Anti Hack Hook


EZi

We get the usual hacks mostly through attempts to change the address details in the client profile.

Would it be hard to code a hook that looks at a string of text in the address field (for example "FROM tbladmins)") and, if this string is present, deletes the account?

 

Is there such a thing already out there because it is just irritating having to delete these accounts regularly.


Well, we get notified when someone changes their contact details.

Normally, this looks like this:

 

Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'

Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'

City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'

State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'

Default Payment Method: '' to ''

Affiliate registration: 'Google' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

 

So any string or strings that occur regularly in the hack and are unlikely to represent an address.

I.e., from my original post, something like: FROM tbladmins)

 

So if the string is recognised when saving the changes in the address, the user will get a message to #uc& off and concurrently the account is deleted.

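The values in the notification above are not addresses but SQL fragments: each one closes an AES_ENCRYPT() call and appends a second column assignment whose value is a subquery against tbladmins. The check the first post asks for is a pattern match on the submitted fields before they are saved. As an added example (not code from this thread or from WHMCS, whose hooks are written in PHP), here is that matching logic in Python, run over the notification lines quoted above and over a few ordinary addresses; the field names, the signature list and the "reject rather than delete" policy are my assumptions, and the sample inputs are constructed from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the change-notification lines quoted in the post above.
SAMPLE_NOTICE = """\
Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Default Payment Method: '' to ''
Affiliate registration: 'Google' to ''
"""

# Constructed sample: ordinary addresses that contain SQL keywords as plain
# words and must NOT be flagged (a naive "contains FROM" check would hit them).
LEGIT_FIELDS = {
    "Address 1": "12 From Street",
    "Address 2": "Unit 4, Select Court",
    "City": "Saint Helens",
    "State": "Merseyside",
}

# Signatures (my choice) target SQL *syntax* seen in the attack: a function
# call, a subquery, a reference to a tbl* table, a second column assignment.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("subquery",   re.compile(r"\(\s*SELECT\b.+?\bFROM\s+\w+", re.I | re.S)),
    ("table-ref",  re.compile(r"\bFROM\s+tbl\w+", re.I)),
    ("func-call",  re.compile(r"\bAES_ENCRYPT\s*\(", re.I)),
    ("set-clause", re.compile(r",\s*\w+\s*=\s*\(")),
]

# One line of the notification: Field: 'old value' to 'new value'
NOTICE_LINE = re.compile(r"^(?P<field>[^:]+): '(?P<old>.*)' to '(?P<new>.*)'$")


def parse_notification(text: str) -> Dict[str, str]:
    """Extract {field: new_value} from the "Field: 'old' to 'new'" lines."""
    new_values: Dict[str, str] = {}
    for line in text.splitlines():
        m = NOTICE_LINE.match(line.strip())
        if m:
            new_values[m.group("field")] = m.group("new")
    return new_values


def scan_fields(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {field: [matching signature labels]} for every field that matches."""
    hits: Dict[str, List[str]] = {}
    for name, value in fields.items():
        labels = [label for label, rx in SIGNATURES if rx.search(value)]
        if labels:
            hits[name] = labels
    return hits


def decide(fields: Dict[str, str]) -> Tuple[str, str]:
    """Policy (an assumption): reject the save and report the reason; never auto-delete."""
    hits = scan_fields(fields)
    if not hits:
        return "allow", ""
    detail = "; ".join(f"{f}: {', '.join(l)}" for f, l in sorted(hits.items()))
    return "reject", f"submitted address contains SQL fragments ({detail})"


if __name__ == "__main__":
    submitted = parse_notification(SAMPLE_NOTICE)
    print(decide(submitted))       # reject, with the four address fields listed
    print(decide(LEGIT_FIELDS))    # allow
```

Two design points worth keeping if this is turned into a real hook. First, rejecting the save is safer than deleting the account: the notification email is, as the post says, the only record of the old details, and a false positive on a legitimate address (which is why the signatures match syntax rather than the bare words FROM or SELECT) should cost the customer a retry, not their account. Second, a pattern filter is a stopgap: values that reach the database as SQL text rather than as bound parameters will eventually be reached with a payload the filter does not know, so the vendor update is the actual fix and the filter is a tripwire that tells you an attempt happened.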

Had a similar thing happen today (username was tbladmins)... they tried to purchase a domain just to create an account on the system, but of course didn't pay for the domain name they ordered. I deleted the account pretty quickly, but I was a few versions back, running 5.3.6, which I just updated to 5.3.10. Is there anything I need to be concerned about or look for?


  • 2 months later...
If you use Mod_Security you can block these attempts. If you run CSF in conjunction with Mod_Security, you can configure it to block the IP at the firewall after xx attempts.

 

Hi, please further your info on this. I get an attempt to register domains from "cyberteam" a few times per week, always from a different IP. How can CSF and Mod_Security thwart these new registrations?
