Recurring Url Code From One Ip-What Could It Mean?

 
  • pbannette
  • Senior Member
  • Members
  • Join Date: 09-Aug 07
  • 1035 posts

Posted 12 June 2018 - 11:25 PM #1

Hi,

I check visitor paths occasionally and found over 200 variations of the following URLs from one IP address.

Does anyone know what they are trying to do? Looks suspicious.

Thanks,

Bob

/login/?return_url=index.php%25%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--+hahY
 
/index.php?dispatch=orders.search%29+AND+%28SELECT+5361+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x7171706271%2C%28SELECT+%28ELT%285361%3D5361%2C1%29%29%29%2C0x7170787171%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%289839%3D9839

 

 

 


Version CS-Cart 4.3.5


 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3640 posts

Posted 12 June 2018 - 11:49 PM #2

Seeing that it's using SQL terminology, I would say they are trying to find a vulnerability in the database.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10770 posts

Posted 13 June 2018 - 01:34 AM #3

Someone is trying to perform a "SQL Injection Attack". CS-Cart is pretty well protected against this, but you should probably block that IP just to annoy them....


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.
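
As an added example (not part of the original thread, and not CS-Cart code): decoding the two request lines from the first post shows what each parameter carried once the web server URL-decoded it. The rule names and the `analyse` helper are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The two request lines from the first post; the UNION probe has nine NULL columns.
SAMPLE_REQUESTS = [
    "/login/?return_url=index.php%25%27+UNION+ALL+SELECT+"
    + "%2C".join(["NULL"] * 9) + "--+hahY",
    "/index.php?dispatch=orders.search%29+AND+%28SELECT+5361+FROM%28SELECT+"
    "COUNT%28%2A%29%2CCONCAT%280x7171706271%2C%28SELECT+%28ELT%285361%3D5361"
    "%2C1%29%29%29%2C0x7170787171%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+"
    "INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%289839%3D9839",
]

# Hypothetical rule names; each regex runs on the decoded parameter value.
RULES = [
    ("union-column-probe", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("error-based-groupby",
     re.compile(r"FLOOR\(RAND\(0\)\*2\).*GROUP\s+BY", re.I | re.S)),
    ("schema-access", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
    ("tautology", re.compile(r"\b(\d+)=\1\b")),
]
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)", re.I)

def decoded_params(request):
    """Return (name, value) pairs with %XX and '+' decoded once."""
    return parse_qsl(urlsplit(request).query, keep_blank_values=True)

def analyse(request):
    """List the parameters of one request that carry SQL injection syntax."""
    findings = []
    for name, value in decoded_params(request):
        labels = [label for label, rx in RULES if rx.search(value)]
        if not labels:
            continue
        findings.append({
            "param": name,
            "labels": labels,
            "null_columns": len(re.findall(r"\bNULL\b", value)),
            # Hex literals decoded to the ASCII strings they stand for.
            "markers": [bytes.fromhex(h).decode("ascii", "replace")
                        for h in HEX_LITERAL.findall(value)],
        })
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for finding in analyse(req):
            print(finding)
```

The hex literals in the second request decode to short marker strings wrapped around the injected subquery's output. Finding those strings in a response body or a database error log would mean the payload reached the database.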


 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 17827 posts

Posted 13 June 2018 - 06:23 AM #4

Agree, someone wants to hack you. Please make sure that all security patches are installed on your store. They can be found in the File area in CS-Cart HelpDesk.


GET A FREE QUOTE | CS-Cart Add-ons | CS-Cart Licenses | CS-Cart Development | CS-Cart Design | Server Configuration | UniTheme and YOUPI
CS-Cart                USD 345     Multi-Vendor              USD 1250    CS-Cart RU                         24500 руб.
CS-Cart Ultimate  USD 775     CS-Cart + YOUPI      USD 545      CS-Cart RU + UniTheme    36000 руб.


 
  • pbannette
  • Senior Member
  • Members
  • Join Date: 09-Aug 07
  • 1035 posts

Posted 13 June 2018 - 09:44 AM #5

Hello,

Yes, it did look like a SQL injection attack. It lasted 4 minutes. I saved all the URLs to Excel. Not sure if anyone could use it to see if current protection would block the attack. I am using CS-Cart 4.3.5 and believe I applied all patches that were made available.

But, how would I know if the hack was successful or not?

I did block the IP address. According to one site using WHOIS.AFRINIC.NET, the address is Trump Tower, Panama; another WHOIS shows that the IP is in Amsterdam.

I have the last URL, which looks like a succession of increasing complexity of attempts. Could the last one be the successful one?

I was going to post, but decided not to.

Thanks,

Bob




 
  • eComLabs
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 27-Jan 14
  • 17827 posts

Posted 13 June 2018 - 01:35 PM #6

CS-Cart is protected from such attacks. Just in case, make a full backup and monitor the situation.




 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 10770 posts

Posted 13 June 2018 - 06:42 PM #7

Most likely this is being done through a chain of proxy servers. Getting to an originating IP address will be difficult. You can block countries where you don't want/expect business from by using an IP mask. But otherwise, you will simply need to rely on CS-Cart's SQL injection protection.

 

Backups are good as long as the backups don't contain any intrusion.

 

Personally, I'd suggest using our EZ Admin Helper and turning on the "Monitor Files" reporting daily. It won't generate false positives like the built-in core files monitor and it will monitor all files (directories can be excluded if you're overwhelmed by changes to images and other file-based changes). Additionally, there is a scan for known CS-Cart security intrusions and can detect if these have occurred on your site. For $35, it's a pretty good tool.




 
  • pbannette
  • Senior Member
  • Members
  • Join Date: 09-Aug 07
  • 1035 posts

Posted 13 June 2018 - 09:52 PM #8

Thanks for all your input.

Not knowing if there was a hack, I restored a full back-up from a couple of days before I saw the attempted hack.

Bob

