Strange parameter in URL - what are they trying?


aiyou


With whos_online, I'll see the following. 99% of the time, when I look up the IP, it's related to a mail server, dictionary attacker, etc.

00:00:00 Guest dynamic.vdc.vn 10:38:55 pm 10:38:55 pm Some Product Name (Product) Yes Yes
Name: Guest
ID: 0
IP Address: 113.162.222.1
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
osCsid: 4bbec7e4b61a58ba9263cbd950db5bdd
Referer?: http://www.mystore.com/product_info.php?cPath=73&products_id=319'A=0
Inactive with no Cart

and

00:00:00 Guest dynamic.vdc.vn 10:38:39 pm 10:38:39 pm Some Product Name (Product) Yes Yes
Name: Guest
ID: 0
IP Address: 113.162.222.1
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
osCsid: ba80ede01c5c4929bc16615cfcdac3aa
Referer?: http://www.mystore.com/product_info.php?cPath=73'A=0&products_id=319

 

What's with the A=0 value in the referer? What are they trying to accomplish, and how can I manage them with something like a bad behavior rewrite in .htaccess, rather than explicitly adding each IP as a deny?

 

Store is 2.3.3.4 with the 0-day patch, renamed /admin with .htaccess.

 

Would osc_sec address this?

 

Thanks

Rob

Link to comment
Share on other sites

It's most likely a hacker playing around to see what is valid for a URL on your site. But it could just be a malformed link where it may be posted. That IP is from Vietnam. If you know you won't do business with someone from Vietnam, block the whole country.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

I agree with Jack on the hacker playing.... It's probably just an automated server trolling through osCommerce websites to see if they can generate a database error, i.e. by adding the 'a=0. So that in and of itself is not an injection attempt; therefore osCSec will not block that attempt, but will block most if not all actual database injection attempts, which would be requests that look something like:

 

http://www.mystore.com/product_info.php?cPath=73&products_id=319'%20union%20select%20from.....

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites
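The distinction drawn in the replies above (a stray-quote probe versus an actual injection request) can be checked offline against logged request or referer URLs. The following is an added example, not part of the original thread and not osC_Sec code; the expected value shapes for `cPath` and `products_id`, the keyword list, and the 203.0.113.x addresses are assumptions or constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed value shapes for stock osCommerce parameters (not taken from the thread):
# cPath is category ids joined by "_"; products_id is an id plus optional {option}value pairs.
EXPECTED = {
    "cPath": re.compile(r"\d+(_\d+)*"),
    "products_id": re.compile(r"\d+(\{\d+\}\d+)*"),
}
# Keywords that mark an actual SQL payload rather than a bare quote probe (assumed list).
SQLI = re.compile(r"\b(union|select|insert|update|delete|sleep|benchmark)\b", re.I)
SEVERITY = {"ok": 0, "probe": 1, "injection": 2}


def classify(url):
    """Return 'ok', 'probe' or 'injection' for one request or referer URL."""
    verdict = "ok"
    # parse_qsl percent-decodes values, so %27 and %20 are seen as ' and space.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SQLI.search(value):
            return "injection"
        pattern = EXPECTED.get(name)
        if pattern and not pattern.fullmatch(value):
            verdict = "probe"  # known parameter carrying an unexpected value
    return verdict


def worst_by_ip(records):
    """Map each client IP to the most severe verdict seen across its requests."""
    worst = {}
    for ip, url in records:
        verdict = classify(url)
        if SEVERITY[verdict] >= SEVERITY[worst.get(ip, "ok")]:
            worst[ip] = verdict
    return worst


# Constructed sample records: URLs follow the thread, IPs are documentation addresses.
BASE = "http://www.mystore.com/product_info.php?"
SAMPLE = [
    ("203.0.113.10", BASE + "cPath=73&products_id=319'A=0"),
    ("203.0.113.10", BASE + "cPath=73'A=0&products_id=319"),
    ("203.0.113.20", BASE + "cPath=73&products_id=319'%20union%20select%20from....."),
    ("203.0.113.30", BASE + "cPath=73_12&products_id=319{4}3"),
]

if __name__ == "__main__":
    for ip, verdict in worst_by_ip(SAMPLE).items():
        print(ip, verdict)
```

Clients that only ever score `probe` match the scanning behaviour described in the replies; the same allowlist patterns can be the basis for a rewrite rule instead of per-IP deny lines.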

Archived

This topic is now archived and is closed to further replies.
