Post by milezteg » Wed Jul 09, 2014 5:22 am

RE: http://en.securitylab.ru/lab/PT-2012-34

We're running a heavily modified version of OC 1.5.4. I'm dreading doing an update to the latest version due to all of our modifications. That said, after looking at my web logs and seeing a TON of strange proxy addresses, I think we are being attacked using the exploit linked above. I think the brute force is literally happening as I type this.

Could someone help me to identify what code needs to be modified to close the exploit listed above? Would really appreciate it!


Post by victorj » Wed Jul 09, 2014 5:31 am

Most of the time they are just bots trying to find a hole. Copy one of those URLs listed in the logs and check how your site handles that request; it should say "404 requested page not found". If so, you're safe.

Having said that, it eats a lot of traffic and processor time off your site.
In your logs you can find IP addresses.
Just add this rule to your .htaccess:
deny from xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx stands for the IP address found in the logs.

Just keep checking your logs and keep adding IP addresses, and in a short while you will get rid of these attacks.

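The triage loop victorj describes (copy a suspicious URL from the logs, confirm the response status, collect the offending IPs, append deny rules to .htaccess) as an added worked example in Python; this is not code from the original posts or from OpenCart. The access-log lines are constructed, the thresholds are assumptions, and the distributed-POST detector generalizes the "keep adding addresses" advice to the Tor/proxy-pool case raised later in the thread, where one address at a time is not enough.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from the original post). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the "strange proxy addresses".
SAMPLE_LOG = """\
192.0.2.5 - - [09/Jul/2014:05:10:01 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Jul/2014:05:10:02 +0000] "POST /index.php?route=account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jul/2014:05:11:00 +0000] "GET /probe/one HTTP/1.1" 404 312 "-" "python-requests/2.3"
203.0.113.10 - - [09/Jul/2014:05:11:01 +0000] "GET /probe/two HTTP/1.1" 404 312 "-" "python-requests/2.3"
203.0.113.10 - - [09/Jul/2014:05:11:02 +0000] "GET /probe/three HTTP/1.1" 404 312 "-" "python-requests/2.3"
203.0.113.11 - - [09/Jul/2014:05:12:00 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
203.0.113.11 - - [09/Jul/2014:05:12:01 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
203.0.113.12 - - [09/Jul/2014:05:12:02 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
203.0.113.12 - - [09/Jul/2014:05:12:03 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
198.51.100.7 - - [09/Jul/2014:05:12:04 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
198.51.100.7 - - [09/Jul/2014:05:12:05 +0000] "POST /index.php?route=account/login HTTP/1.1" 200 2100 "-" "curl/7.30"
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_scanners(entries, min_404=3):
    """IPs that collected at least min_404 'not found' responses: bots probing for a hole."""
    misses = Counter(e["ip"] for e in entries if e["status"] == "404")
    return {ip for ip, n in misses.items() if n >= min_404}


def find_distributed_bruteforce(entries, min_attempts=2, min_sources=3):
    """Paths that several distinct IPs each POST to repeatedly (the proxy / Tor pattern).

    Returns {path: set_of_offending_ips}. A single legitimate login (one POST from one
    address) never reaches min_attempts, so it is not listed. Thresholds are assumptions.
    """
    attempts = defaultdict(Counter)  # path -> Counter(ip -> POST count)
    for e in entries:
        if e["method"] == "POST":
            attempts[e["path"]][e["ip"]] += 1
    hits = {}
    for path, per_ip in attempts.items():
        offenders = {ip for ip, n in per_ip.items() if n >= min_attempts}
        if len(offenders) >= min_sources:
            hits[path] = offenders
    return hits


def htaccess_rules(ips, apache24=False):
    """Render block rules in the Apache 2.2 'deny from' form used in the post, or the 2.4 form."""
    ordered = sorted(ips)
    if apache24:
        body = "\n".join("    Require not ip %s" % ip for ip in ordered)
        return "<RequireAll>\n    Require all granted\n%s\n</RequireAll>\n" % body
    return "order allow,deny\n" + "".join("deny from %s\n" % ip for ip in ordered) + "allow from all\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    bad = set(find_scanners(entries))
    for path, ips in find_distributed_bruteforce(entries).items():
        print("distributed POST traffic against %s from %d sources" % (path, len(ips)))
        bad |= ips
    print(htaccess_rules(bad))
```

Two caveats for anyone running this against real logs. The `deny from` form is the Apache 2.2 (mod_access_compat) syntax; on Apache 2.4 use the `Require not ip` block the `apache24=True` branch emits. And a 404 for a replayed URL only shows that that particular path does not exist on your install; it says nothing about whether the code the linked advisory describes has been fixed, and per-address blocking does not scale against a large proxy pool or Tor exit nodes, which is the objection raised in the next reply.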

Post by milezteg » Wed Jul 09, 2014 5:35 am

Thanks but that is really not a good solution. They are using Tor and the list of proxy servers is huge. I'd much rather just block the hole by replacing the offending code which was fixed in an upstream update to OC.


Post by victorj » Wed Jul 09, 2014 6:08 am

Upgrading can be a good way to go, but trying to block suspicious attackers is also a way to go.
I use both methods, and also block ranges of IP addresses coming from Russia, China, Vietnam etc., as they are not going to provide any customers or interesting sales, just to get rid of unnecessary traffic and possible attacks.

I also did read the article (it has been around quite a while), and although there might be some truth in it, I also did see these attacks on my sites, but when replicating the URLs found in the logs, OpenCart always returned the right page saying that it could not be found.
I personally think that this article is over-exaggerated and written by someone who has a grudge against OpenCart.


Post by rph » Wed Jul 09, 2014 6:25 am


-Ryan



Post by milezteg » Wed Jul 09, 2014 6:43 am

@rph: you're my hero, thanks a lot sir!


Post by Gamesol » Thu Jul 10, 2014 3:51 am

@victorj

I gained some insight from your detailed guided posts, thank you.

