Jewelion Web Design

osCommerce: Recovering from a Hack Attack

Julian — Fri, 29 Apr 2011 07:17:26 +0000

I was called upon yesterday to sort out a website running osCommerce. It had been installed a few years ago, had a few modifications added and that was it. No security updates. Ever!

The first sign something was amiss was it became impossible to browse the shop. I quickly traced that to a key missing file. When the file was replaced all appeared to be OK again. It was then a matter of how that file came to be missing. Was it human error, a deliberate act of focussed sabotage or something destructive but less personal? Fortunately, as the incident unfolded, the first two possibilities were eliminated.

Emails arrived indicating that a page had been set up on the site phishing for people’s bank details. Then another page, then another. The hunt was on then to find and eliminate the phishing files and the files left by the hackers which enabled the phishing files to be deposited. Simply removing these is no use as the vulnerability that let the hackers in in the first place has to be addressed.

First: the default admin folder was renamed and the vulnerable files were removed (file_manager.php, define_languages.php). Then various security updates and modifications were applied. Finally a site monitoring tool was installed and run to check for suspicious files, files that should be there but with suspicious content and to alert to future changes. The site monitor found a dozen files that had been deposited over the past week, plus 5 bona fide files that had nasty stuff injected into them by the hackers.

The site is now thoroughly cleansed and all is well. But monitoring continues, both for intrusion attempts and any security updates.

If you have an osCommerce site that needs updating or you suspect/know has been hacked, contact Jewelion Web Design today – we can help!

webmasterjewelioncom
T:01691 682428
M:07980444071
Visit our osCommerce Services Pages

Euthanasia in the aisles

Julian — Thu, 28 Apr 2011 15:24:59 +0000

As the computerised lady thanked me for using Sainsbury’s Self Check-out, for one awful moment I had a vision of Dignitas’s Swiss practices making their way into the supermarkets.

Clever Cash Machine

Julian — Thu, 28 Apr 2011 15:19:32 +0000

I was in Gobowen the other day, walking past the Co-op. The ATM had a notice on it saying “This cash machine will charge £1.85 for withdrawals.”

No, the cash machine won’t charge you. The bank operating it will charge you.

Presumably they feel less opprobrium will be heaped on their shoulders if they . . . → Read More: Clever Cash Machine

Validation -W W Worth it?

Julian — Tue, 14 Sep 2010 13:48:01 +0000

We all need standards. In a car it’s useful to be able to know that everybody is maintianing the same standard as to which side of the road they drive on – mostly. Or that what Shell calls diesel will work in a diesel engined car. If everybody sticks to standards then we all know where we are and everything will work smoothly. And so it is in the world of web page design. Or is it?

There is a body, the W3c, which develops standards on which all web pages should be constructed. They have a page where you can test your website for compliance – here it is: http://validator.w3.org/

As an embryonic web developer back in the miasma that was in the days of Internet Explorer 2, Netscape 3 and AOL’s very own custom browser, standards were a right royal pain. Just getting a page to work and display was success enough. Now things have changed, the world has moved on.

There is a rich satisfaction when the green square of validation reveals itself that perhaps only someone who has struggled with proprietary html tags and attributes can understand. This is often followed by an intense depression as testing reveals that beautifully crafted html, that perfect layout which works in all modern browsers actually chokes Internet Explorer 6. Yes, it’s still out there. Yes we have to cater for it.

But I digress. We can write html which validates. Is there ever a case for allowing non-validating html code? I think the answer has to be a guarded “yes, sometimes”. Why? Well, once upon a time if you had come to jewelion.com you would have seen the proud boast “always bespoke”. Things have changed, the world has moved on. There’s so much that can be done in such a sophisticated manner that it is just not practical to develop it all from the ground up, to engage in needless wheel re-invention. Take the little carousel on the front page of this website – someone has developed that and very kindly made it available. However, they didn’t pay close attention to standards and it doesn’t validate. At first it produced over 20 errors – I have corrected them but there remains one.

As the page works – is the existence of one validation issue important? I think not.

Backscatter

Julian — Tue, 31 Aug 2010 14:09:44 +0000

It seems that it is almost impossible these days to do or say anything that in some way does not cause offence. And, when it comes to running a server attached to the internet there are innumerable new ways in which to breach the code of conduct to which all should adhere if they wish to be good “netizens”.

While checking all was well in cyberspace, imagine my horror at discovering that the mailserver was in fact on a blacklist for abhorrent behaviour. Now, years of experience has taught the value of a certain fastidiousness when it comes to making sure that the mailerver is locked down to prevent abuse by spammers and/or scammers. However there it was, in black and white: I was officially a backscatterer!

Backscatter isn’t a particularly nice sounding term. Indeed it conjures up images of unfortunate medical conditions – the least said the better. But, in order to get to grips with it, we need to have some understanding of what it means.

When an email arrives at the mailserver there are two basic options. The server can accept it and take delivery of it for further processing or it can REJECT it there and then, ie refuse to handle it. Having accepted the email, if the server then finds it is unable to deliver it to the appropriate mailbox it can then DROP or BOUNCE the message. DROP means, just that, forget the message ever existed and delete it. Not always a good idea because the sender of the message will not know it didn’t reach its target. BOUNCE is much friendlier because the sender is notified of non-delivery.

As we know spammers often send their emails with a forged “From address”. Also they also try their luck by sending emails to a vast combination of names @yourdomain.co.uk in the hope that some are valid. If the server is set up to accept the email, then check to see if the user exists and if it doesn’t, to BOUNCE the email back, and if the From address is forged then that unfortunate and entirely innocent address is going to be on the receiving end of a lot of spam.

The answer is to set the server to check that recipient address is valid before accepting it. If it is not then to REJECT it, which stops the process then and there.

Backscatter.org maintains the blacklist. They’re not a particularly pleasant bunch, requiring money if you wish to be removed from their list – you can opt to wait for a month and let the listing expire if you’d rather not pay. Which is what I did.

First Post

Julian — Tue, 17 Aug 2010 16:30:53 +0000

This is a website about Web design, so the blogs on this site will mostly be centered around that topic. However, we are humans with a wider sphere of interest than just the internet and computers so expect a few articles on “other stuff”.