Yet another hack attempt! Check your logs

greenspun.com : LUSENET : S-Mart Shopping Cart : One Thread

I wanted to let everyone who has their site listed in the board which shows "Sites that use S-Mart" know that they should check their logs and see if they have been hacked.

This morning approx 5:37am EST March 22nd, an individual from the IP 38.26.166.149 was "fishing" for access files on my server such as the smartadmin.cgi file. You might want to check your logs for this IP to see if this same individual gained access to your machine.

Just FYI - The reverse DNS on this IP came out to: ip149.moorestown5.nj.pub-ip.psi.net - So, it looks like a dial-up user somewhere in the New York or New Jersey area using PSI.net. I'll be contacting them after I finish with posting this notice.

So, just a friendly word of warning to all - PROTECT YOUR FILES SO THAT YOUR CUSTOMERS' PERSONAL INFORMATION IS PROTECTED!

Until next time,

-BP

-- BP (bppilot@aol.com), March 22, 2000
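
Added example (not part of the original thread, and not S-Mart code): one way to run the log check the post above asks for, over Apache Common Log Format lines. The function names, the SENSITIVE list and the sample log lines are assumptions made for illustration; only the IP and the smartadmin.cgi file name come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache Common/Combined Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Assumption: names worth flagging. smartadmin.cgi is the file named in the post.
SENSITIVE = ("smartadmin.cgi",)

def find_probes(lines, sensitive=SENSITIVE, watch_ips=()):
    """Map client IP -> [(time, raw_path, status, served)] for requests that
    name a sensitive file or come from a watched IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        # Drop the query string, then decode %XX so "smartadmin%2Ecgi" still matches.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        name = path.rsplit("/", 1)[-1]
        if name in sensitive or m["ip"] in watch_ips:
            status = int(m["status"])
            hits[m["ip"]].append((m["ts"], m["path"], status, 200 <= status < 300))
    return dict(hits)

def served_to(hits):
    """IPs that got at least one 2xx answer: the file was served, so review those
    requests first. A 404 or 403 means that probe missed."""
    return sorted(ip for ip, rows in hits.items() if any(r[3] for r in rows))

# Constructed sample lines (not from a real log); the first IP is the one in the post.
SAMPLE = [
    '38.26.166.149 - - [22/Mar/2000:05:37:02 -0500] "GET /cgi-bin/smartadmin.cgi HTTP/1.0" 404 207',
    '38.26.166.149 - - [22/Mar/2000:05:37:09 -0500] "GET /cgi-local/smartadmin.cgi HTTP/1.0" 200 1834',
    '38.26.166.149 - - [22/Mar/2000:05:37:30 -0500] "GET /orders/ HTTP/1.0" 200 4096',
    '192.0.2.10 - - [22/Mar/2000:06:01:44 -0500] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.77 - - [22/Mar/2000:06:10:00 -0500] "GET /cgi-bin/SmartAdmin%2Ecgi?x=1 HTTP/1.0" 403 199',
]

if __name__ == "__main__":
    hits = find_probes(SAMPLE, watch_ips=("38.26.166.149",))
    for ip, rows in hits.items():
        for ts, path, status, served in rows:
            print(ip, ts, path, status, "SERVED" if served else "missed")
    print("follow up on:", served_to(hits))
```

A 2xx status only shows that the server returned the file; whether the visitor got past any login inside the script still has to be checked in the application's own records.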

Answers

Most appreciated.

-- Patrick Chan (patrickccf@hotmail.com), March 22, 2000.

This is worth repeating. The NUMBER ONE thing you can do to protect your files is to have an index file in EVERY directory. Index.htm, index.shtml (bad idea), or index.cgi. Without an index.* you will get a file listing on any http directory.

I have an anti-hacker (index.cgi) script available for download.

HOST-HERE ANTI-HACKER INDEX.CGI

http://host-here.com/cgi-local/index.cgi

Over 100 people have grabbed it this month already. You can install it in ANY directory. If it is outside your cgi-bin and will not execute, it will return a server error, which protects the directory just as well.

Also, while you are there, grab the free CHECKER Payment engine for S-mart and have a look at the new smart.cgi.

Greg Swofford

-- Gregory Swofford (computer@web-store.net), March 23, 2000.


Regarding the anti-hacker script.

UPDATE: The link below is a DEMO. HOST-HERE ANTI-HACKER INDEX.CGI: http://host-here.com/cgi-local/index.cgi

Here is the DOWNLOAD URL. HOST-HERE CHECKER, ANTI-HACKER, Smart DOWNLOAD ENGINE: http://host-here.com/cgi-local/download/downloader.cgi

Thanks, Greg Swofford

-- Gregory Swofford (computer@web-store.net), March 23, 2000.


JUST TO MOTIVATE YOU: 30 seconds after I posted the last answer, I got an email alert: (the anti-hacker alerts me by email of hacking attempts)

Return-Path:
Date: Thu, 23 Mar 2000 10:00:22 -0500 (EST)
To: computer@web-store.net
From: computer@web-store.net (WEB-STORE.NET Support)
Subject: ATTEMPTED HACKER ALERT

The following was recorded:

SERVER_SOFTWARE = Apache/1.3.9 (Unix) PHP/3.0.13 mod_frontpage/3.0.4.3
GATEWAY_INTERFACE = CGI/1.1
DOCUMENT_ROOT = /home/hosth2/virtual_html
REMOTE_ADDR = 204.186.44.186
SERVER_PROTOCOL = HTTP/1.1
REQUEST_METHOD = GET
HTTP_REFERER = http://host-here.com/cgi-local/index.cgi
QUERY_STRING =
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; PenTeleData/ProLog)
PATH = /usr/contrib/bin:/usr/local/bin:/usr/bin:/bin
HTTP_ACCEPT = */*
HTTP_CONNECTION = Keep-Alive
REMOTE_PORT = 2380
HTTP_ACCEPT_LANGUAGE = en-us
SCRIPT_NAME = /cgi-local/index.cgi
HTTP_ACCEPT_ENCODING = gzip, deflate
SCRIPT_FILENAME = /home/hosth2/virtual_html/cgi-local/index.cgi
SERVER_NAME = www.host-here.com
SERVER_PORT = 80
HTTP_HOST = host-here.com
SERVER_ADMIN = hosth2@host-here.com

GET the script. It works. Greg

-- Gregory Swofford (computer@web-store.net), March 23, 2000.


Greg, that was me, Rick Williams from the Penteledata. I was just testing the URL you had posted. Anyway, this little script is fantastic for keeping the hacks down, but another nice feature it seems to have is that if you put it in your cgi-bin and click on it yourself, it will tell you a lot of information about your own server. When I first started playing with scripts I would like to have had it. I think it would have helped me to figure out some of the variables that had to be set.

-- Richard Williams (rob1000@ptd.net), March 23, 2000.

