TechHui

Hawaiʻi's Technology Community


Off-the-shelf oscommerce is inherently hackable.  But you can secure it by following these steps:

 

Steps 1, 2 and 3 are absolutely essential. Step 4 is important if you're using any oscommerce contributions (e.g. community-supplied modifications and enhancements), but it is a good idea anyway because it adds extra protection from SQL injection hacks.

 

Do this after you install oscommerce – even before you configure your client's store. Not doing these leaves your entire server open to hacking. If you have an existing oscommerce site and haven't taken these steps, do them right now....then go thank your lucky stars you weren't hacked.

 

  1. Delete /admin/file_manager.php (#1 hack target)

  2. Rename your /admin to something else

  3. Use cPanel's “Password Protect Directory” to password protect the newly named admin directory.

  4. Secure your database SQL using Security Pro (http://addons.oscommerce.com/info/7708)

    1. Upload fwr_media_security_pro.php to your /includes/modules directory

    2. Edit your /includes/application_top.php slightly (see the readme)

 

If you want to play cat and mouse with the malicious bots you can install what is called a “honey pot” or IP trap. There are a few oscommerce contributions which automate this process but I like to have more control since I sometimes forget that I renamed admin and fall into my own trap :-)

 

Here's how to install a simple IP trap that notifies you when a bad bot trolls through places it shouldn't go.

 

  1. Edit your domain's robots.txt to say:

    User-agent: *
    Disallow: /admin/

    A good bot (like search engine bots) will read your robots.txt and avoid the directories you disallow. A bad bot will either ignore your robots.txt or read it and go straight to the disallowed directory and look for an opportunity to hack your server.

    You have to do this step or you'll be plagued with search engine bots falling into your trap. If you don't have a robots.txt, just create it in a text editor, add the above two lines and upload it to the top directory of the domain (e.g. public_html or public_html/[Addon Domain Name]).

  2. Create the following (text) file (which you will name index.php) and put in your own info:

    <?php
    // Record the visitor's address and email it to you.
    $ip = $_SERVER["REMOTE_ADDR"];
    mail("[YOUR EMAIL HERE]", "Hack attack on [YOUR DOMAIN HERE]/admin", $ip, "From:noreply@[YOUR DOMAIN].com");
    ?>


  3. Make a copy of this file and call it file_manager.php (since this is the admin file that the malicious bots look for most).

  4. Upload both index.php and file_manager.php to your (fake) /admin directory (not your renamed and real admin directory...these files go in your false directory that is named “admin”)
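As an added example (not from the original post), here is a slightly more defensive version of the trap file. It logs every hit to a file outside the web root, keeps user-supplied values such as the User-Agent out of the mail headers, emails you at most once per IP per hour so a bot hammering the trap can't flood your inbox, and answers with a 404 so the bot learns nothing. The email address, domain and log path are placeholders; the same file can be copied to index.php, file_manager.php or any other decoy name in the fake /admin directory.

```php
<?php
// Added example: defensive IP trap for the decoy /admin/ directory.
// Assumptions: replace the placeholders below; the web server user can write LOG_FILE.

const NOTIFY_EMAIL  = 'you@example.com';              // placeholder
const DOMAIN        = 'example.com';                  // placeholder
const LOG_FILE      = __DIR__ . '/../../iptrap.log';  // assumed path outside public_html
const MAIL_COOLDOWN = 3600;                           // seconds between emails per IP

$ip  = $_SERVER['REMOTE_ADDR'];                  // set by the server, not by the client
$uri = $_SERVER['REQUEST_URI'] ?? '';
$ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';

// Log every hit; strip CR/LF so a crafted User-Agent cannot forge extra log lines.
$clean = static function (string $s): string {
    return str_replace(["\r", "\n"], ' ', $s);
};
$line = sprintf("%s %s %s %s\n", date('c'), $ip, $clean($uri), $clean($ua));
file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);

// Rate-limit notifications per IP using a small marker file in the temp directory.
$marker = sys_get_temp_dir() . '/iptrap-' . md5($ip);
if (!file_exists($marker) || time() - filemtime($marker) > MAIL_COOLDOWN) {
    touch($marker);
    // Only server-controlled values go into the headers; request data stays in the body.
    $headers = 'From: noreply@' . DOMAIN . "\r\n";
    mail(NOTIFY_EMAIL, 'Hack attack on ' . DOMAIN . '/admin', $line, $headers);
}

// Pretend nothing is here.
http_response_code(404);
```

The log file gives you the requested path and User-Agent as well as the IP, which helps when deciding whether a hit is a client's browser or a scanner before you deny the address.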

 

What to do if you get an email that a bot has fallen into your IP trap

 

I like to check the IP first (to make sure it doesn't come from my client). I use http://whatismyipaddress.com/ip-lookup because I can also look up whether this IP has been blacklisted. (Be aware that some IPs are blacklisted for spam purposes just because they belong to an ISP, and most ISPs don't allow their customers to operate mail servers. So your own IP may show up blacklisted on the mail blacklist.)

Once I'm sure the IP is a malicious bot, I use cPanel to IP Deny it on all my domains (on all my servers).

 

Just today I saw 3 different bots trolling through a client's domain (which wasn't even an oscommerce site) looking for /admin/file_manager.php. These bots are set to recursively search through all the domains they can find, trying again and again to strike it rich (malicious-bot-wise) by hitting an installed /admin/file_manager.php file which will then let them upload a rootkit and run amok on the server.

 

I can absolutely guarantee you that if you don't delete admin/file_manager.php (the real one – not your IP trap) your oscommerce site will be hacked. And when it is hacked, your entire server will be hacked. So I cannot stress enough how important it is to secure your oscommerce site.


Comment by Karen Chun on May 14, 2011 at 4:32pm

Sorry, Brian, I have been programming for too long to be sucked into these "my language can beat up your dad's language" flame wars.

 

I was gently trying to point out that you were being arrogant but perhaps I was too subtle.

Comment by Fred Baclig on May 14, 2011 at 12:12pm

"PHP sucks for the same reason VB sucked in the 90s. It's a relatively easy language to code in"

 

Couldn't one say the same about Python and Ruby? Python and Ruby's syntax is more readable than PHP. Not to mention I'm sure we'd see the same amount of poor coding if Python or Ruby had stepped up to the plate first.

 

Now, if we were talking about performance... I'd have nothing to say there :)

Comment by Brian on May 14, 2011 at 2:19am

"It's not very sensible for most companies to manage their e-commerce infrastructure;"

 

I would disagree with this statement.

 

Care to elaborate?

 

Brian sez: "I use the term php developer loosely because I don't really consider php a language"

And you are dissing php and php programmers because...?

 

I don't really want to hijack your post into a thread of why I think php sucks, but since you asked.. briefly:

 

PHP sucks for the same reason VB sucked in the 90s. It's a relatively easy language to code in, so as a result there's a lot of terrible software out there. Google "php image gallery" and you'll understand what I'm talking about. This is problematic in a real sense, because these atrociously-written apps result in compromises.

 

phpBB anyone?


Of course, you can argue that this doesn't matter - Facebook is mostly php and they're wildly successful as a company. Perhaps it wouldn't have been implemented without such an easy to use language. Youtube, WordPress, digg, wikipedia - all heavily use/used PHP. So in terms of creating successful applications PHP has a great record.

 

But it's also a bit of a ridiculous argument nowadays when much cleaner languages that are just as easy to use (e.g. Python) are available. 10 years ago this was more compelling because the alternatives weren't there as much. Nowadays if you want to be the next big thing, grab some EC2 or GAE infrastructure and rapidly write your stuff in ruby or python.

 

As far as the language itself:

 

* No unicode support

* Namespacing? Oh they finally added it in 5.3 but there's such a legacy of crap out there that this was rather late.

* Slow, caching is a kludgey approach to improving its performance. Zend wants to make $$ from you.

* Scales poorly - this is why Facebook has such absurdly large datacenters. In their case it doesn't matter because Zuckerberg can just swim in his money pool, but most companies care about overhead costs - and won't have such margins.

* Ugly language full of inconsistent & confusing naming conventions. Doesn't necessarily affect the applications you write, but why would you choose this when better alternatives exist?

Comment by Karen Chun on May 12, 2011 at 7:33am

Brian sez: "I use the term php developer loosely because I don't really consider php a language"

 

And you are dissing php and php programmers because...?

Comment by Karen Chun on May 12, 2011 at 7:31am

"It's not very sensible for most companies to manage their e-commerce infrastructure;"

 

I would disagree with this statement.

Comment by Karen Chun on May 12, 2011 at 7:29am

Brian is correct that some malicious bots will (as I said in my post) use your robots.txt to go directly to the places you've asked them not to go.  For that reason, I don't include /wp-admin as disallowed.

 

Well behaved bots like google and other search engines aren't going to go there even though you don't list it in your robots.txt as "Disallow".  So there is no need to draw attention to that directory and make the malicious bots' job easier.

 

However, it is my experience that the vast majority of bots are programmed to brute-force look for vulnerabilities by searching out wp-admin/whatever-the-vulnerability-du-jour.php without regard to whether there is even a wp-admin on your server.

Comment by Brian on May 11, 2011 at 6:38pm

While not directly related to your original post, it's worth noting that robots.txt can essentially be a roadmap to your vulnerabilities if you use it to say "hey, important stuff I don't want indexed".

 

Robots.txt is not a security mechanism, it is for telling webcrawlers not to index certain content - for example dynamic caches.

Comment by Brian on May 11, 2011 at 6:29pm

You have to be careful with honeypots; often they just attract attention.

 

Perimeter security is not a very effective strategy anyway; if you have critical data - encrypt it, or don't put it on a public facing server, etc etc..

 

It's not very sensible for most companies to manage their e-commerce infrastructure; outsource it to someone reputable with more resources than you. There are tons of DIY php+mysql e-commerce/image gallery/forum apps out there and nearly all of them are poorly written. I don't think your average "php developer" even knows what a parameterized query is (I use the term php developer loosely because I don't really consider php a language).

Comment by Karen Chun on May 7, 2011 at 3:06pm

Uh-oh....noticed 5 different IPs looking for .../admin/categories.php.  Turns out there's a vulnerability in the oscommerce file /admin/categories.php.  But you all aren't worried, right?  Because you renamed your admin and password protected it, right?

 

But for those who decided to go ahead and implement an IP trap, copy your ip trap file ALSO to /admin/categories.php.

 

BTW, even if you don't have an oscommerce site, if you want to clear out malicious bots by trapping them, you can simply create a /admin/ directory and add the above IP trap files to it.

 

I see that the malicious bots are also trolling for /admin/banned.php.  Haven't tracked down what package has this particular file yet.  Anyone know?
