[PATCH] Blocking those pesky hackers
1 Attachment(s)
My wife's X-Cart website has been showing a large number of Users Online for the past few weeks, but the purchases aren't nearly equaling the number of visitors.
I decided to check out the type of traffic that she's getting, and found that many are hackers/bots that are trying to exploit different areas of the website. One such exploit, which I've seen 20 of in the past hour, is: /help.php?section=http://myweddingphotos.by.ru/image.php?

The URL that the hackers are passing varies. Many are trying to see if they can execute a remote inclusion apparently, and since this is the most popular attempt on our store right now, I've written some code to block such attempts, and ban the user (bans use the Stop List module, if it's enabled).

As mentioned above, the Stop List module is used if detected to record bans, but if it's not enabled, that's fine, the patch will only block *immediate* hack attempts. When Stop List is enabled, that is when an IP ban will occur.

The attached zip file has a .patch file and a .sql file. You can apply both patches via the Patch/Upgrade section of the X-Cart Administration. Additionally, this is for 4.1; I have not tested on any older versions of X-Cart.

NOTE: If you happen to block yourself from your own store, the blocked IPs are only blocked from the customer section, so you can still log in to your admin section, go to the Stop List section, and delete your IP address.

Once I enabled this mod, I noticed that our Users Online started being a bit more accurate, as this mod blocks the hack attempts before they get logged as a visitor.

This code only bans based on a "http://" value being passed in the query string. I'm not aware of X-Cart passing a full URL to itself in any query string parameters, but you need to be responsible for your own store by testing this thoroughly. No need to ban your users because you didn't test the patch out. I would specifically recommend testing multi-language websites, as that redirect method might pass a complete URL, but I don't believe it does.
Re: [PATCH] Blocking those pesky hackers
Thanks for this mod, Jon!
I really would like to implement it in our 4.0.12 store, because lately we're also really seeing a lot of the same URLs. Can any harm be done by this patch in an older version of X-Cart?
Re: [PATCH] Blocking those pesky hackers
You'll likely have to manually apply. I haven't checked it or tested it on 4.0 at all. If anything, the code that doesn't pertain to Stop_List module should work completely fine. I dunno if Stop_List is available in 4.0, if it is, you'll need to make sure the same functions exist (for the IP ban functionality).
Re: [PATCH] Blocking those pesky hackers
We've had 31 bans, just today (I didn't enable the hack until afternoon... lol)
Re: [PATCH] Blocking those pesky hackers
Version 4.0.x has a stop_list, but applying patches manually is not one of my strongest skills... :wink:
Re: [PATCH] Blocking those pesky hackers
Quote:
I just installed this and was wondering where you found this information. I will let you know how it works when I get some results because I have had a "BUNCH" of these hackers lately.
Mike
Re: [PATCH] Blocking those pesky hackers
If you have Stop List enabled, you'll see the bans in there, with the reason "Malicious hacker activity".
Re: [PATCH] Blocking those pesky hackers
Jon,
Can you please contact me. Thank You, Timm
Re: [PATCH] Blocking those pesky hackers
Seems to be working well. I have not seen a http:// address in the users online section since installing the patch. That being said, I have enabled the Stop List and there are no IPs there either, must be a setting or something.
Thanks, Mike
Re: [PATCH] Blocking those pesky hackers
Hey Mike, as long as the Stop List module is enabled, it should add bans there. Might want to ensure there are no errors being tossed by your error log.
Re: [PATCH] Blocking those pesky hackers
Yeah, I finally got 1 blocked but that surprises me because there was almost always one of these attempts going on when I would look at the users online.
Works great though, I have yet to see one since adding the mod. Thanks, Mike
Re: [PATCH] Blocking those pesky hackers
It seems a bit of a waste of power to do all the blocking individually and not turn this into a shared blacklist. I am sure a lot of the people hitting one of us will end up hitting more of us from scanning. If shop owners opted into allowing their servers to report back to a central server the distributed list would be pretty awesome. Then again I know some people do not like the idea of someone else having control over who has access to their site...
Very cool mod though, thanks for sharing. -Todd
Re: [PATCH] Blocking those pesky hackers
After XC SEO Pro is completed, I'm contemplating developing a security module, similar to NukeSentinel for PHP-Nuke (dunno if NukeSentinel is still in development, but it was popular years ago). Idea is to support central banlists, etc, and provide more protection against hackers.
Re: [PATCH] Blocking those pesky hackers
Jon does it again !!! Thank you for another great Mod !
Re: [PATCH] Blocking those pesky hackers
True - a great solution to hassles and security that is happening right now - thanks...
I also know your new SEO module will also go well... as it just makes sense, goes that extra step and answers SEO needs :) - cheers and all the best, Asiaplay
Re: [PATCH] Blocking those pesky hackers
Excellent mod!!! It works great. I'm so happy, I ban myself by entering hack attempts, just for the fun of it. Thank you for helping me sleep better now knowing the site is better protected.
Re: [PATCH] Blocking those pesky hackers
PATCH RESULTS
File admin/stop_list.php successfully patched
PATCH FAILED AT FILE: auth.php, see PATCH LOG for details.
PATCH LOG
Patching file /homepages/28/d235556179/htdocs/xcart/admin/stop_list.php ...
Hunk #1 succeeded at 146.
done
Patching file /homepages/28/d235556179/htdocs/xcart/auth.php ...
Hunk #1 failed at 43.
1 out of 1 hunks ignored--saving rejects to /homepages/28/d235556179/htdocs/xcart/var/upgrade/auth.php.rej
done
Warning! The following files could not be patched with automated upgrade system. This may be because these files were changed from their original state. Those files needs to be patched manually or restored from backup.
Re: [PATCH] Blocking those pesky hackers
Your auth.php file has been modified to the point that the patch I provided can't alter it. You'd have to apply the patch manually.
Re: [PATCH] Blocking those pesky hackers
I thought it was something like that..
From looking at the patch file I wouldn't know how to break it down and where to put the bits of code in the page.
Quote:
Re: [PATCH] Blocking those pesky hackers
The way to manually apply a patch is to look for lines without the + or - in front, such as
Quote:
Quote:
That tells you where to start editing. Then notice that between those already existing lines, you need to add all lines with a + (and if there's ever a -, you remove that line).
Re: [PATCH] Blocking those pesky hackers
What about the lines like
@@ -146,7 +146,7 @@
In the patch file, what do they mean?
Re: [PATCH] Blocking those pesky hackers
Those lines give the line number of where the edit starts, it's to help you figure out where you need to edit (not always the exact line number, but the lines are usually in the same area).
Re: [PATCH] Blocking those pesky hackers
Ok cheers, was just curious.
The patch wouldn't work for me anyway, even by doing it manually, as comparing the files between my version 4.0.5 and the ones in the patch, some don't exist. Didn't think it would but I do like to tinker now and again :lol:
Re: [PATCH] Blocking those pesky hackers
I'll be releasing a patch for 4.0 soon ;-)
Re: [PATCH] Blocking those pesky hackers
Wonderful stuff! Thank you.
Re: [PATCH] Blocking those pesky hackers
Quote:
That's great news - looking forward to it! :D
Re: [PATCH] Blocking those pesky hackers
Installed and working perfect..
I ran a http:// script myself and got banned just to test it, works a treat. I'll have to keep an eye on the list to see what people are up to.
Re: [PATCH] Blocking those pesky hackers
I would like to know what sort of things someone can do when using a link like this on your site.
Is it bandwidth theft for spammers, or are they trying more malicious things with your site / software / server? I run Scan Alert, and they always add new things to the scan to harden server against, but this is something I guess I have little knowledge of and it would be nice to know what sort of things may be attempted against us with this activity. Nice mod by the way, looking for more released as discussed earlier in the thread. This has been effective in banning two folks so far, one in US and another from Spain.
Re: [PATCH] Blocking those pesky hackers
Great mod!
Is there any reason why I can use this patch and intentionally try a bogus URL and it works perfectly.... but if I add an IP manually to the stop list, it does nothing? By the way... these are the hits I'm getting lately.. and they're not being blocked. Quote:
Re: [PATCH] Blocking those pesky hackers
I just noticed something else....
Should we be worried about any of the re-write mods being used against us? Quote:
Re: [PATCH] Blocking those pesky hackers
I got it.... for those interested...
In /auth.php change this: Quote:
To this: Quote:
Change: Quote:
Quote:
Change: Quote:
Quote:
Please note that this is AFTER you apply the patches from the original poster. (This is on a Windows 2003 server.... since it doesn't use the .htaccess file, this is easier than going into IIS every time you wanna add a blocked IP.) The 'H' and 'M' reflect whichever admin account you normally use to add your blocked IPs. Having it the same as what the mod uses, it covers the ones you add manually as well. Thanks again for a very cool mod! Scotty
Re: [PATCH] Blocking those pesky hackers
Just curious...
How would you add an "elseif" to that to make it be labeled differently from being done by Admin or by the mod? (how do you make it use 'M' or 'H')
Re: [PATCH] Blocking those pesky hackers
Hi Scotty, a note, be careful blocking other statuses with the stop list. I created status H so that I could be certain only obvious hackers were totally banned from the site. If you use status M (which I believe stands for manual, correct?) that could pose some issues (not saying it *would*, just haven't looked into any ramifications, so just a word of warning is all).
Regarding checking for http by itself, that means if http is found anywhere in the string, they get banned, and it's probably easier to have http in the middle of a string, than http://. To be certain, I would check to ensure the first 4 letters appear as http.
You mentioned having an SEO mod used against you, how so? Add an elseif for a different label? Can you describe that better?
Re: [PATCH] Blocking those pesky hackers
Well... as I posted earlier, Windows servers do not use the .htaccess file at all. My understanding is that when something is added to the stop-list, xcart adds it to the .htaccess file. Is that wrong? In any case, my stop list never worked until your mod came along. At that point, while testing, I found that my manually added IPs still didn't get blocked, but yours actually works! I've always had to go into IIS and block IPs 1-by-1 or by group. Pretty monotonous. That's why I changed it to block status 'M' instead of 'H'. YOURS works, xcart's doesn't. This GREATLY simplifies blocking malicious IPs for me.
As for the label, your mod labels it nicely as a hacker attempt. When adding an IP MANUALLY, it just says "Added by Administrator". I wanted a way (since I'm blocking the manually added IPs as well with your mod) to have blocked IPs that were added automatically by the mod to be labeled as hacker attempts like you have it.... and the manually added ones to say "added by administrator". By changing the H to M, it labels the automatically added IPs by your mod as "Added by Administrator". The same as a manual add. I want to separate the two and have different labels. But remember, with the way I changed it to work for me on our W2k3 server, ALL blocked IPs are called by M. I wanted them to show in the list as blocked by whoever blocked them (the mod, or manually). Hope this makes sense...
Re: [PATCH] Blocking those pesky hackers
Hi Scotty, .htaccess is not modified by the StopList module.
Additionally, the StopList module is originally intended to block people from the cart, not from the website. My code just hijacked the module a bit to ban hackers from the site more easily. Regarding the H vs M, in auth.php, change the SQL statement to the following: PHP Code:
Also, revert the part that bans them, back to how it was: PHP Code:
And change the strpos bit, to this (to only match http, and ftp, at the beginning of the string): PHP Code:
|
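The check discussed in this thread, as an added example that is not the code from the attached patch or from any post: it flags request parameters whose value begins with http://, https:// or ftp://, rather than any value that merely contains "http". The function names, the regular expression and the sample requests are assumptions constructed for illustration (example.invalid is a placeholder host).

```php
<?php
// Added illustration; function names are hypothetical, not X-Cart's.

/**
 * True when a parameter value begins with http://, https:// or ftp://.
 * Anchoring at the start avoids flagging values that only contain "http".
 */
function value_starts_with_remote_url($value)
{
    // Values from $_GET / parse_str() are already URL-decoded by PHP.
    return preg_match('#^(?:https?|ftp)://#i', ltrim((string) $value)) === 1;
}

/**
 * Walk a parameter array (such as $_GET), including nested arrays,
 * and return the names of parameters whose value starts with a URL.
 */
function find_remote_url_params(array $params, $prefix = '')
{
    $hits = array();
    foreach ($params as $name => $value) {
        $path = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, find_remote_url_params($value, $path));
        } elseif (value_starts_with_remote_url($value)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Constructed sample requests, not taken from a real log.
$samples = array(
    '/help.php?section=http://example.invalid/image.php?', // value starts with a URL
    '/help.php?section=contactus',                          // ordinary value
    '/search.php?substring=cheap+http+cables',              // contains "http" only
    '/home.php?cat[0]=ftp://example.invalid/x',             // URL inside a nested array
);

foreach ($samples as $uri) {
    // Take everything after the first "?" as the query string.
    parse_str(substr($uri, strpos($uri, '?') + 1), $params);
    $hits = find_remote_url_params($params);
    echo $uri, ' => ', $hits ? 'BLOCK (' . implode(', ', $hits) . ')' : 'allow', "\n";
}
```

The third sample shows why the anchored match matters: a substring test for "http" would ban a customer searching for "http cables", while the anchored test lets that request through.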
Re: [PATCH] Blocking those pesky hackers
Very nice. Works perfectly for me. Thanks for the clarification on the stop list too. I think I was reading a thread about a mod that added the IPs to the .htaccess file. Musta got that confused. Sorry.
By reading your last post, is it safe to assume (ya... I know...) that you could effectively add any flag you wanted? PHP Code:
Or is that all wrong and I should go play with crayons in the corner. :?
Re: [PATCH] Blocking those pesky hackers
lol, yes, you can use any flag you feel like defining, it will determine them a hacker based on the flag, and ban them.
Re: [PATCH] Blocking those pesky hackers
Is my syntax correct in the above post?
Re: [PATCH] Blocking those pesky hackers
I just got a bunch of these and they were not blocked. Can you take a look and see if there's something we need to change in the mod?
Quote:
Update: This seems to have taken care of all of it for now. Since none of these are ever used with HTTP in them in this way, I'm pretty sure they're all ok to use. I've bounced all over my site, clicked on froogle links and all..... everything seems to be working fine. I'll add to it as needed. PHP Code:
Re: [PATCH] Blocking those pesky hackers
doh, my bad, I was thinking the code was different. While your solution works for now, it's not recommended. I'll post back in a bit with a better solution (I'm upgrading a client site at the moment tho, so it'll be a bit)