hpqnet
Posted December 16, 2003

I have someone setting up a dummy ([email protected]) account on my site and staying in the account/create_account/address_book files. I think they are trying to SQL inject... Anyone had this issue?

http://www.oscommerce.com/forums/index.php?sho...=hello++account

Guest
Posted December 16, 2003

Find their IP address in your server logs, then in your httpd.conf file you can block that IP address.

Also, are you using MS1 or MS2? In another post there is a SQL injection talk if using MS1.
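
The log check suggested in the reply above, as an added example that is not part of the original thread: it counts requests per client IP to the account pages in an Apache access log and prints deny lines for the heavy hitters. The log lines, IP addresses, `.php` script names and the threshold are constructed assumptions; the `Order`/`Allow`/`Deny` directives are the access-control syntax of Apache releases before 2.4.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache common log format (documentation IPs, not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2003:10:01:02 -0500] "GET /create_account.php HTTP/1.1" 200 5120
203.0.113.7 - - [16/Dec/2003:10:01:09 -0500] "POST /create_account.php HTTP/1.1" 200 5310
203.0.113.7 - - [16/Dec/2003:10:01:15 -0500] "GET /address_book.php?edit=1 HTTP/1.1" 200 4100
198.51.100.4 - - [16/Dec/2003:10:02:00 -0500] "GET /index.php HTTP/1.1" 200 9000
203.0.113.7 - - [16/Dec/2003:10:02:11 -0500] "POST /address_book.php HTTP/1.1" 200 4150
198.51.100.4 - - [16/Dec/2003:10:03:30 -0500] "GET /account.php HTTP/1.1" 302 0
203.0.113.7 - - [16/Dec/2003:10:03:40 -0500] "GET /account.php HTTP/1.1" 200 3900
"""

# Assumed script names for the account/create_account/address_book files named in the thread.
WATCHED = ("account.php", "create_account.php", "address_book.php")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def hits_per_ip(log_text, watched=WATCHED):
    """Count requests per client address to the watched scripts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, url = m.groups()
        page = url.split("?", 1)[0].rsplit("/", 1)[-1]  # drop query string and directories
        if page in watched:
            counts[ip] += 1
    return counts

def suspects(log_text, threshold=5):
    """Addresses with at least `threshold` hits (threshold is an assumed value)."""
    return sorted(ip for ip, n in hits_per_ip(log_text).items() if n >= threshold)

def deny_block(ips):
    """Build deny lines for a <Directory> section of httpd.conf (pre-2.4 syntax)."""
    out = ["Order Allow,Deny", "Allow from all"]
    for ip in ips:
        try:  # the first log field can be a hostname or junk; only emit real addresses
            out.append(f"Deny from {ipaddress.ip_address(ip)}")
        except ValueError:
            continue
    return "\n".join(out)

if __name__ == "__main__":
    print(deny_block(suspects(SAMPLE_LOG)))
```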

hpqnet (Author)
Posted December 16, 2003

I am using MS2, and I do not have access to the httpd.conf file. My ISP has blocked the IP via firewall, but because of legalities may not be able to keep it blocked.

Guest
Posted December 16, 2003

Legalities? Then I would change hosts and be in control of your own httpd.conf file, or buy space from someone who will block the IPs for you. I haven't heard of legalities in blocking unwanted IP addresses from connecting... Who is your host provider?

By the way, MS2 does not have the SQL injection problem.

One thing they could be trying to do is use your store/mail to send spam without you knowing...

hpqnet (Author)
Posted December 16, 2003

The legalities, I assume, would be the result of us blocking access to a user without any evidence or proof of damage. I am pretty sure they will end up keeping the user blocked since I shot them a copy of the SQL injection security post I found on this forum. I think they were concerned that I wanted to block a user, until I presented something to them. Although we have a good idea that is what is being attempted, nothing has happened yet.

I may have access to my httpd.conf but I have not found it via the command line; it may be buried within my web admin GUI screen.

I have been considering applying the contribution that emails the password to the user; that would force them to have a valid email address.

hpqnet (Author)
Posted December 16, 2003

What does this mean? That sucker put something into his account.

Warning: Variable passed to reset() is not an array or object in /home/virtual/site83/fst/var/www/html/admin1/includes/classes/object_info.php on line 17
Warning: Variable passed to each() is not an array or object in /home/virtual/site83/fst/var/www/html/admin1/includes/classes/object_info.php on line 18

hpqnet (Author)
Posted December 18, 2003

Anyone have an idea of the above post? I wonder if the hacker was able to put something in the db that would have caused this. See above.

This topic is now archived and is closed to further replies.