Post by Cleo » Wed Aug 12, 2015 5:20 am

Last night I had new visitors which I believe you don't want to see!

Code:

10/08/2015 19:38 Xss: /index.php?_route_=go.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /index.php?_route_=away.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /index.php?_route_=&site_language=go&http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /index.php?_route_=redirect.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /index.php?_route_=away&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /redirect.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /go.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 19:38 Xss: /go?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	37.144.40.101	Russie
10/08/2015 17:32 Xss: /index.php?_route_=&site_language=go&http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /index.php?_route_=redirect.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /index.php?_route_=away&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /index.php?_route_=away.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /index.php?_route_=go.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /redirect.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /go.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 17:32 Xss: /go?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	90.180.252.156	Tchéquie
10/08/2015 00:58 Xss: /index.php?_route_=go.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /index.php?_route_=redirect.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /go.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /index.php?_route_=away.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /go?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /redirect.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /index.php?_route_=away&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
10/08/2015 00:58 Xss: /index.php?_route_=&site_language=go&http://pastebin.com/raw.php%3fi=pA3y1PSN	195.88.59.49	Russie
They tried 20 times! I'm really tired of all those attacks!

Were they trying to use the language switcher?

Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0
PHP: 7.3 (ea-php73)



Post by Dhaupin » Thu Aug 13, 2015 11:06 pm

Sorta. They are trying to test for a successful redirect using [untainted] dynamic broadband connections against URL structures of a site/platform/framework/plugin that I do not know. The good news is that it might not be something you need to worry about, unless of course your OC bypasses index.php and uses things like go.php, redirect.php, away.php, etc. OC is an MVC and routes all through index, so def not a stock thing, if anything at all.

So the "_route_=" part you see is Opencart's underlying utility layer for assimilating SEO keywords to the real "route=". So this bot looks to be an automated scanner, meaning they are hastily trying various methods to exploit a redirect. It's not surprising that OC is returning this mashup URL, it's being discombobulated from the SEO keyword mechanism.

Interestingly, they are trying to finish "&site_language=", "&to=" and "&go=" parameters with a pastebin URL as the query, which unless the target platform is very wonky, should not work. The pastebin URL is trying to put this as the query: "ohwairedirect", which upon basic searches doesn't return much. It's probably valid somewhere, like a username or something. Or maybe it's more sinister and they changed the placeholder as needed. Anyways here are some sites that might be more susceptible to this scan...whatever frame they use could be the target:

- charter.net/files/charter/redirect.php?to=webmail
- answers.com/browse/go.php?to=qnc3jL8Se4ODh2cweW4mfI4qGhfGi4DPtl5bZ8onYobqdVEHECN6jGUpAI0Uakbhi_e_R69ne_pQ1ELMgbPGM75oyquHd3dBMt2Veix5NMxp2S9hSRM07TAJzsUiQWUWi8dehgtv0GmhH_Gycy6TJPyDi2RiYN8r
- drive.odometer.com/go.php?to=qnc3jL8Se4MOWq08Jiw_SUE9Y0M__-9Esjq4djSlhnljXk0avWcvuWKwJHRe2-2xJql2Mh2LaL0hER-PvqCHe5vUWm5pPz7z
- serbiancafe.com/click/go.php?to=miketic (maybe this one already got juiced)
- myndbook.com/go.php?to=207_886
- doc.owncloud.org/server/8.0/go.php?to=admin-dir_permissions
- meezoog.com/zp/go.php?to=lobby

Use Bing to find more, it's slightly better than Google for "dumb searches" on things like URLs or code snippets.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.

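To make the pattern Dhaupin describes concrete, here is an added example (not code from the thread, OpenCart or CrawlProtect) that parses report lines in the same format as Cleo's log, flags requests whose redirect-style parameter (or the stray "&http://..." left over from the SEO rewriter) points off-site, and shows the server-side allow-list check that makes such a redirect parameter harmless. The own-host name "example.com", the parameter list and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the CrawlProtect report layout: date time "Xss:" path <TAB> ip <TAB> country.
SAMPLE_LOG = """\
10/08/2015 19:38 Xss: /go.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN\t37.144.40.101\tRussie
10/08/2015 19:38 Xss: /index.php?_route_=go.php&site_language=&http://pastebin.com/raw.php%3fi=pA3y1PSN\t37.144.40.101\tRussie
10/08/2015 17:32 Xss: /redirect.php?to=http://pastebin.com/raw.php%3fi=pA3y1PSN\t90.180.252.156\tTchéquie
10/08/2015 12:00 Xss: /index.php?route=product/product&language=fr\t192.0.2.10\tCanada
"""

OWN_HOST = "example.com"  # assumed shop hostname
REDIRECT_PARAMS = {"to", "go", "url", "redirect", "site_language"}  # assumed parameter names
LINE_RE = re.compile(r"^(\S+ \S+) Xss: (\S+)\t(\S+)\t(.*)$")
ABS_URL_PREFIXES = ("http://", "https://", "//")


def external_targets(path, own_host=OWN_HOST):
    """Return redirect targets inside the request path that point off-site."""
    hits = []
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if key.lower() in REDIRECT_PARAMS and value.startswith(ABS_URL_PREFIXES):
            hits.append(value)                 # e.g. go.php?to=http://...
        elif key.startswith(ABS_URL_PREFIXES):
            hits.append(f"{key}={value}")      # "&http://pastebin.com/raw.php?i=..." parsed as a bare key
    return [t for t in hits if urlsplit(t).hostname not in (None, own_host)]


def scan(log_text):
    """Count off-site redirect probes per source IP over the report lines."""
    probes = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and external_targets(m.group(2)):
            probes[m.group(3)] += 1
    return dict(probes)


def is_safe_redirect(target, own_host=OWN_HOST):
    """Allow-list check a redirect handler should apply before following a user-supplied target:
    only site-relative paths (not protocol-relative "//host") or absolute URLs on our own host."""
    p = urlsplit(target)
    if not p.scheme and not p.netloc:
        return target.startswith("/") and not target.startswith("//")
    return p.scheme in ("http", "https") and p.hostname == own_host


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```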

Post by Cleo » Fri Aug 14, 2015 8:50 am

That's the report of my crawlprotect which blocked them; they were blocked as soon as cp saw the "redirect" or "language=" etc. I don't really care about them, it's just that I'm tired of seeing all those attacks every day! My block list is getting longer every day :)

Cleo


Post by Dhaupin » Sat Aug 15, 2015 12:30 am

Hah yeah, there are plenty of them out there. We ended up throttling all the crap countries (china, russia, ukraine, india, france, brazil, etc) and outright blocking known ASN ranges too. If you want a TON of ips for APF or something, here is a dump from today. BFD is recent abusers in temp ban state, usually reflects trends elsewhere in the internets pretty accurately

https://src.creadev.org/apps/blacklist/ ... ules-aug13


Post by Cleo » Sat Aug 15, 2015 8:35 am

My a.v. won't let me open that page! It says that the certificate "cloudflare-something" is not valid, same message for one of your links!

Could be an invalid warning!

Cleo


Post by Dhaupin » Sat Aug 15, 2015 11:05 pm

Aye we don't support weak ciphers anymore and nor does Cloudflare :) In this case, it's sitting behind a CF certificate, which uses ecdh with a stronger curve. Windows doesn't support XP and therefore you may see that warning in all besides the latest Firefox on that OS. Or, if you are using a newer OS, it could be an outdated browser.

You can access it without https though, at least on the src url.


Post by Cleo » Sun Aug 16, 2015 8:26 am

:crazy: You are right! I was using my old dinosaur with XP! I have a faster one with W8.1 and my laptop with W7 but I'm always going back to the one with XP which I prefer :( I don't know why I can't get used to the other 2 even if they are faster!

Cleo


Post by Cleo » Sun Aug 16, 2015 8:31 am

Wow! I thought my list was kind of long!!!!

I don't think I would be able to add all of them that way in cp; I have a place to add IPs and another one for referers, it's just the IPs followed by a "," and the same for referers.

Cleo


Post by Tulip » Mon Nov 16, 2015 11:13 am

Cleo wrote:Wow! I thought my list was kind of long!!!!

I don't think I would be able to add all of them that way in cp; I have a place to add IPs and another one for referers, it's just the IPs followed by a "," and the same for referers.

Cleo
Cleo,
Your pages are not encrypted.
That means anyone could intercept the information your customers fill out in the forms.
All forms submitting any kind of personal information should be encrypted.

If I'm wrong, please educate me.


Post by Cleo » Mon Nov 16, 2015 11:29 am

@Tulip

I'm not sure about what you are saying because I just checked in my system/setting/server/Encryption Key: and there is a long code there of letters/numbers/etc.!

Cleo


Post by Cleo » Mon Nov 16, 2015 12:12 pm

Tulip wrote:Cleo,
Your pages are not encrypted.
That means anyone could intercept the information your customers fill out in the forms.
All forms submitting any kind of personal information should be encrypted.

Why do you say so? How did you check for the encryption?

Cleo


Post by Tulip » Mon Nov 16, 2015 9:19 pm

Because when I opened one of your forms.....the page was HTTP:// and not HTTPS://

If a hacker REALLY wanted to, they could use a data packet sniffer and just read the information your customers submit.

Remember that when information is transmitted over the Internet, it goes out on lines that are shared by thousands if not millions of others. Like standing in a stadium with a loudspeaker and telling someone specific something. Internet is broadcasting. It's just that it's encapsulated and addressed to a specific IP address and session on the other end.

But hackers know how to intercept and read those packets unless they are encrypted.

So encryption is still like using a loudspeaker to talk to one person in a crowded stadium, but with a secret language that only you and the intended listener can understand.

Another way to think about it is like this.....
Imagine if everyone in a crowded stadium could only communicate by writing a note, placing it in an envelope and writing the SEAT NUMBER of the person they wanted to send the message to....

If the message was written in plain English, anyone "could" open the envelope and read the message....before it got to the seat number you wrote on the outside of the envelope. Encryption is like you using a secret code system to write your message and only the person in the seat number you wrote on the outside of the envelope has the decryption key. :)

That's what the Internet is like...overly simplified of course.


Post by Cleo » Mon Nov 16, 2015 11:36 pm

@Tulip

Thank you for your reply, I don't have SSL yet; that's why there is no HTTPS://

I thought about getting one but they are kind of expensive for a site with really little revenue :(

But I already asked my web host and am waiting for a reply, because my site is bilingual but with 2 different domain names instead of just a language switcher, and my images are in a sub-folder, so maybe I would need a wildcard certificate instead of just a single one, and that I won't be able to afford for sure.

I will see what they will say about it.

Regards

Cleo
