
osCommerce


getting tired of hackers


vajjas1


I am a web developer and I am getting tired of my clients' sites being hacked. Not once, not twice, not three times, it's a LOT of times: sending junk emails from the admin account, hijacking sites to capture bank account details of users, putting in .htaccess redirects, adding junk code as iframes, COME ON!!! Will this ever stop or be controlled? I am getting tired of scum bags.

 

I saw the pinned post about security measures. If they are that crucial, why can't you guys do something, take offensive action on the security of the osCommerce package, include security essentials as part of the basic installation? What am I supposed to do? Get away from osCommerce? My clients are losing my trust and I am losing referral business. Is something being done?

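The two symptoms the opening post lists, iframes injected into pages and redirect rules planted in .htaccess, can be checked for mechanically on a schedule rather than discovered from customer complaints. The script below is an added example, not code from this thread or from the osCommerce project; the web-root layout, file extensions scanned and the sample files used in its usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for the two symptoms
# described in the opening post, hidden <iframe> tags injected into pages and
# redirect rules added to .htaccess files. Paths and extensions are assumptions.

# List files under $1 that contain an <iframe> which is hidden or sized to
# zero pixels. A legitimate embed (a video player, say) has a visible size;
# an injected frame is almost always made invisible, so that is what we flag.
scan_hidden_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -ilE "<iframe[^>]*(width=[\"']?0[^0-9]|height=[\"']?0[^0-9]|display: *none|visibility: *hidden)" {} \; \
        2>/dev/null | sort
}

# List .htaccess files under $1 that send visitors elsewhere: any Redirect*
# directive, or a RewriteRule/ErrorDocument whose target is an absolute URL.
# A deliberate http-to-https rewrite in the root .htaccess will show up too;
# that is an expected finding to review, not a false alarm to suppress.
scan_htaccess_redirects() {
    find "$1" -type f -name .htaccess \
        -exec grep -ilE '^[[:space:]]*(Redirect(Match|Permanent|Temp)?[[:space:]]|(RewriteRule|ErrorDocument)[^#]*https?://)' {} \; \
        2>/dev/null | sort
}

# Run both scans, print one "KIND path" line per finding, and return 1 when
# anything was found so the function can drive a cron alert.
scan_webroot() {
    report=$(
        scan_hidden_iframes "$1" | sed 's/^/IFRAME   /'
        scan_htaccess_redirects "$1" | sed 's/^/HTACCESS /'
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Usage (hypothetical path): sh scan.sh /var/www/html
case "${1:-}" in ?*) scan_webroot "$1" ;; esac
```

Run from cron, a non-zero exit from scan_webroot is the signal to look at the listed files; the file list is a starting point for investigation, not proof of compromise, and the content matched should be compared against a known-good copy of the site before anything is changed.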

The next release 2.2RC3 should have some security improvements.

 

But as a web developer you should definitely be able to advise and help your clients secure their sites.


Don,

 

If you are a developer, you should keep your clients informed about security measures and suggest they implement them. I have clients on maintenance contracts and I AUTOMATICALLY make changes to their sites to ensure they have the latest proven security changes. Those clients who do not have maintenance contracts with me are emailed and informed of the suggested changes and what it will cost to implement them.

 

As a developer, this is my job. All new sites I install have ALL of the required security changes already in place (so I guess I am installing V2.2 RC3).

 

So, in my humble opinion, I am suggesting that it is YOUR job to ensure the security of your clients' sites, or at least suggest they have the site updated to include the latest security.

 

Chris


No offense intended, but it may be partially your fault for repeated hacks. When a client tells me that they have been hacked their site gets wiped clean. No attempts to repair it. None. Nada. It gets wiped clean. Then a new install with the most recent updates before it goes live again.

 

Attempts to repair only leave doubt and a high probability that something was missed, and the hack will just reoccur. If you are repairing the sites you are likely missing things. Your policy should be 'Hacked sites get wiped. No exceptions.'

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


No offense intended, but it may be partially your fault for repeated hacks. When a client tells me that they have been hacked their site gets wiped clean. No attempts to repair it. None. Nada. It gets wiped clean. Then a new install with the most recent updates before it goes live again.

 

Attempts to repair only leave doubt and a high probability that something was missed, and the hack will just reoccur. If you are repairing the sites you are likely missing things. Your policy should be 'Hacked sites get wiped. No exceptions.'

 

Can you explain what 'wiped' involves? Delete the entire site and re-upload it?

 

DunWeb: I can inform clients of security measures, but the site's hacking is out of their hands as we develop them and they just use them; hacks happen from the backend, not by shared passwords. So I'm not sure warning clients will help them or me. It's nice to have maintenance contracts, but I also got the other end of it: "If you developed a website I would expect it to be secure, I don't have to pay you to secure it every 6 months." :-)


Can you explain what 'wiped' involves? Delete the entire site and re-upload it?

Yeah. rm -R *

Or in windows terms, erase *.*

Delete everything, every file, every directory.

 

Put a password on the root directory. Reinstall. Apply security updates. Test. Remove password protection from root but leave on renamed admin directory.

 

DunWeb: I can inform clients of security measures, but the site's hacking is out of their hands as we develop them and they just use them; hacks happen from the backend, not by shared passwords. So I'm not sure warning clients will help them or me. It's nice to have maintenance contracts, but I also got the other end of it: "If you developed a website I would expect it to be secure, I don't have to pay you to secure it every 6 months." :-)

 

Also, hacks occur from not using SSH instead of telnet, sftp instead of ftp, shadow passwords, SSL on the admin directory, and many other standard security items.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


DunWeb: I can inform clients of security measures, but the site's hacking is out of their hands as we develop them and they just use them; hacks happen from the backend, not by shared passwords. So I'm not sure warning clients will help them or me. It's nice to have maintenance contracts, but I also got the other end of it: "If you developed a website I would expect it to be secure, I don't have to pay you to secure it every 6 months." :-)

 

Unfortunately I don't agree. Although the site being hacked is out of the customer's control, it is NOT supposed to be out of your control. It is your job to secure those sites to the best of your ability and/or at least inform your clients of the security changes. If they choose not to have the site updated, then the onus of responsibility for their customers' information falls back onto your client. There are states/provinces where failing to secure the information collected on your website is a criminal offense; that in itself should be motivation enough for YOU and YOUR clients to maintain and upgrade the site as necessary.

 

Having a website is costly and does not end at the completion of setup. There are domain name renewal fees, hosting costs and upgrade costs all associated with owning a website, so when you say 'I don't have to pay you to secure it every 6 months. :-)' you are dead wrong, unless you can secure it yourself.

 

Perhaps you would like to post your complete name and business name (if you are registered) so everyone here will know who NOT to hire to do their site ? Probably not eh ? well, I asked anyway.

 

Chris


I think you got it wrong; the comment is from the client, not from me. I would love it if they paid to monitor their site and keep it up to date, but not everyone is willing to roll out the dollars. Lucky for you. Hopefully you read this right this time.


Don,

 

I think I did read it correctly and I am sorry you felt the need to give me negative feedback on my comments, however my personal opinion on your business practices remains the same.

 

 

Chris


Actually, I see you disagree with all the responses to your post, as you have clicked negative feedback on ALL of them. Sometimes criticism is hard to hear, but what you have received is honest replies.

 

 

 

Chris


I think you got it wrong; the comment is from the client, not from me. I would love it if they paid to monitor their site and keep it up to date, but not everyone is willing to roll out the dollars. Lucky for you. Hopefully you read this right this time.

 

I agree with you, but you have to offer them a security package and to investigate how you can secure their site if they wish (by reading many topics like the topic of Spooks, and yes that takes a lot of time all to understand, but once you understand you know and can help your customers per offer NOT FOR FREE of course).

I am also a developer, but that does not mean I control the whole website for free. I work for small businesses and do things for low money (e.g. writing complete new programs; not for an hourly rate), so I always have a lot of work to do (making many, many hours; sometimes no other choice when you're getting older and no longer of interest for a fixed job because of your age). And if a customer is not interested in securing their website because of the money (working hours), is that my responsibility (if I sometimes write a new program or change an existing program)? I don't think so, 100%! But I warn them with a fixed text in my emails; the rest is up to them ...

 

I have still a customer who is being attacked every day but after the security package (he had to pay for my time because he was seriously hacked, my first time to experience that) they don't come in anymore. But I think it has also to do with your provider, because even without an extra security package they don't come in at one provider and easily at another provider. I think offer the package of Spooks (first topic) and taking care you have a provider who implements the su functions in php (so 755 is the highest authorization for a directory).


And if they have an old release of oscommerce with register_globals on, use the seo solution (find on the internet) and you can change the release to register_globals off in very few steps.

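Several replies above list concrete hardening items for an osCommerce install: the rebuild procedure that leaves password protection on a renamed admin directory, SSL on the admin directory among the "standard security items", a provider setup where 755 is the widest directory permission, and register_globals turned off. The audit below turns those four into checks that can be re-run after every rebuild. It is an added example, not code from the thread or from osCommerce; it assumes an Apache host where these settings live in .htaccess and php.ini-style files, and the admin directory name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an osCommerce site for the
# hardening items the replies list. Directive names, file locations and the
# admin directory name are assumptions about a typical Apache/PHP host.

# Print one finding per line for the site rooted at $1 whose admin directory
# (relative to the root) is $2. Returns 0 when nothing was found.
audit_site() {
    root=$1; admin=$2; findings=0

    # 1. The admin directory should be renamed away from the default "admin".
    if [ "$admin" = "admin" ]; then
        echo "admin directory still uses the default name 'admin'"; findings=$((findings+1))
    fi

    # 2. The admin directory should carry HTTP auth in its .htaccess
    #    (a missing file counts as unprotected).
    ht="$root/$admin/.htaccess"
    if ! grep -qiE '^[[:space:]]*AuthType' "$ht" 2>/dev/null || \
       ! grep -qiE '^[[:space:]]*Require[[:space:]]+(valid-user|user)' "$ht" 2>/dev/null; then
        echo "$admin/.htaccess lacks password protection (AuthType/Require)"; findings=$((findings+1))
    fi

    # 3. The admin directory should be served over SSL only, either via
    #    SSLRequireSSL or a RewriteCond that tests %{HTTPS}.
    if ! grep -qiE '^[[:space:]]*(SSLRequireSSL|RewriteCond[[:space:]]+%\{HTTPS\}[[:space:]]+(off|!on))' "$ht" 2>/dev/null; then
        echo "$admin/.htaccess does not force SSL"; findings=$((findings+1))
    fi

    # 4. No directory wider than 755: -perm -020 is group-write, -perm -002
    #    is world-write, so anything matched is 775/777-style.
    wide=$(find "$root" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null | sort)
    if [ -n "$wide" ]; then
        printf '%s\n' "$wide" | sed 's/^/directory writable beyond 755: /'
        findings=$((findings + $(printf '%s\n' "$wide" | wc -l)))
    fi

    # 5. register_globals should be off, whether set in a php.ini-style file
    #    ("register_globals = On") or via php_flag in an .htaccess file.
    rg=$(find "$root" -type f \( -name .htaccess -o -name '*.ini' \) \
         -exec grep -liE '^[[:space:]]*(php_flag[[:space:]]+)?register_globals[[:space:]]*=?[[:space:]]*(on|1)' {} \; 2>/dev/null)
    if [ -n "$rg" ]; then
        echo "register_globals is enabled in: $(printf '%s' "$rg" | tr '\n' ' ')"; findings=$((findings+1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage (hypothetical paths): sh audit.sh /var/www/html shopadmin
case "${1:-}" in ?*) audit_site "$1" "${2:-admin}" ;; esac
```

The .htaccess checks assume the host honours per-directory overrides; a provider that configures the auth and SSL rules in the virtual host instead will report items 2 and 3 as findings even when the site is protected, so the output is a checklist to confirm against the hosting setup rather than a score.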

Don,

 

I think I did read it correctly and I am sorry you felt the need to give me negative feedback on my comments, however my personal opinion on your business practices remains the same.

 

 

Chris

 

And what made you think I care for your opinion about my business? I am here to express my concerns and get feedback on securing the site, not to hear from Canadian hippies and hillbillies who think they know it all.


I agree with you, but you have to offer them a security package and to investigate how you can secure their site if they wish (by reading many topics like the topic of Spooks, and yes that takes a lot of time all to understand, but once you understand you know and can help your customers per offer NOT FOR FREE of course).

I am also a developer, but that does not mean I control the whole website for free. I work for small businesses and do things for low money (e.g. writing complete new programs; not for an hourly rate), so I always have a lot of work to do (making many, many hours; sometimes no other choice when you're getting older and no longer of interest for a fixed job because of your age). And if a customer is not interested in securing their website because of the money (working hours), is that my responsibility (if I sometimes write a new program or change an existing program)? I don't think so, 100%! But I warn them with a fixed text in my emails; the rest is up to them ...

 

I have still a customer who is being attacked every day but after the security package (he had to pay for my time because he was seriously hacked, my first time to experience that) they don't come in anymore. But I think it has also to do with your provider, because even without an extra security package they don't come in at one provider and easily at another provider. I think offer the package of Spooks (first topic) and taking care you have a provider who implements the su functions in php (so 755 is the highest authorization for a directory).

 

Hmm, I guess I need to re-look at how to provide support for them, which will cover the costs of security updates. Thanks all.


Archived

This topic is now archived and is closed to further replies.
