My CrawlProtect denied this IP address from India: 22.214.171.124 for SQL injection.
Looks like they tried to use email for the injection.
Do you think it's a real injection attempt?
Opencart v126.96.36.199 fr/en
Maybe I didn't configure it the right way and it's blocking visitors that shouldn't be blocked!
Opencart v188.8.131.52 fr/en
[Below are the steps I just took through an hour in moving from suspicion to proof, including testing the infection for what it is. IT IS NOT INNOCUOUS: IT IS VICIOUS SOCIOPATHY WITH A LIVE VIRUS (READ ON). You're dealing with an unwelcome visit by a sociopathic slug who should now be turned in to . . . Google itself for abusing its own Gmail services to spread something that is actually virulent and even has a name.]
(1) The address is suspicious. The DNS is truncated, and the parent has only these:
Mail Server 184.108.40.206 India Sifyinfranet SIFY INFRASTRUCTURE 220.127.116.11 18.104.22.168 Hostmaster Satyam Infoway Sify Limited, Second Floor, Tidel Park, No.4, Canal Bank Road, Taramani, Chennai - 600113 email@example.com +91-44-22540770 +91-44-22540771 APNIC
Domain Name Server 22.214.171.124 India Sifyinfranet SIFY INFRASTRUCTURE 126.96.36.199 188.8.131.52 Hostmaster Satyam Infoway Sify Limited, Second Floor, Tidel Park, No.4, Canal Bank Road, Taramani, Chennai - 600113 firstname.lastname@example.org +91-44-22540770 +91-44-22540771 APNIC
(2) The address is already considered suspicious. At http://www.projecthoneypot.org/ip_184.108.40.206
"The Project Honey Pot system has detected behavior from the IP address consistent with that of a spam harvester. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts."
(3) The address is already considered suspicious. At http://spam-ip.com/find.php
"220.127.116.11 email email@example.com user user name"
(4) THE CODE IS PRIMA FACIE SUSPICIOUS. The linebreaks that you see in your initial post appear in text to be a space, linefeed, and tab. There are 30 of those. When those are found-and-replaced there are in those 30 instances FULLY 693 REPLACEMENTS! That's a piddling 23.1 characters PER LINE BREAK AND INDENT. Look at 'em, do you see 23.1 averaged characters' breadth in there? Nope. Worse, there are then STILL 30 TABS, which in turn when stripped collapse the text. THAT gets rid of your injection code. THAT CODE is virulent, it is called "screen lock", and while active it is fortunately an incompetent copy.
(5) THE CODE IS RECOGNIZABLE IN THE FIRST INSTANCE AS SUSPICIOUS. The resulting edited text should have a familiar ring to it relating to your opening post. Strip out the gibberish and you have yet another idiot promising money-back in incompetent English to put you number one in Google datadumps, but that's just a guise for spreading the virus:
Sqlinjection: /index.php?route=information/contact?variable_POST=hi lesbricoles team hope you are doing fine. i thought you might like to know some of the reasons why you are not getting enough organic traffic most often you stick to ad words to get more traffic which is quite expensive and the chances is high of getting a spam traffic as well. let me tell you that your website still does not organically rank on major search engine's first page for most of the popular keywords which means people searching for your products are not able to find your website and you are losing traffic. some of the major factors which can be overcome for your website to rank well in serp organically and increase your social media presence are seems like your website carries a lot of technical errors which prevents search engine to crawl and index your website properly. your website needs a proper keyword totoon and optimization. your website is not well furnished with enough quality and theme based back links. your website should be more inclined towards social media promotion and a regular toto in major social networks.%0D%0A5. missing quality web and promotion contents article blogs etc. which is preventing your website to gain more authority and ranking in web market. in the present day scenario it's very essential to take a proper care of your website and keep it toto with fresh and original contents. there are many additional improvements which can help your website to gain more traffic and visibility. if you are interested to learn more and curious to know how we can help you to improve your website to get a higher traffic%2C then i would be glad to provide you a detailed proposal for your website. our services include seo%2C reputation management smo for websites to make them popular in the web market. we have a dedicated google analytics certified team seo professionals who takes care of our campaign process.
our clients consistently tell us that their customers find them because they are on the top of google. being on the top of google is the best thing you can do for your sales and online reputation. this email just tells you the fraction of things we do our optimization process involves many other technical factors which can be sent to you on your request. if you would like to know more about our services then please write us back else you can give us a call us in our number mentioned below. this is our marketing strategy to use a gmail account. once you reply us back we will communicate with you through our corporate email id. let me know your thoughts and looking forward to work together. best regards justin taylor senior seo advisor ph. no 320815-255-085500 skype seo.service this is a onetime email and you may ask us to remove if you are interested i will send details on our identity company profile why you should choose us price list money back etc. in my next mail.
(6) UPSHOT. Turn the bastard in to Google for posing as firstname.lastname@example.org and attempting to inject and spread a virulent but fortunately incompetent copy of a virus known as "screen lock" which is actually active. THAT is what the vast majority of the 631 mostly invisible characters were all about.
(7) UPSHOT. You innocently took a step the bastard counted upon.
(7)(A) IMMEDIATELY DELETE THE LIVE VIRULENT CODE IN YOUR INITIAL POST AND REPLACE IT WITH "[VIRULENT CODE DELETED]" -- that's one reason for posting a screenshot rather than alien code.
(7)(B) ABSOLUTELY DO NOT ATTEMPT TO OPEN THAT FILE, YOU RISK LOCKING YOUR MACHINE. YOUR ANTI-VIRAL SOFTWARE HAS ALREADY FAILED TO SEE IT.
(7)(C) IMMEDIATELY DELETE THE FILE ON YOUR OWN MACHINE from which you plucked the code in your opening post, USING A SECURE SHREDDER BY MALWAREBYTES OR NORTON OR ANYBODY.
(8) Now you can sleep tight tonight.
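The thread's question ("do you think it's a real injection attempt?") comes down to what the blocked POST body actually contains once the %0D%0A and %2C sequences in the CrawlProtect report are URL-decoded. The script below is an added example written for this page; it is not code from either poster and not CrawlProtect's own rule set (which is not shown in the thread). It parses report lines in the "Sqlinjection: <path>?<query>?variable_POST=<body>" shape quoted above, decodes the body, and scans the decoded text for structural SQL tokens (tautologies, UNION SELECT, stacked queries, comment terminators). The two sample lines are constructed: the first is a shortened paraphrase of the SEO spam quoted above, the second is an invented entry that genuinely carries SQL syntax, for contrast. The "form_spam" verdict for long prose with no SQL tokens is the editor's heuristic, not a CrawlProtect category.

```python
import re
from urllib.parse import unquote_plus

# Constructed CrawlProtect-style report lines (added example, not from the thread's
# log verbatim). Line 1 paraphrases the quoted SEO spam, shortened; line 2 is invented
# so that the scanner has a real SQL payload to compare against.
SAMPLE_ENTRIES = [
    ("Sqlinjection: /index.php?route=information/contact?variable_POST="
     "hi team hope you are doing fine. your website still does not rank on major "
     "search engine's first page. your website needs a proper keyword optimization."
     "%0D%0A5. missing quality web contents%2C then i would be glad to provide you "
     "a detailed proposal. best regards justin taylor"),
    ("Sqlinjection: /index.php?route=information/contact?variable_POST="
     "email%3Dx%27%20OR%201%3D1%20UNION%20SELECT%20username%2Cpassword"
     "%20FROM%20oc_user--%20"),
]

# "<rule>: <path>?<query...>"; the path runs up to the first "?"
ENTRY_RE = re.compile(r"^(?P<rule>[A-Za-z]+):\s*(?P<path>\S+?)\?(?P<query>.*)$", re.S)

# Every pattern requires a structural SQL token, so a lone apostrophe in "engine's"
# or the word "or" inside prose does not match on its own.
SQL_PATTERNS = {
    "tautology":     re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "union_select":  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "select_from":   re.compile(r"\bselect\b.+?\bfrom\b", re.I | re.S),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update|alter)\b", re.I),
    "time_based":    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment_tail":  re.compile(r"--\s|--$|/\*"),
}


def extract_post_body(entry):
    """Split a report line into (rule, path, decoded POST body), or None if it
    does not look like a CrawlProtect report line."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return None
    query = m.group("query")
    body = query.split("variable_POST=", 1)[1] if "variable_POST=" in query else query
    # The body is logged URL-encoded (%0D%0A = CRLF, %2C = comma, %27 = quote).
    # Decoding is what makes any SQL tokens visible to the scanner below.
    return m.group("rule"), m.group("path"), unquote_plus(body)


def triage(entry, min_prose_words=25):
    """Classify one report line.

    verdict: "sql_injection" if a structural SQL pattern is present,
             "form_spam" if the body is plain prose of >= min_prose_words words
             (heuristic assumption for this example), "unclear" otherwise,
             "unparsed" if the line is not in the expected shape.
    """
    parsed = extract_post_body(entry)
    if parsed is None:
        return {"verdict": "unparsed", "sql_hits": [], "crlf_count": 0, "decoded_body": ""}
    rule, path, decoded = parsed
    hits = [name for name, rx in SQL_PATTERNS.items() if rx.search(decoded)]
    if hits:
        verdict = "sql_injection"
    elif len(decoded.split()) >= min_prose_words:
        verdict = "form_spam"
    else:
        verdict = "unclear"
    return {
        "rule": rule,
        "path": path,
        "decoded_body": decoded,
        "sql_hits": hits,
        "crlf_count": decoded.count("\r\n"),  # %0D%0A sequences, i.e. form line breaks
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in SAMPLE_ENTRIES:
        r = triage(line)
        print(r["verdict"], r["sql_hits"], "CRLF x%d" % r["crlf_count"])
```

Run it over the lines CrawlProtect writes to its report and the verdict tells you which blocked requests deserve an abuse report to the hosting provider and which are ordinary contact-form spam that the rule caught for a different reason. The patterns are deliberately narrow; widen them with care, since every extra pattern is a new way to block a legitimate customer message.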
First, I didn't open that email because I didn't get it; CrawlProtect blocked it and made the report in my admin panel. That's why I was able to c/p the code.
The 2nd one I posted is from Mexico; the IP is: 18.104.22.168, which was also blocked/reported by CrawlProtect.
I am unable to see the login/post attempt in my cPanel because CrawlProtect denies them as soon as they arrive on the site! The only thing I can see in my cPanel is in the error log, and it says: 22.214.171.124 denied by server configuration. That's as far as they can go!
Opencart v126.96.36.199 fr/en
I actually didn't get around to the second one, which a brief moment ago went poof along with the upper one. Thanky, ya done it good.
[Edit, added:] I was just about to grab the second code sample when it went poof as you edited it out. The second quad-decimal isn't listed with Honeypot but it has a similar mail relay setup:
The second one shows
dsl-189-238-213-247-dyn.prod-infinitum.com.mx (a dsl user, so they can find him and throttle his Easter Bunny)
with a Stateside parent with only two servers:
Web Server 188.8.131.52 USA - California OVERSEE-NET-2 Oversee.net 184.108.40.206 220.127.116.11 Oversee.net, 515 S. Flower St, Suite 4400, Los Angeles email@example.com firstname.lastname@example.org +1-213-408-0080 ARIN
Mail Server 18.104.22.168 USA - Virginia DL-6 Deteque LLC 22.214.171.124 126.96.36.199 Deteque LLC, 5211 Ballycastle Circle, Alexandria email@example.com firstname.lastname@example.org +1-703-362-0067 ARIN
Name: Admin -
Organization: Oversee Domain Management, LLC
Address: 515 S. Flower Street, Suite 4400
City, Province, Post Code: Los Angeles, California, 90071
Abuse Desk Email Address: email@example.com
Whoo hoo! Calm down! You might not even be able to get at the Apache and FTP logs via cPanel, Plesk, or equivalent; it's often necessary to get them from support. However, what CrawlProtect gave you to look at is live, so go into the control panel and get rid of it there, too, and if you can't do that then ask support to get rid of it. If it's fed to the control panel from your shop (where CrawlProtect presumably snoozes in its own directory), then you can go in via FTP and put a Linux axe through the file there, by way of its timestamp. That damned thing is live, virulent, and active, just waiting to be spread by whatever means. It went from CrawlProtect to control panel to your machine (^C^V) and to your post. From there it was in safe hands, I have means of summary expungement, and war is war. ("Don't try this at home.")
Why?

"You might not even be able to get at the Apache and FTP logs via cPanel, Plesk, or equivalent"

"what CrawlProtect gave you to look at is live, so go into the control panel and get rid of it there, too, and if you can't do that then ask support to get rid of it"
Whoo hoo! It's just a picture/image of it! I didn't get it and I didn't look at it! It's not on the server because it couldn't access it!
As a matter of fact you are wrong! It didn't go to CrawlProtect; CP stopped it, made an image of it and posted that image in my CP report file. It's not in the control panel, and it's not on my machine either! The file is blocked as soon as it tries to access the server and redirected to a "You do not have permission to access this site" file!

"That damned thing is live, virulent, and active, just waiting to be spread by whatever means. It went from CrawlProtect to control panel to your machine"
Every time I get something like that (SQL or code injection attempt) I report them to the web hosting and they add the IP to their block list too. They also added more security a few weeks ago and installed an antivirus for us so we can scan our web site.
I'm not in the paranoid stage yet!
Opencart v188.8.131.52 fr/en