Guest
Posted June 24, 2011

I was just reviewing my logs and came across the following:

"http://k-wbookworm.waterloohosting.com/catalog/index.php?cPath=3%20ONMOUSEDOWN=%20ct%20this%2C%20%20http%3A//www.k-wbookworm.com/catalog/index.php%3FcPath%203%20%2C%2047%20%2C%204%20%2C%20%20index.php%3Fcpath%203%20+dvd%20%2C%20%20%2C%20%2000d95beaa7f22d8ac706a43b66fcdf20b5ffd7adbb2d5a8827f7%20%2C%200%20/admin/categories.php/login.php%3FcPath=&action=new_product_preview#07541720191895596481"

I assume this is a break-in attempt. Am I vulnerable to this, and what is this?

Keith

Guest
Posted June 24, 2011

Keith,

As long as you have secured your v2.2 site or you are using v2.3.1, then it is not really a concern.

Chris

kvadre
Posted July 15, 2011

Just to make sure, is the answer the same for this? I should have fixed all the holes for 2.2, but still.

REQUEST.cPath=28+onmousedown%3Dctthis%2C+http%3A%2F%2Fmysite.dk%2Findex.php%3FcPath%3D28%2C33%2C6%2CcPath%3D28%2C%2C+00a769711e86c85f347e28f68247524740a29b90ca534da14661%2C+0%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute,

GET.cPath=28+onmousedown%3Dctthis%2C+http%3A%2F%2Fmysite.dk%2Findex.php%3FcPath%3D28%2C33%2C6%2CcPath%3D28%2C%2C+00a769711e86c85f347e28f68247524740a29b90ca534da14661%2C+0%2Fadmin%2Fsqlpatch.php%2Fpassword_forgotten.php%3Faction%3Dexecute,

Request URI: /index.php?cPath=28%22%20onmousedown=%22ct(this,%20%27http%3A%2F%2Fmysite.dk%2Findex.php%3FcPath%3D28%27,%2733%27,%276%27,%27%22cPath%3D28%22%27,%27%27,%20%2700a769711e86c85f347e28f68247524740a29b90ca534da14661%27,%200)/admin/sqlpatch.php/password_forgotten.php?action=execute

And what are they trying to do?

/Jesper

Taipo
Posted July 15, 2011

REQUEST.cPath=28 onmousedown=ctthis, http://mysite.dk/index.php?cPath=28,33,6,cPath=28,, 00a769711e86c85f347e28f68247524740a29b90ca534da14661, 0/admin/sqlpatch.php/password_forgotten.php?action=execute,

GET.cPath=28 onmousedown=ctthis, http://mysite.dk/index.php?cPath=28,33,6,cPath=28,, 00a769711e86c85f347e28f68247524740a29b90ca534da14661, 0/admin/sqlpatch.php/password_forgotten.php?action=execute,

Request URI: /index.php?cPath=28" onmousedown="ct(this, 'http://mysite.dk/index.php?cPath=28','33','6','"cPath=28"','', '00a769711e86c85f347e28f68247524740a29b90ca534da14661', 0)/admin/sqlpatch.php/password_forgotten.php?action=execute

Looks to me like an attempt to exploit a zencart version 1.3.8 site. Known as the "Zen Cart 1.3.8 Remote SQL Execution Exploit".

Most likely this is an automated attack which is not detecting whether or not a site is Zen Cart backed or not before executing the attack vectors.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
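
Added example (not part of any post in this thread): a log check that flags requests shaped like the ones quoted above. It assumes stock osCommerce cPath values are numeric category ids joined by underscores; the function names, the sample lines and the shop.example host are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: stock osCommerce category paths are numeric ids joined by
# underscores (e.g. 28 or 3_12); the thread itself only shows 3 and 28.
CPATH_OK = re.compile(r"\d+(_\d+)*")
# HTML event-handler attribute such as onmousedown=, in any letter case.
EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# One .php script with a second .php script appended as extra path.
CHAINED_PHP = re.compile(r"\.php/[^?#\s]*\.php", re.IGNORECASE)


def classify(request_uri):
    """Return the sorted reasons a logged request URI looks like a probe."""
    reasons = set()
    query = urlsplit(request_uri).query
    # parse_qsl percent-decodes each value and splits on the first "=".
    for key, value in parse_qsl(query):
        if key == "cPath" and not CPATH_OK.fullmatch(value):
            reasons.add("cPath is not a numeric category path")
        if EVENT_ATTR.search(value):
            reasons.add("event-handler attribute in parameter")
    if CHAINED_PHP.search(unquote(request_uri)):
        reasons.add("second .php script chained onto a script path")
    return sorted(reasons)


def scan(request_uris):
    """Map each suspicious URI to its reasons; clean requests are omitted."""
    hits = {}
    for uri in request_uris:
        reasons = classify(uri)
        if reasons:
            hits[uri] = reasons
    return hits


# Constructed sample lines modelled on the requests quoted in this thread;
# shop.example is a placeholder host.
NORMAL = ["/index.php?cPath=28", "/index.php?cPath=3_12&sort=2a"]
PROBE = ("/index.php?cPath=28%22%20onmousedown=%22ct(this,%20%27http%3A%2F%2F"
         "shop.example%2Findex.php%3FcPath%3D28%27,%200)"
         "/admin/sqlpatch.php/password_forgotten.php?action=execute")

if __name__ == "__main__":
    for uri, reasons in scan(NORMAL + [PROBE]).items():
        print(uri[:40] + "...", reasons)
```

A hit means only that the request was sent, not that it succeeded; whether the site is affected depends on the software and version actually installed.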

astecme
Posted August 20, 2011

> REQUEST.cPath=28 onmousedown=ctthis, http://mysite.dk/index.php?cPath=28,33,6,cPath=28,, 00a769711e86c85f347e28f68247524740a29b90ca534da14661, 0/admin/sqlpatch.php/password_forgotten.php?action=execute,
>
> GET.cPath=28 onmousedown=ctthis, http://mysite.dk/index.php?cPath=28,33,6,cPath=28,, 00a769711e86c85f347e28f68247524740a29b90ca534da14661, 0/admin/sqlpatch.php/password_forgotten.php?action=execute,
>
> Request URI: /index.php?cPath=28" onmousedown="ct(this, 'http://mysite.dk/index.php?cPath=28','33','6','"cPath=28"','', '00a769711e86c85f347e28f68247524740a29b90ca534da14661', 0)/admin/sqlpatch.php/password_forgotten.php?action=execute
>
> Looks to me like an attempt to exploit a zencart version 1.3.8 site. Known as the "Zen Cart 1.3.8 Remote SQL Execution Exploit".
>
> Most likely this is an automated attack which is not detecting whether or not a site is Zen Cart backed or not before executing the attack vectors.

I get a whole load of these type of things, many trying to fire up filemanager. The best thing to do is change your admin folder name and then rename it in the defines. It is still annoying!!

Also I have installed sitemonitor. Once you are clean it gives you peace of mind.

satish
Posted August 22, 2011

htaccess protect your admin.

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site. Check My About US For who am I and what My company does.

Archived
This topic is now archived and is closed to further replies.