osCommerce

The e-commerce.

Trojan attempting to hit contact.php


petebown


Has anyone else been receiving strange emails via the osC contact page?

 

I've been receiving some very odd emails via contact.php lately. This problem has been occurring on two unconnected web sites, both running osCommerce installed in the /shop directory.

 

The senders' IP addresses are all over the place... One was US military. Some of the emails contain a random email address (often AOL); others contain random words.

 

The emails are not doing any damage and the Trojan (or whatever it is) is not managing to spread itself. I updated to the latest version of osC the other day, but the attacks are continuing.

 

According to the site log, the offending machines are going straight to the contact page without viewing any other pages before or after. osC is not sending the success page after the message is posted.

 

This virus is not doing any harm, it's just annoying. My guess is it's a failing trojan that's attempting to use contact.php to send spam. It won't be long before we see those lovely Viagra adverts!


Further info...

 

One of our site logs shows an attack lasting a few minutes. About 10 different IP addresses around the world first requested (GET) shipping.php, contact.php, conditions.php and index.php.

 

5 unconnected IP addresses then attempted a POST to contact.php, resulting in 5 meaningless emails, all within a minute of each other.

 

All of the IP addresses were using the same osCsid number.

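As an added example (not from this thread or from osCommerce), here is a script that looks for the three things the post above describes in an Apache combined access log: one osCsid used from several client addresses, POSTs to contact.php from addresses that never fetched the form with a GET, and a burst of POSTs from distinct addresses inside one minute. The log lines, IPs and session ids are constructed for the example; the path /shop/contact.php and the osCsid query parameter follow the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on the burst described above: GETs from a few
# addresses, then POSTs to contact.php from five addresses that all carry the
# same osCsid, followed by one ordinary shopper with her own session.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2005:14:02:01 +0000] "GET /shop/shipping.php?osCsid=ab12 HTTP/1.0" 200 5120 "-" "-"
203.0.113.10 - - [12/Mar/2005:14:02:02 +0000] "GET /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
198.51.100.7 - - [12/Mar/2005:14:02:05 +0000] "GET /shop/conditions.php?osCsid=ab12 HTTP/1.0" 200 3900 "-" "-"
198.51.100.7 - - [12/Mar/2005:14:02:06 +0000] "GET /shop/index.php?osCsid=ab12 HTTP/1.0" 200 9100 "-" "-"
192.0.2.44 - - [12/Mar/2005:14:03:10 +0000] "POST /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
192.0.2.45 - - [12/Mar/2005:14:03:14 +0000] "POST /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
192.0.2.46 - - [12/Mar/2005:14:03:22 +0000] "POST /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
192.0.2.47 - - [12/Mar/2005:14:03:40 +0000] "POST /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
192.0.2.48 - - [12/Mar/2005:14:03:55 +0000] "POST /shop/contact.php?osCsid=ab12 HTTP/1.0" 200 4410 "-" "-"
203.0.113.77 - - [12/Mar/2005:15:30:00 +0000] "GET /shop/index.php?osCsid=cd34 HTTP/1.0" 200 9100 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2005:15:31:12 +0000] "GET /shop/contact.php?osCsid=cd34 HTTP/1.0" 200 4410 "http://shop.example/shop/index.php" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2005:15:33:40 +0000] "POST /shop/contact.php?osCsid=cd34 HTTP/1.0" 200 4410 "http://shop.example/shop/contact.php" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# osCommerce appends the session id to URLs as ?osCsid=... when cookies are not used.
SID_RE = re.compile(r'[?&]osCsid=([0-9a-f]+)')


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    sm = SID_RE.search(d["path"])
    d["sid"] = sm.group(1) if sm else None
    d["script"] = d["path"].split("?", 1)[0]
    return d


def find_shared_sessions(entries, min_ips=2):
    """osCsid values seen from more than one client address.  A shopper's session
    normally stays on one IP; one id reused from many hosts is the sign of a script
    that copied the session id between machines."""
    ips_by_sid = defaultdict(set)
    for e in entries:
        if e["sid"]:
            ips_by_sid[e["sid"]].add(e["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) >= min_ips}


def find_direct_posts(entries, form="/shop/contact.php"):
    """POSTs to the form from an address that never fetched the form with a GET
    first, i.e. the 'straight to the contact page' behaviour from the log."""
    seen_get = set()
    direct = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["script"] == form and e["method"] == "GET":
            seen_get.add(e["ip"])
        elif e["script"] == form and e["method"] == "POST" and e["ip"] not in seen_get:
            direct.append(e["ip"])
    return direct


def find_post_bursts(entries, form="/shop/contact.php", window=timedelta(minutes=1), min_posts=3):
    """Sliding window over form POSTs: report each window that holds at least
    min_posts submissions from distinct addresses, without re-reporting a burst
    from every later start point inside it."""
    posts = sorted((e["ts"], e["ip"]) for e in entries if e["script"] == form and e["method"] == "POST")
    bursts = []
    i = 0
    while i < len(posts):
        start = posts[i][0]
        in_window = [(ts, ip) for ts, ip in posts[i:] if ts - start <= window]
        ips = {ip for _, ip in in_window}
        if len(ips) >= min_posts:
            bursts.append((start, sorted(ips)))
            i += len(in_window)
        else:
            i += 1
    return bursts


def analyse(log_text):
    entries = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    return {
        "shared_sessions": find_shared_sessions(entries),
        "direct_posts": find_direct_posts(entries),
        "bursts": find_post_bursts(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the shared-session check is the most specific of the three, since a genuine shopper's osCsid does not normally turn up from seven addresses, while the direct-POST check alone will also flag visitors who fetched the form before the log window began.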

There is a patch for this in the contributions part of this site. My site did this a few days ago and then, bam, my site sent 50,000 emails to AOL users talking about Viagra and enlargements for men etc., all with my domain email address. Patch your stuff now.



I think mine is patched already as I've got the latest version. I'm also working on my own amendment to contact.php to block access to anyone that follows the pattern that I've seen on my site log.


Add the visual verification contribution to get rid of automated scripts filling forms.

http://www.oscommerce.com/community/contributions,1560

 

Many thanks!

That's just the sort of thing I was looking for.

I've just checked the latest release of osC against the anti-spam patch mentioned by rocket468. It would appear that the patch still needs to be done even if you've got the latest version, although I think the attacks that I saw were failing to send spam, due to having an up-to-date version.

 

I've also added a small script at the beginning of contact_us.php. This bit of PHP rejects any user where the browser can't be identified. All of the attacks on my sites did not come from a web browser.


Not a good idea. I may use the firewall to block the user agent field when I browse the web and do shopping. Why? Because each browser has certain vulnerabilities and can be exploited, so a server could run a certain script against the specific browser I use.

 

As much as merchants have problems identifying legitimate customers, customers also have problems finding legitimate merchants.


I have a dirty little JavaScript converted to PHP so that when someone attempts to go directly to contact_us.php a popup will appear that tells them they can't connect directly but must come through index.php; when they click OK it takes them to the index.php page.

 

Insert this at the bottom of catalog/contact_us.php

 

<?php
// Emitted into the page as inline JavaScript, so it only runs in clients that
// execute scripts, and the test is on the browser-reported referrer.
echo "<script type=\"text/javascript\">\n";
echo "var requiredfrom = \"index.php\"; // required previous page\n";
echo "if (document.referrer.indexOf(requiredfrom) == -1) {\n";
echo "    alert(\"You must come to this page from \" + requiredfrom);\n";
echo "    window.location = requiredfrom;\n";
echo "}\n";
echo "</script>\n";
?>

 

I know it works in IE and Firefox; if you want to try it, check out this page.

 

This might help in stopping bots from hitting your contact_us.php page directly anyway.




Bots don't use JavaScript or active scripting in general. The same goes for those who block active scripting in their browsers. So they land right at your contact_us.php page.

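Since a bot never runs the JavaScript above, the referrer test has to be made on the server. As an added example (not code from this thread or from osCommerce), the gate below applies three checks to a POST to the contact form: the Referer test from the JavaScript post, the User-Agent rejection mentioned earlier in the thread, and a check that the osCsid in the request was issued to the same client address, which is the pattern from the log post where one osCsid was used from several IPs. The hostname shop.example, the in-memory session store and the three sample requests are all assumptions made for the example.

```python
from urllib.parse import urlsplit

SHOP_HOST = "shop.example"            # assumed hostname of the store
FORM_PATH = "/shop/contact_us.php"    # form path as used in the thread


def remember_session(store, sid, ip):
    """Record the client address an osCsid was first issued to.  In a real
    deployment this would be the session table osCommerce already keeps; here it
    is an in-memory dict used only for the example."""
    store.setdefault(sid, ip)


def check_contact_post(request, store):
    """Return the reasons to reject a POST to the contact form; an empty list
    means the request passes every check.  `request` is a dict with keys ip, sid
    and headers (header name -> value)."""
    reasons = []
    headers = {k.lower(): v for k, v in request["headers"].items()}

    # Check 1: server-side version of the referrer test.  The POST should come
    # from a page on this shop, not from nowhere or from a foreign site.
    referer = headers.get("referer", "")
    if not referer or urlsplit(referer).hostname != SHOP_HOST:
        reasons.append("missing or foreign Referer")

    # Check 2: the user-agent rejection from earlier in the thread.  As the reply
    # to it points out, this also blocks people who strip User-Agent for privacy.
    if not headers.get("user-agent", "").strip():
        reasons.append("no User-Agent")

    # Check 3: the osCsid must exist and must have been issued to this client
    # address.  Unlike the two header checks, a script cannot satisfy this one
    # just by setting headers on a session id copied from another host.
    sid = request.get("sid")
    if sid is None or sid not in store:
        reasons.append("session not issued by this server")
    elif store[sid] != request["ip"]:
        reasons.append("session %s issued to %s, used from %s" % (sid, store[sid], request["ip"]))
    return reasons


def demo():
    """Constructed requests (illustrative, not captured traffic)."""
    store = {}
    remember_session(store, "ab12", "203.0.113.10")   # GET that issued the session
    remember_session(store, "cd34", "203.0.113.77")

    shopper = {"ip": "203.0.113.77", "sid": "cd34",
               "headers": {"Referer": "http://shop.example" + FORM_PATH,
                           "User-Agent": "Mozilla/5.0"}}
    # The bot from the log: no browser headers, session id shared across hosts.
    naive_bot = {"ip": "192.0.2.44", "sid": "ab12", "headers": {}}
    # A bot that has learned to send browser-like headers.
    careful_bot = {"ip": "192.0.2.45", "sid": "ab12",
                   "headers": {"Referer": "http://shop.example/shop/index.php",
                               "User-Agent": "Mozilla/5.0"}}
    return {
        "shopper": check_contact_post(shopper, store),
        "naive_bot": check_contact_post(naive_bot, store),
        "careful_bot": check_contact_post(careful_bot, store),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "-> accepted" if not reasons else "-> rejected: " + "; ".join(reasons))
```

The naive bot trips all three checks, the bot that sets Referer and User-Agent only trips the session check, and a bot that first GETs the form from each address it posts from passes everything, which is why the thread ends up at the visual verification contribution. Check 3 will also reject legitimate visitors whose address changes mid-session (rotating proxy pools), so log its verdicts for a while before enforcing it.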

Most likely. Therefore there's a simple method for fooling those guys who target contact_us.php directly.

 

In includes/filenames.php change

 

define('FILENAME_CONTACT_US', 'contact_us.php');

 

to something else and rename contact_us.php to match.




That's a good idea. Unfortunately for us merchants, advanced bots utilize search engine results (search engines may ignore meta tags and robots.txt as they index a site, apparently) and can again find the new page, as they look for specific blueprints in the generated HTML code like </form> or "email"-like strings. And although I've deployed it, this approach had almost no effect initially....

 

But then I thought, what if the spiders cannot index the contact_us page? So to rectify this problem, one way would be to also check the spider flag, if it's on, and then redirect the spider to a "not found" page or to the home page. This way at least the SE cannot index it. Of course the bot still can, and it can index the whole site looking for forms. It may operate like a regular spider without its signature. Seems like the chicken-and-egg thing.

 

After thinking and re-thinking a strategy against this, the most effective one I could come up with was the VVC contribution. But of course it has its drawbacks, with clients having to enter an extra field to contact, log in or create accounts.
