
WoodsWalker

Weird Stuff in "Who's Online"


Hi Folks,

 

Every now and then when I look at "Who's Online", under "Last URL" I see this:

 

/catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm?

 

or something similar.

 

I have no such paths in my site.

 

I checked what was at http://babycaleb.fortunecity.co.uk/index.htm, at peril of getting viruses, and it looked like a legit page of baby pictures (but who knows?).

 

The IP Address of this entry was 65.93.226.125, which turned out to be a not-particularly-suspicious address from Bell Telephone in Toronto.

 

Anyone seen this kind of thing? Know what it is?

 

Thanks,

~Wendy


Haven't experienced this before, so not 100% sure if you are or aren't ... I would download your index.php file from your server and check it thoroughly for any malicious code...


Thanks! Good idea. In fact, I had already done a search of my whole site for babycaleb and fortunecity, with none found.

 

What's the best way to search for malicious code? Any particular tags, etc.?

 

~Wendy


If you have a backup of index.php, just compare the two to see if there are any new lines ... look for any new JavaScript tags or any new PHP tags ... I don't want to frighten you, but to me it seems as though somebody has tampered with your files, but as I said before I'm not 100% sure ... check your /images directory and make sure there are no new .php files in there or .js files that don't belong to you - images is usually the first directory that gets hit, as many people leave this directory world-writable so anybody could access and write to it.


Hi sLaV-

 

OK, did all that (I assume you mean /catalog/index.php). I didn't find anything spooky. It's good news!

 

Maybe this will remain a mystery? I don't know what causes it, but I hope people on my site aren't being redirected.

 

Thanks again,

~Wendy


Same experience here today. Server was out. Something with need to flush. Now shop is online again and I see the same url in who's online.


I've been seeing this for a while now too. Interesting that the link is a pic of someone's child, the mother and the mother's c-section scar. Weird. Anyone else figure out anything new on this? I noticed it now has 2 different links in there instead of the one.


I would call your host and figure out what is going on.. it is either a hack or something REALLY funky happening with a shared server


A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable, unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyways!

 

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there, I will find time to get back and answer you

 

Proud Member of the CODE BREAKERS CLUB!!


I saw it again today - checked the IP and it was somewhere in Asia this time I think. The plot thickens.

 

I've checked the files in my site for any weirdness - nothing seems to be wrong. Yes Lindsay - checking with my host might be a good idea.

 

Interesting that someone else is getting this too. Jayman - where are you located? I am in Canada, and my host is Bell Hosting.

 

~Wendy

p.s.: I don't know enough PHP to understand what could give rise to a URL such as "/catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm?". Is it some sort of redirect? :unsure:


I see this stuff occasionally in my own site when visiting Who's Online via Admin.

 

Wendy...have you actually copied and pasted the URL in your browser to SEE where it takes you?

 

I do...and thankfully, it always takes me to a legitimate page in my own website.

 

I refer to this bunch in my head as 'baby' hackers. They're trying to do something, but...they don't know what they're doing. LOL.

 

Just take note of the IP address you see when you catch it...and block them either via your .htaccess file or Cpanel.


I'm in New Jersey. I did a search for that URL online and it appears to show up in a lot of other sites' histories also. Last night I blocked the IP in my CP and it knocked it off immediately. If anything it seemed to just be eating up bandwidth. I'm going to keep an eye out and see if it hits me from other IP addresses.


If you copy and paste the whole url, including your domain name into your browser does it take you to the other website?

 

If it does then you have an open redirect taking place - which means that your website is using old unpatched code dating back to the osCommerce 2.2 MS2 version of 2003. If that's the case then you need to download osCommerce 2.2 MS2 (060817) from sourceforge.net and manually update your website with the 2005 and 2006 bug fixes and security updates contained in the update file.

 

Vger

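An added illustration of Vger's point, not code from this thread or from osCommerce: a genuine osCommerce cPath is a chain of numeric category ids joined by underscores (for example 22_28), so a cPath value that carries a whole URL, as in the "Who's Online" entries above, is a probe rather than a real category link. This Python script scans Apache-style access log lines (the sample lines and the example.invalid host are constructed here) and reports such requests per client IP, which gives a clearer picture than blocking addresses one at a time.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl

# A genuine osCommerce cPath: numeric category ids joined by "_", e.g. "22" or "22_28".
CPATH_RE = re.compile(r"^\d+(_\d+)*$")

# Apache combined-log prefix: client IP, then the request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def is_valid_cpath(value: str) -> bool:
    """True only for the numeric id chain osCommerce actually expects."""
    return bool(CPATH_RE.match(value))

def suspicious_params(target: str) -> list:
    """Return (name, value) pairs whose value is an absolute URL or a malformed cPath."""
    query = urlparse(target).query
    flagged = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r"^(https?|ftp)://", value, re.IGNORECASE):
            flagged.append((name, value))          # a URL smuggled into any parameter
        elif name == "cPath" and not is_valid_cpath(value):
            flagged.append((name, value))          # cPath that is not an id chain
    return flagged

def scan_log(lines):
    """Map client IP -> list of flagged (name, value) pairs seen from that IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines that are not request records
        for pair in suspicious_params(m.group("target")):
            hits[m.group("ip")].append(pair)
    return dict(hits)

# Constructed sample lines; 203.0.113.0/24 is a documentation range, not a real client.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2008:10:00:01 +0000] "GET /catalog/index.php?cPath=22_28 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2008:10:00:02 +0000] "GET /catalog/index.php?cPath=http://example.invalid/index.htm? HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2008:10:00:03 +0000] "GET /catalog/product_info.php?products_id=31 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, pairs in scan_log(SAMPLE_LOG).items():
        print(ip, pairs)
```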

Hi Lindsay, Jason, Andrea and Vger,

 

Thanks for all the input.

 

The answer to the big question is: No, the full URL (my URL, redirect and all) does not take me to an outside page - it takes me to a slightly scrambled (but only to my eye) page of my products.

 

Saw it again today under another IP - I was thinking of blocking them, but then I had this thought:

 

Can I be sure whether the IP addresses I'm seeing with these weird URLs are the "causes" or the "victims" of the strange redirect addresses?

 

Thanks,

~Wendy


Glad to hear you haven't found anything more sinister! If it were me, just to feel more secure, I'd delete the entire site and re-upload a fresh copy (assuming you keep a working copy locally; if not, you should). Also, be sure you have all the security mods installed.

 

@jason: Never put off updating security features or bug fixes just because it's a lot of work. Recovering from a hack can be a great deal more work. Bugs can also drive away customers. It's well worth a few hours (or even a few days) to update software if it saves a sale or two. As to blocking IPs, if those are dynamic IPs you won't be stopping the hacker completely but you will be blocking innocent people on the same host.


I thought I was pretty up to date, or at least hoped so. I installed it around last July. Looks like I have v2.2 RC1. Any idea if that is up to date? Also, what security features are there that you all suggest that I can pop in there, maybe even from the contributions? I don't see that this babycaleb URL is doing anything more than just using up bandwidth, but I'm not a pro so I could be wrong. I haven't had any complaints or noticed anything on the site changing.


Security Mods

 

hth


Well just a little update... I have added the Security Pro to prevent injection. I still see the darn babycaleb hitting the site so not sure if this is helping any.

 

Jason


probably because the code is already in there.. you need to find it and get it out.


Here's something I found on a Google search for "babycaleb".

 

A guy's web page about index.php exploits

 

Apparently this is a fellow with his own server who got so annoyed by hack attempts that he began to log them. The "babycaleb" thing turns up quite a bit, and he has it categorized under attempted "index.php exploits".

 

Unfortunately, he gives no further information on server security or how to get rid of these attempts aside from blocking IPs.

 

I don't even understand what it is these hackers are "attempting" to do. Perhaps simply to show their mighty presence?

 

Anyone know more about index.php exploits?

 

~Wendy


I saw that too, but like you said there just wasn't any useful info. I looked through my index.php for anything related to caleb and no luck. Last night I saw it in my who's online hit me from 3 different IPs at one time. Seems some are from Canada and some from the USA. So, chances are if you start blocking IPs you are gonna start losing customers that originate from those same servers. Not to mention it looks like you would be fighting an endless battle of IPs from this. I just wish for the life of me I could figure out what it was doing or trying to do, cause I can't see anything in my site being affected. If I copy the whole link and paste it, it just brings up a normal page in my site that lists all my categories by the thumbnail image. Didn't look like anything strange to me. Someone has to know something about this one.

 

Jason


Something interesting I just noticed..... if you click on the link to the babycaleb page, scroll to the bottom, below her showing her belly in front of the fish tank. Click on the white and drag all the way down. There is a ton of characters hidden in there. If you view the source there is a ton of crazy coding, with a lot of it beginning with the $ symbol. I also opened it in Dreamweaver to look into the code more and I can't make heads or tails of it. There is a lot of mumbo jumbo mixed in there. I looked at it through this link: http://babycaleb.fortunecity.co.uk/index.htm?
