Sales: Call 877.832.5289 (N America)|310.295.4144 (International)

Magento

eCommerce Software for Online Growth

Magento Forum

   
Security issue - magento website compromised? 
 
hydro
Jr. Member
 
Total Posts:  25
Joined:  2008-03-19
 

I noticed some strange looking URL in the Last URL field of online customers. It looked like this:

http://thecric.free.frhttp://thecric.free.fr/AZenv/azenv.php

The IP address was from China.

Have you encountered something like this? What is your opinion about this?

 
 
hydro
Jr. Member
 
Total Posts:  25
Joined:  2008-03-19
 

This is a serious security issue. All the links from the store (catalog) now link to:

http://thecric.free.fr/index.php/name_of_the_category_here

 
 
Moshe
Magento Team
 
Total Posts:  1771
Joined:  2007-08-07
Los Angeles
 

What’s your store URL?

 Signature 

- I would love to change the world, but they won’t give me the source code -

 
 
hydro
Jr. Member
 
Total Posts:  25
Joined:  2008-03-19
 

I will send you the URL via Private Message.

 
 
Rich
Jr. Member
 
Total Posts:  15
Joined:  2008-01-29
London
 

Hi there,

I have experienced the same thing - two days ago I saw these weird URLs in the online customer section and I thought it looked like some kind of automated process scraping my site....but my site doesn't seem to have suffered any ill effects as a result so I didn't think more about it.

Hydro - what happened to your site - did you suffer any problems as a result??

Please let me know,

Cheers, Rich

 
 
Moshe
Magento Team
 
Total Posts:  1771
Joined:  2007-08-07
Los Angeles
 

The content is back to normal now, I do not think there was any security compromise, maybe bad timing with misconfiguration?

 Signature 

- I would love to change the world, but they won’t give me the source code -

 
 
hydro
Jr. Member
 
Total Posts:  25
Joined:  2008-03-19
 
Rich - 15 May 2008 09:33 AM

Hi there,

I have experienced the same thing - two days ago I saw these weird URLs in the online customer section and I thought it looked like some kind of automated process scraping my site....but my site doesn't seem to have suffered any ill effects as a result so I didn't think more about it.

Hydro - what happened to your site - did you suffer any problems as a result??

Please let me know,

Cheers, Rich

The thing is ... soon after I noticed the strange URL in the online customer field ... I visited the URL to see what it is about (I was curious and I don’t know if this has anything to do with the issue). Then I noticed that the front end catalogue links of my shop were pointing to the strange URL (thecric.free.fr).

I restricted access to the website and downloaded the files from the web server to analyse.

After a while (1 or 2 hours) the links were back to normal, pointing at the product in the catalogue as they should be. It looked to me like it is only a cache issue, but I still think it is an issue.

So, if you don’t notice something strange in the couple of hours following the visit from the Chinese IP address mentioned above.... you might not notice it at all (because the links are back to normal).

I have a question: is it normal/OK to see a URL in the Last URL field (Customers online) which is not the base URL of your shop?

 
 
hydro
Jr. Member
 
Total Posts:  25
Joined:  2008-03-19
 
Moshe - 15 May 2008 09:57 AM

The content is back to normal now, I do not think there was any security compromise, maybe bad timing with misconfiguration?

Thanks for your time Moshe. I will keep looking into it.

 
 
Moshe
Magento Team
 
Total Posts:  1771
Joined:  2007-08-07
Los Angeles
 

I think it finally clicked for me how this could happen…

 Signature 

- I would love to change the world, but they won’t give me the source code -

 
 
Moshe
Magento Team
 
Total Posts:  1771
Joined:  2007-08-07
Los Angeles
 

We will be issuing a blog post; the next upgrade will update the base URL configuration to have explicit domain names, and new installations will be pre-configured with the domain name used during the install wizard.

 Signature 

- I would love to change the world, but they won’t give me the source code -
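
A minimal model of the behaviour reported in this thread and of the fix announced above, added here as an illustration; it is not Magento code and not part of any post. It assumes that a base URL without an explicit domain is completed from each request's host and that generated links are cached; `LinkCache`, `foreign_last_urls` and `shop.example` are hypothetical names.

```python
from urllib.parse import urlsplit

CONFIGURED_BASE = "http://shop.example/"   # constructed placeholder for the store's real domain
FOREIGN_HOST = "thecric.free.fr"           # host reported in the thread

class LinkCache:
    """Toy catalog link cache keyed by path only (hypothetical, not Magento code)."""

    def __init__(self, base_url=None):
        self.base_url = base_url   # None models a base URL without an explicit domain
        self._links = {}

    def category_link(self, request_host, path):
        if path not in self._links:
            # Assumption: with no explicit domain, the request's host fills the gap.
            base = self.base_url or f"http://{request_host}/"
            self._links[path] = f"{base}index.php/{path}"
        return self._links[path]

    def flush(self):
        self._links.clear()

def foreign_last_urls(last_urls, base_url):
    """Return the Last URL values whose host is not the store's configured host."""
    shop_host = urlsplit(base_url).hostname
    return [u for u in last_urls if urlsplit(u).hostname != shop_host]

def demo():
    weak, fixed = LinkCache(), LinkCache(CONFIGURED_BASE)
    results = {}
    for name, cache in (("weak", weak), ("fixed", fixed)):
        cache.category_link(FOREIGN_HOST, "furniture")   # request carrying a foreign host
        results[name] = cache.category_link("shop.example", "furniture")  # next real visitor
    weak.flush()   # cache expiry: links go "back to normal"
    results["weak_after_flush"] = weak.category_link("shop.example", "furniture")
    return results

if __name__ == "__main__":
    for key, link in demo().items():
        print(f"{key:17} {link}")
    seen = ["http://shop.example/index.php/furniture",   # constructed sample
            "http://thecric.free.frhttp://thecric.free.fr/AZenv/azenv.php"]  # from the thread
    print(foreign_last_urls(seen, CONFIGURED_BASE))
```

With an explicit domain in the base URL the cached link is the same no matter which host a request carries, and any Last URL value returned by `foreign_last_urls` is worth a look in the access logs.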

 
 
karynn
Member
 
Total Posts:  69
Joined:  2008-02-07
 

I just found someone looking for this URL on my site: http://heritagefineart.com/shop/js/fckeditor/

The person arrived from the Magento Wiki page… They received a 404 not found, but why would they be looking for that? Does the FCK editor have a security hole?

Info about this person:
213.60.67.188
Hostname red.mundo-r.com
Browser Firefox 2.0.0.14
Platform Windows

 
© Copyright 2008 Varien. Magento, eCommerce software, is a trademark of Irubin Consulting Inc. DBA Varien