Archived

This topic is now archived and is closed to further replies.

Ariadnetheweaver

update or upgrade?

I've been using OSCommerce 2.2rcA for a while now, with good success. I don't have a big, busy store, but I've got quite a few products and used quite a few addons to get the look that I wanted.

 

Despite installing ALL the "major 5" security addons, I've been hacked twice since installing them, the latest only this week. Thankfully I keep regular backups so restoring to an unhacked state has been pretty straightforward.

 

I understand that 2.3.1 is better for security etc, so I'm after some advice really from anyone who has already done it.

 

I gather from the update instructions that I really have two options:

 

1) run all the manual update from 2.2rcA > 2.3 a (which says it's not a proper update though), and then 2.3->2.3.1

2) do a fresh install, reinstall any compatible addons, and import my database (hopefully).

 

The addons I had included (but not exclusively) the "product extra fields", one of the postage ones, plus the security ones. My major problem is that I can't remember all the additional addons I used, but it took me quite a long time to set the site up as I'm not an instinctive coder - I can follow instructions well however!

 

I have a lot of products and I did a lot of modification of files for both look and feel, and added files such as "FAQs" etc so I think that doing a fresh install is likely to take quite a long time. However I'm also aware that doing all the updating on individual files is also likely to take some time.

 

I'm lucky I guess in that my site is not particularly busy, nor is it seasonal, so being down over the holidays may be ok - it's not as if I have many orders - but I would like to know others' opinions - you've given me excellent advice in the past, and I would be interested to see if anyone else has had the same concerns, and what they ended up doing.

 

My site, by the way, recently restored after the latest hack attempt (and I got NO notification of any attempt!) is: www.ariadnetheweaver.org

Thanks

 

Sarah


If your rc2a site is running fine, then don't bother to upgrade. 2.3.1 has a steep learning curve, and barely any contributions work with it "out of the box". Those old contributions have instructions that bear no resemblance to the code in 2.3.1. You will struggle.

 

Your hack is still there. The reason for this is the "major 5" are fine, but you have leftover some code that is not fine.


Try to follow all the tips given in this thread:

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

 

You still have not renamed your admin folder for example.

 

Updating your 2.2 to 2.3 will be more work than rebuilding from scratch onto a 2.3 base IMO. Besides the security improvements in 2.3, there are also bugfixes, and deprecated code replaced etc. If you don't wish to fully upgrade to the 2.3 system, here is a guide for upgrading, but it is not 100% up to date.

 

http://www.oscommerce.info/confluence/display/OSCDOC22/Upgrade+Guide


> If your rc2a site is running fine, then don't bother to upgrade. 2.3.1 has a steep learning curve, and barely any contributions work with it "out of the box". Those old contributions have instructions that bear no resemblance to the code in 2.3.1. You will struggle.
>
> Your hack is still there. The reason for this is the "major 5" are fine, but you have leftover some code that is not fine.

Which file does your software say is still hacked? That's the same error as I was getting this morning, but since I restored my backup (which I believe is completely clean as it's been kept offline all the time since I initially installed it), the error went away. All my files seem fine, the datestamps are correct, the file sizes are the same, and I am not code savvy enough to go through every single file line by line to see if it's changed.

 

I tried renaming my admin folder when I first set the site up, all it meant was that nothing worked. Presumably it's a case of not just renaming it, but repointing some files to the right place. [edited to say Ah, found the post that explains this, I will try this change and see if it makes a difference]

 

My server is Windows based, and changing the file permissions seems to only work on a non-Windows server. Apart from those two things, I believe I had done all the things that were in the other post - I certainly tried to! :)


Sarah - your site isn't giving me that warning anymore. It was the index page of your site that was giving the warning, so the problem could have been in any file that makes up the component parts of that page.

 

It might be worth you updating to 2.3.1 - it's not too difficult - but on the proviso that some of the stuff you want/need (as in contributions) are not available right now, and may never become available. A typical example of something that I am having problems integrating into 2.3.1 is "option types v2" - I just cannot get it to work, and I am fairly experienced with osCommerce :lol:


> Sarah - your site isn't giving me that warning anymore. It was the index page of your site that was giving the warning, so the problem could have been in any file that makes up the component parts of that page.
>
> It might be worth you updating to 2.3.1 - it's not too difficult - but on the proviso that some of the stuff you want/need (as in contributions) are not available right now, and may never become available. A typical example of something that I am having problems integrating into 2.3.1 is "option types v2" - I just cannot get it to work, and I am fairly experienced with osCommerce :lol:

Hi Burt

 

Thanks again for replying. I suspect when you checked, that Google had cached the dodgy page - and took a while to update perhaps. (I haven't changed anything *since* you posted)

I've renamed my admin directory and am steeling myself to install from fresh and be prepared to spend some time re-inputting all my products etc. Might be a good time to chivvy my hubby into actually doing the artwork he promised 6 months ago, and go for a site makeover :)

 

I have an inkling that doing a completely new install of 2.3.1 and hoping I don't need to change *too* much may be my safest option (and even re-inputting all my products by hand if needed, hope not though). I suspect that going through all the files and changing what's needed to update my 2.2 version to 2.3.1 may take a lot longer and the chances of me missing something out are probably far higher. I'll probably wait post-Christmas so my kids are playing with new toys so I have more time!
