Jump to content

Archived

This topic is now archived and is closed to further replies.

DunWeb

IP Trap Variable

Recommended Posts

Ok, I have been watching hackers trying to access clients osCommerce sites through the admin vulnerabilities.

 

If you use Supertracker you will see they try to access the site though URL's like this:

 

/oscommerce-pri-64.html?reviews_id=1/admin/file_manager.php/login.php

 

 

So, since my Admin directory has the IP trap in it (my admin directory was renamed and I placed the IP trap in a dummy Admin directory) I also created a /file_manager.php directory and placed a login.php file in it that contains the same information as Fimbles fake index.php file.

 

 

So, now there are 1000-1500 less bad url requests per day.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

Share this post


Link to post
Share on other sites

No matter which way the attackers try to obscure that type of attack, the end resulting request URL will always contain the following:

 

.php/login.php

 

So as a stop gap measure, if you add something like this to the top of both includes/application_top.php files:

 

if  (strpos($getvariables, ".php/login.php") !== false) {
die("oops you got nabbed"); // choose what you want to do with this request
}


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Sorry that last code should be:

if  (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) { 
       die("oops you got nabbed"); // choose what you want to do with this request 
}


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×