When do I do What and How to Recover


mycommerce2

After months and months setting up my site, I got HACKED!!! Guess I should have focused on security from the start, but guess I, like others, got so caught up in the site setup that we overlooked the security measures.

 

I’ve spent all day reading everything I can about securing my website. I’m pretty clear on WHAT TO DO, but I’m still confused on WHEN & HOW TO DO it. Below I have a few questions related to when and how to do some of the things suggested. If you respond, please try to focus on the WHEN (in terms of sequence) and HOW, instead of just WHAT to recover from an attack by the “ <?php /**/eval(base64_decode…” malicious code.

Ref my earlier post: http://www.oscommerce.com/forums/topic/366089-help-removing-text-from-englishindexphp/

 

I believe I have good backup files, but I’m not at all sure how or when to upload them, among all the other things to do. This is where I’m trying to start from: http://www.oscommerce.com/forums/topic/345957-evalbase64-decode-hack/

It was suggested there are basically 2 ways to recover from a hacking.

1. It was said the easiest way to recover is to delete the entire set of PHP files (and non osC files) on my server and restore from a good backup. Is there a way to delete them all at once? If not, how do I go about deleting them one by one? What are the non osC files?

2. Delete File Manager.php and admin/define_language.php. I found how to delete these, but what do I use to manage files once these are deleted?

3. What are the associated links to File Manager and how do I delete them?

4. Where do I go to set folder permission?

5. Where do I get .htaccess and how do I install it into the renamed admin directory?

6. Just Host is my hosting service, how do I know if they are using a Windows server or not?

7. Is the admin folder the only place where .htaccess needs to be added?

8. I was told to use .htaccess to shut down my website so only I can access it. Does placing it in the admin folder accomplish this shutdown?

9. Once I install all the addons, rename admin directory and remove file manager and define_language, do I then remove .htaccess from some or all the places (#7) it was installed?

10. In what sequence do I do all the security stuff? Do I delete all PHP files first? Do I rename admin first? Do I install all the security addon first, or do I delete File Manager and define_language.php first?

Sorry for all the questions, but hope you understand and will take some time to help. Thanks very much.


Answers to Questions 1, 2, and 4: First, set up an FTP with your site through your host and use an FTP to upload/download/delete/change permissions/etc. This will make everything easier. Use a free FTP program. I use FileZilla. You can upload whole folders and overwrite entire sections of your site very quickly, depending on your internet connection speed. Use the FTP program to manage your files from now on. You can also change permissions by right-clicking on any single or selected group of files/folders.

 

I wouldn't just delete infected files unless you inspected each and every one of them. If you have a good backup, I'd revert all files back to that backup. If you pick and choose which files to replace, you might break other things.

 

Answers to Question 3: If you delete file_manager.php, you shouldn't need to worry about what it associates itself with.

 

Answers to Question 5: .htaccess is something you can create for yourself if you don't already have one. You can use Notepad to save a .htaccess (it's really just a text file that is named .htaccess). Fill it with whatever code you wish to use. I'm sure you can find a ton here, in contributions, or through an online search.

 

Answers to Question 6: Ask.

 

Answers to Question 7 and 9: No, but the admin folder is the most important. You can customize a .htaccess file per folder depending on your needs. It's pretty powerful, so test out your coding to make sure it works and doesn't break anything. Test each code you add each time. Don't add them all at once and then test it once. Only remove the selected codes you've added if it breaks something. But I'd find a hard reason to remove the .htaccess file once you've used it.

 

Answers to Question 8: Yes and no? .htaccess is a strong step upwards towards securing your site, but it's not the only one. .htaccess is not the sole solution to securing your website. Consider adding all the security recommendations you read on this forum. I haven't heard a person doing ALL of them being hacked again, so it's a pretty safe win record.

 

Answers to Question 10: Restore your backup first. Then change your passwords to everything. Yes, everything. Then rename the admin folder. Then install your .htaccess file for the newly renamed admin file and test it out. Then delete file_manager.php and define_language.php. Then install the security add-ons. Then mess around with any other .htaccess scripts you want and test it out.


Amendment to Question 10: Thought occurred to me since I have a backup of my website on my PC. If your backup is on your PC, a better solution would be to make all the security changes to the backup on your PC (rename admin, delete files, .htaccess, security add-ons, etc). Then delete ALL the files on your website. Then upload your modified backup from your PC. This method wouldn't give even a millisecond for hackers to reinject code. As long as the database isn't touched, I don't see a problem with this method.

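The offline procedure from the amendment above, as an added example that is not part of the original posts: it copies the backup on the PC, deletes the two admin files named in the thread, renames the admin directory, and drops an .htaccess into images that refuses PHP requests (a later reply in this thread describes using one there). The function names, the sample tree, the new directory name and the Apache 2.4 `Require all denied` syntax are assumptions; password protection for the renamed admin directory is left to the host's control panel.

```python
import shutil
import tempfile
from pathlib import Path

# Admin files the thread says to delete.
REMOVE_FROM_ADMIN = ("file_manager.php", "define_language.php")

# Assumption: Apache 2.4 syntax. Refuses any request for a PHP file under images/.
IMAGES_HTACCESS = (
    '<FilesMatch "(?i)\\.(php[0-9]?|phtml)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)

def stage_hardened_copy(backup_dir, staging_dir, new_admin, images_dir="images"):
    """Copy the backup, apply the changes offline, and return what was done."""
    backup, staging = Path(backup_dir), Path(staging_dir)
    if staging.exists():
        raise FileExistsError(f"{staging} exists; stage into a fresh directory")
    if not (backup / "admin").is_dir():
        raise FileNotFoundError("backup has no admin directory to rename")
    if Path(new_admin).name != new_admin or (backup / new_admin).exists():
        raise ValueError("new admin name must be a single, unused directory name")
    shutil.copytree(backup, staging)  # the backup itself is never modified
    done = []
    for name in REMOVE_FROM_ADMIN:
        target = staging / "admin" / name
        if target.exists():
            target.unlink()
            done.append(f"deleted admin/{name}")
    # Settings that still name the old directory must be updated separately.
    (staging / "admin").rename(staging / new_admin)
    done.append(f"renamed admin to {new_admin}")
    images = staging / images_dir
    if images.is_dir():
        htaccess = images / ".htaccess"
        existing = htaccess.read_text() if htaccess.exists() else ""
        if existing and not existing.endswith("\n"):
            existing += "\n"
        if IMAGES_HTACCESS not in existing:  # keep any rules already there
            htaccess.write_text(existing + IMAGES_HTACCESS)
            done.append(f"added PHP block to {images_dir}/.htaccess")
    return done

def build_backup(root):
    """Constructed sample backup tree (file contents are placeholders)."""
    root = Path(root)
    for rel in ("index.php", "admin/index.php", "admin/file_manager.php",
                "admin/define_language.php", "images/logo.gif"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = build_backup(Path(tmp) / "backup")
        for step in stage_hardened_copy(backup, Path(tmp) / "staging", "office-7f3a"):
            print(step)
```

The staged directory, not the original backup, is what gets uploaded after the server copy has been deleted.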

Thanks Kevin very much for the help. Now I'll go to work to try and clean up and protect my site.


I would password protect your entire site throughout the process.

 

Once you have been hacked you are now a target. You will not believe how fast the hackers can get to your site during the time you are installing the security updates.

 

After your site has been restored and all the security updates have been done you can remove the password protection on your entire site, but be sure and leave the password protection on your renamed admin directory.

 

Doing it this way there is no specific order to do things in. If I were having to reinstall from scratch I would install in a protected directory, then install the most complex of the add-ons that I eventually intended to install, whether it was security related or not. (That way you can use the files commonly included to install in a non-modified shop.) Then install all the security updates.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

"I would password protect your entire site throughout the process."

 

Thanks Mark. Would you expand a little on how I do this? Do you mean just change all my existing passwords?

No. I mean use your host's cPanel to set up private access to your site. Sometimes it is called directory security, sometimes simply password protect a directory. In either case your cPanel will create an .htaccess file for your root directory and a password is required to access your site.

 

It is the same feature of protecting your admin with .htaccess but you put it on your site root directory.

Great! Thanks again


  • 2 weeks later...

How can you password protect the entire site? Wouldn't it ask for a password for anybody/client that wants to visit your oscommerce site store? I understand password protecting the admin area, but how would you go around doing this (protecting the entire store) without having the visitors type a username and password?

 

I must be missing something here.

 

Thanks for your help.

Yes, and that is the whole point. When you have an unsecured osC installation you don't want anyone being able to access it but you so that you have time to get all the security patches installed. Once the security patches are installed then you can remove the password to the entire site leaving the password on your admin directory.

 

It's a couple of hours, tops. And it will prevent the hackers from being able to destroy your install until you can get the updates in.

 

What you are missing is the temporary nature of the suggestion.

Mark,

 

I’m glad this post is still alive. After reading and studying the answers I got, I found I had some follow-up questions to Kevin’s helpful answers. Maybe you or Kevin too can shed some light on these follow-ups. Thanks.

 

Follow up to:

Answers to Questions 1, 2, and 4:

a. How can I determine the date I was hacked, to compare that date to the date of my backup files, to see if backup date is earliest?

 

Answers to Question 3:

a. I used website security feature in cpanel to create a password for my account. If I understand correctly, in securing it, I created a .htaccess file?

b. I did use Notepad to create an empty .txt file named “.htaccess”, but I don’t have a clue how to create the kind of code that goes in. How do I learn? See my follow-up question to Question 8.

 

Answers to Question 5:

a. What are some examples of code I could wish to use?

 

Answers to Question 7 and 9:

a. What are some examples of “needs” for which I should customize an .htaccess file.

b. Where and how do I test code?

 

Answers to Question 8:

a. How many .htaccess files do I need to create?

b. Where are they each stored?

c. Where can I find Sample code for each file I need.

 

Answers to Question 10:

a. We know “everything” is supposed to mean just that, but what if one doesn’t know what’s included in “everything”? In deleting “everything”, does this mean I need to also delete my website, built with the Just Host cpanel, or do I just delete osC?

b. I’ve downloaded all the security add-ons and unzipped each into a separate folder on my PC. I understand I can use FileZilla to upload to osC. But into which folder/subfolder does each of these security add-ons go?

c. Is it the Site Manager in FileZilla that is used to upload add-ons and other files to the right osC folder?

Answers to Questions 1, 2, and 4:

a. How can I determine the date I was hacked, to compare that date to the date of my backup files, to see if backup date is earliest?

Having the Site Monitor contribution would alert you the next time it runs after being hacked. Failing to have Site Monitor installed you will have to compare every file in each directory with your backup looking at the dates. But if you did any manual updates the dates may differ. If you have .php files in your image directory then the date of that file may give you some indication.

 

 

Answers to Question 3:

a. I used website security feature in cpanel to create a password for my account. If I understand correctly, in securing it, I created a .htaccess file?

b. I did use Notepad to create an empty .txt file named “.htaccess”, but I don’t have a clue how to create the kind of code that goes in. How do I learn? See my follow-up question to Question 8.

Yes, cPanel either creates or edits an existing .htaccess file to add directory security.

Although you can manually create the code that would require directory security you cannot create the password without command line access. That is why you use cPanel to create the directory security for you. But there are dozens of purposes for an .htaccess file. You can find complete documentation at www.apache.org but it would be best to simply rely on the contributions that use the features. The authors have already done that research. It makes for some good reading if you are into that sort of thing.

 

Answers to Question 5:

a. What are some examples of code I could wish to use?

There is code that prevents cross site scripting, for example. There is a contribution that gives you that code. Ultimate SEO URLs uses code in an .htaccess file. Unless you really want to do a lot of research just pay attention to the contributions that utilize the file.

 

 

Answers to Question 7 and 9:

a. What are some examples of “needs” for which I should customize an .htaccess file.

b. Where and how do I test code?

Needs? Password protection, URL rewriting (as in SEO URLs), forcing https, to name a few. I use .htaccess for preventing access to certain directories like 'scripts', 'admin', 'phpMyAdmin', 'pma', and a host of others that hackers use to attempt to gain access to your files. Testing depends on the purpose of the code.

 

 

Answers to Question 8:

a. How many .htaccess files do I need to create?

b. Where are they each stored?

c. Where can I find Sample code for each file I need.

I have maybe 3 or 4. Don't remember. One on my images directory prevents the execution of php files. One on the root has the SEO URLs in it. The one in admin has password protection and forces https.

An .htaccess file affects the directory it is in and any sub-directory. You put it in the directory for which you want to affect the behavior. See www.apache.org for purposes and sample code. But it's better to just stick with proven contributions.

 

 

Answers to Question 10:

a. We know “everything” is supposed to mean just that, but what if one doesn’t know what’s included in “everything”? In deleting “everything”, does this mean I need to also delete my website, built with the Just Host cpanel, or do I just delete osC?

b. I’ve downloaded all the security add-ons and unzipped each into a separate folder on my PC. I understand I can use FileZilla to upload to osC. But into which folder/subfolder does each of these security add-ons go?

c. Is it the Site Manager in FileZilla that is used to upload add-ons and other files to the right osC folder?

When we say delete everything we mean to delete the contents of the directory that osC is installed in, and the directory if not in root. Don't try to delete your public_html directory. If you have a website in public_html with multiple sub-directories, and osC is installed in 'catalog' then delete the catalog directory and all its sub-directories.

 

Each add-on has a specific set of instructions. You don't merely upload the files in the contribution to your site. There is usually some editing of existing files to integrate the contribution code into the osC files.

 

I don't use Filezilla so will not comment on that. Usually, you will have to:

 

Make a backup of the file that needs to be changed by downloading to a 'backup' directory on your home computer.

Download the file again into a 'working' directory on your computer.

Use a suitable php editor to alter the file using the directions in the contribution.

Then upload the edited file to the proper place on your site.

Test.

If the test is unsuccessful then check all of your edits in the file and try again.

If you cannot get it to work then upload the copy in your 'backup' directory to fix your shop.

 

Keep in mind that there are similar named files in different directories and you must not confuse them by uploading a file to the wrong directory. They are not the same file.

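One way to do the file-by-file comparison with the backup that the reply above describes, as an added example (not code from the thread or from the Site Monitor contribution): it hashes a downloaded copy of the site against the backup, flags the `eval(base64_decode` marker quoted in the first post, and lists PHP files sitting in the images directory. The function names and the sample tree are constructed; the date hint assumes the download kept the server's file timestamps.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Marker quoted in the thread ("<?php /**/eval(base64_decode..."); spacing tolerated.
INJECTED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
PHP_EXT = {".php", ".phtml", ".php5"}

def list_files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_with_backup(site_dir, backup_dir, images_dir="images"):
    """Compare a downloaded copy of the live site with a known-good backup."""
    site, backup = list_files(site_dir), list_files(backup_dir)
    out = {"added": [], "modified": [], "injected": [], "php_in_images": []}
    for rel, path in sorted(site.items()):
        if rel not in backup:
            out["added"].append(rel)
        elif digest(path) != digest(backup[rel]):
            out["modified"].append(rel)
        if path.suffix.lower() in PHP_EXT:
            if INJECTED.search(path.read_bytes()):
                out["injected"].append(rel)
            if rel.startswith(images_dir + "/"):
                out["php_in_images"].append(rel)
    out["missing"] = sorted(set(backup) - set(site))
    return out

def oldest_suspect(site_dir, report):
    """Earliest-mtime added/modified file (needs server timestamps preserved)."""
    suspects = report["added"] + report["modified"]
    key = lambda rel: (Path(site_dir) / rel).stat().st_mtime
    return min(suspects, key=key) if suspects else None

def build_demo(root):
    """Constructed sample trees: a clean backup and a tampered site copy."""
    root = Path(root)
    clean = {"index.php": "<?php echo 'shop'; ?>\n",
             "english/index.php": "<?php define('TEXT_MAIN', ''); ?>\n",
             "images/logo.gif": "GIF89a"}
    for tree in ("backup", "site"):
        for rel, body in clean.items():
            target = root / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Constructed, inert payload (base64 of the word "CONSTRUCTED").
    hit = root / "site/english/index.php"
    hit.write_text('<?php /**/eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>' + hit.read_text())
    os.utime(hit, (1_280_000_000, 1_280_000_000))
    dropped = root / "site/images/thumb.php"
    dropped.write_text("<?php /* constructed placeholder */ ?>\n")
    os.utime(dropped, (1_270_000_000, 1_270_000_000))
    return root / "site", root / "backup"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, backup = build_demo(tmp)
        print(compare_with_backup(site, backup))
```

A file reported as modified but not injected may be a legitimate manual update, which is the caveat the reply raises about dates differing.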

Archived

This topic is now archived and is closed to further replies.
