osCommerce

Security Advice : Recommendations/advice re SiteLock.com


PeterCourt

Hi,

I'm after some advice. I am an IT Support professional but not a coder, nor web hosting experienced. My wife wants a small website to allow purchasing as an adjunct to her school uniform shop.

We paid $600 to a mob to develop an *** based Shopping site (no live Credit card needed). It was a freelancer project and I'm not convinced we picked well, nor trust them fully now.

We are on BlueHost. Even during development (which took about 4 months elapsed) it was hacked a few times. Eventually once 'completed' it was hacked before we could use it and has never been up long enough to go live.

I only have a backup from shortly after handover (8 months ago) and a recent scan showed a virus. I thought I'd cleaned that (but very unsure fully what to do) and put it back up, but it got hacked again and within 3 weeks it's suspended by BlueHost for SPAM / Virus etc.

BlueHost recommended Sitelock.com (from an "amazing $12.95"). I called them and was told I needed an "Enterprise" pack ($200) plus a $59 pack. I paid, then the next day I get a mail saying it's another $550 to clean the site and to "harden" ***. The $200 was for ongoing daily scanning etc. for 12 months, not cleaning, they explain, and the $59 was just a fixed cost to get a quote.

I've reopened dialogue with the original developer as nothing changed yet, so his copy should be clean and would be OK still. Avoiding a clean fee from SiteLock.

My questions are I suppose:

Q1: Are SiteLock fees reasonable?

i.e. is $550 to clean a hacked site reasonable?

Is $200 for 12 months of daily 'scanning' worth it? (I'm sort of committed to that but might try to get a refund if you feel their service is of marginal value)

Is $200 to 'harden' an osCommerce site reasonable?

Q2: Is my developer negligent in not securing the site initially? It doesn't seem reasonable that a 'vanilla' site is so hackable numerous times?

Q3: Any experiences with Sitelock? Are they reputable/competent otherwise?

Thanks in advance.

rgds .. Peter


I am assuming you have been sold an outdated version of osCommerce. Once the site is cleaned out of the virus code, install the addon called osC_Sec, it's free. Unlike Sitelock, daily scans, and whatever other services out there that look for general hack techniques, osC_Sec has in it the patch that puts paid to the security hole that is in the obsolete versions of osCommerce.

$550 for a cleanup probably sounds reasonable depending on the time it takes to clean out the script. Of course, any freelancer worth their salt would have just had a good backup and then all they needed to do was hit the restore. How long would that take... 10 minutes?

Daily scanning is a post mortem way of dealing with website security. It is best to fix the actual security hole that is in the outdated versions of osCommerce right from the outset.

$200 to harden osCommerce? Well yep, a freelancer could charge that for the time taken to rename the admin directory, add htaccess to the new admin, protect the image directory from being read, and add addons like osC_Sec to actually protect your site.

I guess the point is, if they had set it up properly from the outset you wouldn't have had to deal with this at all. osC_Sec was first released back in January, so there has been a free addon at least since that time that deals directly with the security hole in 2.2x.

Sitelock sounds reasonable as a service for dealing with generic database attacks, but why pay when there is an addon that does all that plus actually addresses the issues in osCommerce? It doesn't hurt though to have both Sitelock and osC_Sec running.

osC_Sec also does all the SQL injection protection that Sitelock boasts about. The thing about the security hole that is in earlier versions of osC_Sec is that it is unique to osCommerce, so there are no generic site protection systems that are going to catch it unless they have specifically dealt with the issues that osCommerce faces, of which the main one is not a database injection but a remote file upload and a method of bypassing the admin login.

And osC_Sec is free.

Except you will either have to install it yourself, or get someone to install it for you. Once installed, that's it: no recurring fees, no daily scanning; if an attack occurs, an email will be sent to you if you wish telling you all the technical details you need, as well as banning the attack.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Depends Chris, if all you are running on your website is a 2.2 version of osCommerce and you have osC_Sec installed then yes, I completely agree with you, services like Sitelock would be surplus.

The 2.2 range of osCommerce is vulnerable to at least one database injection that I know of, however it is yet to become a part of the main attack vectors being levelled at osCommerce users' websites. That is not to say it isn't being exploited, it is a known vulnerability; it's just not as easy to exploit as the current admin bypass security hole.

Many of the other osCommerce derivatives also suffer from database injection vulnerabilities, even ones that claim to have 'concrete' level security.

It is the reason I added the dbShield section to osC_Sec, so in that sense then yes, you do not need Sitelock if all you are running is one of the 2.2 versions of osCommerce with osC_Sec installed, or if you are running 2.3.1.

However if you are also running other freebie systems like Joomla or WordPress, whose plugins are rife with database injection vulnerabilities... then you had better get a system of some sort that deals with all database injections at a server level, or you can pretty much kiss your site goodbye.



I agree Te, but there are still soooooo many insecure websites out there and companies that offer services for 'site monitoring' and 'website cleaning' are merely taking advantage of website owners because most of the time their services DON'T include SECURING the site. They purposely don't offer the service because that would put an end to their recurring income.

Chris


No doubt that sort of thing is going on, some of it intentional, most of it because IT professionals have only learnt about security in a book... and have no real world experience.

Some of the Apache mods that were supposed to end database injections have not lived up to their hype either. Eventually the coding in those mods will catch up with their sales hype and at that point we should see an end to the dreaded database injections, but until then it has to be addressed at the script level, firstly by a high standard of coding, or at an addon/contrib level to catch any mistakes by developers.

Every programmer makes mistakes, and almost all scripts in the past have had errors in them that led to database leakage of one form or another. It is no simple thing to develop a system like osCommerce or a forum or other type of CMS.

What has changed in the past 5 years is a massive increase in script users who do not know the first thing about PHP, so are not able to patch their sites unless the system offers a point and click update function.

osCommerce 2.x is of the old school where addons are added in via hand coding; updates are the same. If you look at WordPress for example, even though its plugins are plagued with database security and file injection issues, you can see how the more modern methods are being employed: select and install or update without any knowledge of coding.

Hopefully once osCommerce and other popular scripts move in that same direction, companies that offer bogus services to assist people with no knowledge of PHP will be a thing of the past.

Taipo



Archived

This topic is now archived and is closed to further replies.
