Guest Posted July 19, 2004

Hi All

I've been checking through my log files and who's online and I have found the following style of URL coming up from different IPs:

Guest 62.118.251.16 21:48:00 21:48:00 /catalog/index.php?msm=735438699834048
00:21:40 0 Guest 81.134.206.139 21:28:38 21:38:16 /catalog/product_info.php/cPath/55/products_id/98
00:21:20 0 Guest 80.46.157.181 21:28:58 21:32:50 /catalog/index.php/cPath/79
00:15:38 0 Guest 80.225.123.233 21:34:40 21:36:12 /catalog/index.php
00:11:39 0 Guest 206.16.0.222 21:38:39 21:38:39 /catalog/
00:11:18 0 Guest 206.16.0.222 21:39:00 21:39:00 /catalog/
00:02:20 0 Guest 194.129.209.10 21:47:58 21:47:58 /catalog/index.php?msm=893866393249481
00:02:20 0 Guest 212.46.111.26 21:47:58 21:47:58 /catalog/index.php?msm=166909003703953
00:02:20 0 Guest 204.235.97.11 21:47:58 21:47:58 /catalog/index.php?msm=826311820260347

I am concerned by the msm=. I have not come across this before. Is this a hacking attempt or other malicious attempt, or a standard part of OSC that I haven't come across?
noob Posted July 20, 2004

How do you log who's online?

Check out my osc contrib here! You can also check out the site I'm working on by clicking the card button!
peterr Posted July 20, 2004

Hi,

I've had similar attempts lately. In summary, they are trying to "break" the PHP code, but fortunately osC has been well written. :)

Have you tried passing this yourself ...
/catalog/index.php?msm=735438699834048

The string 'msm' is not used anywhere in the 'standard' Osc code. Report the offending IP back to the ISP or, if you can trace it, the web hosting company.

Peter
Guest Posted July 20, 2004

Hi All

Sorry for the delay, time difference and all that...

Firstly, the attempts are showing up in the who's online contribution, which you can download from Here, noob.

Secondly, I have tried passing the info myself and it doesn't seem to affect the returned page or OScID, so I would assume it is pretty benign. However the attack, if that is what I am to believe it is, is reasonably sophisticated as it is coming from several IP addresses. If I do a whois on the IP addresses it appears that they are being spoofed, because one says IP not in correct format, 2 that the IPs don't exist, 1 from CNET's IP block, etc etc. I don't know myself how easy it is to spoof an IP address (ie send a false IP address to the server) and I am reasonably computer literate, so I would assume that the person who is doing this has a purpose.

Obviously I have taken the precautions (as I advise all to do) of backing up site and database files daily and removing CC numbers from the database, which I do daily after each set of orders, and I will continue to monitor the situation. It may be worth others paying close attention to the logs of their sites to ensure that this is not a situation that would be detrimental to them also.

On a side note, this occurs a week after I was hammered by several IP addresses doing mass requests for pages at the rate of 600 a minute. The server stood up well to this attack and OSC was still accessible to my clients. Needless to say I banned the relevant IPs and terminated all threads when it became apparent. It could all be coincidence or ....... perhaps not!

Anyway all seems OK for now and OSC is performing well.
peterr Posted July 20, 2004

Hi Chris,

".... it is reasonably sophisticated as it is coming from several IP addresses."

This is VERY similar to what happened to me a week or so ago, and we tracked it down to an attempted DDoS attack.

"I don't know myself how easy it is to spoof an IP address (ie send a false IP address to the server) and I am reasonably computer literate ...."

Apparently quite easy to spoof IP addresses, being done by hex encoding, proxy servers, etc, etc. I found this article interesting: http://secinf.net/info/misc/tricks.html

Peter
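The thread's advice boils down to two checks a store owner can automate against a who's-online dump: flag any query parameter that the stock catalog never uses, and notice when the same unknown parameter arrives from several different IPs in the same second. The script below is an added example written for this page; it is not part of osCommerce or the who's online contribution. The record layout it parses is a constructed approximation of the dump in the first post, and KNOWN_PARAMS is an assumed, deliberately short allow-list of parameters the stock catalog uses (extend it to match your own install).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: a trimmed allow-list of query parameters the stock osCommerce
# catalog actually reads. Anything outside it is worth a second look.
KNOWN_PARAMS = {
    "cPath", "products_id", "osCsid", "manufacturers_id", "page", "sort",
    "language", "currency", "action", "keywords", "info_message", "pID",
}

# Constructed sample in the shape of the who's-online dump from the first post:
# [online-time] [flag] customer ip entry-time last-click last-page-url
SAMPLE = """
Guest 62.118.251.16 21:48:00 21:48:00 /catalog/index.php?msm=735438699834048
00:21:40 0 Guest 81.134.206.139 21:28:38 21:38:16 /catalog/product_info.php/cPath/55/products_id/98
00:21:20 0 Guest 80.46.157.181 21:28:58 21:32:50 /catalog/index.php/cPath/79
00:15:38 0 Guest 80.225.123.233 21:34:40 21:36:12 /catalog/index.php
00:11:39 0 Guest 206.16.0.222 21:38:39 21:38:39 /catalog/
00:11:18 0 Guest 206.16.0.222 21:39:00 21:39:00 /catalog/
00:02:20 0 Guest 194.129.209.10 21:47:58 21:47:58 /catalog/index.php?msm=893866393249481
00:02:20 0 Guest 212.46.111.26 21:47:58 21:47:58 /catalog/index.php?msm=166909003703953
00:02:20 0 Guest 204.235.97.11 21:47:58 21:47:58 /catalog/index.php?msm=826311820260347
"""

# One record = customer name, dotted-quad IP, entry time, last click, URL.
RECORD_RE = re.compile(
    r"(?P<name>[A-Za-z]\S*)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<entry>\d\d:\d\d:\d\d)\s+"
    r"(?P<last>\d\d:\d\d:\d\d)\s+"
    r"(?P<url>/\S*)"
)


def parse_records(text):
    """Return a list of dicts, one per who's-online record found in text."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def extract_params(url):
    """Collect parameters from both ?key=value queries and the path-style
    /script.php/key/value/key/value form that osCommerce also accepts."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    segments = [s for s in parts.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            rest = segments[i + 1:]
            params.update(zip(rest[0::2], rest[1::2]))
            break
    return params


def unknown_param_hits(records):
    """Map each parameter outside KNOWN_PARAMS to the set of IPs that sent it."""
    hits = defaultdict(set)
    for rec in records:
        for key in extract_params(rec["url"]):
            if key not in KNOWN_PARAMS:
                hits[key].add(rec["ip"])
    return dict(hits)


def same_second_clusters(records, param, min_ips=2):
    """Group requests carrying `param` by last-click second and keep only the
    seconds where at least `min_ips` distinct IPs hit at once, the pattern
    that made the original poster suspect a coordinated source."""
    by_second = defaultdict(set)
    for rec in records:
        if param in extract_params(rec["url"]):
            by_second[rec["last"]].add(rec["ip"])
    return {t: ips for t, ips in by_second.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for param, ips in unknown_param_hits(recs).items():
        print(f"unknown parameter {param!r} from {len(ips)} IPs: {sorted(ips)}")
        for second, cluster in same_second_clusters(recs, param).items():
            print(f"  {len(cluster)} distinct IPs at {second}: {sorted(cluster)}")
```

Run against the sample it reports msm as the only parameter outside the allow-list, sent by four IPs, three of them within the same second. Whether the IPs are spoofed cannot be decided from the application log alone; the useful defensive output is the parameter name and the IP list to hand to the host or ISP, as suggested earlier in the thread.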