Injection attempts and error

Hello

I found those errors in the error.log:

2015-11-23 17:38:50 - PHP Warning: is_dir() expects parameter 1 to be a valid path, string given in /home/XXXXXXXX/public_html/system/engine/action.php on line 16
2015-11-23 17:38:50 - PHP Warning: is_file() expects parameter 1 to be a valid path, string given in /home/XXXXXXXX/public_html/system/engine/action.php on line 24

And then I found those warning in my security log:



Are those attempt related to the error above?

Regards
Cleo

Whoe, late reply but yes those errors are due to the action.php not being able to understand the paths/parameters/querystrings presented in 2 of those injection attempts. If you look at the code in action.php you will see various replaces of dotslashes, they should line up with the 2 instances of folder traversal upwards (../../../) to get to linux user files (etc/passwd) causing errors in the action lines presented as error (line 16 and 24). This is probably because of the fact they are traversing way above the "DIR_APPLICATION" constant (variable) and out of the scope of the OC app.

Your instance here is def bad, like 99% likely any things like this you see in the future will be too...but keep in mind before you block the IP, sometimes things trying to inject might actually be good scanners testing for vulnerabilities. Examples of this include security companies scanning for weak parts of the web, PCI compliance shooting non-harmful paths, scheduled hosting provider webapp scans, etc.

If you are very careful and conservative with it, and constantly monitor apache error logs, WHM cPanel mod security plugin (mod_sec) with the OWASP ruleset may help to prevent executions like these in the future. Only enable the rule you need though and only in areas you need. Mod_sec is super hardcore...will block Google on a whim under default settings. Keep in mind, half the mod_sec settings are in WHM, there are more available in the domains cPanel interface.

Another angle is Cloudflare pro account. They have a app firewall similar to mod_sec (prob is based on its codebase?) among other cool features such as free SSL everywhere, hassle free CDN, threat throttling, etc.

@Dhaupin

Thank you for the reply.

I always check who/where the IP is coming from before blocking it.

I don't get error often that's why I thought they were related.

I thought about Cloudflare but many people seems to have different problem with it!

I will check it again.

Regards

Cleo

Good deal

Yeah CF can cause a bit of problems if not set up correctly, but its not too bad, and its easier than many other services that use a different type of CDN with lesser SSL systems. Its worth it in my opinion, especially considering they just pushed http/2 to all sites on their service. This should probably be a seperated post, but examples of things you may run into on CF with OC:

- Turn off Rocket Loader everywhere, its too crufty with OC scripts in various places like checkout.

- Use the standard caching level with an 8 day cache (to pass pagespeed). Then turn off caching with a pagerule to *.yoursite.com/checkout/* (and/or *.yoursite.com/index.php?route=checkout/*)

- If you use HTTPS you need to enforce it everywhere, this will eat 1 pagerule but it fixes APPs not understanding whether or not they have SSL mode on. Be careful with the HSTS settings, read what can happen if you set it up too hardcore and happen to decide not to use SSL anymore (locked out). Be careful setting preload or subdomain flags, better to leave them off unless needed.

- If OC is having troubles understanding what is going on in regards to current SSL mode, you may also need to re-write the $this->server method in system/library/request.php to support more HTTPS headers found in various frontend proxies/balancers/clusters. Example for 1.5.6x series....(this is super secret part of pay mod, might have to remove later jk). Replace $this->server = $_SERVER; with:
- Install the CF apache module to re-write visitor IPs correctly....or....use the "CF-Connecting-IP" header to get it at app level (needs re-write). The module works better, but if you are on shared server or something, here is the fix for OC, again found in system/library/request.php. Example, add this before the $this->server stuff in OC 1.5.6x series:
- Optimize your orgin server and OC install. It must have fast responses to CF. You have 90 seconds max to establish connection, and if your server is spooling heavy loads, it may not reply with SYN/ACK in time, causing 1 of the 2 types of timeout errors.

Yeurk!!! Look very complicated for a little old head like mine

I had a look at ssl too because my host is having a really great deal right now: SSL Certificate. Includes a dedicated IP! regular price: $79.95 CAD at 75% Off = $19.99 CAD/yr, which is: $14.97 USD for a year including dedicated IP!

Link if you want to see the deals they have right now!

But because I'm using multistore with subdomain I cannot get that I would need a wildcard certificate which is to expensive for me right now and when I looked at all the change that need to be done for the link I will wait again. Anyway I am not accepting payment on my site everything is done on Paypal site.

It's just for security purpose because google is not pushing to much right now about the SSL, apparently there is only about 2% sites that are using SSL so I believe I can wait a little before getting it!

But thank you for the tips and explanation, but if I decide to go for it I will have to hire someone to do it for me because it looks to complicated for me!

Best regards

Cleo

I understand and dont blame ya. In relativity though, its not really that complicated with a concise explanation Its complicated to do it with nothing, as a pioneer, per-say.

And as far as ssl, cloudflare has free (front facing) wildcard SSLs with bootloads of tweaks you may have to devote much much time/money into making happen (VPS edge) otherwise...the speed of front end proxy alone is worth it more than the ranking benefits of SSL....for now. I dunno just wanted to suggest it.

Thank you for your time and suggestion, I really appreciate. I will save all those informations just in case!

Because to tell you the truth my website is just to keep me busy and help me raise some money to help all the stray cats/dogs around here, to pay for the vet bills, food, etc. I'm not doing it for a living and most of the items I am selling are second hand so I don't make a lot of money and I will never get rich with it!

But I like doing it because I'm learning new things everyday, I get to know nice/helping people like you and others, it keeps me busy and I am helping at the same time. Oh and I'm practicing my English at the same time!
What more could I ask for?

Regards

Cleo