Guest Posted March 11, 2011

Ok, I have been watching hackers trying to access clients' osCommerce sites through the admin vulnerabilities. If you use Supertracker you will see they try to access the site through URLs like this:

    /oscommerce-pri-64.html?reviews_id=1/admin/file_manager.php/login.php

So, since my Admin directory has the IP trap in it (my admin directory was renamed and I placed the IP trap in a dummy Admin directory) I also created a /file_manager.php directory and placed a login.php file in it that contains the same information as Fimble's fake index.php file. So, now there are 1000-1500 fewer bad URL requests per day.

Chris
Taipo Posted March 11, 2011

No matter which way the attackers try to obscure that type of attack, the end resulting request URL will always contain the following:

    .php/login.php

So as a stopgap measure, if you add something like this to the top of both includes/application_top.php files:

    if (strpos($getvariables, ".php/login.php") !== false) {
        die("oops you got nabbed"); // choose what you want to do with this request
    }

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Taipo Posted March 12, 2011

Sorry, that last code should be:

    if (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) {
        die("oops you got nabbed"); // choose what you want to do with this request
    }
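
An added example, not code from any poster in this thread: the same `.php/login.php` check with the request URI percent-decoded and compared case-insensitively before matching, and with the hit logged and answered with a 403. The function names and the sample URIs (other than the one quoted in the first post) are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// True when the URI contains ".php/login.php" after normalisation.
function is_login_bypass_probe($requestUri)
{
    // Decode percent-encoding once so the match sees the characters the
    // web server resolves, then collapse repeated slashes.
    $decoded = rawurldecode((string) $requestUri);
    $decoded = preg_replace('#/+#', '/', $decoded);
    // Case-insensitive, since some filesystems ignore case in file names.
    return stripos($decoded, '.php/login.php') !== false;
}

// Log the request and stop with a 403; returns false for normal requests.
function block_login_bypass_probe(array $server)
{
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
    if (!is_login_bypass_probe($uri)) {
        return false;
    }
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '-';
    // Replace control characters so the log entry stays on one line.
    $safeUri = preg_replace('/[\x00-\x1F\x7F]/', '?', $uri);
    error_log("blocked .php/login.php probe from $ip: $safeUri");
    header('HTTP/1.1 403 Forbidden');
    exit;
}

if (PHP_SAPI === 'cli') {
    // Self-check on sample URIs. The first is quoted in the thread,
    // the rest are constructed.
    $samples = array(
        '/oscommerce-pri-64.html?reviews_id=1/admin/file_manager.php/login.php' => true,
        '/admin/File_Manager.PHP/Login.php' => true,
        '/admin/file_manager.php%2Flogin.php' => true,
        '/admin/file_manager.php//login.php' => true,
        '/admin/login.php' => false,
        '/product_info.php?products_id=5' => false,
    );
    foreach ($samples as $uri => $expected) {
        $got = is_login_bypass_probe($uri);
        echo ($got === $expected ? 'ok   ' : 'FAIL ') . $uri . "\n";
    }
} else {
    // In a web request (top of includes/application_top.php): act on it.
    block_login_bypass_probe($_SERVER);
}
```

Run from the command line it only prints the self-check results; included at the top of `includes/application_top.php` it blocks matching requests before the rest of the script runs.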
This topic is now archived and is closed to further replies.