Post by butte » Sun Jun 23, 2013 1:17 am

Just empty it and save it with 0 byte, then slip it back into place, literally as index.html in name.extension only.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Sun Jun 23, 2013 4:29 am

Ok, thanks

Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Sun Aug 25, 2013 11:10 pm

One instance of text ".jpg" is executable, http://forum.opencart.com/viewtopic.php ... 00#p429300

When there is a double-extension it is capable of being parsed and then run as .php, so the prevention for that is to bar double-extensions. Many servers do prevent it, except where they utilize the usual *.sql.zip format for Import/Export of databases (WITHIN phpMyAdmin) or where resident OC or other programs hash files (adding gibberish to names AFTER those are taken in but before completing storage on disc) to prevent unauthorized downloads. A gibberish.jpg.gibberish file (for example even without .php in it) has two .extensions, both known to the hacker, thus potentially parsed and manipulated to fire as .php instead. Below is an example to prevent it; the comeback would be to reparse the "_". They never sleep, they're everywhere at once.

To keep the thought here in case the link http://docs.cksource.com/CKFinder_2.x/D ... extensions eventually disappears, its text is:

Dealing with Double File Extensions

Due to security issues with Apache modules it is recommended to leave the following setting enabled:

$config['CheckDoubleExtension'] = true ;

How does it work? Suppose the following scenario:

If php is added to the denied extensions list, a file named foo.php cannot be uploaded. If rar (or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar. The file foo.php.rar has a rar extension so in theory, it can also be uploaded.

Under some circumstances Apache can treat the foo.php.rar file just like any other PHP script and execute it. If CheckDoubleExtension is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar will be renamed into foo_php.rar.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Tue Sep 17, 2013 5:01 pm

Hello

Someone tried to access my site by typing this:

Code: Select all

public_html/\xd7\xa9\xd7\x92\xd7\xa6\xd7\x9f\xd7\x9e.
is this an attempt of some sort?

Tks
Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Tue Sep 17, 2013 10:20 pm

Yes. Inept, but an attempt. Look at your tree for any .dirnames and 777s.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Tue Sep 17, 2013 10:52 pm

Thanks for the reply

Are you sure it's an attempt? I want to be sure because the person with that ip sent threats emails about messing my site and that same person tried 10 times with different link including that one! But the server denied the address because I blocked it through cpanel and crawlprotect.

Regards
Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Tue Sep 17, 2013 11:10 pm

Yes, sure -- and all the more so with that added tidbit about the address. That it is via http underscores importance of looking at your tree(s) for oddments such as .dirnames, 777s, strange (alien) whatevername.php files, etc.. At the moment look explicitly for that string, in escaped hexadecimal public_html/\xd7\xa9\xd7\x92\xd7\xa6\xd7\x9f\xd7\x9e may mean more than meets the eye. Among d7a9d792d7a6d79fd79e the d7 repeats, suggesting that d7\x is important to him, and following that with the other "n\x" may mean something like parsing by d, a, d, 9, d, a, d, 9, d, 9 spaces in order to drop a double-extension and gibberish in order fire a php file, for example. (Note double extensions and denied extensions in 5th post above, http://forum.opencart.com/viewtopic.php ... 22#p431729 .)

Your problem now is to prevent both attempted code signatures and addresses (see PM). Threats will be taken very seriously by Canadian authorities.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Tue Sep 17, 2013 11:31 pm

That cuts it. The proxy is Israeli and jibes with the letter. Let Canadian and Israeli authorities and OC Support know that you have an extension author who seems incompetent even to understand reasonable ground for refund, and who moreover has literally threatened "insurgence code" in writing followed by a logged attempt and is for want of a better word whacko. Maybe somebody will put him in a rubber room with a wooden watch soon enough. [Also squash what will really hurt by additionally informing PayPal in your complaint there -- it is written, by him, along with the logs his machine helped to write in proper timeframe for the purpose.]

Back with crosslink in a moment. [. . . two.] We had this: http://forum.opencart.com/viewtopic.php ... 52#p438252 . We now also have this: http://forum.opencart.com/viewtopic.php ... 86#p438386 .
Last edited by butte on Wed Sep 18, 2013 7:37 am, edited 3 times in total.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Tue Sep 17, 2013 11:40 pm

@butte

OC support already know but I didn't want to give too much details here in the forum about "who" and "for what reason" that's why I didn't post it :(


tks
Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Tue Sep 17, 2013 11:45 pm

Note edit. See PM. He went overboard, others need to know not to go there. If he had a weapon in public the logic would be the same. Here he is known and actually is hacking. [He is literally already attempting to retaliate, not to fix the website, which before his extension and he came along worked.] [The pattern is more intricate than what is showing here as the overall point.]

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Wed Sep 18, 2013 12:32 am

Well looks like he's not as busy as he said because he tried again 10 more times :(

He should have take this time to fix the problem, that would have save a lot of s..... :(

Oh well time to take more action I believe.

Someone just told me that we have a good service here in Canada about those kind of person, and my web host like to play with those kind of (do you call that a person?)
Last edited by Cleo on Wed Sep 18, 2013 11:56 pm, edited 1 time in total.

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Wed Sep 18, 2013 12:39 am

He is an example of a bettered village idiot after something was made idiot-proof. Person, no; primate, technically yes.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by Cleo » Wed Sep 18, 2013 12:45 am

One thing I'm sure of is that he really his a hardheaded man! Too bad he's not that way for fixing problem! It would have been done a long time ago! (10 days)

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by butte » Wed Sep 18, 2013 1:40 am

Mounties have several hallmarks, even the inattentive ones do not let go, even the little ones are enormous, and even the dumb ones are exceedingly bright. They always get their man and are actually quite politely professional about it all.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Wed Sep 18, 2013 8:33 am

From networking perspective the threat seems both contained and defused. Logs do facilitate preventive measures. What can be done among .htacess, cpanel, and crawlprotect, etc., can work very well, and servers do take an interest in seeing it through.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Thu Sep 26, 2013 1:44 am

NEW HACKING into /download/ . . . This time there is a hacking console, German, not as fully and viciously featured as a certain Russian one but able to change directories and permissions, see all files, drop below public directory, download and upload files, and create files. Equipped with "shift" php to fiddle with double-extensions. This one with some support files along with it is an example of shifting filespecs to execute the php in a double-extension or even, as here, a multiple-extension (above, http://forum.opencart.com/viewtopic.php ... 60#p431729). THIS is the sort of thing we were waiting not to see, and now we are seeing it.

(A) SPECS . . .

05,260 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg.20a416d912c0d410f3af3a30a46b1338
46,663 Merch Aslum price list-1.xlsx.89fa80a366e6288f338cc13b34fa9103
00,631 route.php.jpg.4f9d4b6f659749f06564c482933d2889
70,095 111111111.php&#;.jpg.252e60290b076ee4942522cc2c2dda7f
70,095 x.php&#;.jpg.da376bced89a38f9264fb0d7746b4ea2
70,095 x.php&#;.jpg.f1750ea84490c52c426682e4af8b86e4

(B) "OBNOXIOSITY" . . .

MALICIOUS, INJECTION, IMPOTENT, 5.3 KB:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg.20a416d912c0d410f3af3a30a46b1338

MALICIOUS, INJECTION, 0.6 KB:
route.php.jpg.4f9d4b6f659749f06564c482933d2889

MALICIOUS, COMPILED/MINIFIED, 46.7 KB:
Merch Aslum price list-1.xlsx.89fa80a366e6288f338cc13b34fa9103

HIGHLY MALICIOUS, PROUD OF HIMSELF PLUS INJECTION AND EXTENSION-SHIFTING WITH SUPPORT FILES FOR THAT, HACKING CONSOLE ITSELF, 70.1 KB:
x.php&#;.jpg.da376bced89a38f9264fb0d7746b4ea2
x.php&#;.jpg.f1750ea84490c52c426682e4af8b86e4
111111111.php&#;.jpg.252e60290b076ee4942522cc2c2dda7f

(C) The latter three are identical except in name, and as [anything].php execute. When such files are found, delete them, they are addressable in /download/ via http. If you use vqmod, install MarketInSG's utility (above, http://forum.opencart.com/viewtopic.php ... 20#p403255, his http://forum.opencart.com/download/file.php?id=16828), otherwise rename /download/. If one is a console, immediately check integrity of .htaccess (or rename .htaccess.txt to .htaccess -- with basedir / properly set), change database password, rename /download/ if not using the utility, change both config.php to match those changes. LEARN your tree, you are the foremost scanner for whatever does not belong, and for wrong permissions (yet, again, directories 755, files 644 -- or better, IF you know what you are doing ON your own server, Linux distributions have their own idiosyncrasies). THIS VERSION of THIS CONSOLE file is 70 kb; variants of the vicious Russian one range 29 kb to 43 kb.

(D) This is not a fault in OC itself. ALL web software has some directories and files with basic names that are readily guessed and tested. It is not practical (not sane, either) to avoid using any word in any dictionary. You can rename /download/ and make the corresponding changes in both config.php files as soon as you install OC, just as you can rename and make those changes for /admin/. Be certain to activate .htaccess (rename .htaccess.txt -- with basedir / properly set), as well as to remove /install/, when installation or upgrade is done.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Tue Oct 29, 2013 3:25 am

New attack, name-shifted executable attacks, active in a set of carts. Same essential routine, text fake .jpg and live .php, with 777 dirs and 755 files where there should be none, with a novel twist, 677 files, notably all of .htaccess, configs, logs, caches vulnerably exposed, showing a tad how it was done from outside. Stopped. More later.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Sat Nov 09, 2013 2:08 pm

New means of attack, in a set of carts. Same basic fake *.jpg.* plus two cleaned fully executable route.php.jpg.* name-shifted, all bearing the same block of exec(base64_decode for sessions with live echos looping foreach with outbuf, outstr, and htmlentities, augmented by new twists, an index.php_route=download%2Fdownload%2Fdownload.txt and scattered 776 along with usual wrong 777 and others. Stopped.

2013 oct 06 17:40 5,260 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jpg.12914fd30fb0c47d55aa0333e97550b3
2013 oct 06 17:40 0,631 route.php.jpg.c7111e0089b6802da4bd5f4a3388fc1a
2013 oct 06 17:40 0,631 route.php.jpg.9eb3fbb104e57829f1f3995470fa49d9
2013 oct 19 13:04 0,000 index.php_route=download%2Fdownload%2Fdownload.txt

In the latter instance size does not matter if its filespec simply reflects (back) three foreach finds or name-shifts for the sake of confirming the other three during http connection lasting under 2 sec..

Not any fault of OC, no .htaccess file(s) armed, files addressable at will.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am

Post by butte » Sat Nov 09, 2013 2:55 pm

An interesting aspect of the global dispersion and frequency of occurrences of the fake jpg attacks is that whether exploration is manual or robotic for commonplace /upload/, /download/, /install/, /admin/, and other targets, the relative efficiencies of discovery and mischief are the greater by robotic means. Apache logs in these instances often show common robots arriving as though sharks to blood, but those four directories are variably called and either visited or denied. Some of the robots seem not to be big guys. Frequencies of quad-decimal addresses in logs may be a way to simplify banning some of the little evil ones given to occasional and short visits.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am
Who is online

Users browsing this forum: No registered users and 7 guests