on: 04 December 2016, 11:05:05
Hello everyone,
I'm rather seriously worried here!!! I have the following log file in the shop's log directory:
#####################################
2016-12-03 04:29:39
URL: www.xxxx.de/products_new.php
#####################################
The modified Shopsoftware has detected that somebody tried to send information to your site that may have been intended as a hack.
Do not panic, it may be harmless: maybe this detection was triggered by something you did! Anyway, it was detected and blocked.
The suspicious activity was recognized in /homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx/includes/xss_secure.php on line 117, and is of the type modified eCommerce Shopsoftware - Security Alert.
Additional information given by the code which detected this: Intrusion detection.
Below you will find a lot of information obtained about this attempt, that may help you to find what happened and maybe who did it.
=====================================
Information about this user:
=====================================
This person is not logged in.
IP numbers: [note: when you are dealing with a real cracker these IP numbers might not be from the actual computer he is working on]
IP according to HTTP_CLIENT_IP:
IP according to REMOTE_ADDR: 103.47.194.42
IP according to GetHostByName(103.47.194.42): 103.47.194.42
=====================================
Information in the $_REQUEST array
=====================================
REQUEST * page : 24 and 1=1
REQUEST * MODsid : cc375895b49fafe2xxxxxx08dxxxxx
=====================================
Information in the $_GET array
This is about variables that may have been in the URL string or in a 'GET' type form.
=====================================
GET * page : 24 and 1=1
=====================================
Information in the $_POST array
This is about visible and invisible form elements.
=====================================
=====================================
Browser information
=====================================
HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.3.04b)
BROWSER * 0 :
=====================================
Information in the $_SERVER array
=====================================
SERVER * REDIRECT_UNIQUE_ID : WEI8I9TjGCYAAG-hL6kAAAAM
SERVER * REDIRECT_DOCUMENT_ROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
SERVER * REDIRECT_UI_SUEXEC_DEFAULT_CHROOT_ID : 0
SERVER * REDIRECT_UI_SUEXEC_FSTATD_UNIXSOCKET : /run/ui-fstatd.suexec.socket
SERVER * REDIRECT_HTTPS : on
SERVER * REDIRECT_DBENTRY_HOST : xxxx.de
SERVER * REDIRECT_DBENTRY_VALUE : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
SERVER * REDIRECT_DBENTRY_DOCROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
SERVER * REDIRECT_DBENTRY_HASH : d0000
SERVER * REDIRECT_DBENTRY__CPU : 60
SERVER * REDIRECT_DBENTRY__MEM : 524288
SERVER * REDIRECT_DBENTRY__CGI : 786762
SERVER * REDIRECT_DBENTRY__NPROC : 16
SERVER * REDIRECT_DBENTRY__TAID : 35967634
SERVER * REDIRECT_DBENTRY__LANG : 0
SERVER * REDIRECT_DBENTRY__STAT : 1
SERVER * REDIRECT_DBENTRY__CHROOT : 7
SERVER * REDIRECT_DBENTRY : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
SERVER * REDIRECT_HANDLER : x-mapp-php5
SERVER * REDIRECT_STATUS : 200
SERVER * UNIQUE_ID : WEI8I9TjGCYAAG-hL6kAAAAM
SERVER * UI_SUEXEC_DEFAULT_CHROOT_ID : 0
SERVER * HTTPS : on
SERVER * DBENTRY_HOST : xxxx.de
SERVER * DBENTRY_VALUE : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
SERVER * DBENTRY_DOCROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
SERVER * DBENTRY_HASH : d0000
SERVER * DBENTRY__CPU : 60
SERVER * DBENTRY__MEM : 524288
SERVER * DBENTRY__CGI : 786762
SERVER * DBENTRY__NPROC : 16
SERVER * DBENTRY__TAID : 35967634
SERVER * DBENTRY__LANG : 0
SERVER * DBENTRY__STAT : 1
SERVER * DBENTRY__CHROOT : 7
SERVER * DBENTRY : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
SERVER * HTTP_HOST : www.xxxx.de
SERVER * HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.3.04b)
SERVER * HTTP_ACCEPT : */*
SERVER * HTTP_COOKIE : MODsid=cc375895b49fafe25ca1cxxxxxx
SERVER * PATH : /bin:/usr/bin
SERVER * SERVER_SIGNATURE :
SERVER * SERVER_SOFTWARE : Apache
SERVER * SERVER_NAME : xxxx.de
SERVER * SERVER_ADDR : 212.xxx.xx.xx
SERVER * SERVER_PORT : 443
SERVER * REMOTE_ADDR : 103.47.194.42
SERVER * DOCUMENT_ROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
SERVER * REQUEST_SCHEME : https
SERVER * CONTEXT_PREFIX : /system-bin/
SERVER * CONTEXT_DOCUMENT_ROOT : /kunden/usr/lib/cgi-bin/
SERVER * SERVER_ADMIN : webmaster@xxxx.de
SERVER * SCRIPT_FILENAME : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx/products_new.php
SERVER * REMOTE_PORT : 58822
SERVER * REDIRECT_QUERY_STRING : page=24%20and%201%3D1
SERVER * REDIRECT_URL : /products_new.php
SERVER * GATEWAY_INTERFACE : CGI/1.1
SERVER * SERVER_PROTOCOL : HTTP/1.1
SERVER * REQUEST_METHOD : GET
SERVER * QUERY_STRING : page=24%20and%201%3D1
SERVER * REQUEST_URI : /products_new.php?page=24%20and%201%3D1
SERVER * SCRIPT_NAME : /products_new.php
SERVER * STATUS : 200
SERVER * ORIG_PATH_INFO : /products_new.php
SERVER * ORIG_PATH_TRANSLATED : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx/products_new.php
SERVER * PHP_SELF : /products_new.php
SERVER * REQUEST_TIME_FLOAT : 1480735779.3944
SERVER * REQUEST_TIME : 1480735779
SERVER * argv : Array
SERVER * argc : 1
=====================================
Information in the $_ENV array
=====================================
ENV * REDIRECT_UNIQUE_ID : WEI8I9TjGCYAAG-hL6kAAAAM
ENV * REDIRECT_DOCUMENT_ROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
ENV * REDIRECT_UI_SUEXEC_DEFAULT_CHROOT_ID : 0
ENV * REDIRECT_UI_SUEXEC_FSTATD_UNIXSOCKET : /run/ui-fstatd.suexec.socket
ENV * REDIRECT_HTTPS : on
ENV * REDIRECT_DBENTRY_HOST : xxxx.de
ENV * REDIRECT_DBENTRY_VALUE : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
ENV * REDIRECT_DBENTRY_DOCROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
ENV * REDIRECT_DBENTRY_HASH : d0000
ENV * REDIRECT_DBENTRY__CPU : 60
ENV * REDIRECT_DBENTRY__MEM : 524288
ENV * REDIRECT_DBENTRY__CGI : 786762
ENV * REDIRECT_DBENTRY__NPROC : 16
ENV * REDIRECT_DBENTRY__TAID : 35967634
ENV * REDIRECT_DBENTRY__LANG : 0
ENV * REDIRECT_DBENTRY__STAT : 1
ENV * REDIRECT_DBENTRY__CHROOT : 7
ENV * REDIRECT_DBENTRY : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
ENV * REDIRECT_HANDLER : x-mapp-php5
ENV * REDIRECT_STATUS : 200
ENV * UNIQUE_ID : WEI8I9TjGCYAAG-hL6kAAAAM
ENV * UI_SUEXEC_DEFAULT_CHROOT_ID : 0
ENV * HTTPS : on
ENV * DBENTRY_HOST : xxxx.de
ENV * DBENTRY_VALUE : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
ENV * DBENTRY_DOCROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
ENV * DBENTRY_HASH : d0000
ENV * DBENTRY__CPU : 60
ENV * DBENTRY__MEM : 524288
ENV * DBENTRY__CGI : 786762
ENV * DBENTRY__NPROC : 16
ENV * DBENTRY__TAID : 35967634
ENV * DBENTRY__LANG : 0
ENV * DBENTRY__STAT : 1
ENV * DBENTRY__CHROOT : 7
ENV * DBENTRY : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx:d0000#CPU 60 #MEM 524288 #CGI 786762 #NPROC 16 #TAID 35967634 #LANG 0 #STAT 1 #CHROOT 7
ENV * HTTP_HOST : www.xxxx.de
ENV * HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; generic_01_01; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.3.04b)
ENV * HTTP_ACCEPT : */*
ENV * HTTP_COOKIE : MODsid=cc375895b49fafxxxxxxxx50bxxxxxxx
ENV * PATH : /bin:/usr/bin
ENV * SERVER_SIGNATURE :
ENV * SERVER_SOFTWARE : Apache
ENV * SERVER_NAME : xxxx.de
ENV * SERVER_ADDR : 212.xx.xx.xx
ENV * SERVER_PORT : 443
ENV * REMOTE_ADDR : 103.47.194.42
ENV * DOCUMENT_ROOT : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx
ENV * REQUEST_SCHEME : https
ENV * CONTEXT_PREFIX : /system-bin/
ENV * CONTEXT_DOCUMENT_ROOT : /kunden/usr/lib/cgi-bin/
ENV * SERVER_ADMIN : webmaster@xxxx.de
ENV * SCRIPT_FILENAME : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx/products_new.php
ENV * REMOTE_PORT : 58822
ENV * REDIRECT_QUERY_STRING : page=24%20and%201%3D1
ENV * REDIRECT_URL : /products_new.php
ENV * GATEWAY_INTERFACE : CGI/1.1
ENV * SERVER_PROTOCOL : HTTP/1.1
ENV * REQUEST_METHOD : GET
ENV * QUERY_STRING : page=24%20and%201%3D1
ENV * REQUEST_URI : /products_new.php?page=24%20and%201%3D1
ENV * SCRIPT_NAME : /products_new.php
ENV * STATUS : 200
ENV * ORIG_PATH_INFO : /products_new.php
ENV * ORIG_PATH_TRANSLATED : /kunden/homepages/xx/xxxxxxxxx/xxxxxx/xxxxxxx/products_new.php
=====================================
Information in the $_COOKIE array
=====================================
COOKIE * MODsid : cc375895b49fafe25ca1xxxxx0xxxxxx
=====================================
Information in the $_FILES array
=====================================
=====================================
Information in the $_SESSION array
This is session info.
=====================================
In another thread:
http://www.modified-shop.org/forum/index.php?topic=36120.msg329426#msg329426 I had already noted massive access from Russia over the last few days and blocked all the IPs via .htaccess as far as possible. This attack here is apparently from Vietnam. I have entered the IP 103.47.194.42 in .htaccess like this: deny from 103.47.194.0/21.
Do I need to worry now? What else can I do? Thanks.
Linkback: https://www.modified-shop.org/forum/index.php?topic=36159.0
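As an added example (not part of the original post and not code from the modified eCommerce project), the following Python script parses an xss_secure.php alert of the kind shown above into structured fields, flags the suspicious GET parameter the way a reviewer would (the `page` parameter is expected to be a plain integer, and the value also matches a boolean-tautology pattern), and checks whether the poster's `deny from` rule actually covers the logged REMOTE_ADDR. The log excerpt and the .htaccess fragment embedded in the script are constructed from the values shown in the post; the set of parameters assumed to be integer-only is an assumption and should be extended for your own shop.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: an abbreviated copy of the modified eCommerce
# "Security Alert" log from the post (redactions kept as in the post).
SAMPLE_LOG = """\
#####################################
2016-12-03 04:29:39
URL: www.xxxx.de/products_new.php
#####################################
=====================================
Information about this user:
=====================================
This person is not logged in.
IP according to HTTP_CLIENT_IP:
IP according to REMOTE_ADDR: 103.47.194.42
=====================================
Information in the $_GET array
=====================================
GET * page : 24 and 1=1
=====================================
Information in the $_SERVER array
=====================================
SERVER * REQUEST_URI : /products_new.php?page=24%20and%201%3D1
SERVER * REMOTE_ADDR : 103.47.194.42
"""

# Constructed .htaccess fragment mirroring the rule the poster added.
HTACCESS = """\
Order allow,deny
Allow from all
deny from 103.47.194.0/21
"""


@dataclass
class Alert:
    timestamp: str = ""
    url: str = ""
    remote_addr: str = ""
    request_uri: str = ""
    get_params: Dict[str, str] = field(default_factory=dict)
    post_params: Dict[str, str] = field(default_factory=dict)


# "SOURCE * key : value" lines; the value may be empty (e.g. SERVER_SIGNATURE).
KV_RE = re.compile(r"^(GET|POST|REQUEST|COOKIE|SERVER|ENV) \* (\S+) :(?: (.*))?$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Matches "24 and 1=1", "x' OR 1=1", "and 'a'='a'" style boolean probes.
TAUTOLOGY_RE = re.compile(r"\b(?:and|or)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.IGNORECASE)

# Assumption: parameters the shop only ever expects as plain integers.
# "page" is the one seen in the post; add your own script's parameters here.
INTEGER_PARAMS = frozenset({"page"})


def parse_alert(text: str) -> Alert:
    """Extract the fields an analyst needs from one xss_secure.php alert block."""
    alert = Alert()
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            alert.timestamp = line
        elif line.startswith("URL: "):
            alert.url = line[len("URL: "):]
        elif line.startswith("IP according to REMOTE_ADDR:"):
            alert.remote_addr = line.split(":", 1)[1].strip()
        else:
            m = KV_RE.match(line)
            if not m:
                continue
            source, key, value = m.group(1), m.group(2), m.group(3) or ""
            if source == "GET":
                alert.get_params[key] = value
            elif source == "POST":
                alert.post_params[key] = value
            elif source == "SERVER" and key == "REQUEST_URI":
                alert.request_uri = value
    return alert


def classify_params(params: Dict[str, str]) -> Dict[str, str]:
    """Map each suspicious parameter name to the reason it was flagged."""
    findings = {}
    for name, value in params.items():
        if name in INTEGER_PARAMS and not value.strip().isdigit():
            findings[name] = "non-numeric value in integer parameter"
        elif TAUTOLOGY_RE.search(value):
            findings[name] = "boolean tautology pattern"
    return findings


def deny_networks(htaccess: str) -> list:
    """Collect the networks from 'deny from' lines (Apache 2.2 mod_authz_host syntax)."""
    nets = []
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            # strict=False masks the host bits, so 103.47.194.0/21 becomes 103.47.192.0/21
            nets.append(ipaddress.ip_network(parts[2], strict=False))
    return nets


def covered_by_deny(ip: str, nets) -> Optional[str]:
    """Return the normalized deny network containing ip, or None if it is not blocked."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def triage(log_text: str, htaccess: str) -> dict:
    """One-shot summary: what was sent, why it is suspicious, and whether the block applies."""
    alert = parse_alert(log_text)
    nets = deny_networks(htaccess)
    return {
        "timestamp": alert.timestamp,
        "url": alert.url,
        "remote_addr": alert.remote_addr,
        "flagged": classify_params({**alert.post_params, **alert.get_params}),
        "blocked_by": covered_by_deny(alert.remote_addr, nets) if alert.remote_addr else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, HTACCESS).items():
        print(f"{key:12}: {value}")
```

Two things the output makes visible that the raw log does not: `ipaddress` (like Apache's mask handling) normalizes `103.47.194.0/21` to `103.47.192.0/21`, so the rule blocks 2048 addresses from 103.47.192.0 to 103.47.199.255, not just the /24 around the attacker; and, since the log itself warns that REMOTE_ADDR need not be the attacker's own machine, the parameter check is the more durable signal to watch for, whichever address it arrives from.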