StopTheHacker

Protecting osCommerce Sites Against Malware

Posted on April 2, 2013 - 10:17 by ccondon

The following is a guest article by Anirban Banerjee, CTO & co-founder of StopTheHacker. StopTheHacker is a StopBadware Partner, and Dr. Banerjee is a regular contributor to StopBadware's community forum, BadwareBusters.org.

When it comes to starting an online store, osCommerce is a popular choice of e-commerce software. Like many other content management systems, osCommerce offers users free tools to set up and host online stores. osCommerce’s popularity can also make it attractive to hackers and malware authors. When your livelihood depends upon your website, it’s up to you to protect it from malware.

What Malware Does to Your Online Retail Store

If a hacker plants malware on your website, the upload may result in several unfortunate issues for you and your customers, including:

  • Opening pop-up ads whenever a user opens your page.
  • Receipt of multiple spam emails by customers that appear to come from you.
  • Slowing of the user's Internet connection or crashing of the user's computer.
  • Redirection to pages with viruses or malware.
  • Stealing of personal information.

As an online retailer, it’s easy to understand how badly a malware attack can affect your relationship with your customers. Customers can potentially suffer long-term consequences from a malware attack on your site, and your reputation will suffer, too.

Taking Care of Business

If you had a brick and mortar storefront, you would have insurance in case of an emergency, but you would also have locks on the doors. Having an online retail store is no excuse to skip this basic level of protection. Your store is a source of income, and you need to protect that income source against potential invaders. With a few simple steps, you can “lock up” your osCommerce store.

  1. Upgrade to the latest osCommerce online merchant package as soon as it’s available. Each update of the osCommerce package includes the latest security measures.
  2. Avoid third-party add-ons. osCommerce provides plenty of add-ons to enhance your site. Third-party add-ons can increase your risk of hosting vulnerable code on your site; if you do use code from third parties, you should always know where it comes from and how it's maintained. 
  3. Don’t wait for an attack to happen. Keep an eye out for any unauthorized changes or users. You can also scan your website regularly with an online malware scanner or other security tool to make sure hackers have not breached your site’s security.
  4. Consider signing up for website security. Website security companies can have trained experts monitor your site for suspicious activity, increasing the chances you’ll catch malware before it becomes an issue.
  5. Be proactive. This might include steps like:
    - Changing the name of the osCommerce “admin” folder before launching your site.
    - Choosing a difficult password that contains both numbers and characters to reduce the chance of a hacker figuring out your password.
    - Not using the same password with osCommerce that you use on any other website.
    - Deleting the “file_manager.php” and “define_language.php” files from osCommerce admin. According to osCommerce users, these files have known vulnerabilities.
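
The checks in steps 3 and 5 can be scripted. The following is an added example, not code from osCommerce or StopTheHacker: the function names are hypothetical, and it assumes GNU `sha256sum` and a store whose files all live under one document root. It flags a default-named admin folder and the two files named above, and lists files added or modified since a saved baseline.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes GNU coreutils sha256sum.

# Step 5: report a default-named admin folder and the two admin files the
# article says to delete. Prints one finding per line, nothing if clean.
audit_oscommerce() {
    # The admin tool should not sit at the default path.
    [ -d "$1/admin" ] && echo "DEFAULT_ADMIN_DIR $1/admin"
    # Search the whole tree, since the admin folder may have been renamed.
    find "$1" -type f \( -name file_manager.php -o -name define_language.php \) |
        sed 's/^/RISKY_FILE /'
}

# Step 3: hash every file under the root, sorted by path, so that two runs
# taken at different times can be compared line by line.
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# Compare the live tree ($1) with a saved snapshot file ($2). Lines that
# appear only in the new snapshot are files added or modified since the
# baseline was taken. Deleted files are not reported by this function.
changed_since() {
    { snapshot "$1" | diff "$2" - || true; } |
        sed -n 's/^> [0-9a-f]*  /NEW_OR_MODIFIED /p'
}

# Typical use, with the baseline stored outside the web root:
#   snapshot /var/www/shop > /root/shop.baseline     (after a clean install)
#   audit_oscommerce /var/www/shop
#   changed_since /var/www/shop /root/shop.baseline  (from a scheduled job)
```

Take a fresh baseline after every legitimate upgrade so that the report only shows changes you did not make.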

If your site does get infected with malware, take it offline as soon as something bad is detected and clean it up. Detection tools and webmaster forums (such as BadwareBusters.org) can help you do this; if you subscribe to a malware protection service, they can help you clean up quickly.

If you are looking to try your hand at online sales, osCommerce and other e-commerce management systems can be good options. Your osCommerce site is only as good as its security; by keeping it secure, you protect both your revenue stream and your customers.

StopTheHacker is a security company whose suite of technologies is designed to keep websites safe. They are also a StopBadware Sponsoring Partner. For more information, visit www.stopthehacker.com.

 

5 reasons why websites are hacked and blacklisted

Posted on February 21, 2012 - 09:26 by ccondon

The following is a guest post by StopTheHacker, a provider of website security services and a StopBadware Partner. Members from StopTheHacker are also active participants on StopBadware's community forum, BadwareBusters.org. They, and other experts on the forum, give webmasters advice on finding and getting rid of badware on websites that have been compromised.

Author: Anirban Banerjee, Co-founder at StopTheHacker
Contributor: Oliver Bock, Marketing Director at StopTheHacker

Thousands of websites are blacklisted on a daily basis. Many of these blacklisted websites are legitimate businesses, online portals, academic sites, entertainment outlets and more. The blacklisting often occurs as a result of the sites getting hacked and having malicious code injected without the permission of the websites' owners. In this article we provide some best practices to help website owners stay safe and stay off blacklists—like Google's Safe Browsing blacklist.

Why do sites end up on blacklists?
Malicious hackers and automated bots infect websites with malicious computer code (i.e., web malware). Security companies, search engines, browser manufacturers, and others will prevent or deter users from visiting these compromised sites in order to protect those sites' visitors. Hacked websites may also be used to launch spam and phishing campaigns. For example, a compromised site might try to convince Internet users to visit a fake banking page, buy pharmaceuticals, or something similar. This can cause sites to be blacklisted, too.

How do sites get hacked?
Websites can get hacked and compromised in many ways. Below are some of the primary methods.

  1. Poor choice of passwords. A lot of website owners use simple passwords. In a 2011 large-scale password analysis study, "123456" was found to be one of the most common passwords used. Choosing weak passwords leaves webmasters vulnerable to brute force attacks, where criminals try to log in using tools that try every easy-to-guess password.
  2. Insecure FTP connections. Many sites are infected after the FTP password and username are sniffed by a silent Trojan/rootkit that has been installed on the computer of a website administrator. Once a username and password are obtained, they're automatically passed on to a master controller (e.g., through an IRC chat room). This malicious actor accesses the website and infects the site with malware.
  3. Web application vulnerabilities. A lot of websites use Web 2.0 functionality in order to create a rich experience for users. This functionality takes many forms: posting comments (on blogs or Facebook, for example), signing up for newsletters, filling out support forms, and live chatting with others, to name a few. The applications that make these rich functionalities possible can all be avenues for malicious code injection, especially if they are not kept up to date.
  4. Third party add-ons. Third party add-ons for websites have become extremely popular for their ability to provide more interesting site functionality. Add-ons can offer functions like dynamic IP geolocation, image resizing, and much more. These third party pieces of code may harbor vulnerabilities that the original website owner may not even be aware of. Many webmasters might not realize that third party add-ons need to be updated in addition to software like WordPress or Joomla.
  5. Server level vulnerabilities. A large number of web servers on the Internet run vulnerable software, such as easily hackable FTP software. Sometimes, even though website and server administrators know about vulnerabilities in the server software, they forget to patch these security holes—leaving them vulnerable to hacks. These issues are primarily related to server setup and configuration. Improper permissions settings can give malicious hackers access to files they shouldn't be able to get to.

Essential tips to protect your website:

  • Never store credentials, like your FTP password, on your local PC. 
  • Use strong passwords and try to set up difficult-to-guess usernames (such as "av21bx" instead of "Alex").
  • If you use FTP, consider switching to a more secure solution, like ssh/SCP/SFTP.
  • Make sure to check your website frequently for web application vulnerabilities and malicious code. Vigilance can protect your visitors.
  • Install only reputable plugins. Make a list of all third party plugins you use, and be sure to update them regularly. Both the software you use to run your website and all your plugins should be kept current!
  • Set appropriate file permissions on your web server.
  • Make sure you regularly scan your local PC with at least one, and preferably more than one, antivirus engine. Antivirus software for your PC won't detect website infections, but using an infected local machine can cause a website to become infected, so it's important to protect your PC, too!

If you would like to learn more, please visit StopTheHacker's "Experts Explain" series of posts. StopBadware also has tips for webmasters who want to prevent or remove malware.