Anjula
Dear Customers,
 
We would like to notify you about possible hack attacks on your site configuration files if the 'install.php' file was not deleted from your installation.
 
To avoid such attacks, we strongly recommend performing the following steps:
 
1) Delete the file 'install.php' from your server (if it wasn't deleted earlier).
2) Rename the 'admin' folder to any name you choose and update your bookmarks.
3) Unselect 'writable' privileges for all folders, except for the 'images' folder.
4) Check your Admin panel for unknown PHP code (it can be placed in the footer body, for example).
5) Change the login/password for your Admin panel (via Administration > System > Administrators > Change password) and make sure you are not using default details such as admin/admin.
 
Please feel free to contact our support team with any issues or problems.
 
With kind regards,
ViArt Support Team
Last modified: 23 Sep 2008 2:41 PM
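
The following script is an added example and is not ViArt's code or part of the post above. It turns steps 1, 2 and 4 of the alert into checks that can be run against a shop directory: it reports a leftover install.php, a directory still named admin/, and PHP files containing constructs that injected backdoors commonly use. Assumptions: the shop root is passed as the first argument, the file names are the ones the alert itself names, and the list of suspicious functions is this script's own heuristic, so hits need a human look (a clean shop may legitimately call some of them). Code stored in the database, such as footer HTML edited in the Admin panel, is not on disk and still has to be reviewed in the panel as step 4 says.

```shell
#!/bin/sh
# Added example, not ViArt's code: post-install audit for steps 1, 2 and 4
# of the alert above. Assumptions (labelled): the shop root is passed as $1;
# the paths checked are the ones the alert names (install.php, admin/); the
# list of suspicious PHP functions is this script's own heuristic.

# Step 1: install.php must be gone. Returns 0 if absent, 1 if still present.
check_install_script() {
    root=$1
    if [ -f "$root/install.php" ]; then
        echo "FAIL: $root/install.php still exists - delete it"
        return 1
    fi
    echo "OK: install.php not found"
}

# Step 2: the default admin/ directory should have been renamed.
# Returns 0 if it is gone, 1 if the default name is still in use.
check_admin_renamed() {
    root=$1
    if [ -d "$root/admin" ]; then
        echo "WARN: default admin/ directory still present - rename it"
        return 1
    fi
    echo "OK: no directory named admin/"
}

# Step 4 (file side): list PHP files that call functions typically used by
# injected backdoors. Hits need manual review. Returns 1 if anything
# matched, 0 otherwise.
find_suspicious_php() {
    root=$1
    pattern='(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru)[[:space:]]*\('
    hits=$(find "$root" -type f -name '*.php' -exec grep -lE "$pattern" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "WARN: review these files for injected code:"
        echo "$hits"
        return 1
    fi
    echo "OK: no suspicious PHP constructs found"
}

# Constructed sample tree (not a real shop) so the audit can be tried offline:
# install.php left behind, default admin/, one clean and one backdoored file.
make_sample_shop() {
    dir=$1
    mkdir -p "$dir/admin" "$dir/images" "$dir/includes"
    printf '%s\n' '<?php echo "install wizard"; ?>' > "$dir/install.php"
    printf '%s\n' '<?php echo "clean footer"; ?>' > "$dir/includes/footer.php"
    printf '%s\n' '<?php eval(base64_decode($_POST["x"])); ?>' > "$dir/includes/layout.php"
}

# Run all checks against a shop root; exit status is the number of failed checks.
run_audit() {
    root=$1 failed=0
    check_install_script "$root" || failed=$((failed + 1))
    check_admin_renamed "$root" || failed=$((failed + 1))
    find_suspicious_php "$root" || failed=$((failed + 1))
    return "$failed"
}

# Usage: sh viart_audit.sh /path/to/shop
if [ -n "${1:-}" ]; then
    run_audit "$1"
fi
```

Run it from a shell account on the server rather than through the shop, so that the result does not depend on the web server's own permissions; a non-zero exit status is the number of steps still outstanding.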
 
SajMalik
3) Unselect 'writable' privileges for main folders.
 
Anjula
 
My folders are WRITABLE for Owner only. Is that right?
 
Thanks
 
Chris
 
freezer
3) Main folders: which folders are these exactly?
 
Just includes & admin, or more than those?
 
And yes, as per christopherO, is this just set to owners only, e.g. 755?
 
Maybe a little more time and therefore clarity could be devoted to this important warning! We are not all techies!
 
freezer
Does this also include the install Zend PHP files?
 
Anjula
Hello All,
 
Please find below the answers to your questions about the security alert.
 
Does this also include the install Zend PHP files?
 
No, you may leave zend php files on your server. There is no need to remove them.
 
Unselect 'writable' privileges for main folders.
My folders are WRITABLE for Owner only. Is that right?
 
Actually, it depends mostly on what type of owner you are. If you have complete root privileges (provided by your hosting provider), then you should leave 755 permissions, otherwise you won't be able to upload files via FTP. In this case no one except you will be able to access your file(s) and make changes there.
 
If you as the owner do not have root permissions, but rather access such as www-data:www-data, then it is strongly recommended to unselect any writable permissions to avoid a hack attack. www-data is just a sample name; it can differ between systems, e.g. apache:apache for FreeBSD, httpd:httpd for RedHat, www-data for Debian.
 
For example, with rwxrwxr-x root:root nobody except the root owner is able to change files, while with root:www-data anyone from the www-data group may access your files and edit them.
 
Therefore, it is advisable to check your owner's privileges and set the necessary permissions for your folders, taking into account your server settings and the owner's privileges.
 
With kind regards,
ViArt Support Team
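
The script below is an added example, not ViArt's code and not part of the reply above; it covers step 3 of the original alert together with the ownership reasoning in this reply. It lists every path the web server process could write to (owned by the web server's uid with the owner-write bit, in its gid with the group-write bit, or world-writable) and then applies the two permission policies the reply distinguishes: 755/644 when the files belong to a separate account, and removal of every write bit when the files belong to the web server account itself. Assumptions: the shop root is the first argument, the web server's numeric uid and gid are the second and third (obtained on the server with `id -u www-data` and `id -g www-data`, substituting apache or httpd where that is the account name), and images/ is the one directory that must stay writable, as in the alert.

```shell
#!/bin/sh
# Added example, not ViArt's code: applies the permission reasoning of the
# reply above (step 3 of the alert). Assumptions (labelled): the shop root
# is $1; the web server's numeric uid and gid are $2 and $3; images/ is the
# one directory that must stay writable, as in the alert.

# List every path under the shop root, images/ excluded, that the web server
# process could write to: owned by its uid with the owner-write bit, in its
# gid with the group-write bit, or world-writable. Anything printed is a file
# that code running inside the web server could alter.
find_web_writable() {
    root=$1 uid=$2 gid=$3
    find "$root" -path "$root/images" -prune -o \
        \( \( -user "$uid" -perm -200 \) -o \( -group "$gid" -perm -020 \) -o -perm -002 \) \
        -print
}

# Same check as a count, convenient for scripts.
count_web_writable() {
    find_web_writable "$@" | wc -l | tr -d ' '
}

# Case 1 of the reply: files belong to a separate account (root, or your FTP
# user), not to the web server. 755 on directories and 644 on files keep them
# editable for you and read-only for everyone else, including the web server.
harden_separate_owner() {
    root=$1
    find "$root" -path "$root/images" -prune -o -type d -exec chmod 755 {} +
    find "$root" -path "$root/images" -prune -o -type f -exec chmod 644 {} +
}

# Case 2: files belong to the web server account itself (www-data:www-data
# style hosting). Then the owner-write bit is the dangerous one, so drop
# every write bit outside images/. Add u+w back briefly when upgrading.
harden_web_owner() {
    root=$1
    find "$root" -path "$root/images" -prune -o -exec chmod u-w,g-w,o-w {} +
}

# Constructed sample tree (not a real shop): a world-writable includes/ and a
# mode-666 config file, the kind of thing a "chmod 777 to make it work"
# leaves behind.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/admin" "$dir/images" "$dir/includes"
    printf '%s\n' '<?php $db_host = "localhost"; ?>' > "$dir/includes/config.php"
    chmod 755 "$dir/admin"
    chmod 777 "$dir/images" "$dir/includes"
    chmod 666 "$dir/includes/config.php"
}

# Usage: sh viart_perms.sh /path/to/shop "$(id -u www-data)" "$(id -g www-data)"
if [ -n "${3:-}" ]; then
    find_web_writable "$1" "$2" "$3"
fi
```

Run find_web_writable first and read the list before hardening anything: if the shop's own account shows up as owner of everything, you are in case 2 and 755 alone changes nothing, because the web server is the owner whose write bit 755 keeps.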
 
freezer (Guest)
Thanks Anjula,
 
755 should do the trick for me !
 
Anjula
Hello,
 
In addition to the precautions we described earlier, you can also add an extra layer of defense by password-protecting your "admin" directory with an ".htaccess" file. The only inconvenience is that you'll need to log in twice; however, this measure will increase security.
 
For detailed instructions on creating an .htaccess file, please refer to the following articles:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
http://www.cs.dal.ca/studentservices/faq/tutorials/web_sites/htaccess.shtml
http://www.javascriptkit.com/howto/htaccess3.shtml
 
With kind regards,
ViArt Support Team
 
Last modified: 30 Sep 2008 1:19 PM
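
As an added example, not part of the ViArt post and not taken from the linked articles, this is the kind of .htaccess file the reply above refers to: it puts HTTP Basic authentication in front of the renamed admin directory. Assumptions: Apache 2.2 or 2.4 with AllowOverride AuthConfig permitted for the shop's document root, and a password file at /var/www/private/.htpasswd, a path chosen here for illustration because it lies outside the web root and so can never be served.

```apacheconf
# Added example, not from the ViArt post.
# File: <shop root>/<renamed admin directory>/.htaccess
AuthType Basic
AuthName "Shop administration"
# Assumed path; keep the password file outside the document root.
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Create the password file once with `htpasswd -c -B /var/www/private/.htpasswd youradmin` (the -B bcrypt option exists in the Apache 2.4 htpasswd; older versions fall back to MD5-crypt), and add further users without -c. Basic authentication only encodes the credentials, so serve the admin directory over HTTPS, and use a password different from the one set under Administration > System > Administrators, so that the two logins the reply mentions are two independent secrets.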
 
Keith (Guest)
I assume that all the advice above relates to just the admin folder?
 
arkid
Hi anjula
 
Can I recommend that you add a neat version of all these tasks to the final completion page of the installation wizard for the next version of Viart.
 
This would remind people at the moment they are most likely to make all the required changes.
 
arkid
Even better,
 
- the viart installation could check the rights of folders itself
 
- the admin and shop front end could display an error and not run until the install.php file had been deleted.
 
 
Similar things could be done to assist with many of the other tasks you recommend are applied to a newly installed shop.
 
 
I hope the next release can start automating and doing some of these checks itself.
 
Last modified: 1 Dec 2008 11:18 AM
 
Shoequeen (Guest)
Automation seems the most logical way to go, for sure. Crazy not to if it can be done, considering the massive fines for those not PCI compliant; and if they're not technical experts in any way... well, not everyone knows this stuff.