Archived

This topic is now archived and is closed to further replies.

aiyou

Strange parameter in URL - what are they trying?

With whos_online, I'll see the following. 99% of the time, when I look up the IP, it's related to a mail server, dictionary attacker, etc.

00:00:00 Guest dynamic.vdc.vn 10:38:55 pm 10:38:55 pm Some Product Name (Product) Yes Yes
Name: Guest
ID: 0
IP Address: 113.162.222.1
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
osCsid: 4bbec7e4b61a58ba9263cbd950db5bdd
Referer?: http://www.mystore.com/product_info.php?cPath=73&products_id=319'A=0
Inactive with no Cart

and

00:00:00 Guest dynamic.vdc.vn 10:38:39 pm 10:38:39 pm Some Product Name (Product) Yes Yes
Name: Guest
ID: 0
IP Address: 113.162.222.1
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
osCsid: ba80ede01c5c4929bc16615cfcdac3aa
Referer?: http://www.mystore.com/product_info.php?cPath=73'A=0&products_id=319

What's with the 'A=0 value in the referer? What are they trying to accomplish, and how can I manage them with something like a Bad Behavior rewrite in .htaccess, rather than explicitly adding each IP as a deny?

Store is 2.3.3.4 with the 0-day patch, with /admin renamed via .htaccess.

Would osC_Sec address this?

Thanks

Rob

It's most likely a hacker playing around to see what is valid for a url on your site. But it could just be a malformed link where it may be posted. That IP is from Vietnam. If you know you won't do business with someone from Vietnam, block the whole country.

I agree with Jack on the hacker playing. It's probably just an automated server trolling through osCommerce websites to see if they can generate a database error, i.e. by adding the 'a=0. So that in and of itself is not an injection attempt; therefore osC_Sec will not block that attempt, but it will block most if not all actual database injection attempts, which would be requests that look something like:

http://www.mystore.com/product_info.php?cPath=73&products_id=319'%20union%20select%20from.....


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
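
Added example, not from this thread and not osC_Sec or osCommerce code: a small Python classifier that separates the 'A=0 error probe discussed above from a real injection attempt by checking whether cPath and products_id still look like the values osCommerce expects (an integer, and integers joined by "_"), then runs it over constructed Apache access-log lines so the offending IPs can be pulled into a deny list or rewrite rule. The expected parameter formats, the SQL keyword list and the log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Formats product_info.php expects (assumption for this example): products_id is an
# integer, cPath is one or more category ids joined by "_" (e.g. "73" or "22_28").
EXPECTED = {
    "products_id": re.compile(r"^\d+$"),
    "cPath": re.compile(r"^\d+(?:_\d+)*$"),
}
# SQL keywords that turn a malformed value into an actual injection attempt (assumed list).
SQL_WORDS = re.compile(r"\b(?:union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I)

def classify(url):
    """Return 'clean', 'probe' or 'injection' for one product_info.php request.
    probe     - an expected numeric parameter is broken (the 'A=0 pattern) but carries
                no SQL keyword: a scanner looking for a database error page
    injection - the broken value also carries SQL keywords (' union select ...)"""
    verdict = "clean"
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        pattern = EXPECTED.get(name)
        if pattern is None or pattern.match(value):
            continue  # unknown parameter, or a well-formed value
        if SQL_WORDS.search(value):
            return "injection"
        verdict = "probe"
    return verdict

# Apache combined-log prefix: client ip ... [timestamp] "METHOD path protocol"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*"')

def scan_log(lines):
    """Return (ip, verdict) for every request that is not clean, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            verdict = classify(m.group("path"))
            if verdict != "clean":
                hits.append((m.group("ip"), verdict))
    return hits

# Constructed sample lines modelled on the thread's whos_online output, not real traffic.
SAMPLE_LOG = [
    '113.162.222.1 - - [10/Oct/2013:22:38:39 +0000] "GET /product_info.php?cPath=73\'A=0&products_id=319 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2013:22:39:02 +0000] "GET /product_info.php?cPath=22_28&products_id=319 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2013:22:40:11 +0000] "GET /product_info.php?cPath=73&products_id=319\'%20union%20select%20from HTTP/1.1" 500 310',
]

if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

The IPs reported as "probe" are candidates for a rate limit or deny rule; "injection" hits are what an addon like osC_Sec is meant to stop at request time.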
