Recurring URL Code From One IP - What Could It Mean?

Hi,

I check visitor paths occasionally and found over 200 variations of the following URLs from one IP address.

Does anyone know what they are trying to do? Looks suspicious.

Thanks,

Bob

			
/login/?return_url=index.php%25%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+hahY
/index.php?dispatch=orders.search%29+AND+%28SELECT+5361+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x7171706271%2C%28SELECT+%28ELT%285361%3D5361%2C1%29%29%29%2C0x7170787171%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%289839%3D9839

Seeing that it's using SQL terminology, I would say they are trying to find a vulnerability in the database.

Someone is trying to perform a "SQL Injection Attack". CS-Cart is pretty well protected against this, but you should probably block that IP just to annoy them...

Agree, someone wants to hack you. Please make sure that all security patches are installed on your store. They can be found in the File area in CS-Cart HelpDesk.

Hello,

Yes, it did look like a SQL injection attack. It lasted 4 minutes. I saved all the URLs to Excel. Not sure if anyone could use it to see if current protection would block the attack. I am using CS-Cart 4.3.5 and believe I applied all patches that were made available.

But, how would I know if the hack was successful or not?

I did block the IP address. According to one site using WHOIS.AFRINIC.NET, the address is Trump Tower, Panama; another WHOIS shows that the IP is in Amsterdam.

I have the last URL, which looks like a succession of increasing complexity of attempts. Could the last one be the successful one?

I was going to post, but decided not to.

Thanks,

Bob
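A triage sketch for a saved list of request paths like the two posted at the top of this thread, added here as an example (not code from any poster or from CS-Cart): it URL-decodes each path, labels the SQL fragments it contains, counts them per client IP, and decodes the `0x...` literals into the delimiter strings the probe wraps around its output, which are worth searching for in web and database error logs. The function names, the IP addresses (documentation ranges) and the benign third record are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures for the SQL fragments visible in the two posted paths.
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "error_based_floor_rand": re.compile(r"FLOOR\(\s*RAND\(", re.I),
    "schema_enumeration": re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
    "boolean_tautology": re.compile(r"\b(\d+)=\1\b"),
    "trailing_sql_comment": re.compile(r"--\s"),
}
# Hex string literals such as 0x7171706271 (whole bytes only).
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

def classify(path):
    """Return the sorted signature names matched by the URL-decoded path."""
    decoded = unquote_plus(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def hex_markers(path):
    """Decode 0x... literals in the path to the text they represent."""
    decoded = unquote_plus(path)
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(decoded)]

def summarize(records):
    """Count matched signatures per client IP from (ip, path) pairs."""
    per_ip = defaultdict(Counter)
    for ip, path in records:
        per_ip[ip].update(classify(path))
    return {ip: dict(c) for ip, c in per_ip.items() if c}

# Constructed records: the first two paths are the ones posted in this thread,
# the IPs are documentation addresses, the third record is an ordinary request.
SAMPLE = [
    ("203.0.113.7", "/login/?return_url=index.php%25%27+UNION+ALL+SELECT+NULL"
     "%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+hahY"),
    ("203.0.113.7", "/index.php?dispatch=orders.search%29+AND+%28SELECT+5361+"
     "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x7171706271%2C%28SELECT+%28ELT"
     "%285361%3D5361%2C1%29%29%29%2C0x7170787171%2CFLOOR%28RAND%280%29%2A2%29"
     "%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%289839%3D9839"),
    ("198.51.100.20", "/index.php?dispatch=products.view&product_id=12"),
]

if __name__ == "__main__":
    for ip, path in SAMPLE:
        print(ip, classify(path), hex_markers(path))
    print(summarize(SAMPLE))
```

The request path alone does not show whether a probe succeeded; the labels only tell you which responses and error-log entries from those four minutes to look at.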

CS-Cart is protected from such attacks. Just in case, make a full backup and monitor the situation.

Most likely this is being done through a chain of proxy servers. Getting to an originating IP address will be difficult. You can block countries where you don't want/expect business from by using an IP mask. But otherwise, you will simply need to rely on CS-Cart's SQL injection protection.

Backups are good as long as the backups don't contain any intrusion.

Personally, I'd suggest using our EZ Admin Helper and turning on the "Monitor Files" reporting daily. It won't generate false positives like the built-in core files monitor and it will monitor all files (directories can be excluded if you're overwhelmed by changes to images and other file-based changes). Additionally, there is a scan for known CS-Cart security intrusions that can detect if these have occurred on your site. For $35, it's a pretty good tool.

Thanks for all your input.

Not knowing if there was a hack, I restored a full backup from a couple of days before I saw the attempted hack.

Bob