spooks Posted November 13, 2009
> The program being targeted is actually called mail.php.
No it's not, with the hack they can enter any admin page, you just happen to have experienced it in mail.php. You must make the change given for application_top.php, then all admin files are protected (for that hack)
Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
Richard Cranium Posted November 13, 2009
I think an even better solution is to go one step further and to re-create a dummy admin directory after you've renamed the real one. The relatively bare-bones dummy one I have contains only a few files...
failsafe, you may want to check out this v2.2 contribution: Secure your site with an IP trap
David
Mort-lemur Posted November 14, 2009
> No it's not, with the hack they can enter any admin page, you just happen to have experienced it in mail.php. You must make the change given for application_top.php, then all admin files are protected (for that hack)
Hi Sam, do you mean the change detailed by Sante140 a few posts above? Thanks
Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
Richard Cranium Posted November 15, 2009
> add this to your admin/includes/application_top
> if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) !== false) {
>     header('Location: /admin/');
> }
I tried that but it doesn't work. Generates an error every time I try to access a page in the admin directory. My catalog is in the root dir, but I can't imagine that would cause a problem. Is there more to it than that one line? Perhaps the point at which you enter that line in the application_top file?
spooks Posted November 15, 2009
> Hi Sam, do you mean the change detailed by Sante140 a few posts above? Thanks
I don't think that will work on all servers, a number of people have come up with code snippets for this, try this one first.
Sam
spooks Posted November 15, 2009
> I tried that but it doesn't work. Generates an error every time I try to access a page in the admin directory. My catalog is in the root dir, but I can't imagine that would cause a problem. Is there more to it than that one line? Perhaps the point at which you enter that line in the application_top file?
try this one
Sam
Richard Cranium Posted November 15, 2009
> try this one
Sam, thank you, but I believe you just pointed that link back to this same thread (only to the beginning). Was that your intent? Regardless, perhaps it is a server issue. I have taken other steps already, including some outlined in this thread. The question on my mind is which defenses will protect a shop from this new attack form. That is the essence of what I want to know (and I'm sure that I'm not the only one). For example, does .htaccess prevent this attack? Must one make the application_top.php change suggested above? Is there a straightforward answer or are there some variables dependent on a shop, server config, or some other issue(s)?
Regards, David
spooks Posted November 15, 2009
> Thank you, but I believe you just pointed that link back to this same thread (only to the beginning). Was that your intent?
No, it works for me, odd not for you? It's a link to Java Roasters post in this thread on 20th August, I think his code will work for you, I don't think the code you tried will work on all servers.
Sam
Mort-lemur Posted November 15, 2009
> I don't think that will work on all servers, a number of people have come up with code snippets for this, try this one first.
Sorry - I'm missing something - that link takes me back to the beginning of this thread? Thanks
spooks Posted November 15, 2009
> Sorry - I'm missing something - that link takes me back to the beginning of this thread? Thanks
It works for me! It's a link to Java Roasters post in this thread on 20th August
Sam
jfontes Posted November 17, 2009
> Ditto! I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable..... can the advice be more thorough for an important issue like this please, even if it's just a link to another thread? I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head <_< Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain? :blink: Thanks
I changed the admin directory name as suggested and after the changes (directory name change and in the configure.php file) I got 404 errors when trying to go to my new "admin" url, but the old url did work. This is what I think happened in my case: I edited the configure.php file locally, and uploaded the file via ftp. During the upload I am prompted as to whether or not I want to overwrite the existing file and I told it to overwrite the file. Everything looked ok, but the file was not actually overwritten. I noticed the file permissions on the configure.php file were set to 444, so I set them to 755 temporarily while I uploaded and overwrote the file again. This time my new "admin" url worked fine. I'm not an expert by any means, but as a newbie to maybe other newbies, this could be some of the problem. BTW, my install was a Fantastico install.
Richard Cranium Posted November 17, 2009
> It works for me! It's a link to Java Roasters post in this thread on 20th August
It does not work for me either. I just get Java's profile.
Richard Cranium Posted November 17, 2009
> I changed the admin directory name as suggested and after the changes (directory name change and in the configure.php file) I got 404 errors when trying to go to my new "admin" url, but the old url did work. This is what I think happened in my case: I edited the configure.php file locally, and uploaded the file via ftp. During the upload I am prompted as to whether or not I want to overwrite the existing file and I told it to overwrite the file. Everything looked ok, but the file was not actually overwritten. I noticed the file permissions on the configure.php file were set to 444, so I set them to 755 temporarily while I uploaded and overwrote the file again. This time my new "admin" url worked fine. I'm not an expert by any means, but as a newbie to maybe other newbies, this could be some of the problem. BTW, my install was a Fantastico install.
I've had something like that happen to me too. I'm not sure if it's a permissions issue or that the FTP prog barfed on it and thought it was copied.
Mort-lemur Posted November 21, 2009
Hi, have a look to see if you have Includes/Local folders (Admin & Store). If so these may have config files that need amending as well. In my store I had to change all four config files for it to work. Thanks
By the way I installed Java Roasters code change to Application_top and everything still works - what does this change actually do?? Thanks
Richard Cranium Posted November 21, 2009
> It works for me! It's a link to Java Roasters post in this thread on 20th August
Sam, I'm not sure what happened the other day. I just logged in and tried your link, and bammo.. works. So, now I see what you're talking about. Thanks. I think I did not have all the code installed before. I'll re-run and test.
Regards, David
spooks Posted November 21, 2009
> By the way I installed Java Roasters code change to Application_top and everything still works - what does this change actually do??
Blocks the admin hack detailed in the OP, it may be clearer if you read this thread.
Sam
myforum Posted December 29, 2009
Hello, I have a security problem in my osc installation. My version of OSC is an older one and I use the addon Administration Access Level. Now I have the problem that you can see my order view with the url "...myshop.com/admin/orders.php/login.php", and this without a correct login. So you can see my orders without login. So this is a security problem. A friend told me that under http://svn.oscommerce.com/jira/browse/OSC-1001 is a solution. There is code but I don't know where I add this code. So I hope you can help me with this problem. I want to implement the other tips (rename admin directory ...). But I hope you can help me with this problem, so that nobody can see my order list without login. Thank you.
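As an added example (not code from this thread, from osCommerce or from the OSC-1001 ticket), here is a login gate for admin/includes/application_top.php that is not fooled by the orders.php/login.php URL form described above: it takes the executed script's name from $_SERVER['SCRIPT_NAME'] rather than $PHP_SELF (which also carries any trailing path), and refuses any admin request that arrives with PATH_INFO at all. It assumes the stock 2.2 constant FILENAME_LOGIN (defined in admin/includes/filenames.php) and the 'admin' session key; the self-check at the bottom runs on constructed request arrays.

```php
<?php
// Added example, not osCommerce's own code. Login gate for admin/includes/application_top.php
// that cannot be bypassed with a URL such as /admin/orders.php/login.php.
// Assumptions: FILENAME_LOGIN is defined (admin/includes/filenames.php in 2.2) and the
// logged-in admin is tracked in the session key 'admin', as in a stock 2.2 admin.

// Basename of the script PHP really executed. SCRIPT_NAME ends at the actual file;
// PHP_SELF also carries trailing PATH_INFO, so basename($PHP_SELF) can be made to read
// "login.php" for any admin script, which is the bypass this thread is about.
function osc_admin_current_page(array $server)
{
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    return basename($script);
}

// True when the request must be redirected to the login page.
function osc_admin_needs_login(array $server, $admin_logged_in)
{
    if ($admin_logged_in) {
        return false;
    }
    // No stock admin script takes PATH_INFO, so any trailing path is refused outright.
    if (!empty($server['PATH_INFO'])) {
        return true;
    }
    return osc_admin_current_page($server) != FILENAME_LOGIN;
}

// In application_top.php, after filenames.php is required, the gate is used as:
//   if (osc_admin_needs_login($_SERVER, tep_session_is_registered('admin'))) {
//     tep_redirect(tep_href_link(FILENAME_LOGIN));
//   }

// Self-check on constructed request arrays (hypothetical values, not a live server).
if (PHP_SAPI === 'cli') {
    if (!defined('FILENAME_LOGIN')) {
        define('FILENAME_LOGIN', 'login.php');
    }
    $cases = array(
        // label                 SCRIPT_NAME           PHP_SELF                       PATH_INFO     expected
        'login page'       => array('/admin/login.php',  '/admin/login.php',            '',           false),
        'orders, no login' => array('/admin/orders.php', '/admin/orders.php',           '',           true),
        'orders + path'    => array('/admin/orders.php', '/admin/orders.php/login.php', '/login.php', true),
    );
    foreach ($cases as $label => $c) {
        $server = array('SCRIPT_NAME' => $c[0], 'PHP_SELF' => $c[1], 'PATH_INFO' => $c[2]);
        $old = basename($c[1]) != FILENAME_LOGIN;          // the basename($PHP_SELF) style check
        $new = osc_admin_needs_login($server, false);
        printf("%-18s redirect: PHP_SELF check=%-3s SCRIPT_NAME check=%-3s %s\n",
            $label, $old ? 'yes' : 'no', $new ? 'yes' : 'no', $new === $c[3] ? 'OK' : 'FAIL');
    }
}
```

The third case shows why the placement matters: the old-style check lets the request through, the SCRIPT_NAME check still redirects it, and both only behave correctly once FILENAME_LOGIN exists, so the call must sit after filenames.php is included.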
spooks Posted December 29, 2009
If you're finding things here hard to follow, this contrib may help, and see FWR's post on 16th Dec re code to prevent the specific admin hack http://www.oscommerce.com/forums/index.php?showtopic=348589&pid=1467014&start=&st=#entry1467014
Sam
lanrat Posted December 30, 2009
Hi All, a cart I administrate also got hacked during this Christmas period with spam being emailed to the customers and I found the "<?php /**/eval(base64_decode.... ?>" infecting *all* the php files. The accompanying files of the 'hack-attack' were added to the '/admin/includes/languages/english/images/buttons' directory. I "think" I have it all contained and the site working again (see the steps I've taken below) but I have one troubling question related to 'Step 5' below and a comment on this and other threads about this subject. i.e.
QUESTION: After password protecting the 'renamed_admin' folder the (extra) pop-up requesting the "folder protection credentials" actually DISPLAYS THE USERNAME required - some security feature hey? Comments/solutions please!!!
Steps taken thus far: I've replaced/restored all php files from a backup, deleted the hackers' files and....
1. Deleted '/admin/file_manager.php' and edited '/admin/includes/boxes/tools.php'
2. Set file and folder permissions to 644 and 755 (configure.php files set to 400)
3. Changed all the passwords (Site admin, Cart admin, DB User)
4. Renamed the 'admin' folder and edited the 'renamed_admin/includes/configure.php' file
5. Password protected the 'renamed_admin' folder using the ISP's 'Site Admin/Configuration Panel' - it's not the conventional cPanel
Is there anything I've missed?
COMMENT: I appreciate the wealth of experience and information provided here but must agree with some postings that sometimes the 'fixes' PRESUME a level of competence that 'NOOBs' (Newbies) like me just don't have - PLEASE, when somebody says they are not a programmer or are newbies lay it out step by step - remember, you had to learn once-upon-a-time too :^) Thanks to all contributors - I plan to work my way through the rest of <spooks> suggestions as time permits.
Cheers, Mark
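A small scanner, added here as an example and not taken from the thread or from osCommerce, that checks a store tree for the two traces Mark describes: PHP files opening with the injected "<?php /**/eval(base64_decode(" prefix, and PHP files sitting under an images directory (the dropped files lived in .../images/buttons), where a stock osCommerce tree has none. It assumes PHP 5.3.6 or later for SplFileInfo::getExtension(); the sample tree it builds when no path is given is constructed and harmless.

```php
<?php
// Added example, not from this thread: report PHP files carrying the injected
// "<?php /**/eval(base64_decode(...))" prefix described above, and PHP files sitting under
// an images directory (the attacker's files were dropped in .../images/buttons), where no
// PHP belongs in a stock osCommerce tree. Run as: php scan.php /path/to/catalog
// With no path it builds a constructed sample tree under the temp dir to show the output.

function osc_scan_tree($root)
{
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        // PHP under images/: not expected anywhere in the stock catalog or admin.
        if (preg_match('#[/\\\\]images[/\\\\]#', $path)) {
            $hits[] = array($path, 'php file under an images directory');
        }
        // Injected prefix: "<?php", optional /**/ comment, then eval(base64_decode(
        $head = file_get_contents($path, false, null, 0, 2048);
        if (preg_match('#<\?php\s*(/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(#is', $head)) {
            $hits[] = array($path, 'eval(base64_decode()) near top of file');
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        $root = $argv[1];
    } else {
        $root = sys_get_temp_dir() . '/osc_scan_sample';          // constructed sample tree
        $buttons = $root . '/admin/includes/languages/english/images/buttons';
        if (!is_dir($buttons)) {
            mkdir($buttons, 0755, true);
        }
        // Harmless fixture: the base64 is just "echo 1;" and is never executed here.
        file_put_contents($root . '/index.php',
            "<?php /**/eval(base64_decode('ZWNobyAxOw==')); ?>\n<?php echo 'shop'; ?>\n");
        file_put_contents($root . '/clean.php', "<?php echo 'fine'; ?>\n");
        file_put_contents($buttons . '/dropped.php', "<?php echo 'dropped'; ?>\n");
    }
    $hits = osc_scan_tree($root);
    foreach ($hits as $h) {
        printf("%-70s %s\n", $h[0], $h[1]);
    }
    printf("%d finding(s)\n", count($hits));
}
```

Run it against a restored-from-backup copy as well as the live tree; a clean backup should report no findings, which is the check that the restore itself was not already infected.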
spooks Posted January 4, 2010
> DISPLAYS THE USERNAME required
It's your browser that remembered the last username you used, try visiting with another browser!!
Sam
MattReid Posted January 20, 2010
> In the German forum there is
> After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:
> define('DIR_WS_ADMIN', '/renamed_admin_directory/');
> define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
Hello, I skimmed the thread and couldn't see this already asked, sorry if I missed it..... I notice in my 2.2RC2a, admin/includes/configure.php reads:
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
Presumably this means I only have to change the first line? And nothing else anywhere else?
Guest Posted January 20, 2010
Matt, if, for example, you changed your admin folder name to MATT the line would read
define('DIR_WS_ADMIN', '/matt/');
When Jan referred to the file as:
define('DIR_WS_ADMIN', '/renamed_admin_directory/');
he meant that renamed_admin_directory is whatever you have renamed it to. NOT literally "renamed_admin_directory"
Chris
Jan Zonjee Posted January 20, 2010 (Author)
> I notice in my 2.2RC2a, admin/includes/configure.php reads:
> define('DIR_WS_ADMIN', '/admin/');
> define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
> Presumably this means I only have to change the first line? And nothing else anywhere else?
Yes, indeed. This is in the "default" configure.php that you can change manually, but is overwritten when you do the install with the install script.
MattReid Posted January 20, 2010
Ah, yes that's what I meant Jan, I see now, thanks for the clear reply. (Thank you very much for your help, or something close to that :thumbsup: )
MattReid Posted February 15, 2010
> Delete admin/filemanager.php and associated links.
> Delete admin/define_language.php and associated link in the "Tools" box.
Hello again. Please could you tell me where any other link to filemanager.php might be? Apart from in the "Tools" box? Thanks.
This topic is now archived and is closed to further replies.