
This topic is now archived and is closed to further replies.

packblitz

Potential web site hack attempt?


I get emailed whenever there is a TEP_STOP error on the site. This helps me know if there's a problem that I need to fix. I got the following emails this morning that have me concerned. Can anyone make any sense of it and what to do about it? I'm posting them in order. I got message 1 first, then message 2, etc...

 

Thanks in advance!

 

 

Message 1

advanced_search_result.php?manufacturers_id=<script>alert(213);</script>&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358335988', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:1:{s:16:\"manufacturers_id\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 1

 

Message 2

advanced_search_result.php?manufacturers_id=42&pto=<script>alert(213);</script>&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358335999', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:2:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 2

 

Message 3

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=<script>alert(213);</script>&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358336010', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:3:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 3

 

Message 4

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=<script>alert(213);</script>&pfrom=&search_in_description=1&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358336031', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:4:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 4

 

Message 5

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=<script>alert(213);</script>&search_in_description=1&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358336041', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:5:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:10:\"mm/dd/yyyy\";s:5:\"pfrom\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 5

 

Message 6

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=<script>alert(213);</script>&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1----Query:insert into sessions values ('8eb021ec6e06558a46428078b13d2a05&keywords=&categories_id=174&dfrom=mm', '1358336053', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:6:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:10:\"mm/dd/yyyy\";s:5:\"pfrom\";s:0:\"\";s:21:\"search_in_description\";s:0:\"\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 6

 

Message 7

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=...\...\...\...\...\...\...\...\...\boot.ini&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '...........................boot.' for key 1----Query:insert into sessions values ('...........................boot.ini', '1358340297', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:10:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:10:\"mm/dd/yyyy\";s:5:\"pfrom\";s:0:\"\";s:21:\"search_in_description\";s:1:\"1\";s:6:\"osCsid\";s:53:\"...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\boot.ini\";s:8:\"keywords\";s:0:\"\";s:13:\"categories_id\";s:3:\"174\";s:5:\"dfrom\";s:10:\"mm/dd/yyyy\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 7

 

Message 8

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=....\....\....\....\....\....\....\....\....\boot.ini&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry '................................' for key 1----Query:insert into sessions values ('....................................boot.ini', '1358340298', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:10:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:10:\"mm/dd/yyyy\";s:5:\"pfrom\";s:0:\"\";s:21:\"search_in_description\";s:1:\"1\";s:6:\"osCsid\";s:62:\"....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\boot.ini\";s:8:\"keywords\";s:0:\"\";s:13:\"categories_id\";s:3:\"174\";s:5:\"dfrom\";s:10:\"mm/dd/yyyy\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 8

 

Message 9

advanced_search_result.php?manufacturers_id=42&pto=&inc_subcat=1&dto=mm/dd/yyyy&pfrom=&search_in_description=1&osCsid=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZAo=&keywords=&categories_id=174&dfrom=mm/dd/yyyy-------1062 - Duplicate entry 'Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bh' for key 1----Query:insert into sessions values ('Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZAo', '1358340298', 'cart|O:12:\"shoppingCart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"1\";currency|s:3:\"USD\";navigation|O:17:\"navigationHistory\":2:{s:4:\"path\";a:1:{i:0;a:4:{s:4:\"page\";s:26:\"advanced_search_result.php\";s:4:\"mode\";s:6:\"NONSSL\";s:3:\"get\";a:10:{s:16:\"manufacturers_id\";s:2:\"42\";s:3:\"pto\";s:0:\"\";s:10:\"inc_subcat\";s:1:\"1\";s:3:\"dto\";s:10:\"mm/dd/yyyy\";s:5:\"pfrom\";s:0:\"\";s:21:\"search_in_description\";s:1:\"1\";s:6:\"osCsid\";s:40:\"Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZAo=\";s:8:\"keywords\";s:0:\"\";s:13:\"categories_id\";s:3:\"174\";s:5:\"dfrom\";s:10:\"mm/dd/yyyy\";}s:4:\"post\";a:0:{}}}s:8:\"snapshot\";a:0:{}}wishList|O:8:\"wishlist\":0:{}messageToStack|a:1:{i:0;a:3:{s:5:\"class\";s:6:\"search\";s:4:\"text\";s:62:\"At least one of the fields in the search form must be entered.\";s:4:\"type\";s:5:\"error\";}}')[TEP STOP]

End Message 9


Those are hacking attempts. They seem to have been spotted by something in your shop, though they should really be removed by your code for better results.

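
Added example (not from the thread and not osCommerce code): a Python triage script for TEP_STOP mails of the kind posted above, plus the sort of allow-list check on osCsid that the reply is asking the shop code to do. Each mail begins with the request URI, so the script takes the text before the first `-------`, splits the query string, and checks every parameter value for script markup (messages 1 to 6 walk the same payload through each parameter in turn), for `..\` and `...\` style directory traversal aimed at `boot.ini` (messages 7 and 8), and for the same thing hidden in base64 (message 9's osCsid decodes to `../../../../../../etc/passwd`). The `[0-9a-f]{32}` session-id pattern is an assumption taken from the legitimate osCsid in the mails; adjust it if your PHP session settings produce ids of another shape. The sample mails are constructed, shortened copies of the posted ones with the serialized cart data left out.

```python
"""Triage osCommerce TEP_STOP error mails for scanner probes.

Added example for this thread; it is not osCommerce code and not code from
any poster. A TEP_STOP mail starts with the request URI, then '-------',
the MySQL error, '----' and the failed query.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Heuristics, not a WAF: HTML/script injection and dot-dot traversal,
# including the '...\' and '....\' variants from messages 7 and 8.
XSS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)
TRAVERSAL_RE = re.compile(r"\.{2,}[\\/]|/etc/passwd|boot\.ini|win\.ini", re.IGNORECASE)
# Assumption: a legitimate osCsid looks like the one in the mails
# (32 lowercase hex characters). Adjust for your PHP session settings.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed, shortened versions of the posted mails (serialized cart omitted).
SAMPLE_MAILS = [
    "advanced_search_result.php?manufacturers_id=<script>alert(213);</script>&pto="
    "&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords="
    "-------1062 - Duplicate entry '8eb021ec6e06558a46428078b13d2a05' for key 1"
    "----Query:insert into sessions values (...)[TEP STOP]",
    r"advanced_search_result.php?manufacturers_id=42&osCsid=...\...\...\...\boot.ini"
    "&keywords=-------1062 - Duplicate entry '...' for key 1----Query:...[TEP STOP]",
    "advanced_search_result.php?manufacturers_id=42"
    "&osCsid=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZAo=&keywords="
    "-------1062 - Duplicate entry '...' for key 1----Query:...[TEP STOP]",
    # Benign shape for comparison: normal session id, real search term.
    "advanced_search_result.php?manufacturers_id=42&dto=mm/dd/yyyy"
    "&osCsid=8eb021ec6e06558a46428078b13d2a05&keywords=widget"
    "-------1062 - Duplicate entry '...' for key 1----Query:...[TEP STOP]",
]


def request_uri(mail_body: str) -> str:
    """The URI is everything before the first '-------' separator."""
    return mail_body.split("-------", 1)[0].strip()


def try_base64(value: str) -> Optional[str]:
    """Decode value as base64 if it is well-formed and yields printable ASCII."""
    candidate = value.replace(" ", "+")  # a '+' in a query string arrives as a space
    if len(candidate) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
        return None
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.strip().isprintable() else None


def classify(value: str) -> Optional[str]:
    """Label one parameter value, or None when nothing suspicious is found."""
    if XSS_RE.search(value):
        return "xss"
    if TRAVERSAL_RE.search(value):
        return "traversal"
    decoded = try_base64(value)
    if decoded is not None and TRAVERSAL_RE.search(decoded):
        return "traversal-base64"
    return None


def triage(mail_body: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (script path, [(parameter, finding), ...]) for one TEP_STOP mail."""
    parts = urlsplit(request_uri(mail_body))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = classify(value)
        if kind:
            findings.append((name, kind))
    return parts.path, findings


def session_id_is_sane(value: str) -> bool:
    """Allow-list check to run before the id reaches the session handler or the database."""
    return SESSION_ID_RE.match(value) is not None


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        path, findings = triage(mail)
        print(path, findings or "no findings")
```

One thing the errors themselves tell you: in every mail the value MySQL reports as the duplicate is exactly the first 32 characters of what was being inserted, so the session key column is 32 characters wide and the oversized junk in osCsid is being truncated onto an existing row. The 1062 is a side effect of bad input reaching the database, not a check that rejected it, which is what the reply means by saying the code should remove these itself.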

@@packblitz

 

 

Follow the basic precautions below:

 

1. All .php and .js files should have 444 permission.

2. All folders should have 555 permission.

3. Admin folder should be renamed.

4. Add captcha to create account, contact us, reviews and any other forms on site.

5. Make admin .htaccess protected.

6. Upgrade version and remove wp version from code.

7. Disable file manager.

8. Delete sample data.

9. Frequently check website for any vulnerability through Google webmaster/ http://www.acunetix.com/vulnerability-scanner/



There's no one thing to look for. It depends upon what the hacker's aim is and what he did. As mentioned, it doesn't look like he got in, but I suggest installing the SiteMonitor addon. It probably won't help in this case but will allow you to see changes made in the future. Also, if you change the permissions as mentioned, you will have some problems. Changing them as directed will prevent some hacker attempts, but they will also stop your shop from working properly. See one of the security threads here on the forums for more ideas on how to secure your site.


@@packblitz

 

The aforementioned permissions are incorrect.

 

Use:

 

Files: 604

Directories: 705

Two configure.php files: 444

 

 

 

Chris



1. All .php and .js files should have 444 permission.

2. All folders should have 555 permission.

On most systems, this will make files and folders READ-ONLY. While this will make it much harder for a hacker to change or add files (e.g., back doors), it will also make it very difficult to conduct normal operations that require changing or uploading files (such as adding a new product). It can be done, and may be temporarily useful to discourage the hacker (assuming they don't have login access to your site hosting account), but in the long run it's probably more pain than gain.

 

Use:

 

Files: 604

Directories: 705

Two configure.php files: 444

Chris, please keep in mind that your server is set up in a somewhat unusual way, and those permissions would be uncommon. At the very least, someone thinking about doing that should check with their host to see if their site will continue to function correctly with such permissions. At least (in reaction to the other post) you have files and directories writable by the owner (except for the configure.php files which are Read-Only by everyone). Note that while this makes normal operations much easier, it is still vulnerable if PHP is operating as owner (e.g., suPHP), as the program itself will be able to overwrite any file or directory except the configure.php files. If PHP is running under your group or as a random user on the server, 644/755 would be sufficient to block osC or a rogue script from overwriting anything. In fact, selected files and directories would have to be 664/775 or even 666/777 in order for PHP to be able to write to them.

 

In this particular situation, where a hacker is pounding on the door, it may be good to restrict permissions to Read-Only for a while, until the hacker gets tired of his game and goes away. Just be sure that you understand how your server is set up and consult with your host as to what permissions are suitable for normal operations (i.e., allowing the osC program to write when and where it needs to). Usually this will be 644/755 (with 444 for configure.php), but it depends on your particular server setup.

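
Added example, not from any poster and not osCommerce code: a Python script that applies and audits the permission scheme the permissions discussion above ends up at (files 644, directories 755, the two configure.php files 444, nothing world-writable), as opposed to the 444/555 of the "basic precautions" list or the 604/705 set. It assumes a standard layout with includes/configure.php and <admin>/includes/configure.php (the admin directory name is a parameter because the thread advises renaming it) and takes an optional list of directories the shop must still write into, which get 775 for the PHP-as-group case described above. The demo tree it builds is constructed. Run the real thing against a copy, and as the post says check with your host first: on a suPHP host PHP runs as the file owner, so 644 does not stop it writing.

```python
"""Apply and audit a file-permission baseline for an osCommerce tree.

Added example for this thread; it is not osCommerce code and not from any
poster. Baseline: files 644, directories 755, configure.php 444, nothing
world-writable. Assumed layout: <root>/includes/configure.php and
<root>/<admin_dir>/includes/configure.php.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterable, Iterator, List, Set, Tuple

FILE_MODE = 0o644
DIR_MODE = 0o755
SHARED_DIR_MODE = 0o775   # only for directories PHP (running as the group) must write
CONFIG_MODE = 0o444
ANY_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def configure_files(root: str, admin_dir: str = "admin") -> Set[str]:
    return {
        os.path.join(root, "includes", "configure.php"),
        os.path.join(root, admin_dir, "includes", "configure.php"),
    }


def mode_of(root: str, rel: str) -> int:
    """Permission bits of root/rel as an int (for example 0o644)."""
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def _walk(root: str) -> Iterator[str]:
    """Yield root and every directory and file below it, skipping symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):   # never chmod through a link
                yield path


def audit(root: str, admin_dir: str = "admin") -> List[Tuple[str, str]]:
    """Report world-writable paths and configure.php files that anyone can write."""
    configs = configure_files(root, admin_dir)
    problems = []
    for path in _walk(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & stat.S_IWOTH:
            problems.append((path, "world-writable %o" % mode))
        if path in configs and mode & ANY_WRITE:
            problems.append((path, "configure.php writable %o" % mode))
    return problems


def apply_baseline(root: str, admin_dir: str = "admin",
                   group_writable: Iterable[str] = ()) -> int:
    """Set baseline modes; returns how many paths were changed.

    group_writable lists directories (relative to root) that get 775 instead of
    755 because the shop has to write there when PHP runs under your group.
    """
    configs = configure_files(root, admin_dir)
    shared = {os.path.normpath(os.path.join(root, rel)) for rel in group_writable}
    changed = 0
    for path in _walk(root):
        if os.path.isdir(path):
            wanted = SHARED_DIR_MODE if path in shared else DIR_MODE
        elif path in configs:
            wanted = CONFIG_MODE
        else:
            wanted = FILE_MODE
        if stat.S_IMODE(os.lstat(path).st_mode) != wanted:
            os.chmod(path, wanted)
            changed += 1
    return changed


def demo_tree() -> str:
    """Constructed throwaway store layout with deliberately sloppy permissions."""
    root = tempfile.mkdtemp(prefix="osc-perms-")
    for rel in ("includes", "admin/includes", "images"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "includes/configure.php",
                "admin/includes/configure.php", "images/logo.gif"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(root, "images"), 0o777)                      # world-writable
    os.chmod(os.path.join(root, "includes", "configure.php"), 0o666)   # anyone can edit DB creds
    return root


if __name__ == "__main__":
    root = demo_tree()
    for path, why in audit(root):
        print("before:", why, path)
    print("changed %d paths" % apply_baseline(root))
    print("after:", audit(root) or "clean")
    shutil.rmtree(root)
```

audit() is the part worth running regularly: it only reports, so it is safe on a live store, and a directory that turns up world-writable when you never asked for it is the kind of change the SiteMonitor suggestion above is meant to catch.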

What Mr Phil said. I particularly like the references to suPHP as many see this as the "holy grail" whereas it offers its own significant insecurities.


Thank you Phil for introducing suPHP; I will definitely try suPHP.



suPHP is something your host would provide, and you would have no choice about using it or not. It's security software that among other things, runs PHP as owner and forbids "world writable" files and directories (xx6 and xx7 permissions). Like any other security software, it probably has some holes in it and is not a silver bullet.


I do everything that @@FWR Media does, but I do not see osC_Sec listed in the signature. Is this something that works for OSC 2.3.3?

What other security measures should I take for OSC?

:::::These are the contributions I have installed (Please disregard my notations, this is my personal task list)::::

NEW STORE INSTALL LIST

1. Super Download Store 2.3 (Overwriting upload) (SQL Database)

2. KISS Error Reporting

3. Theme Switcher

4. Admin Theme Switcher

5. iOSC 5.2 (SQL Database change in ReadMe)

6. Security Pro r11

7. KISSit Image THUMBnailer

8. Product Info Page Box (SQL Database change)

9. Free Product Checkout

10. Enhanced Contact Us v1.2 (Change text according to your store in languages/english/contact_us.php)

11. Password Strength Meter

12. Free Product Box

13. Ultimate SEO URL 5

14. CrossSell 3.0 (XSell) [Needs some work!] (SQL Database change)

15. PHP POS (Needs Development in order to work properly with osCommerce Database!)

16. Magneticone POS (Perfect)

17. iOS 5.3 update

18. MyAccountInfo Box

19. Modular Front Page

20. Orders at a Glance Admin Dashboard Panel

21. Ask a Question (Did not install, issue with product_info.php)

22. Barcode for products

23. Sitemap Generator with images

24. Magento osCommerce POS

25. Auto Backup v4.3 (Breaks Some Buttons)

26. Ajax Price Update v1.2

27. Quick Inventorys

28. AJAX Attribute Manager (Still needs Updates to handle Downloads. Double Check Later)

29. Product Tabs (Did not display. May be an issue with the theme changer. Removed)

30. Store Mode (Open | Closed | Maintenance)

31. Wishlist 2.3.3R1
