
Hacked for the last time


WebDev22

We've put so much energy into patching up osCommerce, but were hacked yet again by someone who uploaded an index.html file, which redirects people to a link similar to this http://adf.ly/xxxxxxxxxxxxxxx. I'm finished messing with osCommerce and will research over the weekend and make a recommendation on Monday to most likely migrate to another platform. HostGator now offers Magento, which is the first place I'll be looking.


Brett,

Of course none of the members here like to hear someone is migrating to another cart, however the choice is always yours. You will find Magento very limited in configurability and it too has security issues you will have to resolve.

I have to say, in the 9+ years I have been configuring OSC for my clients and personal use, I have only had ONE site hacked and this was because the client had a password grabber emailed to them and they ran it without knowing. Having said this, if you would have made ALL of the required security changes and ensured server security I am positive you would have had a better experience with OSC.

So, when you are done trying Magento, feel free to look us up again.

Chris


We made a lot of modifications including the following:

1. Installed SiteMonitor

2. Changed name of Admin folder

3. Created very cryptic password for cPanel, FTP and Admin.

4. Removed File Manager and one other link from Admin, as well as their respective files.

There are others that I can't think of right now.

Is there a concise list somewhere?


I appreciate the links, but once again I'm required to spend even more time reading about security and applying them to the site. What a mess. This is never a concern with any of our Yahoo Stores.

So, instead of brainstorming graphics for our next round of home page promotions, I'm back to spending more time on security. Perhaps osCommerce is really designed for stores with plenty of development resources.


Brett,

To be honest... those two threads should have been your FIRST resource when you installed your store. They are pinned topics and anyone who has not implemented all the patches and suggested security contributions is just asking for hacker problems.

Chris


Perhaps you're right. How do you communicate that to the countless people out there installing osCommerce using Fantastico that have no clue of the security breaches they're about to endure? These are people like me that have a vested interest in the site, but aren't advanced PHP coders. Had I known, I probably would have turned towards an easier solution geared for business owners as opposed to developers.


Brett,

If you installed through Fantastico then right away you were at a disadvantage because Fantastico versions are typically already behind in versions and security because they are created/modified by hosting providers. I suggest anyone who is looking for a secure, up to date cart to purchase one from a qualified developer that will support the cart. The added initial expense is worth more than the time it takes for non-technical people to try to figure it out.

In your case, all that is hindsight now but I still suggest you continue to use OSC as your cart solution as it is leaps and bounds ahead of the others in configurability.

Chris


You're making the assumption that osCommerce is at fault, which it may very well be. But the host also plays a part in this. Like Chris, my experience is that very few sites properly set up get hacked. But if you search these forums for hosts that use 777 as their standard permissions settings, you will get many results.

There is also a trade-off to consider. While your Yahoo stores may have fewer problems, you have less control over what you can do with them and handling products with them is terrible, so I don't think that comparison is valid.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

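The two conditions raised in this thread, a host that leaves directories at 777 and an index.html dropped into the store to redirect visitors, can both be checked from the shell. The script below is an added example, not code from the thread or from osCommerce; the web root layout and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from osCommerce): audit a web root for
# world-writable (777) paths a host may have left behind and for index.html
# files dropped beside osCommerce's index.php. The sample tree is constructed.

# Print every world-writable file or directory under $1, one per line.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Print every index.html under $1 that sits next to an index.php.
# osCommerce serves index.php, so an index.html there is worth a look.
find_stray_index_html() {
    find "$1" -type f -name index.html 2>/dev/null | while read -r f; do
        d=$(dirname "$f")
        [ -e "$d/index.php" ] && echo "$f"
    done | sort
}

# Summarise findings; exit status 0 means clean, 1 means something to review.
audit_webroot() {
    ww=$(find_world_writable "$1" | wc -l | tr -d ' ')
    ih=$(find_stray_index_html "$1" | wc -l | tr -d ' ')
    echo "world-writable: $ww, stray index.html: $ih"
    [ "$ww" -eq 0 ] && [ "$ih" -eq 0 ]
}

# Build a constructed sample web root in a temp dir and print its path.
make_sample_root() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/catalog/images" "$root/catalog/admin"
    : > "$root/catalog/index.php"
    : > "$root/catalog/admin/index.php"
    : > "$root/catalog/index.html"        # the dropped redirect page
    : > "$root/catalog/images/logo.png"
    chmod 777 "$root/catalog/images"     # the host's "standard" permissions
    echo "$root"
}

# Usage: sh audit.sh /path/to/webroot   (no argument: run on the sample tree)
if [ -n "$1" ]; then
    audit_webroot "$1"
else
    sample=$(make_sample_root)
    audit_webroot "$sample" || :
    rm -rf "$sample"
fi
```

On a real store, run it against the catalog directory and review each reported path; the images directory is the usual place a host leaves 777, and it should be writable by the web server user only.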

I can see where the host might play a role, but they don't write the scripts. Plus, now there's this: http://www.oscommerce.com/forums/index.php?showtopic=363431. Has this issue already been addressed somewhere in the forums?


Brett, if you have already convinced yourself to move to another cart there is not much we can do to change your mind. But, I have found that with a minimal amount of experience one can install a base osCommerce, and all the necessary security patches to keep you safe, all in one day. Beyond that it is a matter of installing patches that may come up as crackers find other ways to exploit servers. It is all a part of being a member of this community and sharing information with each other.

What it sounds like to me is that you are expecting a robust, security proven, shopping cart program for free, and it is just not going to happen. But the majority of us here feel that osCommerce is as close as you will get to that.

Note that additional versions are in beta and once released will have most, if not all, of the known security holes patched. You just came in at the end of life for this particular version...

Whether you stay or go we wish you well, but know that there are a lot of us here that will step forward and assist you in any way we can.

Cheers,

Mark

Community Bootstrap Edition, Edge

Avoid the most asked question. See How to Secure My Site and How do I...?


But is it the scripts that are at fault? You can spend the next year figuring out ways to lock the front door to your site only to find your host held the back door open the whole time.

Yes, as answered, the problem in the other thread is a known issue and there are several fixes for it.

By its nature, php/mysql is not very secure. And no programmer, at least none that I know of, can write code as complicated as osCommerce, or even parts of it, and cover all issues that may occur at some point in the future.


The first pinned topic in this forum.

The first pinned topic is indeed a very good overview of what should be done.

The question is however: why were these provisions not incorporated in a (patch) release of osc2.2?

For example: why doesn't the install/wizard add an .htpasswd to the admin folder?

Let's be honest; an average osc starter has a long list of feature requests and security isn't anywhere near the top 10... (although it should be)

Paul


See Github for the latest code.


Paul,

Very FEW contributions are incorporated into the BASE osCommerce download. As Jan has pointed out the GITHUB updates for 'oscommerce v2.3' will have important security issues corrected, however osCommerce is designed to start from a base version and it is up to the website developer to choose how to customize it to suit your own needs. If you are not inclined to make the edits and install the patches, then perhaps you should seek out help in doing so.

Chris


Chris,

I fully agree on this approach when it comes to 'functional' features, these are typical questions that a shop owner would ask for, such as the ability to giftwrap the items, or to offer a more intuitive 'search' interface. I think some other improvements however should be incorporated in the base such as:

- security updates

- legal guidelines/demands

- performance-related updates (typically query stuff)

- compatibility with newer php/mysql versions

- and I could probably mention some other non-functional aspects that should be continued to work on...

- and I even think that the base should have an up-to-date architecture that suits modern feature requests. Some contributions are implemented in a quick and dirty way because the base simply doesn't provide the required design, for example; why is there no customer entity? Would be nice when you're developing a PWA contribution, right?

Just for your information; I happen to be able to install contributions and most of the time first rewrite parts to the best of my knowledge. This however has led to a code base in which I can rarely share parts with other developers since 'everything is different from the BASE'. Maybe you can give me some good advice on how to handle this?

Paul
