Jump to content

Archived

This topic is now archived and is closed to further replies.

Druid6900

Crawl or hack attempt?

Recommended Posts

I observed this in my Admin panel this morning and it was there a couple of days ago and I'm not quite sure what to make of it.

 

00:14:20 0 Guest 88.190.11.113 12:05:39 12:05:39 /catalog/index.php?cPath=2%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fwww.legacycomputersnparts.com%2Fcatalog%2Findex.php%3FcPath%3D2','28','9','%22by+osCommerce%22++rom','',%20'009090e04ab470f592b60df6a2e25288f0f5b54e686491a21327',%200)/admin/file_mana

 

Both times, there were several instances of it at once, like when a Bot is crawling your site, but the coding was much longer than say, GoogleBot or Slurp or Yandex.

 

Of the 4 that are active right now, two are going for /admin/file_manager (which has long ago been removed) and two are going for /admin/categories

 

Is this cause for concern?


No Good Deed EVER Goes Unpunished

Share this post


Link to post
Share on other sites

Everything except authorized personnel (probably just you) going for your admin is a hack attempt.

 

As long as they don't "hit the target" it's not much to worry about, except maybe using bandwidth.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Well, I've been pretty diligent about installing security features (and the site seems to be still operating correctly :rolleyes: ), so, that's comforting.


No Good Deed EVER Goes Unpunished

Share this post


Link to post
Share on other sites

I found a crawler searching for other stuff and folders that's not even listed on my server

Strange is it's also indexing the pages

 

.htaccess deny from 79.125.59.235 :thumbsup:


Getting the Phoenix off the ground

Share this post


Link to post
Share on other sites

I have been experiencing the same kind problem, for example right now my who is online shows this:

 

/conditions.php/admin/file_manager.php/login.php

 

This has been going on quite long time, for months. have been blocking theese ip adresses manually everytime i spot them, because i have thought that there cant be anything good in trying to get to my admin. Ofcourse i have done everything possible to protect my admin, but still i dont like someone attempting to go for it. But the problem is that i have life to live and a store to run, i cant sit looking for ips to block from my site 24/7, is there anyway to get them automaticly banned when the word admin pops up (obviously the first thing i have done was renaming the admin folder, so there is no one who should be searching for it on my site)?

 

And sorry for my bad english.

Share this post


Link to post
Share on other sites

There are a couple of addons that would catch that attempt and automatically add the IP address to an htaccess file. One such addon is one I wrote called osC_Sec

http://forums.oscommerce.com/topic/373777-oscommerce-security-osc-secphp/

 

It seems to be doing an alright job of nabbing such attempts and banning them.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×