Claudia M Posted April 10, 2019 Share Posted April 10, 2019 I found these in the cPanel error log. Any idea what they mean? What should I do to quit getting them as I got the same ones yesterday too. Thanks in advance for any and all help. I replaced my database name with xxx Claudia 10-Apr-2019 01:19:57 UTC] PHP Warning: Invalid Security Token in /home/xxx/public_html/classes/sanitize.class.php on line 155 [10-Apr-2019 01:21:01 UTC] PHP Warning: Stored session data did not match DB record. Session aborted as possible session hijack. Old IP Address: '91.121.222.157' New IP Address: '91.121.222.157' Old User Agent: '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:" in /home/xxx/public_html/classes/session.class.php on line 700 [09-Apr-2019 21:32:46 America/Louisville] PHP Warning: No customer information detected. Order summary was not built or inserted. in /home/xxx/public_html/classes/order.class.php on line 1362 [10-Apr-2019 01:35:13 UTC] PHP Warning: Invalid Security Token in /home/xxx/public_html/classes/sanitize.class.php on line 155 [10-Apr-2019 16:24:28 UTC] PHP Warning: Stored session data did not match DB record. Session aborted as possible session hijack. Old IP Address: '192.99.4.102' New IP Address: '192.99.4.102' Old User Agent: '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:" in /home/xxx/public_html/classes/session.class.php on line 700 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#post_render" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#type" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#markup" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#post_render" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#type" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:24:55 UTC] PHP Warning: Security Warning: Illegal array key "#markup" was detected and was removed. in /home/xxx/public_html/classes/sanitize.class.php on line 114 [10-Apr-2019 16:26:07 UTC] PHP Warning: Stored session data did not match DB record. Session aborted as possible session hijack. Old IP Address: '192.99.4.102' New IP Address: '192.99.4.102' Old User Agent: '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:" in /home/xxx/public_html/classes/session.class.php on line 700 [10-Apr-2019 16:26:25 UTC] PHP Warning: Stored session data did not match DB record. Session aborted as possible session hijack. Old IP Address: '192.99.4.102' New IP Address: '192.99.4.102' Old User Agent: '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:" in /home/xxx/public_html/classes/session.class.php on line 700 Link to comment Share on other sites More sharing options...
bsmither Posted April 10, 2019 Share Posted April 10, 2019 The Illegal array key warning may have come from the same IP address. If so, they are the follow-on components of a 2015 exploit against JOOMLA, a content management system (CMS). The mismatched User Agent (UA) string caused CubeCart to cancel the session info and kill the cookies for that visitor. Al would have to check to see if any latest versions of CubeCart can exploited with this method. Link to comment Share on other sites More sharing options...
Claudia M Posted April 10, 2019 Author Share Posted April 10, 2019 Is there anything I should do? Should this be reported? Link to comment Share on other sites More sharing options...
bsmither Posted April 10, 2019 Share Posted April 10, 2019 You might drop a note to your hosting provider. Advise them there have been probes against your site attempting to discover an exploitable Joomla installation. But probes happen. Not much you can do about it. Link to comment Share on other sites More sharing options...
havenswift-hosting Posted April 11, 2019 Share Posted April 11, 2019 Most of that is CubeCart doing what it should do and nothing to worry about Link to comment Share on other sites More sharing options...
Claudia M Posted April 11, 2019 Author Share Posted April 11, 2019 What about the part that isn't "Most of that"? Link to comment Share on other sites More sharing options...
bsmither Posted April 11, 2019 Share Posted April 11, 2019 There is a Invalid Security Token and No customer information detected. Both of these could happen if the visitor requests pages from CubeCart out of a specific order - as if page requests were randomly being made, probably with a customized payload probing for the exploitable Joomla installation. CubeCart maintains a security token and includes it on every page that has a submittable form (the POST payload). If a specially constructed POST payload is missing that token or has a stale token, CubeCart logs that event and kills the session. Should the visitor continue with making page requests and ends up POSTing form data during any step in the checkout process, but now having all session data trashed, CubeCart reports that the order is missing identifying customer info. The above is the "mess on the floor". When one throws spaghetti against the wall to see what sticks, rarely does the discussion turn to what to do about the "mess on the floor". Link to comment Share on other sites More sharing options...
Claudia M Posted April 11, 2019 Author Share Posted April 11, 2019 Got it Brian. I'll just delete them and be happy CubeCart is doing such a good job keeping my site safe. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.