[PATCH] Blocking those pesky hackers

#51 ReadytoCover (Senior Member), 08-17-2008, 12:35 PM

Quote:
Originally Posted by Scotty85
I started getting these URLs in the Users Online log. Is there a way I can block these too?

I know this is a lame question... but where is the Users Online log? I looked under Summary->Logs and didn't see it?
__________________
x-cart 4.1.9

#52 Scotty85 (Advanced Member), 08-17-2008, 12:48 PM

You have to have the 'Users Online' module enabled first. Then you can find it in the Statistics area. It isn't really a "log", but a listing of all the current users and their locations. There is also a hack that shows their IPs as well. I use it all the time.


Scotty
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)

#53 ReadytoCover (Senior Member), 08-17-2008, 01:11 PM

Oh ok thanks. Just enabled that module and I'll keep an eye out.
__________________
x-cart 4.1.9

#54 ReadytoCover (Senior Member), 08-17-2008, 02:39 PM

Ok got it working with the IP hack, out of curiosity...what do you look for in terms of security / protection?

Simply strange urls?
__________________
x-cart 4.1.9

#55 timbrrr (eXpert), 08-20-2008, 08:19 AM

Did some more research on this and found the following suggestion over at WordPress forums...

Would this be a good solution that they mention putting in the .htaccess file?
PLEASE DO NOT USE THIS unless you know what you are doing. I am only posting it here to get some feedback from the programming gurus.


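RewriteEngine On
# Answer 403 Forbidden when the query string contains "declare" (any case, [NC]) with text on both sides
RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]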


Testing, it throws you into a 403 Forbidden page, would a redirect work better?

Comments on this please.
Thanks
__________________
X-Cart Gold 4.6.3
Codero dedicated server

#56 intel352 (X-Wizard), 08-22-2008, 04:27 AM

Hmm, that should work, as long as you never have a legitimate value in your query string called "declare". You ask if a redirect would be better, why should you redirect?
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
See details here

#57 timbrrr (eXpert), 08-22-2008, 06:36 AM

Agreed about the point of having a legitimate value in the query for "declare". Although probably a rare chance, it could happen.

I thought of redirect simply for the chance that it was a human injecting the code, and not a hacked computer out probing every site it could. If it were a person that tried it, and it just appeared to ignore them, then they might be more likely to give up and not try refreshing the page a hundred times looking for results.

Have you deobfuscated the query? From what I can gather, it basically tries to run a script (possibly located elsewhere such as the origination of the attack) against the database.
Do you have a better or cleaner way to avert this type of attempt?
__________________
X-Cart Gold 4.6.3
Codero dedicated server
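
An added example, not part of any post in this thread: a Python sketch that replays the RewriteCond from post #55 over access-log lines to show which requests it would answer with 403, including the legitimate "declare" queries raised in post #56. The log lines, paths and payload placeholder are constructed, and NARROW_RULE is a hypothetical tighter pattern assumed here for comparison, not something proposed in the thread.

```python
import re

# Post #55's condition: RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
# Apache tests the raw (still percent-encoded) query string, so we do too.
THREAD_RULE = re.compile(r"^(.+)declare(.+)$", re.IGNORECASE)

# Hypothetical tighter pattern (an assumption, not from the thread): the whole
# word "declare", then a literal or encoded space, then "@" (or %40).
NARROW_RULE = re.compile(r"(?<![a-z])declare(?:%20|\+|\s)+(?:@|%40)", re.IGNORECASE)

# Pulls the request target out of a common/combined-format log line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Aug/2008:12:35:01 -0800] "GET /product.php?productid=101;DECLARE%20@S%20PLACEHOLDER HTTP/1.1" 403 210',
    '203.0.113.9 - - [17/Aug/2008:12:36:10 -0800] "GET /search.php?mode=search&substring=declare+independence+poster HTTP/1.1" 200 5120',
    '203.0.113.20 - - [17/Aug/2008:12:37:44 -0800] "GET /search.php?mode=search&substring=undeclared+value HTTP/1.1" 200 4811',
    '192.0.2.4 - - [17/Aug/2008:12:38:02 -0800] "GET /home.php?cat=12 HTTP/1.1" 200 9034',
]


def classify(line):
    """Return (query, verdict) for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return ("", "unparsed")
    _, _, query = m.group(1).partition("?")
    if not THREAD_RULE.search(query):
        return (query, "allowed")
    if NARROW_RULE.search(query):
        return (query, "blocked: injection-shaped")
    # The thread's rule fires, but nothing after "declare" looks like T-SQL.
    return (query, "blocked: likely false positive")


def audit(lines):
    """Classify every line; the result lists what the rule would 403."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for query, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:32} {query}")
```

Running this over a real access log before enabling the rule shows how many legitimate requests would start receiving 403.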

#58 Scotty85 (Advanced Member), 08-25-2008, 12:54 PM

I'm getting more of these today. Any news on how to automatically block them with the mod?
__________________
Xcart Version 4.1.9
Upgraded to 4.1.10 (clean install with mods added back)

#59 2coolbaby (eXpert), 08-27-2008, 01:35 PM

I have a question. Since installing this mod last week and I also installed the newest security updates, so cannot pinpoint the problem... I have been getting about 1 in 5 customers that get errors in the shopping cart when they try to enter their customer information during checkout. They get an error message, with no specific error. It just says there was an error in your form. Or something like that (I cannot reproduce the error, but all the phone calls tell me it is real). It then clears the form and they have to re-enter everything all over again. Very aggravating for them. When this happens they get the error repeatedly and never can place an order. They call us and we can place the order using the info they provide. Anyone else experienced this?
__________________
Mary Lee
-------------------
Dinner and a Murder Mystery Games
http://www.dinnerandamurder.com

x-cart version 4.7.5 / Mac OS 10.10.5 and Windows 8/10 sometimes - Ideal Responsive Template

#60 markwhoo (X-Adept), 08-27-2008, 03:48 PM

Quote:
Originally Posted by 2coolbaby
I have a question. Since installing this mod last week and I also installed the newest security updates, so cannot pinpoint the problem... I have been getting about 1 in 5 customers that get errors in the shopping cart when they try to enter their customer information during checkout. They get an error message, with no specific error. It just says there was an error in your form. Or something like that (I cannot reproduce the error, but all the phone calls tell me it is real). It then clears the form and they have to re-enter everything all over again. Very aggravating for them. When this happens they get the error repeatedly and never can place an order. They call us and we can place the order using the info they provide. Anyone else experienced this?


The issue is actually due to the recent security patch released to protect us from hackers cross site scripting, and it also helps prevent us from making sales, lol.

Look here for more info on it:

http://forum.x-cart.com/showthread.php?t=41583&page=3
__________________
vs 4.1.12
All times are GMT -8. The time now is 12:02 PM.

   

 
X-Cart forums © 2001-2020