ctec2001 Posted June 24, 2011

> Not sure what was the outcome of the last bit. To put osC_Sec back into the loop again and disable $useIPTRAP ($useIPTRAP = 0;) and repeat the ban attempt you did earlier to see if you can trigger the blocked.php page.

Taipo, I was able to get IPTRAP to function the way it should. I did disable $useIPTRAP=0 as instructed. Will this degrade osC_Sec any by leaving the IPTRAP disabled?

Thanks, Mike

Do or Do Not, there is no try.
Taipo (Author) Posted June 24, 2011

Just the process of elimination mostly. Now that I know it's functioning with $useIPTRAP disabled, I have a better idea where to look in the code. Will get back to you shortly.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
ctec2001 Posted June 24, 2011

> Just the process of elimination mostly. Now that I know it's functioning with $useIPTRAP disabled, I have a better idea where to look in the code. Will get back to you shortly.

Taipo, I really appreciate your help in this matter. I understand PHP but not at the level you have done with this contribution. I am using the banipaddress for now and it writes to the .htaccess. Is this safe, to have the .htaccess writeable? I guess if you have it in your contribution as an option, then it must be.

Thanks again, Mike
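Mike's question about a writable .htaccess, worked through as an added example that is not osC_Sec's own code: a $banipaddress-style permanent ban that appends a "deny from" line, plus the two checks that make a web-server-writable .htaccess tolerable (the file is not world-writable, and only a validated IP literal is ever written to it). The catalog path and the calling point are assumptions.

```php
<?php
// Added example, not osC_Sec's code. Appends "deny from <ip>" to .htaccess
// (Apache 2.2 mod_access syntax, which is what a 2011 osCommerce host ran;
// Apache 2.4 uses "Require not ip <ip>" instead).
// Path assumption follows osc.php: $htaccessfile = $dirFScatalog . ".htaccess";

function htaccess_permissions_ok($htaccessfile)
{
    // Writable by the PHP user (so a ban can be appended) but not by "other":
    // a 666 .htaccess lets any local account on a shared host edit Apache config.
    if (!is_writable($htaccessfile)) {
        return false;
    }
    $perms = fileperms($htaccessfile) & 0777;
    return ($perms & 0002) === 0;
}

function ban_ip_in_htaccess($ip, $htaccessfile)
{
    // Refuse anything that is not a plain IPv4/IPv6 literal, so the only text
    // that can ever reach the file is the directive "deny from <ip>".
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (!htaccess_permissions_ok($htaccessfile)) {
        return false;
    }
    $fh = fopen($htaccessfile, 'c+');        // read/write, no truncation (PHP >= 5.2.6)
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {              // two simultaneous bans must not interleave
        fclose($fh);
        return false;
    }
    $existing = stream_get_contents($fh);
    $pattern  = '/^\s*deny\s+from\s+' . preg_quote($ip, '/') . '\s*$/mi';
    if (!preg_match($pattern, $existing)) {  // skip an IP that is already banned
        fseek($fh, 0, SEEK_END);
        $prefix = (strlen($existing) > 0 && substr($existing, -1) !== "\n") ? "\n" : '';
        fwrite($fh, $prefix . 'deny from ' . $ip . "\n");
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Calling point (assumed): where osC_Sec has decided to ban the requester.
// REMOTE_ADDR is the only address the server itself vouches for; proxy
// headers are client-supplied and are not used here.
$dirFScatalog = dirname(__FILE__) . '/';
$htaccessfile = $dirFScatalog . '.htaccess';
if (!ban_ip_in_htaccess($_SERVER['REMOTE_ADDR'], $htaccessfile)) {
    error_log('osC_Sec ban: could not write ' . $htaccessfile);
}
```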
Taipo (Author) Posted June 24, 2011

osC_Sec 2.6[r5] What's New?
- A fix up of the IP Trap interaction
- Added code to deal with register_globals vulnerabilities

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

Download from: http://addons.oscommerce.com/info/7834
Taipo (Author) Posted June 24, 2011

Try that release out Mike.
Taipo (Author) Posted June 24, 2011

Wait one, I've got another coming out in 5 mins. Try this one instead.
Taipo (Author) Posted June 24, 2011

Ok this time.
ctec2001 Posted June 25, 2011

> Ok this time.

Hi Taipo, I installed the new release. Please let me know if this is correct...

1. In osc_sec I have $useIPTRAP = 1. When I attempt to perform an illegal access to the site I get my IP blocked and an email sent to me from IPTrap, which is a good thing, and I also get redirected to blocked.php which lets me know that I have been banned and my IP is written to the banned folder.

2. When I attempt an illegal access (for example http://www.gordonimports.com/store/index.php/login.php) I do get an email sent from osc_sec, which is a good thing, but in Firefox it brings up the page 'Problem loading page' and on the page it states:

    The page isn't redirecting properly
    Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies.

- Is this a normal operation?
- In IE8 it just hangs and doesn't display anything. It is like in an internal loop.
- However, when I attempt to access the store normally, I get redirected to the blocked.php page which lets me know that my IP has been banned.

Does it seem like it is working the way it should?

Thank you for your support and efforts to help me in this, Mike
Taipo (Author) Posted June 25, 2011

The loop after ban is not correct. Are you using the latest one I put out, er, version 2.6[r6]? It came out earlier today. I guess the next question I need to ask is what other settings do you have enabled in osC_Sec's osc.php settings?
Taipo (Author) Posted June 25, 2011

osC_Sec 2.6[r7] What's New?
- Clean up of ban reasons
- Fixed the expired cookie browser test
- Added more GET request banned items
- Fixed a bug in the blacklists that could cause a ban of a legitimate site request

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

Download from: http://addons.oscommerce.com/info/7834
ctec2001 Posted June 25, 2011

> The loop after ban is not correct. Are you using the latest one I put out, er, version 2.6[r6]? It came out earlier today. I guess the next question I need to ask is what other settings do you have enabled in osC_Sec's osc.php settings?

Taipo, just an FYI, you forgot to change the version # in osc_sec.php, it still reads [r6]. Just thought you might want to know.

Anyhow, to answer your question, I did set up the newer version [r6] and then now the [r7]. I am still getting the same results, with the exception that IE8 just now pops up a blank page. Firefox still displays the same message as in my previous post. The store is not in the root directory but rather a folder in the root. Will that make a difference?

My settings are as follows:

$timestampOffset = -8; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti
$httphost = "www.gordonimports.com"; # enter your site host without http:// using this format www.yourwebsite.com
$nonGETPOSTReqs = 1; # 1 = Prevent security bypass attacks via forged requests, 0 = leave it as it is
$chkPostLocation = 1; # 1 = Check to see if cookies and referer are set before accepting post vars, 0 = don't (especially if using Paypal)
$GETcleanup = 1; # 1 = Clean up $_GET variables, 0 = don't cleanup. Set this to 0 if this causes errors (for example with another addon)
$testExpiredCookie = 1; # 1 = Checks to see if the browser understands what to do with an expired cookie, 0 = don't check
$arbitrarysession_block = 1; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

/**
 * This section of settings is to allow osC_Sec.php
 * to ban an IP address if it breaks the rules
 *
 * Choose either $banipaddress to add to htaccess
 * or $useIPTRAP if you are using the IP Trap addon
 **/
$banipaddress = 0; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected
$htaccessfile = $dirFScatalog . ".htaccess"; # remember to change the write access of .htaccess to a writable setting
$useIPTRAP = 1; # 1 = add IPs to the IP Trap contribution, 0 = leave it off
$ipTrappedURL = $dirFScatalog . "banned/IP_Trapped.txt"; # If you are using IP Trap make sure this is pointing to the IP_Trapped.txt file

/**
 * Email settings: Don't use if your
 * Web Service Provider limits how
 * many emails per hour
 **/
$emailenabled = 1; # 1 = send yourself an email notification of injection attack, 0 = don't
$youremail = "ctec2001@yahoo.com"; # set your email address here so that the server can send you a notification of any action taken and why
$fromemail = "securityscript@gordonimports.com"; # set up an email like securityscript@yourdomain.com where the attack notifications will come from
$diagenabled = 0; # 1 = automatically send an email to the developer with the ban IP address and the reason for the ban to help improve osC_Sec, 0 = don't
$diagemail = "oscsecdiagnostic@aol.com"; # this is the email of the developer of osC_Sec.php (see readme.htm)

Thank you for your help. I don't mean to make more work for you and do apologize.

Mike
Taipo (Author) Posted June 26, 2011

Sorry about that, I uploaded the wrong file. Try again, the proper file is now uploaded.
Taipo (Author) Posted June 26, 2011

Try these setting changes (leaving the rest as they are):

$chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0 = don't (especially if using Paypal)
$arbitrarysession_block = 0; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

My guess is one of them is causing the loop 'perhaps'.
Taipo (Author) Posted June 26, 2011

osC_Sec 2.6[r8] What's New?
- Added a check for magic quotes
- Banned a few SQL injection and malicious moz-binding strings

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

Download from: http://www.oscommerce.com/community/contributions,7834
ctec2001 Posted June 26, 2011

> Try these setting changes (leaving the rest as they are):
>
> $chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0 = don't (especially if using Paypal)
> $arbitrarysession_block = 0; # 1 = Prevents arbitrary session injections, 0 = leave it as it is
>
> My guess is one of them is causing the loop 'perhaps'.

Taipo, I have done as instructed but seem to have the same problem, without the loop. I get all the emails and everything, so I guess it will be ok. The IP address does get banned, which is a good thing. Is there a way to test the absolute path to the blocked.php page? Maybe it can be tested instead of using the variables.

As always thank you, Mike
Taipo (Author) Posted June 26, 2011

I would assume the blocked.php file would be in the root catalog? ( http://www.somesite.com/catalog/blocked.php ) If not then edit these lines below to the full domain path.

Change the two occurrences of:

header( "Location: " . $http_server . $http_Catalog . "blocked.php" );

To:

header( "Location: http://www.yourdomainname/pathto/blocked.php" );

Email me at rohepotae@gmail.com how this goes.
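The redirect loop Mike reports and the header() line above, worked through as an added example that is not osC_Sec's own code: if the same ban check runs again when blocked.php itself is requested, the banned IP is redirected forever, which is exactly the Firefox "isn't redirecting properly" message; the guard below breaks that cycle. The site name, catalog sub-folder and IP Trap list location are assumptions.

```php
<?php
// Added example, not osC_Sec's code. Assumed layout: the store lives in the
// /store/ sub-folder of www.example.com and the IP Trap list is
// banned/IP_Trapped.txt with one IP per line.
$http_server  = 'http://www.example.com';
$http_catalog = '/store/';
$ipTrappedURL = dirname(__FILE__) . '/banned/IP_Trapped.txt';

function is_banned_ip($ip, $ipTrappedURL)
{
    if (!is_readable($ipTrappedURL)) {
        return false;
    }
    $banned = file($ipTrappedURL, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    // Exact string compare; trim() guards against CRLF line endings in the list.
    return in_array(trim($ip), array_map('trim', $banned), true);
}

function send_to_blocked_page($http_server, $http_catalog)
{
    // Look at the script actually executing, not at the URL the client typed.
    // If this request already IS blocked.php, render it instead of redirecting
    // again: without this check every hit from a banned IP bounces to itself.
    if (basename($_SERVER['SCRIPT_NAME']) === 'blocked.php') {
        return false;
    }
    // Absolute URL, as Taipo recommends when the catalog is not at the web root.
    // 302 (not 301) so browsers do not cache the redirect for this address.
    header('Location: ' . $http_server . $http_catalog . 'blocked.php', true, 302);
    exit;
}

// REMOTE_ADDR is the address the server itself saw; do not trust proxy headers.
$client_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (is_banned_ip($client_ip, $ipTrappedURL)) {
    send_to_blocked_page($http_server, $http_catalog);
}
```

The other way to avoid the loop is to keep blocked.php free of any include that runs the ban check; the guard above is the safer choice because it also works when the store's include order changes.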
Taipo (Author) Posted June 26, 2011

I just ran a test on your site testing one of the blacklisted items from osC_Sec and the blocked page came up with no loop. Upon reloading the site it went straight to blocked as it should.
Taipo (Author) Posted June 27, 2011

osC_Sec 2.6[r9] What's New?
- Fixed issue with phpSelfFix
- Fixed issues with IPTrap function
- Fixed issues with scrubGET

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

Download from: http://www.oscommerce.com/community/contributions,7834
ctec2001 Posted June 28, 2011

> I just ran a test on your site testing one of the blacklisted items from osC_Sec and the blocked page came up with no loop. Upon reloading the site it went straight to blocked as it should.

Taipo, did you get a blank screen after testing the script, or did the blocked.php page come up? Or did you get a blank page after testing the script and then try to access the store and the blocked.php page comes up? The second one is what I get.

Thanks, Mike
Taipo (Author) Posted June 28, 2011

When I did it, it went straight to the blocked.php page (this was on the 'other' site you are developing).
Peper Posted June 28, 2011

Need help please Taipo - anyone

I recently installed this addon as I was using other ban IP and so on from other contributions. Problem is I'm seeing now a whole lot of "GET" errors in my server's error log - all links to products but hundreds of them - seems to be spiders from Yahoo, MSN and so on calling the product.

I have set in osc.php $GETcleanup = 0; and $httphost = "www.domain.com"; My catalog is in a sub domain using shop.domain.com

Any help with this please

Getting the Phoenix off the ground
Taipo (Author) Posted June 28, 2011

Can you send me an example of the errors, PM me if you want.
mattjt83 Posted June 30, 2011

Hi Taipo, I have been installing updates to osc-sec.php whenever you update it. The last update made my checkout not function properly (I use the Dynamo Effects checkout). With the latest update, the shipping module will not load unless I am a logged in customer. Normally, you can check out without having to sign in if it is your first time shopping at our site. This is the first update to have this negative effect on my site. Is there something I can fix to make it work properly or should I just keep using the second to last version?

Thanks
Matt
Taipo (Author) Posted June 30, 2011

A couple of questions for you to assist me.

1. What is the URL to download the Dynamo Effects addon so I can take a look at it?
2. Are you using 2.69a or 2.7 of osC_Sec?
3. What settings do you have enabled in the osc.php file?
4. What other addons are you using?
Taipo (Author) Posted June 30, 2011

PS: I had a look at what I believe is your site (from another discussion where you left your URL) and I can see the shipping table upon checking out. Perhaps try viewing it on another computer or a different browser; it may just be something more local to your internet client perhaps.
This topic is now archived and is closed to further replies.