ITISI
Posted April 8, 2008

As seen through Who's Online, I have an ongoing problem with a visitor/session that remains in my site for many hours. I've seen 16+ hours at a time. This has been going on for weeks at a minimum. My host is at a loss and as far as they are concerned they do not see any problem from their end. I did see a post discussing something similar redirecting traffic elsewhere.

Some facts...

1. Their IP address changes frequently but their time online continues to increment.
2. Their Last URL changes along with their IP address.
3. The displayed IP addresses are real, although I'm concerned they are masking their real IP, and just cycling through a list of valid IPs, in which case I probably don't want to block.
4. I've restarted my site via my host control panel many times but they come right back. In fact, the amount of time on the site for their session continues to increment as if the restart did not knock them off the site.
5. The Last URL rotates between many of my web pages, but often includes additional appended text that begins with "cid=" then a URL. For example cid=http://cherrygirl.h18.ru/images/cs.txt?. I've visited these URLs which only contain some sort of a script.

Any insight would be great. Also, I'm trying to find a reliable osCommerce technical resource so if you know of a professional that can assist me, it would be greatly appreciated.

Thanks much

FWR Media
Posted April 8, 2008

The appended URL looks like they are looking for an XSS (cross site scripting) vulnerability. Is your site fully up to date with all recommended security fixes?

You may get some peace of mind by installing the Security Pro contribution which guards your querystring against attacks like this.
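
Since the client IP rotates while the appended `cid=<URL>` value stays the same, server logs are easier to read when grouped by the injected value instead of by IP. The sketch below is an added example, not part of the thread and not osCommerce or Security Pro code; the Apache combined log format, the sample lines and the `OWN_HOSTS` setting are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Apr/2008:10:01:02 +0000] "GET /product_info.php?products_id=5&cid=http://files.example.net/images/cs.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.7 - - [08/Apr/2008:10:04:40 +0000] "GET /index.php?cPath=3&cid=http://files.example.net/images/cs.txt? HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"
203.0.113.5 - - [08/Apr/2008:10:05:11 +0000] "GET /index.php?cPath=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2008:10:06:30 +0000] "GET /redirect.php?goto=http%3A%2F%2Fshop.example.com%2Fspecials.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

OWN_HOSTS = {"shop.example.com"}  # assumption: the store's own hostname(s)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')


def remote_url_params(target):
    """Yield (name, value) for query values that are absolute URLs on foreign hosts."""
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
        try:
            parts = urlsplit(value.strip())
        except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https", "ftp") and host and host not in OWN_HOSTS:
            yield name, value


def summarize(log_text):
    """Group hits by injected value so rotating client IPs collapse into one finding."""
    findings = defaultdict(lambda: {"ips": set(), "pages": set()})
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, target = match.groups()
        for name, value in remote_url_params(target):
            findings[(name, value)]["ips"].add(ip)
            findings[(name, value)]["pages"].add(target.partition("?")[0])
    return dict(findings)


if __name__ == "__main__":
    for (name, value), hit in summarize(SAMPLE_LOG).items():
        print(f"{name}={value}: {len(hit['ips'])} IPs, pages {sorted(hit['pages'])}")
```

The redirect line in the sample is not reported because its URL points at the store's own host; put every hostname the shop legitimately links to in `OWN_HOSTS` before running this over real logs.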

arietis
Posted April 9, 2008

You might try a contribution that allows you to block the IP address. There is http://addons.oscommerce.com/info/2532 and there may be others. He's obviously not a customer, so banning his IP wouldn't hurt and it'll keep him from being able to figure out how to hack your site and/or steal your bandwidth.

ITISI (Author)
Posted April 9, 2008

> You might try a contribution that allows you to block the IP address. There is http://addons.oscommerce.com/info/2532 and there may be others. He's obviously not a customer, so banning his IP wouldn't hurt and it'll keep him from being able to figure out how to hack your site and/or steal your bandwidth.

Thanks Dave. Unfortunately it appears he rotates valid URLs instead of displaying his own.

ITISI (Author)
Posted April 9, 2008

> The appended URL looks like they are looking for an XSS (cross site scripting) vulnerability. Is your site fully up to date with all recommended security fixes? You may get some peace of mind by installing the Security Pro contribution which guards your querystring against attacks like this.

Thanks for the suggestions. I have no idea if I'm up to date and I'm looking for an osCommerce person to assist me. Please let me know if you'd like to take care of this for me (paid, of course). I can be reached at [email protected]