Re: [PATCH] Blocking those pesky hackers
 

I figured there had to be a way to make the part before the HTTP a wildcard of some kind. 8)

One more reason to learn more about PHP. I dabble enough to be dangerous and can reverse-engineer it with the best of them.... just don't fully get the syntax sometimes.

Re: [PATCH] Blocking those pesky hackers
 

won't be using a wildcard, will likely do a strpos() for the '=' sign, then explode() the value if it's there, and THEN use the substr() function to check for http, ftp, etc.

I'll leave you with that to see if you can piece together the solution in actual php :-)

Re: [PATCH] Blocking those pesky hackers
 

Heh.... I'm not THAT good... LOL


:D/

Re: [PATCH] Blocking those pesky hackers
 

Here are the two patches plus the sql file for 4.0.x
I tested them on my 4.0.19 and they're working fine.

Re: [PATCH] Blocking those pesky hackers
 

@imexhouse: thanks for your contribution!

Hi Scott, this should work:

Re: [PATCH] Blocking those pesky hackers
 

Where does this code go, in the auth.php file?

Thanks, Mike

Re: [PATCH] Blocking those pesky hackers
 

Hi Mike, yes, it replaces *some* of the code that you would have already added, using the patch file.

So nothing gets confused in copy/paste, here's an updated patch file.

EDIT: if you want to use the patch file via X-Cart admin, you'll need to reverse the previous patch (by uploading it to Patch/Upgrade and selecting "yes" for Reverse).
Then you'll need to apply this patch.

Cheers

Re: [PATCH] Blocking those pesky hackers
 

I started getting these URLs in the Users Online log. Is there a way I can block these too?

Re: [PATCH] Blocking those pesky hackers
 

I've been getting the same code in my logs (;DECLARE%20@S%20CHAR(4000); ....). I did some research: http://isc.sans.org/diary.html?storyid=4844

Re: [PATCH] Blocking those pesky hackers
 

Noticing a lot of these too... anyone got a good solution to block these? They appear to be coming from many different IP addresses, so individual IP blocks would be impratical.
Even if they arent getting in, it would be good to have a way to deflect them before they do figure out a way in.

/?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST%20AS%20 CHAR(4000));ExEC(@S);............................. ...........................

(theres about 1200 characters total according a text editor that I pasted it into that does character count. )

Re: [PATCH] Blocking those pesky hackers
 

[quote=Scotty85]I started getting these URLs in the Users Online log. Is there a way I can block these too?

I know this is lame question...but where is the Users Online log? I looked under Summary->Logs and didn't see it?

Re: [PATCH] Blocking those pesky hackers
 

You have to have the 'Users Online' module enabled first. Then you can find it in the Statistics area. It isn't really a "log", but a listing of all the current users and their locations. There is also a hack that shows their IPs as well. I use it all the time.


Scotty

Re: [PATCH] Blocking those pesky hackers
 

Oh ok thanks. Just enabled that module and I'll keep an eye out.

Re: [PATCH] Blocking those pesky hackers
 

Ok got it working with the IP hack, out of curiosity...what do you look for in terms of security / protection?

Simply strange urls?

Re: [PATCH] Blocking those pesky hackers
 

Did some more research on this and found the following suggestion over at worldpress forums...

would this be a good solution that they mention putting in the .htaccess file?
PLEASE DO NOT USE THIS unless you know what you are doing. I am only posting it here to get some feedback from the programming guru's.


RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]


Testing, it throws you into a 403 Forbidden page, would a redirect work better ?

Comments on this please.
Thanks

Re: [PATCH] Blocking those pesky hackers
 

Hmm, that should work, as long as you never have a legitimate value in your query string called "declare". You ask if a redirect would be better, why should you redirect?

Re: [PATCH] Blocking those pesky hackers
 

Agreed about the point of having a legitimate value in the querry for "declare" All though probably a rare chance, it could happen.

I thought of redirect simply for the chance that it was a human injecting the code, and not a hacked computer out probing every site it could. If it were a person that tried it, and it just appeared to ignore them, then they might be more likely to give up and not try refreshing the page a hundred times looking for results.

Have you deobfuscated the querry? From what I can gather,it basically tries to run a script (possibly located elsewhere such as the origination of the attack) against the database.
Do you have a better or cleaner way to avert this type of attempt?

Re: [PATCH] Blocking those pesky hackers
 

I'm getting more of these today. Any news on how to automatically block them with the mod?

Re: [PATCH] Blocking those pesky hackers
 

I have a question. Since installing this mod last week and I also installed the newest security updates, so cannot pinpoint the problem... I have been getting about 1 in 5 customers that get errors in the shopping cart when they try to enter their customer information during checkout. They get an error message, with no specific error. It just says their was an error in your form. Or something like that (I cannot reproduce the error, but all the phone calls tells me it is real). It then clears the form and they have to re-enter everything all over again. Very aggravating for them. When this happens they get the error repeatedly and never can place an order. They call us and we can place the order using the info they provide. Anyone else experienced this?

Re: [PATCH] Blocking those pesky hackers
 

The issue is actually due to the recent security patch released to protect us from hackers cross site scripting, and it also helps prevent us from making sales, lol.

Look here for more info on it:

http://forum.x-cart.com/showthread.php?t=41583&page=3

Re: [PATCH] Blocking those pesky hackers
 

Yea, I'm still not plugging in that security patch - WAY too many people having problems after applying it.

Re: [PATCH] Blocking those pesky hackers
 

HI guys, I'm aware this thread has been going for a while and am wondering if anyone has tested this with 4.1.9 or 4.1.10

Thanks

Re: [PATCH] Blocking those pesky hackers
 

Yes, works fine in both for me.

Re: [PATCH] Blocking those pesky hackers
 

cheers Balinor. What about that security patch you were mentioning.. is there a resolution to that yet do you know?

Re: [PATCH] Blocking those pesky hackers
 

HI Jon / guys.

I got "could not patch" when trying to apply this to admin/stop_list.php.

Can anyone give me instructions for how to manually apply that part of the patch?

Thanks

Re: [PATCH] Blocking those pesky hackers
 

I have applied the patches and enabled the stop list. I am not very savy, so how can I test this on our store? I guess I'm not much of a hacker. :lol:

Re: [PATCH] Blocking those pesky hackers
 

Well, it seems to be working. I have this note in the stop list. Does anybody know what it means?

Re: [PATCH] Blocking those pesky hackers
 

This keeps blocking legitimate customers. Everyday I am having to delete IP's from the stop list with the above statement. Anybody know what that means or how to stop it from happening?

Re: [PATCH] Blocking those pesky hackers
 

I just recently applied this patch, and have not gotten any stop ip's in the list. Pretty much in the same position as above quote. I was having an issue with always showing one or two customers logged on, and my sales n stats would never show them. I noticed that this has decreased, but occasionally i see that there is a customer logged in but sales n stats doesn't see them. Any thoughts or suggestions how i can test to see if it's working?

Re: [PATCH] Blocking those pesky hackers
 

So what happened, should I install this patch?

Re: [PATCH] Blocking those pesky hackers
 

I ended up disabling this mod. It was blocking customers and I couldn't figure out why.

Re: [PATCH] Blocking those pesky hackers
 

I am having a huge problem with this currently. Does anyone have a resolution for this hacker issue.

I am not code and change savvy and so am not sure which way to turn to get this figured out.
Thanks for any help
Chris

Re: [PATCH] Blocking those pesky hackers
 

What problem are you having?

Re: [PATCH] Blocking those pesky hackers
 

Sorry the same problem as listed in the first post.

with huge numbers of users on my site, minimal orders coming through to show reason for the inflated numbers and also the users viewing a page that is listed as a help page and then there is an additional http address in it.
an example in the attached image


Just like what the gentleman in the first post mentioned. I was going to ask my web guys to try to implement this patch, but was nervous as who it is working for and not working for. At a loss of what to do.

Thanks for any input
Chris

Re: [PATCH] Blocking those pesky hackers
 

Hey Chris,

In Post # 63, Balinor says that he uses it with success. Why not just give it a try?

Work on a copy of the file and you can always revert.

It is just one file: admin/stop_list.php

And one Language Label added via a SQL patch, but you can open that file in a text editor and add the Label through the Admin --> Languages interface if you prefer.

Robert

Re: [PATCH] Blocking those pesky hackers
 

WARNING: Any one using this mod please check that it's not banning the Google Bot IP. I have marked that some times this mod just bans the Google IP thinking it's hacking attempt.

This can affect your SEO in Google as google will not able to crawl your site. You can confirm this by login to your google webmaster account & then use the tool as crawl as Google Bot.

I can't figure out why some times this mods ban google bot's IP !!! ???