Someone contacted me telling me that my magento company website was not secure, and they addressed me to http://www.magereport.com/scan/. I told them that the patches were installed manually, which it was what I was told at the time by the developers. I double checked with the developers and they told me that the manually applied patches will not be considered in that url. I however checked this other one https://magento.com/security-patch and says that the website appear to be safe. (including the "bespoke" admin url
Could anyone confirm if it is true that the manually installed patches can't show in those url's?
In one hand I have to trust my developers, and I believe they are saying the truth, but on the other hand I had a couple of people (probably trying to sell something) telling me something different. In the meantime I want to make sure the site is safe, and there is no compromise to our customers details.
What would you recommend as the best plan of action?
Magento version is 1.8.1.0
Many thanks for your honest help!
i am checking my magento web site at regularly (one a week)
http://mxtoolbox.com/ (ip and domain badlist control)
http://sitecheck.sucuri.net/ (malware control)
http://www.unmaskparasites.com/ (malware control)
http://www.magereport.com/ (magento security patch control)
You can trust this web sites. And I think, enough to control these sites
http://www.magereport.com/scan/ is very accurate. I would trust your developers.
Magereport is checking site from front end and cannot see is your php files completly patched. You should check Magefence extension that check your site from backend by scanning php files for each security patch, beside other security features. This is most complete security extension for regular site owners. https://www.extensionsmall.com/mage-fence-security.html
Related
I'm an rather experienced web developer and have Plesk Onyx running on my dedicated server. It features 2FA via Google Authenticator. Inside Plesk, I added multiple WordPress-based webpages of mine and friends of mine. All of these WordPress installations are securely installed by Plesk and hardened access to by moving the admin area, globally disabling comments, 2FA, and so on.
Now a few days ago, a friend told me he was seeing massive ads on my webpage. Since the server also yields my company's page, that is perhaps something to take serious - so did I. However, I couldn't reproduce the ads or the pop ups, etc. - at all -, neither on my Windows machines (10 and Server 2016), nor on any mobile or laptop device. Yesterday, I was viewing my webpage with a friend of mine (desktop PC). And all of a sudden, ads are shown up when he clicks links in my WP menu and stuff like this. Very pushy, very much, absolutely... unacceptable.
I introduced myself as rather experienced web developer. However, I don't know how to tackle this. Whether my server was actually hacked or compromised, some WordPress plugin is messing up with ads (however, friend found problems on multiple sites that are not using the same plugins), or whatever. I think Plesk and WP are both strong and shouldn't be compromised that easy. Besides, I didn't notice any further.
How to tackle this?
Did you try Revisium Antivirus to scan your websites? It is available on Plesk extensions. I had a similar issue and Revisium Antivirus found all the files that were infected.
Also, check your friend's PC (web browser) for malware. There is some malware (hidden software) which can run adds or add strange links to your website. So, in that case, there is nothing to do with your server or websites.
At our office we use mediawiki as our intranet portal. Some of our departments like Sales, Support, etc use it to manage files on the network. They often link to Word/Excel documents with a file:// uri. The issue is everybody uses different browsers, ie explorer, Firefox, chrome. Often they cannot download files (link not working in certain browsers, browser security settings, etc). Is there a way to fix this for everybody without having to install additional software or change settings on each PC?
If possible I would like to keep linking to these local network files. I'd rather not upload them to google docs (extra work!) and use a share-link so it's just http.
Are you using the mediawiki way of posting links?
[[LinkHere]]
This might help with your issue, since MediaWiki chooses the way it is displayed.
https://www.mediawiki.org/wiki/Help:Links
Sorry. Cannot comment yet. This is not an answer.
am I just stupid or does Drupal have a big flaw? (probablt the former of the two..)
I have built a site with some public content and some private content. The problem is that even though menus can be hidden from public, unauthorized users, there is no stopping a visitor from just typing in node/5 (if node/5 were one of the private, hidden pages).
And I am baffled by how troublesome this is to fix. there is no basic functionality to fix this, and having tried two modules simple_access and access_control none of them work! Currently trying to fix a drupal 6 site. Any suggestions on modules that might fix this VERY BASIC functionality? Is Drupal not meant to handle corporate pages where you have external pages and internal sensitive content?
By the way, Drupal 7 is in the .9 stage, there are still VERY limited module availability, mostly everything is in an alpha stage and has been like forever, is there no development being done for D7?
The module that'll fix the problem for you is Nodeaccess; this is the opening text from the module page:
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role.
So that will do exactly what you want. Also the way Drupal's access system works means that any menu link that points to a node to which the user does not have access, will not be shown for that user. So you won't even have to hide your menu items any more, Drupal will do it for you :)
Regarding Drupal 7 contributed modules, the 'major' modules (Views, CTools, Devel, etc.) are all coming along nicely and are stable, in RC or at least beta. Because Drupal is open source the sole maintainers of smaller modules may not have the time to devote to bringing the Drupal 7 version alongside maintaining the v6 module (a lot of people still use D6 and there are still issues to attend to there).
Personally I've developed quite a number of D7 sites now and have found the contributed modules to be available and of a good quality (for the most part). I guess it just depends what specific functionality you need at the end of the day.
I think there's just a gap between your expectation and how Drupal actually works.
Drupal doesn't limit access to content based on whether or not that content is in the menu. On a site with thousands of nodes it would be overwhelming to have a menu of thousands of items.
Drupal has a rich node access system and there are dozens of modules which can help solve this problem. See the list of content access control modules for ideas on which you might use.
When I run into specific problems with modules I tend to follow a few steps:
re-read the README.txt file and INSTALL.txt file
re-read the project page to see if it links to any further documentation
read the issues for the project to see if any of them have similar descriptions of problems (click on the number links in the right sidebar of the project page)
create a new test site where the only thing I install is the module in question and then walk through the steps I think I should, documenting them in a new issue in the project issue queue as a "support request", and then ending the post with "expected results" and "actual results" - maintainers will usually get back in a few days time
nodeaccess module (http://drupal.org/project/nodeaccess) should work perfectly for you.
hi
i have a problem at my production site, client reported that he is not seeing data in lists of sharepoint, as well drop downs which have years in pages of site appear empty with one user A on machin X having with windows 7. but data and comes up and drop downs are now populated when accessed from machine Y with same user A.
i dont knw wht really the problem is. As to development site this issue is not produced,
plz help,
thnks in advance
From your question, I gather the data does exist and the same user can see the information from one computer but not another.
A couple things spring to mind. (I am presuming usage of Internet Explorer since SharePoint 2007 has some rather weird rendering issues with other browsers. Correct me if this is an incorrect assumption.)
First, Windows 7 has later versions of IE which can refuse to send network credentials to a server it doesn't think is part of the intranet (corporate network). What makes this especially frustrating is that IE will prompt for network credentials (a result of the challenge from the website) but will not transmit those credentials. Examine the IIS logs to see if this is the case. The requests will be void of credentials using IE but will be present using Firefox (and presumably any other web browser). The fix for this is usually as simple as adding the domain into the Local Intranet zone in Internet Options.
If this is not the case, can you confirm the user is using the same credentials? Is this integrated authentication using Active Directory or forms authentication?
Are there any differences between the two computers with regards to how they reach the SharePoint site? (Such as one is VPN, the other is directly connected)? Or are they essentially equal but with different browser/OS configurations?
Are the lists standard out-of-the-box lists or have they been customized with SharePoint Designer or any other means? Are you injecting JavaScript via a Content Editor Web Part which might not be executing correctly?
It would be very helpful to know browser versions used, OS versions used, differences in connectivity to the resource from each machine, type of authentication used, and any other thing you can think to list.
I wish you luck in tracking this down!
Windows 7 or xp has nothing to do over here probably it has to do with the browser which he is using to browse the site ask him to chk the internet explorer settings and verify that he has enabled execution of javascript and other related things
Warning: Something's Not Right Here!
www.mywebsite.com contains malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified www.mywebsite.comthat we found malware on the site. For more about the problems found on www.mywebsite.com, visit the Google Safe Browsing diagnostic page.
If you understand that visiting this site may harm your computer, proceed anyway.
One of our website is now down and it looks like this. What is the cause of this?
Please HELP.
I can only speculate what the cause is since you didn't provide the link, but my guess is that your site has been compromised. Look at your code and see if there is anything out of place. For example, a tag that is below your closing tag. Someone probably injected code on your site that contains data from their site. Google sees the domain that has been marked as malware and then says that your site has malware.
Can you provide a link to the code?
Just contributing a few links that might be more useful for folks looking to troubleshoot this problem when it comes up on their server.
Malware Blog
Post
Stop
Badware
If the website has been compromised, run the antivirus software on your PC to scan the entire computer. If any malware is detected, delete it. Remember to keep antivirus program up-to-date. If security tools don't work, refer to the instructions below:
http://www.pcworld.com/article/243818/how_to_remove_malware_from_your_windows_pc.html
http://blog.mightyuninstaller.com/infected-by-trojandownloadervbsagent-el-steps-to-completely-remove-trojandownloadervbsagent-el/