Guest Posted November 20, 2009

Who knows what the hackers are trying to do with this attack from the log (24 hours a day)?

[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]

www.xxxx.nl = website of my customer.

OK, when my customer had his osCommerce shop on the first server (PHP 4 and register_globals on), the hackers could get in and installed malware in some directories for phishing emails (showing fake screens for PayPal and JP Morgan Bank logins). After warnings from PayPal and JP Morgan Bank we had to secure the server/website better, so my customer moved to another provider and I changed the website to PHP 5 with register_globals off (no updates of osCommerce to later versions). So now on the new server the hackers are busy 24 hours a day (an automatic process) trying to get in with the above attack (they have failed so far, but maybe one day we will have the same problem).

What are they trying to do? Who can explain it to me?
What security updates from later versions are important for osCommerce (MS2)?
Why do they attack my customer? What have they detected, and how, to choose my customer?
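As an added, defender-side example (not code from the thread): a small Python parser for error-log lines in the layout shown above, aggregating the blocked requests per client and per rule so that repeat scanners stand out. The log lines, client IPs, hostname and unique_ids are constructed; the rule id and message are the ones from the post.

```python
import re
from collections import Counter

# Constructed sample in the Apache 2.x / ModSecurity 2.x error-log layout shown in the post.
# Client IPs, hostname and unique_ids are placeholder values; the rule id and message are
# the ones from the thread. The long "Pattern match" string is abbreviated.
SAMPLE_LOG = """\
[Wed Nov 11 19:54:56 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.example.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "ID0001"]
[Wed Nov 11 19:55:02 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.example.nl"] [uri "/temp/gif.php"] [unique_id "ID0002"]
[Wed Nov 11 19:55:30 2009] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Wed Nov 11 20:01:11 2009] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.example.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "ID0003"]
"""

HEAD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                     r"ModSecurity: Access denied with code (?P<status>\d+)")
TAG_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')   # the trailing [key "value"] fields


def parse_line(line):
    """Dict of fields for a ModSecurity 'Access denied' line; None for any other log line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(TAG_RE.findall(line))   # adds file, line, id, msg, severity, hostname, uri, ...
    return rec


def summarize(log_text):
    """Blocked requests per client and per (rule id, message), plus the distinct URIs each client probed."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    uris = {}
    for e in events:
        uris.setdefault(e["client"], set()).add(e.get("uri"))
    return {
        "events": len(events),
        "per_client": Counter(e["client"] for e in events),
        "per_rule": Counter((e.get("id"), e.get("msg")) for e in events),
        "uris": uris,
    }


def repeat_offenders(summary, threshold=2):
    """Clients blocked at least `threshold` times: candidates for a firewall block or a closer look."""
    return sorted(ip for ip, n in summary["per_client"].items() if n >= threshold)
```

On a real server, feed the Apache error log through summarize() and look at "uris": a single client hammering the same phishing-kit path under /temp is the automated process described in the post, and the 403s confirm the rule is holding.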
spooks Posted November 20, 2009

> Who knows what the hackers are trying to do with this attack from the log (24 hours a day)? [...] Why do they attack my customer, what and how have they detected to choose my customer?

ms2 won't work with rg off unless modified; have they turned rg back on in the app?

They would be best upgrading to 2.2rc2a and adding security: http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam
Guest Posted November 20, 2009

> ms2 won't work with rg off unless modified; have they turned rg back on in the app? They would be best upgrading to 2.2rc2a and adding security: http://www.oscommerce.com/forums/index.php?showtopic=313323
Guest Posted November 20, 2009

Thanks Sam, I will study your changes to make some old sites of my customers more secure. You can change MS2 to rg off with modifications in application_top and /functions/sessions.php. I sent the attack to the RSA and PayPal organisations, but nobody answers, only to take your website down. But maybe after your modifications they can't get in anymore (until now they still fail).
Guest Posted November 20, 2009

> Who knows what the hackers are trying to do with this attack from the log (24 hours a day)? [...] Why do they attack my customer, what and how have they detected to choose my customer?

Is one trying to install the folder/program "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php" on the webserver? When they were successfully on the previous server, they installed malware in that folder! But how and where do they come in, and do they use a password, or is that not necessary for this?
spooks Posted November 21, 2009

> Is one trying to install the folder/program "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php" on the webserver? When they were successfully on the previous server, they installed malware in that folder! But how and where do they come in, and do they use a password, or is that not necessary for this?

My suspicion is they have still hacked the site; it's just that your server security is blocking some of the stuff they try. Remember, when sites are hacked they often leave hidden back doors; that's why it's best to wipe at the host, then restore from a known clean backup. If the site is not properly secured there are a number of ways in without passwords; see my thread and Jan's thread on admin that I linked to in it. Good luck!

Sam
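Following Sam's point about hidden back doors left behind after a compromise, an added example (not from the thread or the osCommerce project): a Python check that walks a web root and flags scripts inside directories that should only ever hold uploads or images, such as temp/, the directory the ModSecurity rule in the first post matches on, plus PHP code hiding in files with a non-script extension. The directory list and the sample web root are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Assumption: runtime-writable directories of a typical osCommerce-style install.
# "temp" and "wiki_up" are the prefixes the ModSecurity rule in the thread matches on.
WRITABLE_DIRS = {"temp", "wiki_up", "images", "pub"}
SCRIPT_EXT = re.compile(r"\.(?:php[345]?|phtml|cgi|sh)$", re.IGNORECASE)
PHP_OPEN = re.compile(rb"<\?php|<\?=")   # PHP open tag inside a supposed image/text file


def scan_webroot(root):
    """Return sorted (relative path, reason) pairs for files a clean shop should not contain."""
    findings = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in files:
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            if top in WRITABLE_DIRS and SCRIPT_EXT.search(name):
                findings.append((rel, "script in upload/temp directory"))
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN.search(head) and not SCRIPT_EXT.search(name):
                findings.append((rel, "PHP code inside non-script file"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root: two legitimate files and two planted ones (bodies are placeholders)."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": b"<?php require('includes/application_top.php');",
        "images/logo.gif": b"GIF89a placeholder",
        "images/gif.gif": b"<?php /* constructed: disguised script, body omitted */",
        "temp/paypallogin_page_login/webscr.php": b"<?php /* constructed phishing page */",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{reason}: {rel}")
```

Run it against the real document root before trusting a "restored" site; anything it reports that is not in the known clean backup is a candidate back door.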