rommany, posted January 7, 2008

Hello. I'm getting a strange URL coming up on my Who's Online; I see this popping up many times a day and have no idea why and how it got there. I've removed the first part and the end bit. joioiskioeriyyskwkdwjsdfewis.land.ru does change to a few other addresses, but the URL should just be www.xxxxxxxx.co.uk/baby_names.php

    /baby_names.php?f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?

So does this look like I have been hacked, and what good would that do to them, as the address does not exist?
GemRock, posted January 7, 2008

Find out that person's IP address and ban it from accessing your site.

Ken
commercial support - unProtected channel, not to be confused with the forum with the same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile). Over 20 years of computer programming experience.
rommany (author), posted January 7, 2008

Thanks Ken. That's a great idea; I can get that from the Who's Online in admin, but I will watch it for a day or so and see how many IP addresses are coming from it. I also will try to see where that IP is registered. Thanks again.
MJP, posted January 8, 2008

I'm getting the same thing in my store. IP addresses (according to Who's Online) are from Norway, South Carolina and Quebec so far. Can this be right? I just read an article that SQL injection attacks are going on. Don't know if this applies to us, but it got me concerned.

SQL Injection Attack
WedgeCoop, posted January 8, 2008

I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:

    require($_GET['f']);

I believe stock osCommerce does not do this. The best thing to do is block any request that has "http://" in the query string.
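To make the point concrete, here is an added example (written for this thread, not code from WedgeCoop or from osCommerce) of the include shape that is exposed and the allow-list include that is not. The page name baby_names.php and the parameter f are taken from the first post; the page keys and file paths in PAGE_MAP are invented for the demo.

```php
<?php
// Added example, not osCommerce code and not from the thread.
//
// Vulnerable shape (kept as a comment so this file runs on its own):
//   require($_GET['f']);
// When PHP allows URL includes (allow_url_include), f=http://<host>/x makes the
// server fetch and execute that file. Even with URL includes off, the request still
// chooses which file is loaded. The fix is to never build the path from the request.

// Hypothetical page map: the request supplies a short key, the server owns the path.
const PAGE_MAP = [
    'boys'  => 'pages/boys.php',
    'girls' => 'pages/girls.php',
];

/**
 * Map a request value to a file path from PAGE_MAP, or null when it is not on the
 * list. Nothing derived from the request reaches include/require.
 */
function resolve_page($key): ?string
{
    if (!is_string($key)) {
        return null;            // arrays (f[]=...) are not valid keys
    }
    return PAGE_MAP[$key] ?? null;
}

// Checks on constructed inputs, including the exact value seen in the thread
var_dump(resolve_page('boys'));                                                   // string(14) "pages/boys.php"
var_dump(resolve_page('http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body')); // NULL
var_dump(resolve_page(''));                                                       // NULL
var_dump(resolve_page(['boys']));                                                 // NULL (array, not a string)

// Request handling as it would sit in baby_names.php: unknown key -> 404,
// known key -> include the fixed file. Skipped on the command line.
if (PHP_SAPI !== 'cli') {
    $page = resolve_page($_GET['f'] ?? null);
    if ($page === null) {
        http_response_code(404);
        exit;
    }
    require __DIR__ . '/' . $page;
}
```

The point of the map is that a probe like the one in the first post cannot succeed whatever the hostname in it resolves to: the value is looked up, never used as a path, so the attempt shows up in Who's Online as a 404 and nothing else.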
MJP, posted January 8, 2008

> I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:
>
>     require($_GET['f']);
>
> I believe stock osCommerce does not do this. The best thing to do is block any request that has "http://" in the query string.

Thanks a lot WedgeCoop. I've been busy banning. But I don't understand why the IP addresses are so spread out among the world. They are now coming from Kentucky and New York state. All I know to do is to ban. Thanks again!
Guest, posted January 9, 2008

> I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:
>
>     require($_GET['f']);
>
> I believe stock osCommerce does not do this. The best thing to do is block any request that has "http://" in the query string.

Bit of a stupid question. A lot of contributions (downloaded from here) have unprotected gets like this in the admin panel. Easy fix would be:

    mysql_real_escape_string($_GET['f']);

but is this really necessary if the admin panel is .htaccess, IP & login protected and only trusted personnel have access to it?
phpwannabe, posted January 19, 2008

> Hello. I'm getting a strange URL coming up on my Who's Online; I see this popping up many times a day and have no idea why and how it got there. I've removed the first part and the end bit. joioiskioeriyyskwkdwjsdfewis.land.ru does change to a few other addresses, but the URL should just be www.xxxxxxxx.co.uk/baby_names.php
>
>     /baby_names.php?f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?
>
> So does this look like I have been hacked, and what good would that do to them, as the address does not exist?

I've been getting the same treatment. I just found this link very helpful: http://www.webproworld.com/internet-securi...-attackers.html

If anyone has any comments or suggestions about this solution, we would love to read them :) I am running what is probably an older version of osCommerce. Does anyone know if the newer version now has code in place to prevent these kinds of attacks?
none_uk, posted January 20, 2008

So are people protected with 2.2 RC1? I've installed a few mods.
THOUGHTOUT, posted June 12, 2008

> I believe they are trying to do a remote file include exploit, and it would only hurt you if you had something similar to the following:
>
>     require($_GET['f']);
>
> I believe stock osCommerce does not do this. The best thing to do is block any request that has "http://" in the query string.

Is this the correct code to block the http request?

    RewriteCond %{QUERY_STRING} http://*\(.*\) [OR]
    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
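The thread never answers the rewrite question, so here is the same check done in PHP as an added example (not from any poster and not osCommerce code). It implements WedgeCoop's rule, reject any request whose query string carries an absolute URL, before any page code reads $_GET, and logs the source address, which is what the earlier posts were collecting by hand from Who's Online. Placing the call at the top of application_top.php is an assumption about where it fits in a store; the sample query strings are constructed.

```php
<?php
// Added example, not osCommerce code and not from the thread.

/**
 * Inspect a raw query string and return a short reason to reject it, or null to
 * allow it. parse_str() decodes %3A%2F%2F and friends first, so URL-encoded
 * forms of http:// are caught as well as the plain one.
 */
function reject_reason(string $queryString): ?string
{
    parse_str($queryString, $params);
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;       // nested arrays are skipped to keep the example short
        }
        if (preg_match('#(?:https?|ftp)://#i', $value)) {
            return "absolute URL in parameter '$name'";
        }
        if (strpos($value, "\0") !== false) {
            return "null byte in parameter '$name'";
        }
    }
    return null;
}

/**
 * Apply the check to the current request: log the attempt with the client IP
 * and answer 403 on a hit. Call it once, before any page code looks at $_GET
 * (e.g. at the top of application_top.php; that placement is an assumption).
 */
function guard_request(): void
{
    $reason = reject_reason($_SERVER['QUERY_STRING'] ?? '');
    if ($reason === null) {
        return;
    }
    error_log(sprintf('blocked request from %s: %s (%s)',
        $_SERVER['REMOTE_ADDR'] ?? '-', $reason, $_SERVER['REQUEST_URI'] ?? '-'));
    http_response_code(403);
    exit;
}

// Constructed query strings for a quick check from the command line
$samples = [
    'f=http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body' => 'blocked', // the thread's probe
    'f=http%3A%2F%2Fexample.invalid%2Fx'                       => 'blocked', // same, URL-encoded
    'cPath=21_24&products_id=10'                               => 'allowed', // ordinary osCommerce link
    'keywords=https+vs+http'                                   => 'allowed', // the word, not a URL
];
foreach ($samples as $qs => $expected) {
    $result = reject_reason($qs) === null ? 'allowed' : 'blocked';
    printf("%-60s %s (expected %s)\n", $qs, $result, $expected);
}
```

Blocking on the pattern is a stopgap, not a fix: the store stays exposed until the include that trusts the parameter is changed, and the log line is mainly useful for seeing which hosts keep probing.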
♥FWR Media, posted June 12, 2008

> Bit of a stupid question. A lot of contributions (downloaded from here) have unprotected gets like this in the admin panel. Easy fix would be:
>
>     mysql_real_escape_string($_GET['f']);
>
> but is this really necessary if the admin panel is .htaccess, IP & login protected and only trusted personnel have access to it?

Dangerous advice this, imo. mysql_real_escape_string has nothing to do with the query string; it is for escaping entries into a MySQL database. E.g. try this:

    <?php
    // assumes an open mysql_connect() link; the URL contains none of the
    // characters the function escapes, so it comes back unchanged
    $url = 'http://www.imahacker.com/index.php?dosomethingnasty=this';
    print(mysql_real_escape_string($url));
    ?>

It prints http://www.imahacker.com/index.php?dosomethingnasty=this

Security Pro is available as a contribution for those who wish to safeguard their query string.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
♥FWR Media, posted June 12, 2008

> So are people protected with 2.2 RC1? I've installed a few mods.

If you consider that osCommerce has had to run securely over the years with register_globals set to on (which is pretty much unthinkable these days in terms of security), I think it really gives a good indication of the care taken over, and the quality of, the coding. You really shouldn't worry about a stock osCommerce RC1/2 (although you should always upgrade when the upgrades are available, especially if there are security updates); the problems are the contributions, where there is no code control.
Guest, posted June 13, 2008

> Dangerous advice this, imo. mysql_real_escape_string has nothing to do with the query string; it is for escaping entries into a MySQL database. E.g. try this:
>
>     <?php
>     $url = 'http://www.imahacker.com/index.php?dosomethingnasty=this';
>     print(mysql_real_escape_string($url));
>     ?>
>
> It prints http://www.imahacker.com/index.php?dosomethingnasty=this
>
> Security Pro is available as a contribution for those who wish to safeguard their query string.

Fudge. You're right. So what other sanitization method should be implemented (aside from Security Pro, which is already installed)... double sanitation does not hurt. htmlspecialchars()? But aren't there ways around this one?
♥FWR Media, posted June 13, 2008

> Fudge. You're right. So what other sanitization method should be implemented (aside from Security Pro, which is already installed)... double sanitation does not hurt. htmlspecialchars()? But aren't there ways around this one?

All user input should be checked against the purpose for which it is intended and what is expected. E.g. if you are expecting a digit you could just force it to be so by using the standard osC function:

    tep_string_to_int($string);

Or just using (int)$var will force the $var into an integer. Some standard PHP functions are useful, such as:

    ctype_alpha()
    ctype_digit()
    ctype_alnum()
Guest, posted June 15, 2008

Thanks!!!! I've never come across any of these before. Bit of a question about them... doesn't seem to be much chatter about it on php.net. My test string (just trying to output the 1st letter of the query string):

    $letter = ctype_alpha(substr($_GET['letter'],0,1));

...results in a "1". Can this only be used in this fashion:

    $letter = $_GET['letter'];
    if (ctype_alnum($letter)){
      //results in my desired output
    }else{
      require('404.php');
    }

If so, what is quicker? preg_replace or if?
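An added example covering FWR Media's "check input against what you expect" advice and the ctype question above (my code, not from either poster and not osCommerce code). The "1" comes from ctype_alpha() returning a bool, so assigning its result overwrites the letter with true; the pattern is to validate first and then use the original value. The helper names expect_int, expect_letter and expect_one_of are invented for the demo; the inputs are constructed.

```php
<?php
// Added example, not osCommerce code and not from the thread.

/**
 * Whole-number parameter: same effect as tep_string_to_int() / (int)$var, but
 * stricter. (int)"42abc" gives 42 silently; ctype_digit() rejects it outright.
 */
function expect_int($value, int $default = 0): int
{
    return (is_string($value) && $value !== '' && ctype_digit($value))
        ? (int) $value
        : $default;
}

/**
 * A single A-Z/a-z letter, or null. Returns the letter itself, not the ctype
 * result, which is what the question's snippet was missing.
 */
function expect_letter($value): ?string
{
    if (!is_string($value) || $value === '') {
        return null;
    }
    $first = substr($value, 0, 1);
    return ctype_alpha($first) ? $first : null;
}

/** Value that must come from a fixed set (sort order, page key, language code). */
function expect_one_of($value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

// Constructed inputs standing in for $_GET values
var_dump(expect_int('42'));                                 // int(42)
var_dump(expect_int('42abc'));                              // int(0)   -> default
var_dump(expect_int(['42']));                               // int(0)   -> arrays never pass
var_dump(expect_letter('b'));                               // string(1) "b"
var_dump(expect_letter('bob'));                             // string(1) "b"
var_dump(expect_letter('1abc'));                            // NULL
var_dump(expect_letter('http://example.invalid/'));         // NULL
var_dump(expect_one_of('desc', ['asc', 'desc'], 'asc'));    // string(4) "desc"
var_dump(expect_one_of('x', ['asc', 'desc'], 'asc'));       // string(3) "asc"

// The question's snippet, written so $letter keeps the letter and bad input
// falls through to the 404 branch. Skipped on the command line.
if (PHP_SAPI !== 'cli') {
    $letter = expect_letter($_GET['letter'] ?? '');
    if ($letter === null) {
        http_response_code(404);
        require '404.php';      // the poster's 404 page; path as in the question
        exit;
    }
    // $letter is now exactly one ASCII letter and safe to use in a query or filename
}
```

On the "preg_replace or if" question: both are far cheaper than the page they guard, so pick the form that states the expectation most plainly. A check that rejects bad input (the if/404 branch) is easier to reason about than one that silently strips characters, because a stripped value can still end up meaning something the author did not intend.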
This topic is now archived and is closed to further replies.