Oscmax spam

[josemanuel]

I hope this is okay to post in this forum, I believe it may be.

I have a functioning oscmax site, and recently started analyzing the server logs alot. I see an amount of visits that are to "http://mysite.com /index.php?cName=http:/spamsite.com/images?",

Mysite.com is the pseudonym I will use for my site name, and the spamsite.com replaces their names. There are many names that are there.

I wonder:

1: is oscmax vulnerable to something here,

2: is there something that I can add to my .htacess that denies these types of visits.

I would appreciate if you can point me in the right direction,

Jose Manuel

[neil]

If you have cpanel there is a function in there that denys images to spamsite.
You could also block IPs - also in cpanel.

[josemanuel]

Thanks Neil. Unfortunately, I do not have cpanel. Is it possible to do this with htaccess?

[neil]

Google
.htaccess block images
Pages of results like:
Preventing Image Bandwidth Theft With .htaccess (thesitewizard.com)
Back up your .htaccess first before making any changes!

[josemanuel]

That is useful, and I found some good information that I used to protect my images in the htaccess.

I made the changes, and in a few hours will know if this is a solution, but I am not sure, as the activity in my traffic program is not watching the images, it is watching my urls for pages, and they are grabbing:
http://mysite.com/index.php?cName=ht...u/rumusic.wav?

[josemanuel]

Well, while I am glad to protect my images, this spam is still coming in. It is strange, the link does not seem to do anything. Any thoughts on what it does, what it is called (so I can search on it), and how to stop it?

[neil]

You can block the ip address it is coming from, using .htaccess as well.
Do a similar google search on
block the ip address .htaccess
Results like Clockwatchers - .htaccess Tutorial - Block An IP Address
Spammers tend to change their IP addresses so it will be an ongoing process.

[josemanuel]

Thanks Neil.

Your comments are all good, but given that they keep coming from different IP addresses, I gave up on trying that.

However, I did find a website earlier, called blockacountry.com, which creates a list of IP ranges structured for my htaccess, which will block all undesirable countries from my site. I hope I am not accidentally blocking any clients in my wanted country.

This still does not fix the fear of this problem, and why they seem to be increasing this type of attack.

[BobH]

I've been seeing the same sort of thing on my sites, and found this thread which addresses a possible solution: infobox passing unfriendly URL with SQL hack script - Help - osCommerce Community Support Forums
I don't have cPanel, so am having to install mod_security the "old-fashioned" way. Googling "mod_security install" gives some decent installation instructions as well as recommended configurations.

My hosting tech support folks suggested:
"Where we don't provide Mod_security as one of our services, there is an alternative to help prevent these scripts from running. You will have to go into your php.ini file and turn allow_url_fopen off. This will make it so Apache does not treat url's like http://amymusicgirl.h17.ru/mysong.txt as a file. By not treating it as a file it won't execute any of the code located on the url."

Unfortunately, turning "allow_url_fopen" to off blew up both my sites because of the rss news feeds on them plus didn't allow the SEO Assistant contrib to function, so I had to turn it back on. It may work for you, however.

I hope this helps to give you some things to look at .

Bob

[josemanuel]

I know that this is not a vulnerability, but it was making it very hard for me to track my traffic. So, I kept working it, actually googled part of the source of this attempted old fashioned hack. I found this that helped alot After 3 great years, I'm being hacked! - osCommerce Community Support Forums. I posted the following into my application_top, and it seems to help:

// redirect attempted remote file include exploits
if (strpos(strtolower($_SERVER['QUERY_STRING']),'http:') !== false){
header("Location: http://www.othersite.com");
exit;
}