Oscommerce Newbies Servers are


WiseWombat

Hi to all members, webservers and developers of osCommerce.

I thought I would post this thread as I feel that all newbies, servers, and members might help to collate a database of all blocked IP addresses, as I think it would benefit all our members.

As new members start out in osCommerce they learn about osCommerce, their server and they learn about contributions, adding and removing contributions, setting up security, phpMyAdmin and htaccess etc. and all that stuff.

Because they are new they do not have as much knowledge as others.

I have found that in the past the newbies are an easy target for hacker networks; they browse the forum looking for easy targets and bait you for a response to their questions.

 

 

If you are interested, I would like all willing members to collate their information regarding blocked IP addresses and IP ranges, as I feel that this will benefit all those who read this thread and host their own server.

 

Here are mine

I have blocked these entire networks from Korea:

210.118.193.0 to 210.118.193.255 ----- Korean

222.232.128.0 to 222.232.159.255 ----- Korean

203.240.226.0 to 203.240.226.255 ----- Korean

202.30.144.0 to 202.30.144.255 ----- Korean

This one ran malicious code, crashed the site and defaced the database. Lucky I had a backup.

144.139.167.55

This guy tried to copy my entire site and downloaded 120 megs running tests

144.139.9.13

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


Where would a newbie (like me) put these IPs to block them?

If you're running Apache, add to your httpd.conf file.

Look for:

<Directory "/path/to/your/htdocs">
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
Deny from 210.118.193.0/24
# Deny from <next range you want blocked>
</Directory>

Just add those you want blocked,

and also add them to your firewall's block list.

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


  • 2 months later...
Here's an update.

Over the past weeks I have noticed a 195.0.0.0 range IP address indexing my site but not following the guidelines in the robots.txt and spiders.txt files,

linking directly to my stylesheet and products.phpsid=?????

Which I thought very strange.

And yesterday, for those that are interested, my site was hacked from the 195.0.0.0 range, some prick in Poland behind a firewall.

I logged the below in the past 18 hours. Whoever it is must be on dialup or changes the IP number, and has tried upping the ports on every try.

Here are the IP Addresses and ports

195.136.184.3

195.136.184.73

195.136.184.150

195.136.5.179

 


I would recommend to all to block the entire 195 network.

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


I would recommend to all to block the entire 195 network.
Well, if you do you'll block me, and I'm based in the UK.

 

Before you all go haywire blocking everything right, left and centre, then you really need to take a chill pill. Once it's taken effect then selectively apply ip bans on specific ip addresses via .htaccess in the root of your web.

 

Vger

Well, to break it down somewhat: 195.136.0.0/16

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP
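
Apache's Deny from accepts single addresses, partial addresses and network/CIDR blocks, not start-to-end ranges, so the ranges listed earlier in the thread have to be converted before they can go into httpd.conf or .htaccess. The following is an added example, not code from any poster: it does that conversion and counts how many addresses each proposed 195.x rule would block beyond the four that were actually logged. The function names are made up for this illustration.

```python
import ipaddress

# Ranges and addresses quoted in this thread (start, end inclusive).
RANGES = [
    ("210.118.193.0", "210.118.193.255"),
    ("222.232.128.0", "222.232.159.255"),
    ("203.240.226.0", "203.240.226.255"),
    ("202.30.144.0", "202.30.144.255"),
]
SEEN_195 = ["195.136.184.3", "195.136.184.73", "195.136.184.150", "195.136.5.179"]


def range_to_cidrs(start, end):
    """Return the minimal list of CIDR networks covering start..end exactly."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"range start {start} is after end {end}")
    # A range that is not aligned on a prefix boundary yields several networks.
    return list(ipaddress.summarize_address_range(first, last))


def deny_lines(ranges):
    """Build 'Deny from' directives (Apache 2.0/2.2 syntax) for the ranges."""
    lines = []
    for start, end in ranges:
        for net in range_to_cidrs(start, end):
            lines.append(f"Deny from {net}")
    return lines


def collateral(network, offenders):
    """Count addresses a rule blocks that are not in the logged offender list."""
    net = ipaddress.ip_network(network)
    hits = sum(1 for ip in offenders if ipaddress.ip_address(ip) in net)
    return net.num_addresses - hits


if __name__ == "__main__":
    print("\n".join(deny_lines(RANGES)))
    for candidate in ("195.0.0.0/8", "195.136.0.0/16", "195.136.184.0/24"):
        extra = collateral(candidate, SEEN_195)
        print(f"{candidate} blocks {extra} addresses that were never logged")
```
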


Rather than blocking off ranges of IPs you should cure the source of the vulnerability.

 

A webserver only needs 3 open ports.. 80, 443, 22.. anything else should be closed.

Done a port scan and there isn't a problem.

My ports are secure.

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


Then your server shouldn't have been compromised by any of the attempts you are seeing and then subsequently blocking whole countries in bulk :)

If your server was compromised then the cause is likely to reside in one of the scripts you are running, and blocking large portions of the world won't defend against that :)


What did you use to do a port scan? Do you have a firewall on your server?

Do you use cPanel? WHM? Secure FTP? SSH? IMAP?

Hi John, I'm running a firewall and ran the port scan with nmap349.

I edit all work directly on the server while offline only and I do not use FTP.

I don't know how they did it, but it appeared that they ran some kind of code script on the server (Apache 2.0.54), possibly causing PHP to crash, then opening the server's file system to access configure.php, from where they seemed to run code to access the SQL database.

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


they ran some kind of code script on the server (Apache 2.0.54), possibly causing PHP to crash, then opening the server's file system to access configure.php, from where they seemed to run code to access the SQL database.

 

even if php crashes your includes directories on both admin/catalog sides cannot be accessed (at least by default) due to .htaccess which is controlled by the apache server. If apache goes down they cannot access anything of course.

 

I would expect your .htaccess in your includes directories to have at least this:

 

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

Thanks for the reply, Mark. I have

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

in both directories.

This is the second time this has happened in the past 12 months. Major hack?

Whoever it is, they know what they're doing.

It is very strange that I also see my domain/admin/includes/configure.php inside the server log (hack) to the configure.php file with an osC session attached.

Do all configure.php files have the same session ID by default?

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP

you put this in the includes directory... and it won't break the site?

please elaborate, i'm a noob :blush:

Sorry, the last post was wrong. I have .htaccess files inside both the catalog/includes and admin directories.

But I only have

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

in the catalog includes directory.

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


Yes, all that the .htaccess code shown does is to stop anyone from accessing directly any of the files above the web root level, for example by typing http://www.yourdomain.com/includes/configure.php into their browser.

 

Vger

But what about if I install a default index.html as a backup in all directories, so if PHP crashes again the server will then show the index.html page rather than opening up the folder directory?

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP


If you want to see who accesses the admin, it is fairly simple. As I understand it you have a dedicated IP (or I assume that), so check out the spider bait contribution and integrate it into the header.php of your admin section, something like

 

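// Prepend a SetEnvIf rule that tags the visitor's IP as "bannedips" to the catalog .htaccess.
$filename = "/<domain path>/catalog/.htaccess";
// Escape the dots so the address is matched literally by the regex.
$content = "SetEnvIf Remote_Addr ^" . str_replace(".", "\.", $_SERVER["REMOTE_ADDR"]) . "$ bannedips\r\n";
// Read the existing rules in one call; fread() with filesize() fails on an empty file.
$existing = file_get_contents($filename);
if ($existing !== false) {
    // Only rewrite the file when the read succeeded, so existing rules are never lost.
    // LOCK_EX keeps two simultaneous requests from interleaving their writes.
    file_put_contents($filename, $content . $existing, LOCK_EX);
}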

 

Then in your .htaccess of the catalog, set up an environment variable called bannedips, set the Remote_Addr and Request_URI checking for the variable, and of course you add a check in the PHP for your static IP so it will only allow you to have access to your admin panel based on your IP.

Something else: make sure your .htaccess files are not readable by anyone. (Also, robots.txt in many sites may offer the tree structure of the site, not a good thing.)

 

Installing a default html index page makes no difference. If someone knows you have osc they can still access the individual pages. But something else was going on, because the .htaccess files should deny access to sub-dirs.


  • 1 month later...
I guess this thread really shows the joys of running hosting on a windows server :D

Actually he was trying to hack and access a singles site through my server.

I wonder if his missus knows what he gets up to :D :lol: :D

( WARNING )

I think I know what Im talking about.

BACK UP BACK UP BACK UP BACK UP
