osCommerce Security – protecting and recovering from hacks

Recently, I’ve been seeing many osCommerce sites that are insecure. I’ve been emailing shop owners to let them know. To prove the point, I’ve been (after having permission to do so) uploading an image file to the insecure site, and pointing out that it could just as easily have been a page of malicious code uploaded instead…

So, what I want to do in this blog post is try to show every shop owner some steps they should take to secure their osCommerce.

1. Rename your Admin area to something completely random. So instead of it being yoursite.com/admin/ it is something like www.yoursite.com/frfrow0033kdie7/
2. Remove the admin file called file_manager.php and the file called define_language.php (note that rc3 delivers without the file_manager.php already)
3. Protect your admin area using .htaccess via your hosting control panel (note that osCommerce rc3 has this feature installed already via the admin area)
4. As a minimum, install the following addons listed here.

If you have already been hacked, then the most likely culprit is the “eval” hack, which inserts code at the top of almost every .php page, and adds a few extra malicious files. This “eval” code needs to be decrypted, and then the malicious files can be found and removed.

Once that’s done, then you must remove the “eval” code from each and every php file. Important to note that “eval” is in fact used by osCommerce legitimately – so you only need to find the malicious eval code (always at the top of each infected php page).

There are also other newer contributions that you can use to protect your site – such as Intrusion Detection System. Have a hunt for more in the osCommerce forum and addons area.

If all this is beyond the scope of your ability, please feel free to contact me (my email address is up there^^ )as I am happy to fix a hacked site and secure it against known hacks. Note that this is a commercial service that I offer, hence you would be paying commercial rates.