nop 3.5 feature images changed

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
Under feature products on the home page, I noticed the thumb image SRC was changed to a URL to a Chinese site.
Was I hacked and how can I prevent this? Thanks.
9 years ago
What hosting company are you with? It sounds like there might be a virus on your server. Is there any strange-looking JavaScript when you view the source code of the home page? Do you have a link I can take a look at?
9 years ago
Tim,

I'm hosting nop 3.5 on a Win Server 2012 R2 VM on Microsoft Azure (datacentre in Australia). The backend database is Azure SQL.

When I inspected the thumb IMG SRC attribute, the host was replaced by a Chinese site. The path to the image resource was OK.

Anyway, I went into admin and deleted the product image and uploaded the image again. That seemed to fix the broken link.

If you have any ideas, please let me know....
9 years ago
Hi Tim, I have the same issue. I'm using a nop-templates theme and a Windows VPS. The store is located on a technical URL (just an IP address). I saved the page HTML code with the changed image src and I can send it to you. I checked the image in categories during the "attack" and the image was OK. Also, I saw this issue previously on the 3.40 version.
It was just 2 times, but it looks like a security issue. Changed src example: http://www.ly.com/content/images/thumbs/0000015_25-virtual-gift-card_360.jpeg
Just let me know if I can help
9 years ago
Hi,

I bumped into this from the 3.00 version days ... (see https://www.nopcommerce.com/boards/t/26045/fake-url-injection-in-homepage-nop-300-site.aspx).
It broke several nop 3.00 and 3.40 websites on several physical machines, with several different OS versions, etc.

1. I never found any malware on the machine having this symptom and I used several different anti-malware applications from different companies.
2. All the websites attacked were deployed using only the nopcommerce_no_source files, with no file or folder changes.
3. I used only plugins downloaded from this site, with full respect of the installation procedures.
4. In every affected case the website was deployed on a physical machine in my own company, me being the only admin. No hosting...
5. Every affected nop deployment was configured to use a local SQL Server database with no Windows or SQL Server remote management allowed.
6. In some cases the product picture image links were changed to point to www.baidu.com, in other cases to www.ly.com (both point to China ...)
7. Despite my best efforts I found no suspicious JavaScript files on the affected machines.
8. It seems the attack is auto-eliminated when the guest customer accounts get removed by the scheduled task. After that the picture link URLs have the correct values.
9. I noticed for every such incident that there is more than one Guest Customer Role listed in the Customer Roles page. Somehow several Guest Roles are created and many (I mean many!) guest customer accounts appear to be registered in the Customer list ... and seem to remain there. I recall some cases when I found several thousand guest customer accounts linked to more than 30 customer roles all named "Guest". This might be just a coincidence with the replacement of the product picture URLs.

I suspect the cause is some kind of XSS attack and the consequences get wiped out automatically (URLs get restored) periodically at 5-minute intervals (the scheduled task is set to clean guests every 300 seconds), thus making detecting this a little more tricky.

If someone has any suggestions on solving this very annoying problem I'd be very happy to know it!
9 years ago
ssolescu wrote:
Hi,
I bumped into this from the 3.00 version days ... (see https://www.nopcommerce.com/boards/t/26045/fake-url-injection-in-homepage-nop-300-site.aspx).
It broke several nop 3.00 and 3.40 websites on several physical machines, with several different OS versions, etc.


Thanks ssolescu for such an informative post.

When the issue occurred, I validated the database and also hosted content to ensure there were no modifications to the website. It was OK and there were no virus/trojans reported. Hence, most likely an XSS attack.

I've found that if your image links get broken, you could also 'Clear Cache' under the Administration page to restore your images. There is also a scheduled task to clear the cache if you want to automate this process if this becomes too much of a problem. Scheduling the clearing of the cache may impact performance so you may need to do some benchmarking on your site.

I'm using IIS 8.0+ Dynamic IP Address Restrictions and blocking all IP ranges from China. I haven't experienced the problem since. A tedious measure but at least I can sleep at night now.
9 years ago
jayc wrote:
Hence, most likely an XSS attack

XSRF attack is possible. Please find more info here. I'm currently working on this task. It'll be fixed soon.

But you've written that the picture URL issue can be temporarily fixed by cache resetting. So I'm not sure that this XSRF attack is related to it.
9 years ago
a.m. wrote:
XSRF attack is possible. Please find more info here. I'm currently working on this task. It'll be fixed soon.

And here we go. Fixed. Please find more info at https://www.nopcommerce.com/boards/t/33952/cross-site-request-forgeryconfused-deputy-problem.aspx?p=2#139701
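
The check the posters above did by hand, as an added example that is not part of the original thread: it scans a saved copy of the home page for thumbnail images whose path is normal but whose host is not the store's own. The store host `shop.example.test` and the sample HTML are constructed; the `/content/images/thumbs/` path comes from the URL quoted earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

THUMB_PREFIX = "/content/images/thumbs/"  # path seen in the thread's example URL


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_foreign_thumbs(html, expected_hosts):
    """Return (host, path) for thumbnail URLs served from an unexpected host."""
    allowed = {h.lower() for h in expected_hosts}
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        # Relative URLs have no host and resolve against the store itself.
        if not host or host in allowed:
            continue
        if parts.path.lower().startswith(THUMB_PREFIX):
            findings.append((host, parts.path))
    return findings


# Constructed sample page; shop.example.test stands in for the real store host.
SAMPLE_HTML = """
<div class="product-grid">
  <img src="http://shop.example.test/content/images/thumbs/0000012_item_360.jpeg">
  <img src="/content/images/thumbs/0000013_item_360.jpeg">
  <img src="http://www.ly.com/content/images/thumbs/0000015_25-virtual-gift-card_360.jpeg">
  <img src="//www.baidu.com/content/images/thumbs/0000016_item_360.jpeg">
  <img src="http://cdn.example.net/banners/sale.png">
</div>
"""

if __name__ == "__main__":
    for host, path in find_foreign_thumbs(SAMPLE_HTML, ["shop.example.test"]):
        print(f"ALERT thumbnail served from {host}: {path}")
```

Because the posters report that the rewritten URLs revert once the cache is cleared or the guest cleanup task runs, a check like this is only useful if it runs on a schedule shorter than that interval and keeps the flagged HTML for later analysis.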