
Attack by hackers to install malware


5 replies to this topic

#1 Felix Scheiffers

  • Community Member
  • 47 posts
  • Real Name: Felix Scheiffers

Posted 20 November 2009, 03:47

Who knows what the hackers are trying to do with this attack from the log (24 hours a day):

[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]

www.xxxx.nl = the customer's website ...

Ok, when my customer had his osCommerce shop on the first server (PHP4 and register_globals on) the hackers could come in and installed malware in some directories for phishing emails (showing fake screens for PayPal and JP Morgan Bank logins). Ok, after warnings from PayPal and JP Morgan Bank we had to secure the server/website better, so my customer moved to another provider and I changed the website to PHP5 and register_globals off (no updates for osCommerce to later versions).
So now on the new server the hackers are busy 24 hours a day (an automatic process) trying to come in with the above attack (they have failed so far, but maybe one day we will have the same problem).
What are they trying to do? Who can explain it to me?
What security updates for later versions are important for osCommerce (MS2)?
Why do they attack my customer, and what and how have they detected to choose my customer?

Edited by Felix Scheiffers, 20 November 2009, 03:53.
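To make sense of log lines like the one above, it helps to pull the ModSecurity fields apart and count what is being blocked per client and per rule. The following is an added example written for this thread (not osCommerce or ModSecurity project code): it parses Apache error_log entries in the format shown, and flags denied requests that name a script under the writable directories the quoted rule covers (wiki_up, temp). The first sample line is the one quoted in the post; the other three are constructed for the demonstration (TEST-NET addresses, a placeholder rule id "000000" and placeholder unique_ids).

```python
"""Parse ModSecurity 2.x entries from an Apache error_log and triage them.

Added example for this thread; not osCommerce or ModSecurity project code.
The first sample line is the one quoted in the thread; the rest are
constructed (TEST-NET addresses, placeholder rule ids) for the demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Apache error_log prefix, then everything up to the first [key "value"] tag.
_HEAD = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]\s]+)\] '
    r'ModSecurity: (?P<action>.*?)\s*(?=\[\w+ ")'
)
# Bracketed key/value tags such as [id "390147"]; values may contain escapes.
_TAG = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

# Writable directories named in the rule quoted in the thread (wiki_up|temp).
UPLOAD_DIRS = {"temp", "wiki_up"}
SCRIPT_EXT = (".php", ".php3", ".php4", ".phtml", ".cgi", ".sh")


@dataclass
class ModSecEvent:
    timestamp: str
    client: str
    action: str          # e.g. "Access denied with code 403 (phase 2). ..."
    tags: dict           # file, line, id, msg, severity, hostname, uri, ...

    @property
    def denied(self) -> bool:
        return self.action.startswith("Access denied")

    @property
    def rule_id(self) -> str:
        return self.tags.get("id", "")

    @property
    def uri(self) -> str:
        return unquote(self.tags.get("uri", ""))


def parse_line(line: str) -> Optional[ModSecEvent]:
    """Return a ModSecEvent, or None for error_log lines ModSecurity did not write."""
    m = _HEAD.match(line)
    if not m:
        return None
    tags = {t.group("key"): t.group("val") for t in _TAG.finditer(line, m.end())}
    return ModSecEvent(m.group("ts"), m.group("client"), m.group("action"), tags)


def targets_upload_script(uri: str) -> bool:
    """True when the request names a script inside one of the writable dirs."""
    path = uri.split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    return (len(parts) >= 2 and parts[0].lower() in UPLOAD_DIRS
            and parts[-1].lower().endswith(SCRIPT_EXT))


def triage(lines) -> dict:
    """Summarise a batch of log lines: totals, per-client counts, upload-dir hits."""
    events = [e for e in map(parse_line, lines) if e is not None]
    critical = [e for e in events if e.tags.get("severity") == "CRITICAL"]
    return {
        "events": len(events),
        "denied": sum(1 for e in events if e.denied),
        "by_client": dict(Counter(e.client for e in events)),
        "critical": len(critical),
        "upload_script_hits": [(e.client, e.rule_id, e.uri)
                               for e in critical if targets_upload_script(e.uri)],
    }


SAMPLE_LINES = [
    # Line quoted in the thread (real entry from the poster's server).
    r"""[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]""",
    # Constructed: same rule, a second client probing the temp/ directory.
    r"""[Wed Nov 11 20:01:13 2009] [error] [client 203.0.113.45] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:wiki_up|temp)/.*\\.(?:php(3|4)?|tml|cgi|sh)" at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/update.php"] [unique_id "CONSTRUCTED-0001"]""",
    # Constructed: a warning-only rule (placeholder id) that did not block.
    r"""[Wed Nov 11 20:03:41 2009] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "example" at ARGS:keywords. [file "/etc/asl/CONSTRUCTED.conf"] [line "1"] [id "000000"] [msg "Constructed example rule"] [severity "WARNING"] [hostname "www.xxxxx.nl"] [uri "/index.php"] [unique_id "CONSTRUCTED-0002"]""",
    # Constructed: ordinary Apache error, not a ModSecurity entry.
    r"""[Wed Nov 11 20:04:02 2009] [error] [client 203.0.113.45] File does not exist: /var/www/html/favicon.ico""",
]

if __name__ == "__main__":
    for client, rule, uri in triage(SAMPLE_LINES)["upload_script_hits"]:
        print(f"{client} hit rule {rule} asking for {uri}")
```

Run it against a copy of error_log (`triage(open("error_log"))`) to see which clients keep hitting the upload directories; a steady stream of 403s from the same rule is the automated probing described in the post, and a sudden stop or a change to 200 responses in the access log is the signal worth investigating.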


#2 spooks

  • Community Member
  • 7,017 posts
  • Real Name: Sam
  • Gender: Male
  • Location: UK

Posted 20 November 2009, 11:00

Felix Scheiffers, on 20 November 2009, 03:47, said:

Who knows what the hackers are trying to do with this attack from the log (24 hours a day):

[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]

www.xxxx.nl = the customer's website ...

Ok, when my customer had his osCommerce shop on the first server (PHP4 and register_globals on) the hackers could come in and installed malware in some directories for phishing emails (showing fake screens for PayPal and JP Morgan Bank logins). Ok, after warnings from PayPal and JP Morgan Bank we had to secure the server/website better, so my customer moved to another provider and I changed the website to PHP5 and register_globals off (no updates for osCommerce to later versions).
So now on the new server the hackers are busy 24 hours a day (an automatic process) trying to come in with the above attack (they have failed so far, but maybe one day we will have the same problem).
What are they trying to do? Who can explain it to me?
What security updates for later versions are important for osCommerce (MS2)?
Why do they attack my customer, and what and how have they detected to choose my customer?


MS2 won't work with rg off unless modified; have they turned rg back on in the app? They would be best upgrading to 2.2rc2a and adding security: http://forums.oscommerce.com/index.php?showtopic=313323
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#3 Felix Scheiffers

  • Community Member
  • 47 posts
  • Real Name: Felix Scheiffers

Posted 20 November 2009, 23:28

spooks, on 20 November 2009, 11:00, said:

MS2 won't work with rg off unless modified; have they turned rg back on in the app? They would be best upgrading to 2.2rc2a and adding security: http://forums.oscommerce.com/index.php?showtopic=313323


#4 Felix Scheiffers

  • Community Member
  • 47 posts
  • Real Name: Felix Scheiffers

Posted 20 November 2009, 23:34

Thanks Sam, I will study your changes to make some old sites of my customers more secure.

You can change MS2 to rg off with modifications in application_top and /functions/sessions.php.

I sent the attack to the RSA and PayPal organizations but nobody answers, only to take your website down.

But maybe after your modifications they can't come in anymore (until now they still fail).

#5 Felix Scheiffers

  • Community Member
  • 47 posts
  • Real Name: Felix Scheiffers

Posted 20 November 2009, 23:50

Felix Scheiffers, on 20 November 2009, 03:47, said:

Who knows what the hackers are trying to do with this attack from the log (24 hours a day):

[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]

www.xxxx.nl = the customer's website ...

Ok, when my customer had his osCommerce shop on the first server (PHP4 and register_globals on) the hackers could come in and installed malware in some directories for phishing emails (showing fake screens for PayPal and JP Morgan Bank logins). Ok, after warnings from PayPal and JP Morgan Bank we had to secure the server/website better, so my customer moved to another provider and I changed the website to PHP5 and register_globals off (no updates for osCommerce to later versions).
So now on the new server the hackers are busy 24 hours a day (an automatic process) trying to come in with the above attack (they have failed so far, but maybe one day we will have the same problem).
What are they trying to do? Who can explain it to me?
What security updates for later versions are important for osCommerce (MS2)?
Why do they attack my customer, and what and how have they detected to choose my customer?

Is someone trying to install the folder/program "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php" on the webserver? When they were successful on the previous server, they installed malware in that folder! But how and where do they come in, and do they use a password, or is that not necessary for this?

#6 spooks

  • Community Member
  • 7,017 posts
  • Real Name: Sam
  • Gender: Male
  • Location: UK

Posted 21 November 2009, 02:15

Felix Scheiffers, on 20 November 2009, 23:50, said:

Is someone trying to install the folder/program "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php" on the webserver? When they were successful on the previous server, they installed malware in that folder! But how and where do they come in, and do they use a password, or is that not necessary for this?


My suspicion is they have still hacked the site; it's just your server security is blocking some stuff they try. Remember, when sites are hacked they often leave hidden back doors; that's why it's best to wipe the host, then restore with a known clean backup.

If the site is not properly secured there are a number of ways in without passwords; see my thread & Jan's thread on admin I linked to in it.

Good luck!
Sam

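Sam's point about hidden back doors is the reason a clean backup matters: once you have a copy you trust, you can hash every file in it and compare against the live document root, so that any script dropped into a writable directory or any modified include shows up by name. The following is an added example, not code from this thread or from osCommerce: it builds a SHA-256 manifest of two directory trees and reports what was added, removed or changed, then lists the added or modified script files as back-door candidates. The demo scenario (a placeholder osCommerce layout, a planted page under temp/, a tampered sessions.php) is constructed inside a temporary directory so it runs offline; point `snapshot()` at a real backup and a real docroot to use it for real.

```python
"""Compare a live document root against a known-clean backup by file hash.

Added example for this thread; not osCommerce code. The demo tree is
constructed in a temporary directory and its file contents are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute; the ones in the thread's rule.
SCRIPT_EXT = (".php", ".php3", ".php4", ".phtml", ".cgi", ".sh")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files present only in the live tree, only in the backup, or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def suspicious(diff: dict) -> list:
    """Added or modified executable scripts: candidates for a planted back door."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.lower().endswith(SCRIPT_EXT))


def _write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def run_demo() -> dict:
    """Constructed scenario: clean backup versus live docroot after a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean_backup"
        live = Path(tmp) / "live_docroot"
        for root in (clean, live):
            _write(root, "index.php", "<?php require 'includes/application_top.php';\n")
            _write(root, "includes/application_top.php", "<?php // bootstrap (placeholder)\n")
            _write(root, "includes/functions/sessions.php", "<?php // sessions (placeholder)\n")
            _write(root, "temp/.htaccess", "Options -Indexes\n")
        # Changes only on the live host: a page dropped into the writable temp/
        # directory and a modified core include (both constructed for the demo).
        _write(live, "temp/paypallogin/webscr.php", "<?php // fake login page (placeholder)\n")
        _write(live, "includes/functions/sessions.php",
               "<?php // sessions (placeholder)\n// tampered line\n")
        diff = diff_snapshots(snapshot(clean), snapshot(live))
        diff["suspicious"] = suspicious(diff)
        return diff


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Store the backup manifest somewhere the web server cannot write to and re-run the comparison from cron; the "suspicious" list is what to read first, but a modified .htaccess or a new file in an image directory deserves the same look, since the rule in the log only catches names it already knows.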