoc with older version users.

The other two attacks outside of this code are:
- a vulnerability in the admin login session that allows for URL poisoning to cause a live session to be exploited by a third party. Difficult to pull off and certainly not something that can be easily mass exploited, as is the case with the types of attacks that those two code patches above would prevent.
- a vulnerability in FCKEditor which allows attackers to arbitrarily upload files to servers with specific enabled configurations of PHP.

Both of these vulnerabilities can be quickly remedied with Apache's user authentication (.htaccess htpasswd) or changing the name of the admin directory.
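The bypass behind items 1 and 2 above, shown as an added PHP illustration that is not osCommerce's code and not Taipo's: a guard that skips authentication whenever the basename of the requested script equals the login filename, compared against $_SERVER['PHP_SELF'] (which carries trailing PATH_INFO) versus $_SERVER['SCRIPT_NAME'] (which names only the script that ran). The guard logic, the constructed request table and the helper names safe_php_self and guard_skips_auth are assumptions made for this example; FILENAME_LOGIN is used only as a stand-in constant name.

```php
<?php
// Added example, not code from osCommerce or from the post above.
// Assumption: the admin guard lets a request through without a session when
// basename(<script name>) equals the login filename. Whether that is safe
// depends on which server variable supplies the script name.

define('FILENAME_LOGIN', 'login.php');   // stand-in for the real constant

// Guard as described in the post: skip the login check for the login page.
function guard_skips_auth($script_name) {
    return basename($script_name) == FILENAME_LOGIN;
}

// Hardened script-name source (assumed fix): prefer SCRIPT_NAME, which the
// server sets to the executed script without PATH_INFO. If only PHP_SELF is
// available, strip PATH_INFO off its end so /x.php/login.php becomes /x.php.
function safe_php_self(array $server) {
    if (!empty($server['SCRIPT_NAME'])) {
        return $server['SCRIPT_NAME'];
    }
    $self = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : '';
    if (!empty($server['PATH_INFO'])) {
        $pos = strrpos($self, $server['PATH_INFO']);
        if ($pos !== false) {
            $self = substr($self, 0, $pos);
        }
    }
    return $self;
}

// Constructed requests (not captured traffic): a real login, a normal admin
// page, and the bypass attempt that appends /login.php as PATH_INFO.
$requests = array(
    array('PHP_SELF' => '/admin/login.php',
          'SCRIPT_NAME' => '/admin/login.php',
          'PATH_INFO' => ''),
    array('PHP_SELF' => '/admin/categories.php',
          'SCRIPT_NAME' => '/admin/categories.php',
          'PATH_INFO' => ''),
    array('PHP_SELF' => '/admin/categories.php/login.php',
          'SCRIPT_NAME' => '/admin/categories.php',
          'PATH_INFO' => '/login.php'),
);

foreach ($requests as $r) {
    $unpatched = guard_skips_auth($r['PHP_SELF']);       // $PHP_SELF as-is
    $patched   = guard_skips_auth(safe_php_self($r));    // SCRIPT_NAME based
    printf("%-40s unpatched: %-13s patched: %s\n",
        $r['PHP_SELF'],
        $unpatched ? 'no auth check' : 'auth required',
        $patched   ? 'no auth check' : 'auth required');
}
```

The third row is the one that matters: with the unpatched guard the request for categories.php is treated as the login page and goes through unauthenticated, while the SCRIPT_NAME-based guard still demands a session. This is why the post pairs the login fix with the $PHP_SELF fix; changing the admin directory name or adding htpasswd in front of it closes the same door without touching PHP.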
Peper Posted September 18, 2011

Ok ok, need a bit of help. How to block the Baidu spider? Been at it for a week now and it's driving me crazy. I don't want China to crawl my pages; it leads to mass spam.

180.76.5.61 - - [18/Sep/2011:16:05:37 +0200] "GET /customer_testimonials.php?page=3&testimonial_id=5 HTTP/1.1" 200 10663 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

What I've done so far:

.htaccess

    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
    # ^Baidu only matches a User-Agent that begins with "Baidu"; the logged
    # agent begins with "Mozilla/5.0 (compatible; Baiduspider/2.0", so this
    # condition never fires. Dropping the ^ anchor would make it match.
    RewriteCond %{HTTP_USER_AGENT} ^Baidu [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    # [F] answers 403 Forbidden, so a blocked request is served by the
    # ErrorDocument 403 handler, not this 404 one.
    RewriteRule ^.* - [F,L]
    ErrorDocument 404 /blocked.php

Added 50 or so IPs from them to ip_trapped. Added Baidu to the user_agents.txt list. Nada, the spider keeps coming back for more indexing. Please help.

Getting the Phoenix off the ground
Taipo Posted September 21, 2011

Add this into your application_top.php files (both of them).

Find:

    Released under the GNU General Public License */

On the next line add:

    /**
     * Baiduspider Block
     */
    // Match the substring anywhere in the User-Agent (the real agent string
    // starts with "Mozilla/5.0", so an anchored match would miss it).
    if ( ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) ) && ( false !== strpos( $_SERVER[ "HTTP_USER_AGENT" ], "Baiduspider" ) ) ) {
        // Answer with an empty 404 so the crawler records the page as missing.
        $header = array( "HTTP/1.1 404 Not Found", "Content-Length: 0" );
        foreach ( $header as $sent ) {
            header( $sent );
        }
        die();
    }
Taipo Posted September 21, 2011

That will tell bad Baidu that none of those pages exist (returns a 404 page not found header).
robede Posted September 21, 2011

Thanks Sam \ robe de
Peper Posted September 22, 2011

That will tell bad Baidu that none of those pages exist (returns a 404 page not found header).

Thanks for the reply Taipo. Jeepers, in .htaccess I added the following. Note the last part of the IP is not there, blocking the whole ending range, and the server log tells me it's blocking: client denied by server configuration. This is a bad bad bot with many hundreds of IPs, ignoring robots.txt files.

    deny from 119.63.192.
    deny from 119.63.193.
    deny from 119.63.194.
    deny from 119.63.195.
    deny from 119.63.196.
    deny from 119.63.197.
    deny from 119.63.198
    deny from 119.63.199.
    deny from 180.76.5.

Which now would be best, yours or mine? With your code, how to block a 2nd or 3rd bad spider?

    && ( false !== strpos( $_SERVER[ "HTTP_USER_AGENT" ], "Baiduspider" ) ) ) {

Getting the Phoenix off the ground
Taipo Posted September 22, 2011

Try something like this:

    /**
     * Baiduspider Block
     */
    if ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) ) {
        // Keywords to block; matched case-insensitively as substrings.
        $badagentlist = array( "Baiduspider", "WebStripper" );
        $lcUserAgent = strtolower( $_SERVER[ "HTTP_USER_AGENT" ] );
        foreach ( $badagentlist as $badagent ) {
            $badagent = strtolower( $badagent );
            if ( false !== strpos( $lcUserAgent, $badagent ) ) {
                // Empty 404 response, then stop processing the request.
                $header = array( "HTTP/1.1 404 Not Found", "Content-Length: 0" );
                foreach ( $header as $sent ) {
                    header( $sent );
                }
                die();
            }
        }
    }

Edit this list below to add or edit the user-agent keywords:

    $badagentlist = array( "Baiduspider", "WebStripper" );

For example:

    $badagentlist = array( "Baiduspider", "WebLeacher", "WebWhacker", "MSProxy" );

Preferably, though, you want to do this type of thing via the root .htaccess file, but if for some reason that is not functioning correctly then use this piece of PHP code.
kenkja Posted October 5, 2011

Hello, I thought I'd share this with you. It's simple but strong... If you have FTP access to your site, in the root folder's htaccess add:

    #Instead of showing access denied redirect to index.php
    #ErrorDocument 403 /access_error.php?id=403
    #Like so
    ErrorDocument 403 /index.php?id=403
    #Below add (use your renamed admin)
    RewriteRule ^admin\/?$ - [F]

In the admin folder add this to your htaccess:

    # check admissible IP-address
    # Protect files and directories from prying eyes.
    <FilesMatch "...">
    Order deny,allow
    Deny from all
    # allow your ip address:
    allow from 12.34.56.78
    </FilesMatch>

NB: This means that you have to edit the above before you can access admin.

Sara

Hi Sara, thanks again for all your help. I'm working on a site which requires access to the admin from two different users at different IPs; at present we are changing the allowed IP when either of us requires access to the admin. If I add a second "allow from 'IP address'", will this allow both of us to access the admin?

thanks
ken
Juto Posted October 5, 2011

Hi Ken, yes you can. Further, you can add a snippet to your admin/login which emails you when somebody logged in or off, and who.

Sara

Contributions:
http://addons.oscommerce.com/info/8010
http://addons.oscommerce.com/info/8204
http://addons.oscommerce.com/info/8681
kenkja Posted October 6, 2011

Thanks Sara
This topic is now archived and is closed to further replies.