Post by HAO » Thu Jun 22, 2017 10:31 pm

I have just received a large number of unknown submission form requests.

Successfully submitted for the following functions:
Contact Us
Returns
Customer search

These forms, I have to use reCAPTCHA to protect, But still being cracked.

There are also a number of instructions that attempt to execute SQL from the connection log file.

Code: Select all

ssl_log(12311): 47.52.72.3 - - [22/Jun/2017:18:45:14 +0800] "GET /db.sql HTTP/1.1" 404 52839 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(12312): 47.52.72.3 - - [22/Jun/2017:18:45:14 +0800] "GET /jboss-net/services/listServices HTTP/1.1" 404 52839 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
I believe that this is related to these error messages:

Code: Select all

2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/catalog/controller/startup/router.php on line 12
2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/system/library/url.php on line 18
2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/catalog/controller/common/column_left.php on line 7
2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/catalog/controller/common/column_right.php on line 7
2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/catalog/controller/common/content_top.php on line 7
2017-06-22 21:38:14 - PHP Notice:  Array to string conversion in /home/xxx/public_html/catalog/controller/common/content_bottom.php on line 7
Can someone tell me what the reason is this?

Code: Select all

		if (isset($this->request->get['route'])) {
			$route = (string)$this->request->get['route'];
		} else {
			$route = 'common/home';
		}
If this is a security hole, Please tell we how to fix it!

Because we can not accept the loss of continuous order leakage, Please help us!

Thank you!

HAO
Active Member

Posts

Joined
Fri Jun 03, 2011 2:52 pm

Post by IP_CAM » Fri Jun 23, 2017 3:14 am

well, better don't panic, such happen on a daily bases, just make sure,
your server is able to 'handle' such in a decent manner. :D

But if you run a busy Shop, you should also be able, and willing, to spend
a fraction of your profit, to engage a Security Pro, it's the only way, and a daily
task again, to hopefully at least keep Hackers out for good.

Whereby, this:
PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/startup/router.php on line 12
does not have to be related, but it could, if someone tries to 'do something', the OC-Software cannot do this way.
Good Luck
Ernie

Ernie's OpenShop v.1.75 + OpenCart v.1.5.6.5 LIGHT Test Sites with free responsive Themes
http://www.bigmax.ch/shop/ - http://www.ebikes.li - http://www.ipc.li/shop/ - http://www.openshop.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by HAO » Fri Jun 23, 2017 11:19 am

Frankly said that this is an unauthorized Acunetix Vulnerability Scanner action, The test project is just like Acunetix.

Just hackers using cracked Acunetix to scan our site, So be a hacker attack behavior, In this process, I just want to confirm why Google reCAPTCHA V2 will be easily cracked?

Because in this process hackers through Acunetix successful registration account, Also submit a large number of forms, Do I have a problem with my reCAPTCHA verification code?

HAO
Active Member

Posts

Joined
Fri Jun 03, 2011 2:52 pm

Post by ADD Creative » Fri Jun 23, 2017 10:17 pm

HAO wrote:
Thu Jun 22, 2017 10:31 pm

Code: Select all

ssl_log(12311): 47.52.72.3 - - [22/Jun/2017:18:45:14 +0800] "GET /db.sql HTTP/1.1" 404 52839 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(12312): 47.52.72.3 - - [22/Jun/2017:18:45:14 +0800] "GET /jboss-net/services/listServices HTTP/1.1" 404 52839 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
These are not related to the OpenCart errors. In fact the URLs are nothing to do with OpenCart.

HAO wrote:
Thu Jun 22, 2017 10:31 pm

Code: Select all

2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/startup/router.php on line 12
2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/system/library/url.php on line 18
2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/common/column_left.php on line 7
2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/common/column_right.php on line 7
2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/common/content_top.php on line 7
2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/common/content_bottom.php on line 7
Can someone tell me what the reason is this?

Code: Select all

 if (isset($this->request->get['route'])) {
 $route = (string)$this->request->get['route'];
 } else {
 $route = 'common/home';
 }
Someone tried to request an array of multiple route parameters. The conversion to string will mean no route will be found and a 404 error page will be returned.

HAO wrote:
Fri Jun 23, 2017 11:19 am
Frankly said that this is an unauthorized Acunetix Vulnerability Scanner action, The test project is just like Acunetix.

Just hackers using cracked Acunetix to scan our site, So be a hacker attack behavior, In this process, I just want to confirm why Google reCAPTCHA V2 will be easily cracked?

Because in this process hackers through Acunetix successful registration account, Also submit a large number of forms, Do I have a problem with my reCAPTCHA verification code?
Looking at the reCAPTCHA. It does look to me like there may be a small issue in that reCAPTCHA only has to completed once per session. Do you find that a 2nd form can be submitted even if the reCAPTCHA is not completed the 2nd time?

If so try putting the code back to how it was before the last change.
https://github.com/opencart/opencart/co ... 5ff1ae570a

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am

Post by HAO » Sat Jun 24, 2017 12:36 am

I'm sorry, I may not be very clear.

I want to say, The hacker tried to use Acunetix to attack my site.

Several of these projects are a large number of GET & POST directives.

I just want to know if the hacker will really download our database?

Also related to the path of the error message:

Code: Select all

ssl_log(54889): 47.52.72.3 - - [22/Jun/2017:20:01:31 +0800] "GET /index.php?limit=25&route=/www.vulnweb.com&search=%CE%EF%CD%E2%20%E4%93%B9P HTTP/1.1" 404 56968 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54891): 47.52.72.3 - - [22/Jun/2017:20:01:25 +0800] "GET /index.php?route=product/search&search=&limit=/etc/passwd&page=2 HTTP/1.1" 200 132436 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54892): 47.52.72.3 - - [22/Jun/2017:20:01:32 +0800] "GET /index.php?limit=15&route=product/search&search=%25CE%25EF%25CD%25E2%2520%25E4%2593%25B9P HTTP/1.1" 200 87110 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54893): 47.52.72.3 - - [22/Jun/2017:20:01:33 +0800] "GET /index.php?limit=15&route=%bf'%bf\"&search=%CE%EF%CD%E2%20%E4%93%B9P HTTP/1.1" 404 56920 "https://www.xxxx.tw" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54894): 47.52.72.3 - - [22/Jun/2017:20:01:34 +0800] "GET /index.php?limit=25&route=906536&search=%CE%EF%CD%E2%20%E4%93%B9P HTTP/1.1" 404 56938 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54895): 47.52.72.3 - - [22/Jun/2017:20:01:34 +0800] "GET /index.php?product_id=5036&route=product/product&search=%2525%2545%2537%2525%2538%2539%2525%2541%2539%2525%2545%2535%2525%2541%2534%2525%2539%2536%2525%2532%2530%2525%2545%2539%2525%2538%2542%2525%2542%2543%2525%2545%2537%2525%2541%2544%2525%2538%2536%2522%256F%256E%256D%256F%2575%2573%2565%256F%2576%2565%2572%253D%2543%256A%2559%2548%2528%2539%2531%2537%2535%2529%2522 HTTP/1.1" 200 86223 "https://www.xxxx.tw" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54897): 47.52.72.3 - - [22/Jun/2017:20:01:33 +0800] "GET /index.php?limit=25&route=product/search&search=YARD HTTP/1.1" 200 110541 "https://www.xxxx.tw" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54900): 47.52.72.3 - - [22/Jun/2017:20:01:32 +0800] "GET /index.php?order=DESC&path=134_170&product_id=5430&route=product/product&sort=p.price\"sTYLe='acu:Expre/**/SSion(tEn6(9643))'bad=\" HTTP/1.1" 200 85756 "https://www.xxxx.tw" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54903): 47.52.72.3 - - [22/Jun/2017:20:01:35 +0800] "GET /index.php?limit=15&route=product/search&search=index.php HTTP/1.1" 200 86998 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
ssl_log(54905): 47.52.72.3 - - [22/Jun/2017:20:01:35 +0800] "GET /index.php?route=product/search&search=&limit=/etc/passwd&page=3 HTTP/1.1" 200 132492 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
Is it a mistake to perform a path like this? This means that it is not in the normal state when it is scanned?

Do you mean that?

HAO
Active Member

Posts

Joined
Fri Jun 03, 2011 2:52 pm

Post by IP_CAM » Sat Jun 24, 2017 8:18 am

I just want to know if the hacker will really download our database?

Negative, the DB is not placed in the Website Directories, so, it could not just be downloaded.
But as I said, Hacking attempts are a daily 'thing', at least on my Sites, so, you just have to make
sure, to (hopefully) keep them from doing bad things to your software, like:

1. Use a very competent Hoster only, don't rely on Cheapies, just to save a few Bucks a month.

2. Block complete IP-Groups from further access, related to Attacks, by use of your .htaccess file.
My personal Anti-Hacker ROOT .htaccess file, updated to today! You don't need the whole
WORLD, beeing able to access your Site, just make sure, not to block your Customers ! :D
http://www.ipc.li/os/htaccess.zip
REMOVE the BOTTOM 3 LINES, they are not required, and on of them configures PHP-7 on my Site !!

3. Reroute/Redirect HTTP Links, used by Attackers, to automatically send them somewhere else,
if they use COMMON Attack methods/links, even if those IP's or IP-Ranges are not blocked already.
https://www.opencart.com/index.php?rout ... h=redirect
https://www.opencart.com/index.php?rout ... n_id=28158
https://www.opencart.com/index.php?rout ... n_id=27437
https://www.opencart.com/index.php?rout ... n_id=25864
https://www.opencart.com/index.php?rout ... n_id=10640

4. Secure your ADMIN Access, you don't even have to rename Admin Directory for this!
https://www.opencart.com/index.php?rout ... n_id=21371
https://www.opencart.com/index.php?rout ... n_id=24045
https://www.opencart.com/index.php?rout ... n_id=23969
https://www.opencart.com/index.php?rout ... n_id=14775
https://www.opencart.com/index.php?rout ... n_id=15901
https://www.opencart.com/index.php?rout ... n_id=17569
https://www.opencart.com/index.php?rout ... n_id=25074
---
Try to access this URL, and see, what happen: http://www.opencart.li/shop/admin/index.php

And similar errors like this happen, depending on the Routine/Code, used by hackers, once ot twice a week:

Code: Select all

2017-06-22 21:38:14 - PHP Notice: Array to string conversion in /home/xxx/public_html/catalog/controller/startup/router.php on line 12
And check your Logs on a daily bases !
The GERMAN Bundeswehr is beeing attacked ~2'500 times per day,
according to TV Media news from just a few hours ago!
Good Luck! ;)
Ernie

PS: Some of the Extensions above are for v.1.5.x and some for v.2.x Versions.
---
Samples of such Attempts from one of my Sites:
Image

Attachments

hackertimes.jpg

hackertimes.jpg (350.67 KiB) Viewed 1104 times


Ernie's OpenShop v.1.75 + OpenCart v.1.5.6.5 LIGHT Test Sites with free responsive Themes
http://www.bigmax.ch/shop/ - http://www.ebikes.li - http://www.ipc.li/shop/ - http://www.openshop.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by HAO » Wed Jun 28, 2017 12:27 am

Can you tell me which one you are using the "Reroute / Redirect HTTP Links" extension?

I want to buy extensions to this malicious URL to other sites, But I do not know which one to use for me.

I have used the other suggestions.

HAO
Active Member

Posts

Joined
Fri Jun 03, 2011 2:52 pm

Post by IP_CAM » Wed Jun 28, 2017 3:36 am

Well, it would not be of much use, since you use another OC-Version. :-\
But two that come near are those:
https://www.opencart.com/index.php?rout ... n_id=14775
https://www.opencart.com/index.php?rout ... n_id=23969
and multiple REDIRECT Extensions can be found here:
https://www.opencart.com/index.php?rout ... search=301
as well as some other Gizmos, like those, found here:
https://www.opencart.com/index.php?rout ... ti%20flood
and this Extension could also be of help:
https://www.opencart.com/index.php?rout ... n_id=28739
Good Luck !
Ernie

Ernie's OpenShop v.1.75 + OpenCart v.1.5.6.5 LIGHT Test Sites with free responsive Themes
http://www.bigmax.ch/shop/ - http://www.ebikes.li - http://www.ipc.li/shop/ - http://www.openshop.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by HAO » Tue Jul 11, 2017 6:42 pm

Could you tell me the extension URL you are currently using?

I would like to ask whether the developer is willing to assist the corresponding version 2.3.0.2, Because I want to know all the attempts to access the URL records I do not exist.

If I want to be able to query the IP address and related information, Even instant email notifications, I think this is what I need most.

HAO
Active Member

Posts

Joined
Fri Jun 03, 2011 2:52 pm
Who is online

Users browsing this forum: No registered users and 14 guests