osCommerce

Shop Hacked. Administrators deleted.


chrishamblin


Hi All.

I've got an odd problem with one of my stores.

Somehow someone or something has got into the database and deleted the Administrators, and replaced these users with a new one.

I've created a bit of code that checks the database and if a specific admin is removed it emails me, but I know that this isn't the best answer.
The best answer is to know why...

I've got a bunch of security measures in place, but for some reason this has happened more than once.

I've made sure that all the files are at most 644, and folders 755.
I've applied SiteMonitor so I know if any of the files have changed.

I seem to remember applying more than just these, but I can't remember off the top of my head.

As of yet I've not renamed the admin folder, or removed the file_manager or define_language files (but they are on my list of things to do).


Any ideas how they are getting in to change the users in the Administrators table?


This is the code I created to check the admin folder for a specific username.
I've added an hourly cron job pointing to this PHP file, so it gets checked every hour.

It may not be the best way of doing it, but it works...

Thanks for your help.

Chris.

[code]
<?php
// Database user name
$user_name = " ";
// Database password
$password = " ";
// Address of the database server
$server = " ";

// Admin username to check for
$username_to_check = " ";

// Number of sites you need to check
$number_of_databases = 3;
// List of the databases you need to check
$databases = array("shop1", "shop2", "shop3");

// Where you want the email to come from
$mail_from = "Oscommerce Store<[email protected]>";
// Where you want the mail to be sent to
$mail_to = "You<[email protected]>";
// Your name
$YOUR_name = " ";

$database_hacked = "";
$file_name = $_SERVER['SCRIPT_FILENAME'];
$db_number = 0;

// The old mysql_* functions were removed in PHP 7, so this uses mysqli.
// Turn off mysqli exceptions so a failed connection or query returns false.
mysqli_report(MYSQLI_REPORT_OFF);

// Check each database for the specified username.
while ($db_number < $number_of_databases) {
    $database = $databases[$db_number];
    $username_found = false;

    $db_handle = mysqli_connect($server, $user_name, $password, $database);
    if ($db_handle) {
        $SQL = "SELECT user_name FROM administrators";
        $result = mysqli_query($db_handle, $SQL);

        while ($result && ($db_field = mysqli_fetch_assoc($result))) {
            // Compare each name exactly (ignoring case). Searching one
            // concatenated string would also match "admin2" for "admin".
            if (strcasecmp($db_field['user_name'], $username_to_check) == 0) {
                $username_found = true;
            }
        }
        mysqli_close($db_handle);
    }

    if ($username_found) {
        //echo 'The usernames are still there, so the database is probably OK.<br>';
    } else {
        // Also reached when the database could not be read at all.
        $database_hacked .= $database . "\n";
        //echo 'The specified username is MISSING.  Time to do some work I feel.<br>';
    }

    $db_number++;
}

// Send the email if something is wrong.
if ($database_hacked != "") {
    $subject = "The Database files have been hacked again";
    $body = "Hi " .$YOUR_name.". \n\n It looks like the following database files have been played around with again: \n\n ".$database_hacked."\n\nYour username (" . $username_to_check . ") at least is missing from the list of Administrators.\n\n Time to revert from a backup.\n\n Annoying I know.\n\n  Best of luck.\n\n Your WebServer.\n\nThis mail was generated by ". $file_name ;
    mail($mail_to, $subject, $body, "From: $mail_from");
    //echo 'mail sent';
}
?>
[/code]


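The cron check in the post above only notices when one named account disappears. As an added example (not code from this thread), the PHP below reports any added, removed or changed row in the administrators table by comparing per-row fingerprints with a saved baseline; the function names and sample rows are constructed for illustration, and the columns assumed are id, user_name and user_password.

```php
<?php
// Added example, not code from this thread. All rows below are constructed.

// Fingerprint every row so the baseline can be saved (e.g. as JSON outside
// the web root) without containing the password hashes themselves.
function admin_fingerprints(array $rows): array
{
    $out = [];
    foreach ($rows as $row) {
        $key = strtolower($row['user_name']);
        $out[$key] = hash('sha256', implode("\0", [$row['id'], $row['user_name'], $row['user_password']]));
    }
    return $out;
}

// Compare the saved baseline with what the table holds now.
function diff_admins(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $name => $fingerprint) {
        if (!hash_equals($baseline[$name], $fingerprint)) {
            $changed[] = $name; // same name, different id or password hash
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

// Constructed baseline, taken while the store was known to be clean.
$baseline = admin_fingerprints([
    ['id' => 1, 'user_name' => 'chris', 'user_password' => 'constructed-hash-1'],
    ['id' => 2, 'user_name' => 'helper', 'user_password' => 'constructed-hash-2'],
]);
// Constructed result of a later cron run of:
//   SELECT id, user_name, user_password FROM administrators
$current = admin_fingerprints([
    ['id' => 2, 'user_name' => 'helper', 'user_password' => 'constructed-hash-9'],
    ['id' => 3, 'user_name' => 'newadmin', 'user_password' => 'constructed-hash-3'],
]);

$report = diff_admins($baseline, $current);
if ($report['added'] || $report['removed'] || $report['changed']) {
    // In the cron job this text would be the body passed to mail().
    echo "administrators table changed:\n" . json_encode($report) . "\n";
}
```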

"Any ideas how they are getting in to change the users in the Administrators table?"

 

 

I too have had new administrators added on my site, on three occasions iirc.

Afaik the only solution seems to be to change the passwords on the proper administrator user, ftp and sql frequently and make the passwords hard to crack.

Any ideas on how the hackers get in to add Administrators are much welcomed.

Kjell Aa


Yes, File_mangler and define_languages also need to be removed. If you have FTP access or cpanel access to your site then these files are redundant anyway.

Chris


The main one being to rename your admin folder. I'm not going to say how but there is an easy way to access the admin folder and defeat the log in page.

If they cannot find the admin folder then this particular hack will be avoided, then ensure your folders and files are correctly set with permissions, this depends on your account as to what they should be, most say 755 is good enough but this only applies if you have a certain ownership, in some cases it can be like leaving an open door also.

Nic

Sometimes you're the dog and sometimes the lamp post


Thanks for all your help.

I've now renamed the admin directory on my stores and am in the process of adding .htaccess password protection to the admin area.

Fingers crossed this should be enough to keep idle hands off my site for a while.

Thanks again, and keep up the good work.

Chris.


  • 1 month later...

Hi,

Got about the same issue all because of none other than myself.

I had forgotten the admin user and password both and then tried to press "empty" from administrator via phpMyAdmin but (call me an idiot if you will) I deleted the administrator entry.

Now I want it back. I have a backup (SQL) but it's very old, about one year back. How can I extract just the administrator query from the old SQL and insert it into the current site so that the admin section should start to work again and accept admin user and pass?

HANSONS PAKISTAN


Run this in any sql tab.

[code]
CREATE TABLE IF NOT EXISTS administrators (
  id int(11) NOT NULL AUTO_INCREMENT,
  user_name varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  user_password varchar(40) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (id)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
[/code]

When you access the admin area again it should ask you to create a new admin. If the sql fails then your administrator table is probably still there but corrupt.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


Archived

This topic is now archived and is closed to further replies.
