Taipo (Author) - Posted July 17, 2011

For the .php/login bans, they will all be hack attempts. 'flush' is removed in the latest release coming out shortly. Try setting everything to 0 and see if that makes a difference.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Taipo (Author) - Posted July 18, 2011

osC_Sec 2.7[r5]

What's New?
- Removed the referer check test for $chkPostLocation which was causing issues for sites behind https
- Removed the ban aspect of $testExpiredCookie which now calls a 403 page ban and page die
- Due to session conflicts in osCommerce versions 2.2.x and the $testExpiredCookie, osC_Sec now disables $testExpiredCookie with those versions
- Optional change in the location of the require_once() include in both application_top.php files (see readme.htm for new location) for where osC_Sec is included

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Taipo (Author) - Posted July 20, 2011

osC_Sec 2.7[r6]

What's New?
- Fine tuning of the postShield black list to allow for file editing via file managers and language editors.

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Guest - Posted July 21, 2011

I am still getting the white screen when I click add to cart but only when osc-sec is enabled via application_top.php.

Taipo (Author) - Posted July 21, 2011

At the moment it sounds like osC_Sec is calling a page die because IP banning is disabled.

Can you add your email address to $youremail, switch on $banipaddress and $emailenabled which will probably then trigger a ban when you try and add something to the cart. From there you will receive an email notification. Can you PM that through to me thanks, that will help me determine what is causing this in your situation.

In doing so your IP address will be banned, so once that happens, remove the IP address from your htaccess file and switch the settings back to their original state.

Taipo (Author) - Posted July 28, 2011

osC_Sec 2.7[r7]

What's New?
- Script clean up of the way osC_Sec detects the cookie settings

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from http://addons.oscommerce.com/info/7834

Taipo (Author) - Posted July 29, 2011

osC_Sec 2.7[r8]

What's New?
- Add checks for servers that have register_globals enabled
- Now checks that $_GET is always an array
- Fixed an issue in the coding that caused a redirect to the index.php rather than a ban

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Taipo (Author) - Posted July 29, 2011

osC_Sec 2.7[r9]

What's New?
- Fix to bug in register globals code

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Guest - Posted July 30, 2011

Just updated to the new version and I am still getting the blank screen when adding a product to the cart. See for yourself www.protoolzonline.com

Taipo (Author) - Posted July 30, 2011

What are the settings you are using in osc.php?

Taipo (Author) - Posted July 30, 2011

osC_Sec 2.8

What's New?
- Fixed issues with $_GET arrays
- Cleanup readme.htm to reflect new code in osc.php
- Fixed code in email section
- Fixed bug in $chkPostLocation

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Guest - Posted July 30, 2011

$timestampOffset = 12; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti, 12 is New Zealand
$nonGETPOSTReqs = 1; # 1 = Prevent security bypass attacks via forged requests, 0 = let it as it is
$chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0 = don't (especially if using Paypal)
$GETcleanup = 0; # 1 = Clean up $_GET variables, 0 = don't cleanup. If you use FWR_SECURITY_PRO then you can set this to not 0.
$testExpiredCookie = 0; # 1 = Checks for an expired cookie, 0 = don't check ( only use this with oscommerce version 2.3.1 )
$banipaddress = 0; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected
$useIPTRAP = 0; # 1 = add IPs to the IP Trap contribution, 0 = leave it off
$ipTrapBlocked = "http://www.protoolzonline.com/blocked.php"; # Put the full URL to your blocked.php if you intend to use this option.
# Example: $ipTrapBlocked = "http://www.protoolzonline.com/blocked.php";

/**
 * Email settings: Don't use if your
 * Web Service Provider limits how
 * many emails per hour / per day
 **/
$emailenabled = 1; # 1 = send yourself an email notification of injection attack, 0 = don't
$youremail = "[email protected]"; # set your email address here so that the server can send you a notification of any action taken and why
$fromemail = "[email protected]"; # set up an email like [email protected] where the attack notifications will come from
$diagenabled = 1; # 1 = automatically send an email to the developer with the ban IP address and the reason for the ban to help improve osC_Sec, 0 = don't
$diagemail = "[email protected]"; # this is the email of the developer of osC_Sec.php (see readme.htm)

/*
 * END OF SETTINGS
 */

Taipo (Author) - Posted July 30, 2011

Thanks for that Matt. Try the latest version 2.8 and see if that makes a difference.

Guest - Posted July 30, 2011

Still not working. It is sending emails for other known malicious ips though.

Guest - Posted July 30, 2011

As soon as I comment out the line in application_top.php it works fine. But obviously I am not protected.

Taipo (Author) - Posted July 30, 2011

Tell me a bit more about your setup. What version of PHP is running, what version of osCommerce, is register globals on or off, what other addons are you using etc etc.

Taipo (Author) - Posted July 30, 2011

There is something peculiar about the way products are added to the cart on your site. On most versions of osCommerce I would have expected the add to be done via a POST operation and not a GET. So I would be quite interested in what addon you are using that is causing that.

Other than there being something in the configuration or addons that are affecting the way osC_Sec works, you will have to try commenting out parts of osC_Sec code in order to narrow down which section is causing the issue.

Example: Since adding a product is a GET request, check down at line 206 in osc_sec.php for the following

getShield( $_GET, $oscsec_getVar_blacklist );

Change this to:

#getShield( $_GET, $oscsec_getVar_blacklist );

and see if that makes a difference. There are a few functions in there that work regardless of whether or not you have options activated in osc.php, that one is one of them.

Taipo (Author) - Posted July 30, 2011

osC_Sec 2.8[r1]

What's New?
- Changed the way $httphost is set

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

Taipo (Author) - Posted August 2, 2011

osC_Sec 2.8[r3]

What's New?
- Removed the trim aspect of the email notification
- Added more items to GET and POST blacklist items
- Fixed an issue with $_SERVER[ "REMOTE_ADDR" ] reporting the IP address of the server in front of one the website is hosted on when hosted in server clusters.

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

burt - Posted August 2, 2011

Found an issue with a slightly older version of osc_sec [cannot remember which revision] which stopped the status flag from setting things to inactive (banners, specials, products).

Solution is to update to latest version of osc_sec.

Taipo (Author) - Posted August 3, 2011

osC_Sec 2.8[r4]

What's New?
- Refined the code for determining the visitors IP address when the server is 'proxied' in a cluster.

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm

Taipo (Author) - Posted August 3, 2011

osC_Sec 2.8[r5]

What's New?
- Further fine tuning of the code for determining the visitors IP address when the server is proxied in a cluster/cloud.
- Update to banned request_uri and query_string code
- Updated several items from the GET blacklist that can cause false positive results

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm
Download from: http://addons.oscommerce.com/info/7834

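Added example (not part of the thread and not osC_Sec's own code): the 2.8[r3] to 2.8[r5] notes above concern finding the visitor's address when the shop sits behind a proxy in a cluster, which matters because that address is what ends up banned. The sketch below honours a forwarding header only when the direct peer is a known proxy; the function name, the `$trustedProxies` list and the use of `X-Forwarded-For` are assumptions, and all addresses are constructed from documentation ranges.

```php
<?php
// Added example, not osC_Sec code. $trustedProxies is a hypothetical,
// site-specific list of the load balancers in front of the shop.

/**
 * Return the address a ban should be applied to.
 * Forwarding headers are honoured only when the direct peer (REMOTE_ADDR)
 * is one of our own proxies; otherwise any visitor could forge the header
 * to dodge a ban or to get someone else's address banned.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';                    // no usable peer address: ban nothing
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;                 // direct connection: ignore the header
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: the rightmost entries were appended by our own
    // proxies, so the first untrusted one is the client our edge really saw.
    foreach (array_reverse($chain) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                    // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;                     // header empty or unusable: fall back
}

$proxies = ['192.0.2.10'];            // constructed: the cluster's load balancer

// Constructed request environments.
$cases = [
    'direct visitor sending a forged header' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'visitor behind our load balancer' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'forged entry first, real hop appended by the proxy' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'],
    'proxy sent no header' =>
        ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($cases as $label => $server) {
    printf("%-52s => %s\n", $label, resolveClientIp($server, $proxies));
}
```

If the fallback ever returns the proxy's own address, a ban on it would lock out every visitor, so a ban routine should refuse addresses that appear in the trusted list.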
Taipo (Author) - Posted August 7, 2011

osC_Sec 2.8[r6]

What's New?
- Updated expired cookie ini_get code
- Updated the way the visitor IP address is detected
- Updated the injection checks
- getShield now searches the Request_Uri rather than Query_String
- postShield now decodes all post inputs before testing against the blacklist

To update just replace the osc_sec.php file in your includes directory
Install instructions: see the readme.htm, as per usual, all updates contain the complete package
Download from: http://addons.oscommerce.com/info/7834

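Added example (not part of the thread and not osC_Sec's postShield): why decoding POST inputs before the blacklist test, as the 2.8[r6] note describes, changes the outcome. The function names, the decoding rounds and the three blacklist entries are assumptions made for illustration, and the sample POST bodies are constructed.

```php
<?php
// Added example, not osC_Sec's postShield. The blacklist entries are
// constructed placeholders, not the addon's real list.
const SAMPLE_BLACKLIST = ['<script', 'union select', '../'];

/** Undo layered URL and HTML-entity encoding so the check sees plain text. */
function normaliseInput(string $value, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES, 'UTF-8');
        if ($decoded === $value) {
            break;                    // stable: nothing left to decode
        }
        $value = $decoded;
    }
    // Collapse whitespace runs so padded keywords still match.
    return strtolower(preg_replace('/\s+/', ' ', $value));
}

/** Return the first blacklist entry found in any (possibly nested) value. */
function findBlacklisted(array $input, bool $decode): ?string
{
    foreach ($input as $value) {
        if (is_array($value)) {
            $hit = findBlacklisted($value, $decode);   // POST fields can be arrays
        } else {
            $text = $decode ? normaliseInput((string) $value)
                            : strtolower((string) $value);
            $hit = null;
            foreach (SAMPLE_BLACKLIST as $needle) {
                if (strpos($text, $needle) !== false) {
                    $hit = $needle;
                    break;
                }
            }
        }
        if ($hit !== null) {
            return $hit;
        }
    }
    return null;
}

// Constructed POST bodies: an ordinary order note, and a doubly
// URL-encoded tag nested inside an array field.
$samples = [
    'benign'  => ['products_id' => '28', 'note' => 'Union Street, select colour'],
    'encoded' => ['cart' => ['qty' => '1', 'note' => '%253Cscript%253E']],
];
foreach ($samples as $label => $post) {
    printf("%-8s raw=%-8s decoded=%s\n", $label,
        findBlacklisted($post, false) ?? 'clean',
        findBlacklisted($post, true) ?? 'clean');
}
```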
ctec2001 - Posted August 7, 2011

> osC_Sec 2.8[r6]
>
> What's New?
> - Updated expired cookie ini_get code
> - Updated the way the visitor IP address is detected
> - Updated the injection checks
> - getShield now searches the Request_Uri rather than Query_String
> - postShield now decodes all post inputs before testing against the blacklist
>
> To update just replace the osc_sec.php file in your includes directory
> Install instructions: see the readme.htm, as per usual, all updates contain the complete package
> Download from: http://addons.oscommerce.com/info/7834

Taipo,

Just wanted to pop a small message to say thanks for the application you developed. Working great

Mike

Do or Do Not, there is no try.

Taipo (Author) - Posted August 7, 2011

Great stuff, thanks for that Mike.

Archived
This topic is now archived and is closed to further replies.